SQL Injection Vulnerability


Wt Riker

Feb 3, 2015, 9:54:33 AM
to jenkins...@googlegroups.com
I posted this once but it seems to have disappeared, so my apologies if it shows up as a duplicate. I have discovered a security vulnerability in Jenkins (1.569). I am a sys admin, not a Jenkins admin, so I do not know how this link is generated and I don't want to start mucking with Jenkins code to fix it. When a job is created, a link like this is generated:

http://jenkins.server.com:8080/job/64-bit_CHRIS_PLAY_TEST_HUV02MS/descriptorByName/hudson.scm.ExcludedRegion/checkPattern

This link is vulnerable to SQL injection. The usual way to correct this is to use prepared statements. In any case I am guessing this has been addressed already and I am looking for the fix. TIA.

Christopher Orr

Feb 3, 2015, 10:04:23 AM
to jenkins...@googlegroups.com
Hi there,

Thanks for the information, but the URL you mention validates regular
expressions for the CVS plugin; it has nothing to do with databases,
makes no SQL queries, nor does it access any files, AFAIK.

Could you maybe explain further what the error is you're seeing?


If possible, could you please report security issues under the SECURITY
project on JIRA, rather than on the users' mailing list?
http://issues.jenkins-ci.org/browse/SECURITY

See also the wiki page:
https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories

Thanks,
Chris

Wt Riker

Feb 3, 2015, 10:30:59 AM
to jenkins...@googlegroups.com
Thanks. I will move this to that forum.

Daniel Beck

Feb 3, 2015, 1:35:15 PM
to jenkins...@googlegroups.com
Just to clear this up, since it was reported publicly:

This appears to be from the CVS plugin and is clearly a false positive:
https://github.com/jenkinsci/cvs-plugin/blob/master/src/main/java/hudson/scm/ExcludedRegion.java#L100

It seems the scanner mistakes printing parts of the input (to return a helpful error message about an invalid regex to the user) as SQL injection for some reason.

Kanstantsin Shautsou

Feb 3, 2015, 1:54:26 PM
to jenkins...@googlegroups.com, m...@beckweb.net
This is not an SQL injection; the configuration page calls all checks for form validation: https://wiki.jenkins-ci.org/display/JENKINS/Form+Validation
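To make the false-positive mechanics concrete, here is an added example (not code from the CVS plugin or from anyone in this thread): a constructed Python stand-in for a regex form validator that behaves like the checkPattern endpoint discussed above, run against constructed scanner probes to show which ones come back reflected in the error message. The probe strings and the function names are assumptions for illustration.

```python
import html
import re

# Constructed stand-in for a Jenkins-style "checkPattern" form validator: the only
# thing it does with the submitted value is try to compile it as a regex. No
# database, no file access, no query string is ever built from the input.
def check_pattern(value: str) -> tuple:
    """Return ("ok", "") or ("error", message); the message echoes the bad input, HTML-escaped."""
    if not value.strip():
        return ("ok", "")          # an empty field is allowed, like an unset exclusion
    try:
        re.compile(value)
    except re.error as exc:
        # Echoing the input helps the user fix the pattern; escaping it keeps the
        # echoed text inert when the framework renders it into the page.
        return ("error", f"Invalid regular expression '{html.escape(value)}': {exc}")
    return ("ok", "")

# Constructed probe strings of the kind a generic scanner pushes into text fields.
PROBES = ["' OR 1=1--", "1' AND '1'='1", "foo[", "(abc", "SELECT * FROM users"]

def triage(probes: list) -> list:
    """For each probe, record the validator's verdict and whether the probe text is
    reflected in the response. A scanner that keys on seeing its payload reflected
    flags the error cases, even though no query engine ever saw the input: the
    SQL-looking probes are valid regexes and get "ok", while malformed regexes
    (unbalanced bracket or parenthesis) are echoed back in the error message."""
    rows = []
    for probe in probes:
        kind, message = check_pattern(probe)
        reflected = probe in html.unescape(message)
        rows.append({"probe": probe, "kind": kind, "reflected": reflected})
    return rows

if __name__ == "__main__":
    for row in triage(PROBES):
        print(f"{row['probe']!r:24} -> {row['kind']:5} reflected={row['reflected']}")
```

The triage table is the check to run when a scanner flags such an endpoint: if the only operation on the input is a compile and the only "leak" is the escaped echo in a validation error, the finding is a reflection false positive rather than injection.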