https://bugzilla.redhat.com/show_bug.cgi?id=1282363
Bug ID: 1282363
Summary: CVE-2015-5320 jenkins: Secret key not verified when connecting a slave (SECURITY-184)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com, dmcphers(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jdetiber(a)redhat.com, jialiu(a)redhat.com, jkeck(a)redhat.com, joelsmith(a)redhat.com, jokerman(a)redhat.com, kseifried(a)redhat.com, lmeyer(a)redhat.com, mizdebsk(a)redhat.com, mmccomas(a)redhat.com, msrb(a)redhat.com
The following flaw was found in Jenkins:
JNLP slave connections did not verify that the correct secret was supplied,
which allowed malicious users to connect their own machines as slaves to
Jenkins knowing only the name of the slave. This enables attackers to take over
Jenkins (unless the slave-to-master security subsystem is enabled) or gain
access to private data like keys and source code.
This issue allows for several different attacks, compromising integrity, stability and confidentiality.
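The following Python is an added illustration of the flaw class described above; it is not Jenkins code and not part of the bug report. It models a controller-side handshake handler in two forms: a pre-fix variant that accepts any connection for a known slave name and ignores the secret, and a fixed variant that requires the per-agent secret and compares it in constant time. The names `AGENT_SECRETS`, `vulnerable_accept`, `hardened_accept`, `audit_handshakes` and the sample handshake attempts are all constructed for this example.

```python
import hmac
import secrets


def new_agent_secret() -> str:
    """Generate a per-agent secret the way a controller should: random, unguessable."""
    return secrets.token_hex(32)


# Constructed registry: slave name -> registered secret. Stands in for the
# controller's agent configuration; the values are made up for this example.
AGENT_SECRETS = {
    "build-agent-01": new_agent_secret(),
    "build-agent-02": new_agent_secret(),
}


def vulnerable_accept(agent_name: str, supplied_secret) -> bool:
    """Pre-fix behaviour as described in the advisory: knowing only the slave
    name is enough, because the supplied secret is never checked."""
    return agent_name in AGENT_SECRETS


def hardened_accept(agent_name: str, supplied_secret) -> bool:
    """Fixed behaviour: the name must be registered AND the supplied secret must
    equal the registered one. hmac.compare_digest avoids timing leaks that a
    plain == comparison on secrets would introduce."""
    expected = AGENT_SECRETS.get(agent_name)
    if expected is None or not isinstance(supplied_secret, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), supplied_secret.encode("utf-8"))


def audit_handshakes(attempts, accept):
    """Run a list of (agent_name, supplied_secret, source) attempts through an
    acceptance policy and return the (source, agent_name) pairs it admitted.
    Useful for comparing policies and for logging rejected attempts."""
    admitted = []
    for agent_name, supplied_secret, source in attempts:
        if accept(agent_name, supplied_secret):
            admitted.append((source, agent_name))
        else:
            # Rejected handshakes are worth recording: repeated name-only
            # attempts from one source are a detection signal.
            print(f"rejected: source={source} agent={agent_name}")
    return admitted


# Constructed handshake attempts: a legitimate agent with its real secret,
# an unregistered name, and a host that knows only a valid slave name.
SAMPLE_ATTEMPTS = [
    ("build-agent-01", AGENT_SECRETS["build-agent-01"], "10.0.0.11"),
    ("build-agent-99", "", "10.0.0.99"),
    ("build-agent-02", "", "198.51.100.7"),
]


if __name__ == "__main__":
    print("pre-fix policy admits:", audit_handshakes(SAMPLE_ATTEMPTS, vulnerable_accept))
    print("fixed policy admits:  ", audit_handshakes(SAMPLE_ATTEMPTS, hardened_accept))
```

Under the pre-fix policy the third attempt is admitted with an empty secret, which is exactly the condition the advisory describes; under the fixed policy only the first attempt, which presents the registered secret, gets through.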
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...