
Publicly disclosed security issue on Jenkins suggested to affect latest version



Description

A public disclosure for a CSRF issue that can lead to arbitrary command execution through Groovy is posted at:

http://seclists.org/bugtraq/2015/Aug/161

Wondering if this has been triaged or is being investigated. My searches on JIRA didn't return anything, so I'm creating this report to track it, just to be on the safe side.

My apologies if this bug doesn't fully follow your guidelines.


Activity

vjuranek added a comment -

Thanks for reporting the issue. It duplicates SECURITY-199 which was triaged and closed as not a bug. This exploit works only when Jenkins CSRF protection is turned off, turning it on should mitigate this issue.

Next time please open any security related issue under "Security issues" project, which is not publicly available. Thanks!

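For anyone who wants to verify and apply the mitigation named in the comment above, the following is an added example (not part of this issue and not Jenkins' own code) that reports whether a crumb issuer is configured and, if none is, enables the built-in DefaultCrumbIssuer. It assumes it is run by an administrator from Manage Jenkins > Script Console or placed in $JENKINS_HOME/init.groovy.d/ to run at startup, and that the instance sits behind a reverse proxy (the behindProxy value is an assumption).

```groovy
// Added hardening example, not from the issue or from Jenkins itself.
// Run as an administrator in the Script Console, or place in
// $JENKINS_HOME/init.groovy.d/ so it runs at startup.
import jenkins.model.Jenkins
import hudson.security.csrf.DefaultCrumbIssuer

def jenkins = Jenkins.instance

// A null crumb issuer means CSRF protection is turned off, which is the
// configuration the comment above says the disclosed issue depends on.
def current = jenkins.crumbIssuer
if (current == null) {
    println "CSRF protection is OFF (no crumb issuer configured)"

    // The "Enable proxy compatibility" checkbox in the UI corresponds to the
    // constructor argument excludeClientIPFromCrumb. Set it to true when
    // Jenkins is reached through a reverse proxy; otherwise crumbs are tied
    // to the client IP the proxy presents and requests may be rejected.
    boolean behindProxy = true   // assumption for this example
    jenkins.crumbIssuer = new DefaultCrumbIssuer(behindProxy)
    jenkins.save()
    println "Enabled DefaultCrumbIssuer (proxy compatibility: ${behindProxy})"
} else {
    println "CSRF protection is ON: ${current.class.simpleName}"
}
```

After enabling it, any automation that posts to Jenkins must fetch and send a crumb (or use an API token over HTTP basic auth), so check existing scripts before rolling this out.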
intan alip added a comment -

Thanks a lot!

Creating a security report for follow-ups.


People

Assignee: vjuranek
Reporter: intan alip
Votes: 0
Watchers: 2
