https://bugzilla.redhat.com/show_bug.cgi?id=1857433
Bug ID: 1857433
Summary: CVE-2020-2223 jenkins: Stored XSS vulnerability in console links
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: psampaio@redhat.com
CC: abenaiss@redhat.com, aos-bugs@redhat.com, bmontgom@redhat.com, eparis@redhat.com, extras-orphan@fedoraproject.org, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jokerman@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, nstielau@redhat.com, pbhattac@redhat.com, sponnaga@redhat.com, vbobade@redhat.com
Target Milestone: ---
Classification: Other
Jenkins 2.244 and earlier and LTS 2.235.1 and earlier do not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.
References:
https://www.jenkins.io/security/advisory/2020-07-15/
https://bugzilla.redhat.com/show_bug.cgi?id=1857433
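As an added illustration (not Jenkins code; Jenkins renders these links from Java/Jelly templates), the unescaped-href pattern the advisory describes beside an attribute-escaped version, with a parser showing what a browser would see. The URL, label and helper names are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input: a downstream job URL under the control of a
# Job/Configure user. The embedded quote closes the href attribute early.
UNTRUSTED_URL = 'job/downstream/" data-injected="1'
LABEL = "downstream #7"


def render_vulnerable(url, label):
    """Pattern the advisory describes: label escaped, href interpolated raw."""
    return '<a href="%s">%s</a>' % (url, html.escape(label, quote=True))


def render_fixed(url, label):
    """Attribute-escape the href and allow only http(s) or relative URLs."""
    scheme = urlsplit(url).scheme.lower()
    safe_url = url if scheme in ("", "http", "https") else "#"
    return '<a href="%s">%s</a>' % (
        html.escape(safe_url, quote=True),
        html.escape(label, quote=True),
    )


class _AnchorAttrs(HTMLParser):
    """Collects the attributes a browser would see on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attrs(markup):
    """Parse rendered markup and return the first anchor's attributes."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs or {}
```

With the vulnerable renderer the parser reports an extra `data-injected` attribute; with the fixed one the whole untrusted string stays inside `href` and nothing else is created.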
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
Depends On | | 1857434
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1857434 [Bug 1857434] CVE-2020-2223 jenkins: Stored XSS vulnerability in console links [fedora-all]
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1857434]
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
Blocks | | 1857443
Mark Cooper mcooper@redhat.com changed:
What | Removed | Added
Depends On | | 1857552, 1857548, 1857551, 1857549, 1857550
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A flaw was found in Jenkins versions 2.244 and prior and in LTS 2.235.1 and prior. The href attributes of links to downstream jobs are not escaped on build console pages, which could lead to a stored cross-site scripting (XSS) vulnerability. The user must have the Agent/Configure permission for this exploit to function. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
--- Comment #3 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2020:3519 https://access.redhat.com/errata/RHSA-2020:3519
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:3519
Product Security DevOps Team prodsec-dev@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | | 2020-08-24 15:15:34
--- Comment #4 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-2223
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2020:3541 https://access.redhat.com/errata/RHSA-2020:3541
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:3541
Vikas Laad vlaad@redhat.com changed:
What | Removed | Added
Depends On | | 1873181
--- Comment #8 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.3
Via RHSA-2020:3808 https://access.redhat.com/errata/RHSA-2020:3808
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:3808
jawed jkhelil@redhat.com changed:
What | Removed | Added
Depends On | | 1877292
Bug 1857433 depends on bug 1857434, which changed state.
Bug 1857434 Summary: CVE-2020-2223 jenkins: Stored XSS vulnerability in console links [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1857434
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | EOL