SB2018051527 - Multiple vulnerabilities in Jenkins
Published: May 15, 2018 Updated: August 8, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2017-2602)
The vulnerability allows a remote authenticated user to manipulate data.
jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blacklisting of the Pipeline metadata files in the agent-to-master security subsystem. This could allow metadata files to be written to by malicious agents (SECURITY-358).
2) Deserialization of Untrusted Data (CVE-ID: CVE-2017-2608)
The vulnerability allows a remote authenticated user to execute arbitrary code.
Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383).
Remediation
Install update from vendor's website.
References
- http://www.securityfocus.com/bid/95952
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2602
- https://github.com/jenkinsci/jenkins/commit/414ff7e30aba66bed18c4ee8a8660fb36fc8c655
- https://jenkins.io/security/advisory/2017-02-01/
- http://www.securityfocus.com/bid/95953
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2608
- https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722