Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-45169

Jenkins 2 setup wizard failing :Unable to connect to Jenkins

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not A Defect
    • Icon: Blocker Blocker
    • core

      Jenkins 2. setup wizard is failing at the final step after entering the admin username and password details .identified it as CSRF vulnerability as a result network blocked the ( completeInstall and createAdminUser files.As per http://telussecuritylabs.com/threats/show/TSL20170428-01 document I tried to install the latest fixed version(2.57) but still it appears to have the same issue.

      Do we have fix for this security vulnerability.

        1. 10.133.210.167-Packet Captures.zip
          663 kB
        2. Firewall Log File for 10.133.210.167 Vulnerability Alert.xlsx
          13 kB
        3. jenkins setup wizard.png
          jenkins setup wizard.png
          16 kB

          [JENKINS-45169] Jenkins 2 setup wizard failing :Unable to connect to Jenkins

          Daniel Beck added a comment -

          identified it as CSRF vulnerability as a result network blocked the ( completeInstall and createAdminUser files

          Whatever's doing the blocking is doing it wrong. Jenkins 2.57 specifically fixed potential CSRF issues in these URLs.

          Daniel Beck added a comment - identified it as CSRF vulnerability as a result network blocked the ( completeInstall and createAdminUser files Whatever's doing the blocking is doing it wrong. Jenkins 2.57 specifically fixed potential CSRF issues in these URLs.

          SHIREESHA PINNINTI added a comment -

          forgot to reopen the ticket.Please see my last comments.

          SHIREESHA PINNINTI added a comment - forgot to reopen the ticket.Please see my last comments.

          Daniel Beck added a comment -

          The requests are sent via POST, with Jenkins-Crumb header/form field, and therefore subject to CSRF protection.

          Your firewall is terrible, and this is still not a defect.

          Get rid of this snake oil bullshit.

          Daniel Beck added a comment - The requests are sent via POST, with Jenkins-Crumb header/form field, and therefore subject to CSRF protection. Your firewall is terrible, and this is still not a defect. Get rid of this snake oil bullshit.

            Unassigned Unassigned
            shireesha SHIREESHA PINNINTI
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: