[3.9] jenkins: Multiple vulnerabilities (CVE-2019-1003049, CVE-2019-1003050)
CVE-2019-1003049: Jenkins accepted cached legacy CLI authentication
Users who had cached their CLI authentication before Jenkins was updated to
2.150.2 or newer, or 2.160 or newer, remained authenticated in Jenkins 2.171
and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for
CVE-2019-1003004 in those releases did not reject existing remoting-based
CLI authentication caches.
Fixed In Version:
jenkins 2.172, jenkins 2.164.2
References:
https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1289
https://nvd.nist.gov/vuln/detail/CVE-2019-1003049
CVE-2019-1003050: Improper escaping of job URLs in f:validateButton leads to cross-site scripting vulnerability.
The f:validateButton form control for the Jenkins UI did not properly
escape job URLs. This resulted in a cross-site scripting (XSS)
vulnerability exploitable by users with the ability to control job
names.
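The following added example (not Jenkins code, and not the real markup of f:validateButton) shows the failure mode above in miniature: a job name that an attacker controls is spliced into a job URL, which in turn lands inside an HTML event-handler attribute. The unhardened path copies the raw URL into the attribute; the hardened path percent-encodes the job name when building the URL and HTML-escapes the URL when embedding it. The root URL, the job name payload and the button markup are all constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Assumed Jenkins root URL and a constructed, attacker-chosen job name.
# The payload tries to close the onclick attribute and add a new handler.
JENKINS_ROOT = "https://ci.example.invalid/"
MALICIOUS_JOB_NAME = 'build" onmouseover="alert(document.cookie)'
BENIGN_JOB_NAME = "my-app"


def job_url(job_name: str, encode: bool) -> str:
    """Build the job's URL. With encode=False the raw name is spliced in,
    which is the unsafe behaviour; with encode=True it is percent-encoded
    as a single path segment."""
    segment = quote(job_name, safe="") if encode else job_name
    return f"{JENKINS_ROOT}job/{segment}/"


def render_button(job_name: str, hardened: bool) -> str:
    """Render a simplified validate-style button whose JavaScript handler
    carries the job URL. This is a stand-in for a form control, not the
    markup Jenkins actually emits."""
    url = job_url(job_name, encode=hardened)
    # HTML attribute context: every quote and ampersand must be entity-escaped,
    # regardless of whether the URL was already percent-encoded (defence in depth).
    attr = html.escape(url, quote=True) if hardened else url
    return f'<input type="button" value="Validate" onclick="validate(\'{attr}\')">'


class _AttrCollector(HTMLParser):
    """Collect the attributes the browser would see on the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def event_handlers(markup: str) -> set:
    """Return the set of on* attributes present on the rendered button.
    More than the single intended onclick means the job name broke out of
    the attribute and injected script."""
    parser = _AttrCollector()
    parser.feed(markup)
    return {name for name in parser.attrs if name.startswith("on")}


if __name__ == "__main__":
    for hardened in (False, True):
        markup = render_button(MALICIOUS_JOB_NAME, hardened=hardened)
        print(("hardened  " if hardened else "vulnerable"), sorted(event_handlers(markup)))
        print("   ", markup)
```

The parser-based check is deliberately the oracle rather than a substring search: what matters is which attributes the browser's tokenizer ends up with, not whether the payload text appears somewhere in the output.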
Fixed In Version:
jenkins 2.172, jenkins 2.164.2
References:
https://jenkins.io/security/advisory/2019-04-10/#SECURITY-1327
https://nvd.nist.gov/vuln/detail/CVE-2019-1003050
(from redmine: issue id 10330, created on 2019-04-25, closed on 2019-06-20)
- Changesets:
- Revision 340842e8 by Francesco Colista on 2019-06-17T08:34:45Z:
community/jenkins: security upgrade to 2.164.2 (CVE-2019-1003049)
Fixes #10330