Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 714730 (CVE-2020-2160, CVE-2020-2161, CVE-2020-2162, CVE-2020-2163) - dev-util/jenkins-bin: Multiple vulnerabilities (CVE-2020-{2160,2161,2162,2163})
Summary: dev-util/jenkins-bin: Multiple vulnerabilities (CVE-2020-{2160,2161,2162,2163})
Status: RESOLVED FIXED
Alias: CVE-2020-2160, CVE-2020-2161, CVE-2020-2162, CVE-2020-2163
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://jenkins.io/security/advisory/...
Whiteboard: ~4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-25 16:18 UTC by Sam James
Modified: 2020-04-25 21:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-25 16:18:36 UTC
1) CVE-2020-2160

Description:
"An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL."

2) CVE-2020-2161

Description:
"Users with Agent/Configure permissions can define labels for nodes. These labels can be referenced in job configurations to restrict where a job can be run.

In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation for label expressions in job configuration forms did not properly escape label names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to define node labels."

3) CVE-2020-2162

Description:
"Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate Content-Security-Policy HTTP headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.

Jenkins now sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL."

4) CVE-2020-2163

Description:
"Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded in list view column headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the content of column headers... Jenkins no longer processes HTML embedded in list view column headers."
Comment 1 Larry the Git Cow gentoo-dev 2020-03-26 06:04:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=409180265366a89318a7de312b9a2422ed36b72b

commit 409180265366a89318a7de312b9a2422ed36b72b
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2020-03-26 06:03:07 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2020-03-26 06:03:07 +0000

    dev-util/jenkins-bin: add 2.204.6 and 2.228
    
    Security fixes
    
    Bug: https://bugs.gentoo.org/714730
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  2 ++
 dev-util/jenkins-bin/jenkins-bin-2.204.6.ebuild | 46 +++++++++++++++++++++++++
 dev-util/jenkins-bin/jenkins-bin-2.228.ebuild   | 46 +++++++++++++++++++++++++
 3 files changed, 94 insertions(+)
Comment 2 Hans de Graaff gentoo-dev 2020-03-26 06:05:29 UTC
Cleanup done.
Comment 3 Sam James archtester gentoo-dev Security 2020-03-26 19:06:08 UTC
Tree is clean, thanks!