JENKINS-45169

Jenkins 2 setup wizard failing: Unable to connect to Jenkins

      Description

      Jenkins 2 setup wizard is failing at the final step after entering the admin username and password details. Identified it as a CSRF vulnerability; as a result, the network blocked the completeInstall and createAdminUser files. As per the http://telussecuritylabs.com/threats/show/TSL20170428-01 document, I tried to install the latest fixed version (2.57), but it still appears to have the same issue.

      Do we have a fix for this security vulnerability?

        Attachments

        1. Firewall Log File for 10.133.210.167 Vulnerability Alert.xlsx
          13 kB
          SHIREESHA PINNINTI
        2. jenkins setup wizard.png
          16 kB
          SHIREESHA PINNINTI

          Activity

          danielbeck Daniel Beck added a comment -

          "identified it as CSRF vulnerability as a result network blocked the completeInstall and createAdminUser files"

          Whatever's doing the blocking is doing it wrong. Jenkins 2.57 specifically fixed potential CSRF issues in these URLs.

          shireesha SHIREESHA PINNINTI added a comment -

          Forgot to reopen the ticket. Please see my last comments.

          danielbeck Daniel Beck added a comment -

          The requests are sent via POST, with Jenkins-Crumb header/form field, and therefore subject to CSRF protection.

          Your firewall is terrible, and this is still not a defect.

          Get rid of this snake oil bullshit.


            People

            Assignee: Unassigned
            Reporter: shireesha SHIREESHA PINNINTI