Jenkins Security Advisory 2015-03-23

This advisory announces a security advisory in Jenkins core.

Description

SECURITY-171/CVE-2015-1812, SECURITY-177/CVE-2015-1813 (Reflective XSS vulnerability)

An attacker without any access to Jenkins can navigate the user to a carefully crafted URL and have the user execute unintended actions. This vulnerability can be used to attack Jenkins inside firewalls from outside so long as the location of Jenkins is known to the attacker.

SECURITY-180/CVE-2015-1814 (forced API token change)

The part of Jenkins that issues a new API token was not adequately protected against anonymous attackers. This allows an attacker to escalate privileges on Jenkins .

Severity

SECURITY-171/SECURITY-177 is rated high. It is a passive attack, but it can result in a compromise of the Jenkins controller or loss of data.

SECURITY-180 is rated critical. This attack can be mounted by any unauthenticated user, and it results in a compromise of the Jenkins controller or loss of data.

Affected Versions

All Jenkins releases <= 1.605
All LTS releases <= 1.596.1

Credit

The Jenkins project would like to thank the following people for finding the vulnerabilities:

Jesse Glick for finding SECURITY-171
Luca Carettoni for finding SECURITY-177
Missoum Said for finding SECURITY-180

Fix

Main line users should upgrade to Jenkins 1.606
LTS users should upgrade to 1.596.2

Other resources

Corresponding security advisory on CloudBees regarding DEV@cloud and Jenkins Enterprise by CloudBees