
Jenkins official site security update (2021-04-07)

Source: Jenkins official site  Published: 2021-04-07  Views: 7274  Comments: 0

Basic information

Release date: 2021-04-07 (vendor local time)

Update type: security update

Updated version: unknown

Detected at: 2021-04-07 21:24:48

Risk level: unknown

Intelligence contributed by: TSRC

Update title

Jenkins Security Advisory 2021-04-07

Update details

Lack of type validation in agent related REST API

SECURITY-1721 / CVE-2021-21639

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node.

This allows attackers with Computer/Configure permission to replace a node with one of a different type.

Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects objects of unexpected types.

View name validation bypass

SECURITY-1871 / CVE-2021-21640

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name. When a form to create a view is submitted, the name is included twice in the submission. One instance is validated, but the other instance is used to create the value.

This allows attackers with View/Create permission to create views with invalid or already-used names.

Jenkins 2.287, LTS 2.277.2 uses the same submitted value for validation and view creation.

CSRF vulnerability in promoted builds Plugin

SECURITY-2293 / CVE-2021-21641

promoted builds Plugin 3.9 and earlier does not require POST requests for HTTP endpoints implementing promotion (regular, forced, and re-execute), resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to promote builds.

promoted builds Plugin 3.9.1 requires POST requests for the affected HTTP endpoints.

Note: A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability.

CSRF vulnerability and missing permission checks in Micro Focus Application Automation Tools Plugin

SECURITY-2132 / CVE-2021-22512 (CSRF), CVE-2021-22513 (permission check)

Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Micro Focus Application Automation Tools Plugin 6.8 requires POST requests and Overall/Administer permission for the affected form validation methods.

Reflected XSS vulnerability in Micro Focus Application Automation Tools Plugin

SECURITY-2175 / CVE-2021-22510

Micro Focus Application Automation Tools Plugin 6.7 and earlier does not escape user input in a form validation response.

This results in a reflected cross-site scripting (XSS) vulnerability.

Micro Focus Application Automation Tools Plugin 6.8 escapes user input in the affected form validation response.

Note: A security hardening since Jenkins 2.275 and LTS 2.263.2 prevents exploitation of this vulnerability.

SSL/TLS certificate validation unconditionally disabled by Micro Focus Application Automation Tools Plugin

SECURITY-2176 / CVE-2021-22511

Micro Focus Application Automation Tools Plugin 6.7 and earlier unconditionally disables SSL/TLS certificate validation for connections to Service Virtualization servers.

Micro Focus Application Automation Tools Plugin 6.8 no longer disables SSL/TLS certificate validation unconditionally by default. It provides an option to disable SSL/TLS certificate validation for connections to Service Virtualization servers.

Severity

SECURITY-1721: Low
SECURITY-1871: Medium
SECURITY-2132: Medium
SECURITY-2175: High
SECURITY-2176: Medium
SECURITY-2293: Medium

Affected Versions

Jenkins weekly up to and including 2.286
Jenkins LTS up to and including 2.277.1
Micro Focus Application Automation Tools Plugin up to and including 6.7
promoted builds Plugin up to and including 3.9

Fix

Jenkins weekly should be updated to version 2.287
Jenkins LTS should be updated to version 2.277.2
Micro Focus Application Automation Tools Plugin should be updated to version 6.8
promoted builds Plugin should be updated to version 3.9.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
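An added example, not from the advisory or the Jenkins project: a small Python check that compares a Jenkins core/plugin inventory against the affected and fixed versions listed in this advisory. The inventory contents, and the use of the advisory's display names as inventory keys, are assumptions.

```python
"""Flag components affected by Jenkins Security Advisory 2021-04-07.

Added example; not Jenkins project code. Affected/fixed versions are
copied from the advisory text above.
"""
from typing import Dict, List, Tuple

# component -> (last affected version, fixed version), per the advisory
ADVISORY = {
    "Jenkins weekly": ("2.286", "2.287"),
    "Jenkins LTS": ("2.277.1", "2.277.2"),
    "Micro Focus Application Automation Tools Plugin": ("6.7", "6.8"),
    "promoted builds Plugin": ("3.9", "3.9.1"),
}

# Constructed sample inventory (assumption): keys are display names;
# "Jenkins" is the core version, classified as weekly or LTS below.
SAMPLE_INVENTORY = {
    "Jenkins": "2.277.1",
    "Micro Focus Application Automation Tools Plugin": "6.7",
    "promoted builds Plugin": "3.9.1",
    "git": "4.7.0",  # not covered by this advisory
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.277.1' into (2, 277, 1); non-numeric suffixes are dropped."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def core_line(version: str) -> str:
    """Jenkins LTS releases carry three components (2.277.1); weekly carry two."""
    return "Jenkins LTS" if len(parse_version(version)) >= 3 else "Jenkins weekly"


def check_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, installed, fixed_in) for each affected entry."""
    findings = []
    for name, version in inventory.items():
        key = core_line(version) if name == "Jenkins" else name
        if key not in ADVISORY:
            continue  # component not named in this advisory
        last_affected, fixed_in = ADVISORY[key]
        if parse_version(version) <= parse_version(last_affected):
            findings.append((key, version, fixed_in))
    return findings
```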

Software description

Jenkins is an open-source software project, a continuous integration tool developed in Java, used to monitor continuously repeated work; it aims to provide an open and easy-to-use software platform that makes continuous integration of software possible. [1]

TSRC analysis

None yet

Industry news

None yet
