https://bugzilla.redhat.com/show_bug.cgi?id=1282363 Bug ID: 1282363 Summary: CVE-2015-5320 jenkins: Secret key not verified when connecting a slave (SECURITY-184) Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: mprpic(a)redhat.com CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jdetiber(a)redhat.com, jialiu(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, jokerman(a)redhat.com, kseifried(a)redhat.com, lmeyer(a)redhat.com, mizdebsk(a)redhat.com, mmccomas(a)redhat.com, msrb(a)redhat.com The following flaw was found in Jenkins: JNLP slave connections did not verify that the correct secret was supplied, which allowed malicious users to connect their own machines as slaves to Jenkins knowing only the name of the slave. This enables attackers to take over Jenkins (unless the slave-to-master security subsystem is enabled) or gain access to private data like keys and source code. This issue allowos for several different attacks, compromising integrity, stability and confidentiality. External References: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20... -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=iMwUEXpAua&a=cc_unsubscribe