===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3069
                   Jenkins Security Advisory 2022-06-22
                               24 June 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins (core)
                   Jenkins Plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-34213 CVE-2022-34212 CVE-2022-34211
                   CVE-2022-34210 CVE-2022-34209 CVE-2022-34208
                   CVE-2022-34207 CVE-2022-34206 CVE-2022-34205
                   CVE-2022-34204 CVE-2022-34203 CVE-2022-34202
                   CVE-2022-34201 CVE-2022-34200 CVE-2022-34199
                   CVE-2022-34198 CVE-2022-34197 CVE-2022-34196
                   CVE-2022-34195 CVE-2022-34194 CVE-2022-34193
                   CVE-2022-34192 CVE-2022-34191 CVE-2022-34190
                   CVE-2022-34189 CVE-2022-34188 CVE-2022-34187
                   CVE-2022-34186 CVE-2022-34185 CVE-2022-34184
                   CVE-2022-34183 CVE-2022-34182 CVE-2022-34181
                   CVE-2022-34180 CVE-2022-34179 CVE-2022-34178
                   CVE-2022-34177 CVE-2022-34176 CVE-2022-34175
                   CVE-2022-34174 CVE-2022-34173 CVE-2022-34172
                   CVE-2022-34171 CVE-2022-34170 CVE-2017-2601

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2022-06-22/

Comment: CVSS (Max):  8.8 CVE-2022-34178 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Jenkins
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2022-06-22  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Jenkins (core)
  o Agent Server Parameter Plugin
  o Beaker builder Plugin
  o Convertigo Mobile Platform Plugin
  o CRX Content Package Deployer Plugin
  o Date Parameter Plugin
  o Dynamic Extended Choice Parameter Plugin
  o EasyQA Plugin
  o Embeddable Build Status Plugin
  o Filesystem List Parameter Plugin
  o Hidden Parameter Plugin
  o Image Tag Parameter Plugin
  o Jianliao Notification Plugin
  o JUnit Plugin
  o Maven Metadata Plugin for Jenkins CI server Plugin
  o Nested View Plugin
  o NS-ND Integration Performance Publisher Plugin
  o ontrack Jenkins Plugin
  o Package Version Plugin
  o Pipeline: Input Step Plugin
  o Readonly Parameter Plugin
  o Repository Connector Plugin
  o REST List Parameter Plugin
  o Sauce OnDemand Plugin
  o Squash TM Publisher (Squash4Jenkins) Plugin
  o Stash Branch Parameter Plugin
  o ThreadFix Plugin
  o vRealize Orchestrator Plugin
  o xUnit Plugin

Descriptions  

Multiple XSS vulnerabilities  

SECURITY-2781 / CVE-2022-34170 (SECURITY-2779), CVE-2022-34171 (SECURITY-2761),
CVE-2022-34172 (SECURITY-2776), CVE-2022-34173 (SECURITY-2780)

Multiple cross-site scripting (XSS) vulnerabilities in Jenkins 2.355 and
earlier, LTS 2.332.3 and earlier allow attackers to inject HTML and JavaScript
into the Jenkins UI:

  o SECURITY-2779 (CVE-2022-34170): Since Jenkins 2.320 and LTS 2.332.1, help
    icon tooltips no longer escape the feature name, effectively undoing the
    fix for SECURITY-1955.

  o SECURITY-2761 (CVE-2022-34171): Since Jenkins 2.321 and LTS 2.332.1, the
    HTML output generated for new symbol-based SVG icons includes the title
    attribute of l:ionicon until Jenkins 2.334 and alt attribute of l:icon
    since Jenkins 2.335 without further escaping.

  o SECURITY-2776 (CVE-2022-34172): Since Jenkins 2.340, symbol-based icons
    unescape previously escaped values of tooltip parameters.

  o SECURITY-2780 (CVE-2022-34173): Since Jenkins 2.340, the tooltip of the
    build button in list views supports HTML without escaping the job display
    name.

These vulnerabilities are known to be exploitable by attackers with Job/
Configure permission.

Jenkins 2.356, LTS 2.332.4 and LTS 2.346.1 address these vulnerabilities:

  o SECURITY-2779: The feature name in help icon tooltips is now escaped.

  o SECURITY-2761: The title attribute of l:ionicon (Jenkins LTS 2.332.4) and
    alt attribute of l:icon (Jenkins 2.356 and LTS 2.346.1) are escaped in the
    generated HTML output.

  o SECURITY-2776: Symbol-based icons no longer unescape values of tooltip
    parameters.

  o SECURITY-2780: The tooltip of the build button in list views is now
    escaped.

No Jenkins LTS release is affected by SECURITY-2776 or SECURITY-2780, as these
were not present in Jenkins 2.332.x and fixed in the 2.346.x line before
2.346.1.

Observable timing discrepancy allows determining username validity  

SECURITY-2566 / CVE-2022-34174

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing
discrepancy on the login form allows distinguishing between login attempts with
an invalid username, and login attempts with a valid username and wrong
password, when using the Jenkins user database security realm. This allows
attackers to determine the validity of attacker-specified usernames.

Login attempts with an invalid username now validate a synthetic password to
eliminate the timing discrepancy in Jenkins 2.356, LTS 2.332.4.
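The mitigation described above, as an added illustration in Python rather than Jenkins' own Java code: an unknown username still verifies a synthetic password, so both code paths perform the same expensive hash. The user database, the PBKDF2 work factor and the password values are constructed for the example.

```python
import hashlib
import hmac
import os

# Work factor for the PBKDF2 simulation (constructed; Jenkins uses its own
# hashing scheme, this only illustrates the equal-work principle).
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database: username -> (salt, hash). Only "alice" exists.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# A synthetic credential, hashed once at startup, that is verified whenever the
# username is unknown so the unknown-user path costs as much as the known one.
_SYNTHETIC_SALT = os.urandom(16)
_SYNTHETIC_HASH = hash_password("synthetic-password", _SYNTHETIC_SALT)


class Counter:
    """Counts expensive hash operations so the two paths can be compared."""
    hashes = 0


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    Counter.hashes += 1
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_leaky(username: str, password: str) -> bool:
    """Pre-fix shape: unknown users return early and skip the hash entirely,
    so the response time reveals whether the username exists."""
    if username not in USERS:
        return False
    salt, expected = USERS[username]
    return verify(password, salt, expected)


def login_fixed(username: str, password: str) -> bool:
    """Post-fix shape: unknown users still verify a synthetic password; the
    result of that verification is discarded and the login always fails."""
    if username not in USERS:
        verify(password, _SYNTHETIC_SALT, _SYNTHETIC_HASH)
        return False
    salt, expected = USERS[username]
    return verify(password, salt, expected)


def hash_work(login_fn, username: str, password: str) -> int:
    """Number of hash operations login_fn performs for one attempt."""
    Counter.hashes = 0
    login_fn(username, password)
    return Counter.hashes
```

Comparing `hash_work` for a known and an unknown username shows the leaky variant doing zero work for unknown users, while the fixed variant does one hash in both cases.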

Unauthorized view fragment access  

SECURITY-2777 / CVE-2022-34175

Jenkins uses the Stapler web framework to render its UI views. These views are
frequently composed of several view fragments, enabling plugins to extend
existing views with more content.

Before SECURITY-534 was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could
in some cases directly access a view fragment containing sensitive information,
bypassing any permission checks in the corresponding view.

In Jenkins 2.335 through 2.355 (both inclusive), the protection added for
SECURITY-534 is disabled for some views. As a result, attackers could in very
limited cases directly access a view fragment containing sensitive information,
bypassing any permission checks in the corresponding view.

As of publication, the Jenkins security team is unaware of any vulnerable view
fragment across the Jenkins plugin ecosystem.

Jenkins 2.356 restores the protection for affected views.

Stored XSS vulnerability in JUnit Plugin  

SECURITY-2760 / CVE-2022-34176

JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of
test results.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Run/Update permission.

JUnit Plugin 1119.1121.vc43d0fc45561 applies the configured markup formatter to
descriptions of test results.

Arbitrary file write vulnerability in Pipeline: Input Step Plugin  

SECURITY-2705 / CVE-2022-34177

Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier allows Pipeline
authors to specify file parameters for Pipeline input steps even though they
are unsupported. Although the uploaded file is not copied to the workspace,
Jenkins archives the file on the controller as part of build metadata using the
parameter name without sanitization as a relative path inside a build-related
directory.

This allows attackers able to configure Pipelines to create or replace
arbitrary files on the Jenkins controller file system with attacker-specified
content.

Pipeline: Input Step Plugin 449.v77f0e8b_845c4 prohibits use of file parameters
for Pipeline input steps. Attempts to use them will fail Pipeline execution.

Reflected XSS vulnerability in Embeddable Build Status Plugin  

SECURITY-2567 / CVE-2022-34178

Embeddable Build Status Plugin 2.0.3 allows specifying a link query parameter
that build status badges will link to, without restricting possible values.

This results in a reflected cross-site scripting (XSS) vulnerability.

Embeddable Build Status Plugin 2.0.4 limits URLs to http and https protocols
and correctly escapes the provided value.

Path traversal vulnerability in Embeddable Build Status Plugin  

SECURITY-2792 / CVE-2022-34179

Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a style
query parameter that is used to choose a different SVG image style without
restricting possible values.

This results in a relative path traversal vulnerability, allowing attackers
without Overall/Read permission to specify paths to other SVG images on the
Jenkins controller file system.

Embeddable Build Status Plugin 2.0.4 restricts the style query parameter to one
of the three legal values.
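The two path-handling defects above, SECURITY-2705 (a parameter name used as a relative path under a build directory) and SECURITY-2792 (a style query parameter joined into an SVG path), share one lesson. The following Python is an added example, not plugin code: an allowlist for the style value, as the 2.0.4 fix does, and a containment check for a relative name. The three style names and the directory paths are assumptions; the advisory only says there are three legal values.

```python
import os
from typing import Optional

# Assumed names for the three legal styles (the advisory does not list them).
ALLOWED_STYLES = frozenset({"plastic", "flat", "flat-square"})


def resolve_style(style: Optional[str], default: str = "plastic") -> str:
    """Allowlist approach: the query value selects one of a fixed set of
    predefined images and never becomes part of a file system path."""
    if style is None:
        return default
    if style not in ALLOWED_STYLES:
        raise ValueError(f"unsupported style {style!r}")
    return style


def build_style_path_unchecked(base_dir: str, style: str) -> str:
    """Pre-fix shape for comparison: the query value is joined straight into
    a path, so '..' segments walk out of base_dir after normalisation."""
    return os.path.normpath(os.path.join(base_dir, f"{style}.svg"))


def is_contained(base_dir: str, relative_name: str) -> bool:
    """True only if base_dir/relative_name resolves to a location strictly
    inside base_dir. Rejects empty names, absolute names and '..' escapes."""
    if not relative_name or os.path.isabs(relative_name):
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative_name))
    return os.path.commonpath([base, target]) == base and target != base


def archive_path_for_parameter(build_dir: str, param_name: str) -> str:
    """Hardened version of what SECURITY-2705 describes: a parameter name used
    as a relative path under a build directory. Refuses anything that would
    land outside build_dir instead of creating or replacing files there."""
    if not is_contained(build_dir, param_name):
        raise ValueError(f"parameter name {param_name!r} escapes {build_dir!r}")
    return os.path.join(build_dir, param_name)
```

The Pipeline: Input Step fix went further and rejects file parameters outright; the containment check shows what any code that must keep accepting a user-chosen relative name has to enforce.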

Improper authorization in Embeddable Build Status Plugin bypasses ViewStatus
permission requirement  

SECURITY-2794 / CVE-2022-34180

Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the
ViewStatus permission check in the HTTP endpoint it provides for "unprotected"
status badge access.

This allows attackers without any permissions to obtain the build status badge
icon for any attacker-specified job and/or build.

Embeddable Build Status Plugin 2.0.4 requires ViewStatus permission to obtain
the build status badge icon.

Agent-to-controller security bypass in xUnit Plugin  

SECURITY-2549 / CVE-2022-34181

xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that
creates a user-specified directory if it doesn't exist and parses files inside
it as test results.

This allows attackers able to control agent processes to create an arbitrary
directory on the Jenkins controller or to obtain test results from existing
files in an attacker-specified directory.

xUnit Plugin 3.1.0 changes the message type from agent-to-controller to
controller-to-agent, preventing execution on the controller.

Reflected XSS vulnerability in Nested View Plugin  

SECURITY-2768 / CVE-2022-34182

Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search
parameters.

This results in a reflected cross-site scripting (XSS) vulnerability.

Nested View Plugin 1.26 escapes search parameters.

Stored XSS vulnerabilities in multiple plugins providing additional parameter
types  

SECURITY-2784 / CVE-2022-34183 (Agent Server Parameter), CVE-2022-34184 (CRX
Content Package Deployer), CVE-2022-34185 (Date Parameter), CVE-2022-34186
(Dynamic Extended Choice Parameter), CVE-2022-34187 (Filesystem List
Parameter), CVE-2022-34188 (Hidden Parameter), CVE-2022-34189 (Image Tag
Parameter), CVE-2022-34190 (Maven Metadata for CI server), CVE-2022-34191
(NS-ND Integration Performance Publisher), CVE-2022-34192 (ontrack Jenkins),
CVE-2022-34193 (Package Version), CVE-2022-34194 (Readonly Parameter),
CVE-2022-34195 (Repository Connector), CVE-2022-34196 (REST List Parameter),
CVE-2022-34197 (Sauce OnDemand), CVE-2022-34198 (Stash Branch Parameter)

Multiple plugins do not escape the name and description of the parameter types
they provide:

  o Agent Server Parameter 1.1 and earlier (SECURITY-2731 / CVE-2022-34183)

  o CRX Content Package Deployer 1.9 and earlier (SECURITY-2727 /
    CVE-2022-34184)

  o Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185)

  o Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 /
    CVE-2022-34186)

  o Filesystem List Parameter 0.0.7 and earlier (SECURITY-2716 /
    CVE-2022-34187)

  o Hidden Parameter Plugin 0.0.4 and earlier (SECURITY-2755 / CVE-2022-34188)

  o Image Tag Parameter 1.10 and earlier (SECURITY-2721 / CVE-2022-34189)

  o Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 /
    CVE-2022-34190)

  o NS-ND Integration Performance Publisher 4.8.0.77 and earlier (SECURITY-2736
    / CVE-2022-34191)

  o ontrack Jenkins 4.0.0 and earlier (SECURITY-2733 / CVE-2022-34192)

  o Package Version 1.0.1 and earlier (SECURITY-2735 / CVE-2022-34193)

  o Readonly Parameter 1.0.0 and earlier (SECURITY-2719 / CVE-2022-34194)

  o Repository Connector 2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195)

  o REST List Parameter Plugin 1.5.2 and earlier (SECURITY-2730 /
    CVE-2022-34196)

  o Sauce OnDemand 1.204 and earlier (SECURITY-2724 / CVE-2022-34197)

  o Stash Branch Parameter 0.3.0 and earlier (SECURITY-2725 / CVE-2022-34198)

This results in stored cross-site scripting (XSS) vulnerabilities exploitable by
attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on
another page, like the "Build With Parameters" and "Parameters" pages provided
by Jenkins (core), and that those pages are not hardened to prevent
exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of
this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and
LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally,
several plugins have previously been updated to list parameters in a way that
prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security
advisory for a list.

The following plugins have been updated to escape the name and description of
the parameter types they provide in the versions specified:

  o REST List Parameter Plugin 1.6.0

  o Hidden Parameter Plugin 0.0.5

As of publication of this advisory, there is no fix available for the following
plugins:

  o Agent Server Parameter 1.1 and earlier (SECURITY-2731 / CVE-2022-34183)

  o CRX Content Package Deployer 1.9 and earlier (SECURITY-2727 /
    CVE-2022-34184)

  o Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185)

  o Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 /
    CVE-2022-34186)

  o Filesystem List Parameter 0.0.7 and earlier (SECURITY-2716 /
    CVE-2022-34187)

  o Image Tag Parameter 1.10 and earlier (SECURITY-2721 / CVE-2022-34189)

  o Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 /
    CVE-2022-34190)

  o NS-ND Integration Performance Publisher 4.8.0.77 and earlier (SECURITY-2736
    / CVE-2022-34191)

  o ontrack Jenkins 4.0.0 and earlier (SECURITY-2733 / CVE-2022-34192)

  o Package Version 1.0.1 and earlier (SECURITY-2735 / CVE-2022-34193)

  o Readonly Parameter 1.0.0 and earlier (SECURITY-2719 / CVE-2022-34194)

  o Repository Connector 2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195)

  o Sauce OnDemand 1.204 and earlier (SECURITY-2724 / CVE-2022-34197)

  o Stash Branch Parameter 0.3.0 and earlier (SECURITY-2725 / CVE-2022-34198)

Passwords stored in plain text by Convertigo Mobile Platform Plugin  

SECURITY-2064 / CVE-2022-34199

Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted
in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or
access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Convertigo Mobile Platform
Plugin  

SECURITY-2276 / CVE-2022-34200 (CSRF), CVE-2022-34201 (missing permission
check)

Convertigo Mobile Platform Plugin 1.1 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

User passwords stored in plain text by EasyQA Plugin  

SECURITY-2066 / CVE-2022-34202

EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global
configuration file EasyQAPluginProperties.xml on the Jenkins controller as part
of its configuration.

These passwords can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in EasyQA Plugin  

SECURITY-2281 / CVE-2022-34203 (CSRF), CVE-2022-34204 (missing permission
check)

EasyQA Plugin 1.0 and earlier does not perform a permission check in a method
implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified HTTP server.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Jianliao Notification
Plugin  

SECURITY-2240 / CVE-2022-34205 (CSRF), CVE-2022-34206 (missing permission
check)

Jianliao Notification Plugin 1.1 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to send HTTP POST requests
to an attacker-specified URL.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Beaker builder Plugin  

SECURITY-2248 / CVE-2022-34207 (CSRF), CVE-2022-34208 (missing permission
check)

Beaker builder Plugin 1.10 and earlier does not perform a permission check in a
method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission check in ThreadFix Plugin  

SECURITY-2249 / CVE-2022-34209 (CSRF), CVE-2022-34210 (missing permission
check)

ThreadFix Plugin 1.5.4 and earlier does not perform a permission check in a
method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission check in vRealize Orchestrator Plugin

SECURITY-2279 / CVE-2022-34211 (CSRF), CVE-2022-34212 (missing permission
check)

vRealize Orchestrator Plugin 3.0 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to send an HTTP POST request
to an attacker-specified URL.

Additionally, this HTTP endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Passwords stored in plain text by Squash TM Publisher (Squash4Jenkins) Plugin  

SECURITY-2089 / CVE-2022-34213

Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords
unencrypted in its global configuration file
org.jenkinsci.squashtm.core.SquashTMPublisher.xml on the Jenkins controller as
part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.

Severity  

  o SECURITY-2064: Medium
  o SECURITY-2066: Low
  o SECURITY-2089: Low
  o SECURITY-2240: Medium
  o SECURITY-2248: Medium
  o SECURITY-2249: Medium
  o SECURITY-2276: Medium
  o SECURITY-2279: Medium
  o SECURITY-2281: Medium
  o SECURITY-2549: Medium
  o SECURITY-2566: Medium
  o SECURITY-2567: High
  o SECURITY-2705: High
  o SECURITY-2760: High
  o SECURITY-2768: High
  o SECURITY-2777: Medium
  o SECURITY-2781: High
  o SECURITY-2784: High
  o SECURITY-2792: Medium
  o SECURITY-2794: Medium

Affected Versions  

  o Jenkins weekly up to and including 2.355
  o Jenkins LTS up to and including 2.332.3
  o Agent Server Parameter Plugin up to and including 1.1
  o Beaker builder Plugin up to and including 1.10
  o Convertigo Mobile Platform Plugin up to and including 1.1
  o CRX Content Package Deployer Plugin up to and including 1.9
  o Date Parameter Plugin up to and including 0.0.4
  o Dynamic Extended Choice Parameter Plugin up to and including 1.0.1
  o EasyQA Plugin up to and including 1.0
  o Embeddable Build Status Plugin up to and including 2.0.3
  o Filesystem List Parameter Plugin up to and including 0.0.7
  o Hidden Parameter Plugin up to and including 0.0.4
  o Image Tag Parameter Plugin up to and including 1.10
  o Jianliao Notification Plugin up to and including 1.1
  o JUnit Plugin up to and including 1119.va_a_5e9068da_d7
  o Maven Metadata Plugin for Jenkins CI server Plugin up to and including 2.1
  o Nested View Plugin up to and including 1.25
  o NS-ND Integration Performance Publisher Plugin up to and including 4.8.0.77
  o ontrack Jenkins Plugin up to and including 4.0.0
  o Package Version Plugin up to and including 1.0.1
  o Pipeline: Input Step Plugin up to and including 448.v37cea_9a_10a_70
  o Readonly Parameter Plugin up to and including 1.0.0
  o Repository Connector Plugin up to and including 2.2.0
  o REST List Parameter Plugin up to and including 1.5.2
  o Sauce OnDemand Plugin up to and including 1.204
  o Squash TM Publisher (Squash4Jenkins) Plugin up to and including 1.0.0
  o Stash Branch Parameter Plugin up to and including 0.3.0
  o ThreadFix Plugin up to and including 1.5.4
  o vRealize Orchestrator Plugin up to and including 3.0
  o xUnit Plugin up to and including 3.0.8

Fix  

  o Jenkins weekly should be updated to version 2.356
  o Jenkins LTS should be updated to version 2.332.4 or 2.346.1
  o Embeddable Build Status Plugin should be updated to version 2.0.4
  o Hidden Parameter Plugin should be updated to version 0.0.5
  o JUnit Plugin should be updated to version 1119.1121.vc43d0fc45561
  o Nested View Plugin should be updated to version 1.26
  o Pipeline: Input Step Plugin should be updated to version 449.v77f0e8b_845c4
  o REST List Parameter Plugin should be updated to version 1.6.0
  o xUnit Plugin should be updated to version 3.1.0

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Agent Server Parameter Plugin
  o Beaker builder Plugin
  o Convertigo Mobile Platform Plugin
  o CRX Content Package Deployer Plugin
  o Date Parameter Plugin
  o Dynamic Extended Choice Parameter Plugin
  o EasyQA Plugin
  o Filesystem List Parameter Plugin
  o Image Tag Parameter Plugin
  o Jianliao Notification Plugin
  o Maven Metadata Plugin for Jenkins CI server Plugin
  o NS-ND Integration Performance Publisher Plugin
  o ontrack Jenkins Plugin
  o Package Version Plugin
  o Readonly Parameter Plugin
  o Repository Connector Plugin
  o Sauce OnDemand Plugin
  o Squash TM Publisher (Squash4Jenkins) Plugin
  o Stash Branch Parameter Plugin
  o ThreadFix Plugin
  o vRealize Orchestrator Plugin
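An added example (not part of the advisory) of turning the Affected Versions and Fix sections above into a check an administrator can run against a plugin inventory. The inventory format (display name, tab, version) and the inventory contents are constructed; the version table covers a subset of the plugins listed above. Jenkins' incremental plugin versions such as 1119.va_a_5e9068da_d7 order by their leading numeric components only, which the comparison handles.

```python
from typing import List, Optional, Tuple

# (last affected version, fixed version) copied from the advisory above.
# None means no fix was available as of publication.
ADVISORY = {
    "Embeddable Build Status Plugin": ("2.0.3", "2.0.4"),
    "Hidden Parameter Plugin": ("0.0.4", "0.0.5"),
    "JUnit Plugin": ("1119.va_a_5e9068da_d7", "1119.1121.vc43d0fc45561"),
    "Nested View Plugin": ("1.25", "1.26"),
    "Pipeline: Input Step Plugin": ("448.v37cea_9a_10a_70", "449.v77f0e8b_845c4"),
    "REST List Parameter Plugin": ("1.5.2", "1.6.0"),
    "xUnit Plugin": ("3.0.8", "3.1.0"),
    "Sauce OnDemand Plugin": ("1.204", None),
    "ThreadFix Plugin": ("1.5.4", None),
}


def version_key(version: str) -> Tuple[int, ...]:
    """Ordering key for a Jenkins plugin version: the run of leading numeric
    components. In the incremental scheme (e.g. 1119.va_a_5e9068da_d7) the
    component starting with 'v' is a commit hash and does not order."""
    parts = []
    for comp in version.split("."):
        if not comp.isdigit():
            break
        parts.append(int(comp))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def is_affected(installed: str, last_affected: str) -> bool:
    """'Up to and including last_affected' as the advisory phrases it.
    Lower bounds (e.g. Nested View 1.20 through 1.25) are not modelled."""
    return version_key(installed) <= version_key(last_affected)


def audit(inventory_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Inventory lines are 'Display Name<TAB>version' (constructed format).
    Returns (plugin, installed version, advice) for each affected plugin."""
    findings = []
    for line in inventory_lines:
        name, _, installed = line.rstrip("\n").partition("\t")
        name, installed = name.strip(), installed.strip()
        if name not in ADVISORY or not installed:
            continue
        last_affected, fixed = ADVISORY[name]
        if is_affected(installed, last_affected):
            advice = f"update to {fixed}" if fixed else "no fix available as of advisory"
            findings.append((name, installed, advice))
    return findings


# Constructed sample inventory: two fixed, three affected, one unrelated.
INVENTORY = [
    "JUnit Plugin\t1119.va_a_5e9068da_d7",
    "xUnit Plugin\t3.1.0",
    "Embeddable Build Status Plugin\t2.0.3",
    "Pipeline: Input Step Plugin\t449.v77f0e8b_845c4",
    "ThreadFix Plugin\t1.5.4",
    "Unrelated Plugin\t1.0",
]

if __name__ == "__main__":
    for plugin, installed, advice in audit(INVENTORY):
        print(f"{plugin} {installed}: {advice}")
```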

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Anders Lundman of WithSecure for SECURITY-2566
  o Daniel Beck, CloudBees, Inc. for SECURITY-2549
  o Justin Philip for SECURITY-2248, SECURITY-2249
  o Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and
    Daniel Beck, CloudBees, Inc. for SECURITY-2784
  o Long Nguyen, Viettel Cyber Security for SECURITY-2089
  o Long Nguyen, Viettel Cyber Security and, independently, Justin Philip for
    SECURITY-2066
  o Long Nguyen, Viettel Cyber Security and, independently, Quentin Parra for
    SECURITY-2064
  o Marc Heyries for SECURITY-2240
  o Quentin Parra for SECURITY-2276
  o Valdes Che Zogou, CloudBees, Inc. for SECURITY-2768, SECURITY-2781
  o Valdes Che Zogou, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc. for
    SECURITY-2760
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-2279, SECURITY-2281
  o Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for
    SECURITY-2777
  o Yaroslav Afenkin, CloudBees, Inc. for SECURITY-2792

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================