Jenkins Security Advisory 2013-05-02
This advisory announces multiple security vulnerabilities that were found in Jenkins core.
SECURITY-63 / CVE-2013-2034
This creates a cross-site request forgery (CSRF) vulnerability on Jenkins master, where an anonymous attacker can trick an administrator to execute arbitrary code on Jenkins master by having him open a specifically crafted attack URL.
There’s also a related vulnerability where the permission check on this ability is done imprecisely, which may affect those who are running Jenkins instances with a custom authorization strategy plugin.
SECURITY-67 / CVE-2013-2033
SECURITY-69 / CVE-2013-2034
This is another CSRF vulnerability that allows an attacker to cause a deployment of binaries to Maven repositories. This vulnerability has the same CVE ID as SEUCRITY-63.
SECURITY-71 / CVE-2013-1808
This creates a cross-site scripting (XSS) vulnerability.
SECURITY-63 is rated critical, since it enables arbitrary code execution.
SECURITY-71 and SECURITY-69 are rated as high, as it allows malicious users to gain unauthorized access to the information and impersonate the administrator of the system. In addition, this allows Jenkins inside a firewall to be attacked from outside. On the other hands, this attack can be only mounted passively, and the attacker needs to know the URL of your Jenkins installations.
SECURITY-67 is rated medium, as it requires an attacker to be a valid user of Jenkins with a write access.
- Main line users should upgrade to Jenkins 1.514
- LTS users should upgrade to 1.509.1
- Users of Jenkins Enterprise by CloudBees 1.466.x should upgrade to 1.466.14.1
- Users of Jenkins Enterprise by CloudBees 1.480.x should upgrade to 1.480.4.1
- Fix has already been deployed to DEV@cloud
All the prior versions are affected by these vulnerabilities.