Arch Linux Security Advisory ASA-201908-22
=========================================
Severity: Medium
Date    : 2019-08-30
CVE-ID  : CVE-2019-10383 CVE-2019-10384
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1030

Summary
======
The package jenkins before version 2.192-1 is vulnerable to multiple
issues including cross-site request forgery and cross-site scripting.

Resolution
=========
Upgrade to 2.192-1.

# pacman -Syu "jenkins>=2.192-1"

The problems have been fixed upstream in version 2.192.

Workaround
=========
None.

Description
==========
- CVE-2019-10383 (cross-site scripting)

Jenkins did not properly escape the update site URL in some status
messages shown in the update center, resulting in a stored cross-site
scripting vulnerability that is exploitable by administrators and
affects other administrators.

- CVE-2019-10384 (cross-site request forgery)

Jenkins allowed the creation of CSRF tokens without a corresponding web
session ID. This is the result of an incomplete fix for SECURITY-626 in
the 2019-07-17 security advisory. This allowed attackers able to obtain
a CSRF token without associated session ID to implement CSRF attacks
with the following constraints. The token had to be created for the
anonymous user (and could only be used for actions the anonymous user
can perform). The victim’s IP address needed to remain unchanged
(unless the proxy compatibility option was enabled) The victim must not
have a valid web session at the time of the attack. CSRF token
generation now creates a web session if none exists yet, so that the
lack of a web session ID cannot be exploited.

Impact
=====
An attacker with administrative access can execute XSS attacks on other
administrators by using crafted status messages on the update center.
Further, an attacker is able to execute a CSRF attack under a very
narrow set of constraints.

References
=========
https://www.jenkins.io/security/advisory/2019-08-28/
https://security.archlinux.org/CVE-2019-10383
https://security.archlinux.org/CVE-2019-10384

ArchLinux: 201908-22: jenkins: multiple issues

September 4, 2019

Summary

- CVE-2019-10383 (cross-site scripting) Jenkins did not properly escape the update site URL in some status messages shown in the update center, resulting in a stored cross-site scripting vulnerability that is exploitable by administrators and affects other administrators.
- CVE-2019-10384 (cross-site request forgery)
Jenkins allowed the creation of CSRF tokens without a corresponding web session ID. This is the result of an incomplete fix for SECURITY-626 in the 2019-07-17 security advisory. This allowed attackers able to obtain a CSRF token without associated session ID to implement CSRF attacks with the following constraints. The token had to be created for the anonymous user (and could only be used for actions the anonymous user can perform). The victim’s IP address needed to remain unchanged (unless the proxy compatibility option was enabled) The victim must not have a valid web session at the time of the attack. CSRF token generation now creates a web session if none exists yet, so that the lack of a web session ID cannot be exploited.

Resolution

Upgrade to 2.192-1. # pacman -Syu "jenkins>=2.192-1"
The problems have been fixed upstream in version 2.192.

References

https://www.jenkins.io/security/advisory/2019-08-28/ https://security.archlinux.org/CVE-2019-10383 https://security.archlinux.org/CVE-2019-10384

Severity
Package : jenkins
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1030

Workaround

None.

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved