
====================================================================

                             CERT-Renater

                 Note d'Information No. 2018/VULN143
_____________________________________________________________________

DATE                : 11/04/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins weekly up to and including
                     2.115, or Jenkins LTS up to and including 2.107.1
                     (fixed in weekly 2.116 and LTS 2.107.2).

=====================================================================
https://jenkins.io/security/advisory/2018-04-11/
_____________________________________________________________________

 Jenkins Security Advisory 2018-04-11

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)


Descriptions

CLI leaked existence of views and agents with attacker-specified names
to users without Overall/Read permission


SECURITY-754 / CVE pending

The Jenkins CLI sent different error responses to unauthorized users for
commands taking a view or agent argument, depending on whether the
specified view or agent existed. This allowed attackers without
Overall/Read permission to determine whether views or agents with
specified names exist, e.g. by probing a list of candidate names and
comparing the error messages.

The Jenkins CLI now returns the same error messages to unauthorized
users independent of the existence of specified view or agent names.
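The pattern behind SECURITY-754, as an added example that is not Jenkins
code: a command handler that looks the name up before checking the caller's
permission produces two distinguishable errors, which an unauthorized caller
can turn into an existence oracle. The handler names, the view list and the
permission check below are constructed for illustration; the fix is the
ordering and the single, name-independent error message.

```javascript
// Constructed sample state: the views this server knows about.
const VIEWS = new Set(['All', 'release-pipeline', 'internal-audit']);

// Constructed permission check: only 'alice' holds Overall/Read here.
function hasOverallRead(user) {
  return user === 'alice';
}

// Vulnerable ordering: the lookup runs first, so an unauthorized caller
// receives one of two distinct errors depending on whether the view exists.
function getViewVulnerable(user, name) {
  if (!VIEWS.has(name)) {
    throw new Error(`No view named ${name}`);            // says: does not exist
  }
  if (!hasOverallRead(user)) {
    throw new Error(`${user} is missing Overall/Read`);  // says: it exists
  }
  return name;
}

// Fixed ordering: authorize first, and fail with one message that does not
// depend on whether the name resolves.
function getViewFixed(user, name) {
  if (!hasOverallRead(user) || !VIEWS.has(name)) {
    throw new Error('No such view or insufficient permission');
  }
  return name;
}

// Issue one command as the anonymous user and return only the error text,
// with the probed name normalised out so that echoing the name does not by
// itself make two "does not exist" errors look different.
function probe(handler, name) {
  try {
    handler('anonymous', name);
    return 'ok';
  } catch (e) {
    return e.message.split(name).join('<name>');
  }
}

// Existence oracle: a candidate is confirmed when its error differs from
// the error returned for a name that certainly does not exist.
function enumerate(handler, candidates) {
  const baseline = probe(handler, 'zz-does-not-exist-zz');
  return candidates.filter((n) => probe(handler, n) !== baseline);
}

// Constructed wordlist: two real view names mixed with two guesses.
const WORDLIST = ['release-pipeline', 'staging', 'internal-audit', 'prod'];

console.log('vulnerable handler confirms:', enumerate(getViewVulnerable, WORDLIST));
console.log('fixed handler confirms:     ', enumerate(getViewFixed, WORDLIST));
```

The same check applies to any object addressed by name (agents, jobs,
credentials): the authorization decision must come before the lookup, and
the failure path must not branch on the lookup result.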

Cross-site scripting vulnerability in confirmation dialogs displaying
item names


SECURITY-759 / CVE pending

Some JavaScript confirmation dialogs included the item name without
escaping it, resulting in a cross-site scripting vulnerability exploitable
by users with permission to create or configure items, since those users
control the item name.

JavaScript confirmation dialogs that include the item name now properly
escape it, so it can be safely displayed.
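The class of bug behind SECURITY-759, as an added example that is not
Jenkins code: a server-side template splices an item name into an inline
confirmation handler, first unescaped and then escaped in both layers the
value passes through (JavaScript string literal, then HTML attribute). The
advisory does not say how the affected dialogs were built; the markup shape,
the function names and the harness that runs the generated handler the way
a browser would are constructed for illustration.

```javascript
// Escape a value for use inside a double-quoted HTML attribute.
function htmlAttrEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Reverse of the above, standing in for the browser's attribute parsing.
function htmlAttrUnescape(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  })[e]);
}

// Vulnerable: the raw item name is spliced into a JS string literal.
function renderDeleteLinkVulnerable(itemName) {
  return `<a href="delete" onclick="return confirm('Delete ${itemName}?')">Delete</a>`;
}

// Fixed: JSON.stringify produces a valid JS string literal (quotes,
// backslashes and line breaks escaped), and the whole handler is then
// attribute-escaped so the attribute delimiter cannot be broken either.
// The order matters: the browser unescapes the attribute before the JS
// parser ever sees the value.
function renderDeleteLinkFixed(itemName) {
  const js = `return confirm(${JSON.stringify('Delete ' + itemName + '?')})`;
  return `<a href="delete" onclick="${htmlAttrEscape(js)}">Delete</a>`;
}

// Minimal browser stand-in: extract the onclick attribute, unescape it and
// run it as the handler body with a stub confirm() and a fake window.
function clickHandler(markup) {
  const m = markup.match(/onclick="([^"]*)"/);
  const body = htmlAttrUnescape(m[1]);
  const asked = [];
  const confirmStub = (msg) => { asked.push(msg); return true; };
  const window = { pwned: false };
  const fn = new Function('confirm', 'window', body);
  const returned = fn(confirmStub, window);
  return { returned, pwned: window.pwned, asked };
}

// Constructed item names: a benign one and one that closes the string
// literal and injects an expression that runs before confirm() is called.
const BENIGN_NAME = 'my-job';
const EVIL_NAME = "x'+(window.pwned=true)+'";

console.log('vulnerable:', clickHandler(renderDeleteLinkVulnerable(EVIL_NAME)));
console.log('fixed:     ', clickHandler(renderDeleteLinkFixed(EVIL_NAME)));
```

With the vulnerable template the injected expression executes and the
dialog text is corrupted; with the fixed template the same name is shown
verbatim inside the dialog and nothing else runs. Escaping only for HTML, or
only for JavaScript, would leave one of the two contexts open.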


Severity

    SECURITY-754: low
    SECURITY-759: medium


Affected Versions

    Jenkins weekly up to and including 2.115
    Jenkins LTS up to and including 2.107.1


Fix

    Jenkins weekly should be updated to version 2.116
    Jenkins LTS should be updated to version 2.107.2

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Assaf Berg for SECURITY-754
    Jesper den Boer for SECURITY-759

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================


