[JENKINS-45169] Jenkins 2 setup wizard failing :Unable to connect to Jenkins

Type: Bug
Resolution: Not A Defect
Priority: Blocker
Component/s: core
Labels:
- 2.57
- CSRF
- setup

Similar Issues:
Powered by SuggestiMate

Show

Jenkins 2. setup wizard is failing at the final step after entering the admin username and password details .identified it as CSRF vulnerability as a result network blocked the ( completeInstall and createAdminUser files.As per http://telussecuritylabs.com/threats/show/TSL20170428-01 document I tried to install the latest fixed version(2.57) but still it appears to have the same issue.

Do we have fix for this security vulnerability.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

Firewall Log File for 10.133.210.167 Vulnerability Alert.xlsx
13 kB
2017-07-27 14:49
10.133.210.167-Packet Captures.zip
663 kB
2017-07-27 14:48
jenkins setup wizard.png
16 kB
2017-06-27 20:19

SHIREESHA PINNINTI created issue - 2017-06-27 20:52

Daniel Beck added a comment - 2017-06-27 23:35

identified it as CSRF vulnerability as a result network blocked the ( completeInstall and createAdminUser files

Whatever's doing the blocking is doing it wrong. Jenkins 2.57 specifically fixed potential CSRF issues in these URLs.

Daniel Beck added a comment - 2017-06-27 23:35 identified it as CSRF vulnerability as a result network blocked the ( completeInstall and createAdminUser files Whatever's doing the blocking is doing it wrong. Jenkins 2.57 specifically fixed potential CSRF issues in these URLs.

Daniel Beck made changes - 2017-06-27 23:35

Resolution		New: Not A Defect [ 7 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

SHIREESHA PINNINTI made changes - 2017-07-27 14:48

Attachment

New: 10.133.210.167-Packet Captures.zip [ 39054 ]

SHIREESHA PINNINTI made changes - 2017-07-27 14:49

Attachment

New: Firewall Log File for 10.133.210.167 Vulnerability Alert.xlsx [ 39055 ]

SHIREESHA PINNINTI added a comment - 2017-07-31 19:22

forgot to reopen the ticket.Please see my last comments.

SHIREESHA PINNINTI added a comment - 2017-07-31 19:22 forgot to reopen the ticket.Please see my last comments.

SHIREESHA PINNINTI made changes - 2017-07-31 19:22

Resolution	Original: Not A Defect [ 7 ]
Status	Original: Resolved [ 5 ]	New: Reopened [ 4 ]

Daniel Beck added a comment - 2017-07-31 19:57

The requests are sent via POST, with Jenkins-Crumb header/form field, and therefore subject to CSRF protection.

Your firewall is terrible, and this is still not a defect.

Get rid of this snake oil bullshit.

Daniel Beck added a comment - 2017-07-31 19:57 The requests are sent via POST, with Jenkins-Crumb header/form field, and therefore subject to CSRF protection. Your firewall is terrible, and this is still not a defect. Get rid of this snake oil bullshit.

Daniel Beck made changes - 2017-07-31 19:57

Resolution		New: Not A Defect [ 7 ]
Status	Original: Reopened [ 4 ]	New: Resolved [ 5 ]

Assignee:: Unassigned

Reporter:: SHIREESHA PINNINTI

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2017-06-27 20:52

Updated:: 2017-07-31 19:57

Resolved:: 2017-07-31 19:57

Jenkins

Details

Description

Attachments

Attachments

Activity

Collapse comment: Daniel Beck added a comment - 2017-06-27 23:35

Expand comment: Daniel Beck added a comment - 2017-06-27 23:35

Collapse comment: SHIREESHA PINNINTI added a comment - 2017-07-31 19:22

Expand comment: SHIREESHA PINNINTI added a comment - 2017-07-31 19:22

Collapse comment: Daniel Beck added a comment - 2017-07-31 19:57

Expand comment: Daniel Beck added a comment - 2017-07-31 19:57

People

Dates