Jenkins Security Advisory 2015-03-23

This advisory announces a security advisory in Jenkins core.

Description

SECURITY-171/CVE-2015-1812, SECURITY-177/CVE-2015-1813 (Reflective XSS vulnerability)

An attacker without any access to Jenkins can navigate the user to a carefully crafted URL and have the user execute unintended actions. This vulnerability can be used to attack Jenkins inside firewalls from outside so long as the location of Jenkins is known to the attacker.

SECURITY-180/CVE-2015-1814 (forced API token change)

The part of Jenkins that issues a new API token was not adequately protected against anonymous attackers. This allows an attacker to escalate privileges on Jenkins .

Severity

SECURITY-171/SECURITY-177 is rated high. It is a passive attack, but it can result in a compromise of the Jenkins controller or loss of data.

SECURITY-180 is rated critical. This attack can be mounted by any unauthenticated user, and it results in a compromise of the Jenkins controller or loss of data.

Affected Versions

  • All Jenkins releases <= 1.605

  • All LTS releases <= 1.596.1

Credit

The Jenkins project would like to thank the following people for finding the vulnerabilities:

  • Jesse Glick for finding SECURITY-171

  • Luca Carettoni for finding SECURITY-177

  • Missoum Said for finding SECURITY-180

Fix

  • Main line users should upgrade to Jenkins 1.606

  • LTS users should upgrade to 1.596.2

Other resources