Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918101 (CVE-2023-36478, CVE-2023-39151, CVE-2023-43494, CVE-2023-43495, CVE-2023-43496, CVE-2023-43497, CVE-2023-43498) - <dev-util/jenkins-bin-{2.414.3,2.428}: multiple vulnerabilities
Summary: <dev-util/jenkins-bin-{2.414.3,2.428}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-36478, CVE-2023-39151, CVE-2023-43494, CVE-2023-43495, CVE-2023-43496, CVE-2023-43497, CVE-2023-43498
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2023-44487
  Show dependency tree
 
Reported: 2023-11-23 18:40 UTC by John Helmert III
Modified: 2023-12-01 13:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-23 18:40:12 UTC
CVE-2023-43494 (https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261):

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

CVE-2023-43495 (https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3245):

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter.

CVE-2023-43496 (https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072):

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.

CVE-2023-43497 (https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073):

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

CVE-2023-36478 (http://www.openwall.com/lists/oss-security/2023/10/18/4):

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to
exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295
will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.

This one documented in https://www.jenkins.io/security/advisory/2023-10-18/.

Fixes are in 2.414.3 and 2.428, so please cleanup.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-28 21:17:47 UTC
CVE-2023-43498 (https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073):

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

CVE-2023-39151 (https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188):

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

(Doesn't seem to be a more appropriate bug to track these issues)