SB2012030903 - Multiple vulnerabilities in Jenkins

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2012-0324)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Cross-site scripting (CVE-ID: CVE-2012-0325)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in Jenkins before 1.454, Jenkins LTS before 1.424.5, and Jenkins Enterprise 1.400.x before 1.400.0.13 and 1.424.x before 1.424.5.1. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• http://jvn.jp/en/jp/JVN14791558/index.html
• http://jvndb.jvn.jp/jvndb/JVNDB-2012-000022
• http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-03-05.cb
• http://www.securityfocus.com/bid/52384
• http://jvn.jp/en/jp/JVN79950061/index.html
• http://jvndb.jvn.jp/jvndb/JVNDB-2012-000023