Jenkins Security Advisory 2013-05-02

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

Description

SECURITY-63 / CVE-2013-2034

This creates a cross-site request forgery (CSRF) vulnerability on the Jenkins controller, where an anonymous attacker can trick an administrator to execute arbitrary code on the Jenkins controller by having him open a specifically crafted attack URL.

There’s also a related vulnerability where the permission check on this ability is done imprecisely, which may affect those who are running Jenkins instances with a custom authorization strategy plugin.

SECURITY-67 / CVE-2013-2033

This creates a cross-site scripting (XSS) vulnerability, where an attacker with a valid user account on Jenkins can execute JavaScript in the browser of other users, if those users are using certain browsers.

SECURITY-69 / CVE-2013-2034

This is another CSRF vulnerability that allows an attacker to cause a deployment of binaries to Maven repositories. This vulnerability has the same CVE ID as SEUCRITY-63.

SECURITY-71 / CVE-2013-1808

This creates a cross-site scripting (XSS) vulnerability.

Severity

SECURITY-63 is rated critical, since it enables arbitrary code execution.

SECURITY-71 and SECURITY-69 are rated as high, as it allows malicious users to gain unauthorized access to the information and impersonate the administrator of the system. In addition, this allows Jenkins inside a firewall to be attacked from outside. On the other hands, this attack can be only mounted passively, and the attacker needs to know the URL of your Jenkins installations.

SECURITY-67 is rated medium, as it requires an attacker to be a valid user of Jenkins with a write access.

Fix

  • Main line users should upgrade to Jenkins 1.514

  • LTS users should upgrade to 1.509.1

All the prior versions are affected by these vulnerabilities.