-
Improvement
-
Resolution: Not A Defect
-
Blocker
-
Linux Ubuntu 14.04.05 LTS
Description:
Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery. Following vulnerabilities are reported in Jenkins:- Code execution through crafted URLs- Forced migration of user records- Workspace browser allowed accessing files outside the workspace- Potential denial of service through cron expression form validation Affected Versions: Jenkins weekly up to and including 2.153Jenkins LTS up to and including 2.138.3QID Detection Logic:(Unauthenticated)This QID checks for vulnerable version by sending a crafted GET request to Jenkins. This QID also detects the vulnerable version from login page or HTTP header.
Solution:
Customers are advised to upgrade to Jenkins weekly version 2.154,Jenkins LTS version 2.138.4 or 2.150.1 or later to remediate these vulnerabilities.
Patch: Following are links for downloading patches to fix the vulnerabilities: Jenkins Security Advisory 2018-12-05
Current version:
Jenkins ver. 2.141
[JENKINS-56218] Steps to follow JENKINS upgrade 2.154 in Ubuntu 14.04 LTS
Please do not use the Jenkins project issue tracker as your personal to-do list.
have no idea what is this request about