Web Vulnerability

[Wt Riker]

I have uncovered a security vulnerability in Jenkins (1.569) that needs to be resolved. When creating a job this link results:

http://jenkins.server.com:8080/job/64-bit_CHRIS_PLAY_TEST_HUV02MS/descriptorByName/hudson.scm.ExcludedRegion/checkPattern

As a sys admin, not a Jenkins admin, I do not know how this link is generated. However, it is vulnerable to SQL injection. The most common solution is to use prepared statements but I can't spend the time learning how Jenkins works to fix it myself and I don't want to introduce non-standard code. I am guessing that this problem has already been addressed somehow. Is there a patch available? Thanks.

[Baptiste Mathus]

Hi,
Currently offline, so I can't give you the full URL. But security issues should not be reported here, but on the SECURITY project on the Jenkins JIRA instance. The issues logged there are not accessible publicly and let the secu team work on them and produce a fix before disclosure.

HTH
Cheers

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/8b673381-aee8-4604-9e97-3a3f508989da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Richard Bywater]

Security vulnerabilities should be reported using the process on https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories and not publically disclosed straight away to give the project time to fix affected versions.

Having said all that Jenkins doesn't (usually) use a database so not sure how you've managed to find a SQL vulnerability?

Cheers
Richard

--