Jenkins Advisory 2017-11-08: CVE-2017-1000391: Unsafe use of user names as directory names
|4||(AV:L/AC:M/Au:N/C:P/I:P/A:P)||November 19, 2017||November 19, 2017||November 19, 2017|
Jenkins stores metadata related to , which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of problems, such as the following:This is not limited to the security realm, other security realms such as LDAP may allow users to create user names that result in problems in Jenkins.User names are now transformed into a filesystem-safe representation that is used as directory name.
Free Nexpose Download
Discover, prioritize, and remediate security risks today!
- Jenkins Advisory 2017-10-11: CVE-2017-1000396: CVE-2012-6153: Jenkins core bundled vulnerable version of the commons-httpclient library
- Jenkins Advisory 2017-10-11: CVE-2017-1000393: Arbitrary shell command execution on master by users with Agent-related permissions
- Jenkins Advisory 2017-10-11: CVE-2017-1000398: "Computer" remote API disclosed information about inaccessible jobs
- Jenkins Advisory 2017-10-11: CVE-2017-1000395: "User" remote API disclosed users' email addresses
- Jenkins Advisory 2017-11-08: CVE-2017-1000392: Persisted XSS vulnerability in autocompletion suggestions
- Jenkins Advisory 2017-10-11: CVE-2017-1000399: "Queue Item" remote API disclosed information about inaccessible jobs
- Jenkins Advisory 2017-10-11: CVE-2017-1000394: CVE-2016-3092: Jenkins core bundled vulnerable version of the commons-fileupload library