Jenkins Security Advisory 2018-04-11

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)

Descriptions

CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission

SECURITY-754 / CVE-2018-1000169

For commands that take view or agent arguments, the Jenkins CLI sent different error responses to unauthorized users depending on whether the specified view or agent existed. This allowed attackers to determine whether views or agents with specified names exist.

The Jenkins CLI now returns the same error messages to unauthorized users regardless of whether the specified view or agent exists.

Cross-site scripting vulnerability in confirmation dialogs displaying item names

SECURITY-759 / CVE-2018-1000170

Some JavaScript confirmation dialogs included the item name in an unsafe manner, resulting in a possible cross-site scripting vulnerability exploitable by users with permission to create or configure items.

JavaScript confirmation dialogs that include the item name now properly escape it, so it can be safely displayed.
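The class of bug described above, as an added example that is not Jenkins source code: a confirmation handler built by string concatenation next to one that encodes the item name for both the JavaScript string and the HTML attribute. All function names, the dialog text and the sample item name are assumptions constructed for illustration.

```javascript
// Added illustration, not Jenkins source. All function names are hypothetical.

// Outer layer: HTML attribute encoding (the browser undoes this before running the handler).
function escapeHtmlAttr(s) {
  return s.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
}

// Stand-in for the browser's attribute decoding, so the demo runs without a DOM.
function decodeHtmlAttr(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Unsafe pattern: the item name lands inside a JS string literal unencoded,
// so a quote in the name ends the literal and the rest is parsed as code.
function unsafeHandler(itemName) {
  return "return confirm('Delete " + itemName + "?')";
}

// Safe pattern: JSON.stringify produces a complete JS string literal (quotes,
// backslashes and line breaks escaped); attribute encoding is applied last.
function safeHandlerAttr(itemName) {
  const js = "return confirm(" + JSON.stringify("Delete " + itemName + "?") + ")";
  return escapeHtmlAttr(js);
}

// Runs handler source like an inline event handler, with stubbed functions,
// and returns the list of calls it made.
function runHandler(source) {
  const calls = [];
  const confirm = msg => { calls.push(["confirm", msg]); return false; };
  const marker = () => { calls.push(["marker"]); };
  new Function("confirm", "marker", source)(confirm, marker);
  return calls;
}

// Constructed item name: the quote closes the string literal early.
// marker() is a harmless stub standing in for any code other than confirm().
const hostileName = "job' + marker() + '";

// Unsafe: marker runs, and the dialog text is not the real item name.
console.log(runHandler(unsafeHandler(hostileName)));
// Safe: only confirm runs, and it receives the item name verbatim.
console.log(runHandler(decodeHtmlAttr(safeHandlerAttr(hostileName))));
```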

Severity

Affected Versions

  • Jenkins weekly up to and including 2.115
  • Jenkins LTS up to and including 2.107.1

Fix

  • Jenkins weekly should be updated to version 2.116
  • Jenkins LTS should be updated to version 2.107.2

These versions include fixes for the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Assaf Berg for SECURITY-754
  • Jesper den Boer for SECURITY-759