Hudson Security Advisory 2010-07-05

Vulnerability

This vulnerability allows an attacker to read arbitrary files in the server file system whose path names are known, by sending malicious HTTP GET requests. While such access is still subject to the normal access control enforced by the operating system, Hudson can still leak "secrets" possessed by Hudson, hence the critical rating.

Affected Versions

This vulnerability affects your Hudson if all of the following conditions are met:

  • Hudson version 1.364 or earlier

  • Hudson is run on the built-in Winstone servlet container. This includes the RPM and DEB packages.

  • Attacker has a direct access to the TCP/IP port that Hudson listens to, without going through an HTTP proxy of some kind, such as Apache.

Fix

One of the following actions will fix the problem.

  • Upgrade to Hudson 1.365 or later, which contains a fix to this problem.

  • Run Hudson in a servlet container other than Winstone, such as Jetty, Tomcat, or GlassFish.

  • Run Hudson behind a reverse HTTP proxy, such as apache.

Future Advisories

See the security page for how to subscribe to future security advisories.