Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.2911
Jenkins Security Advisory 2023-05-16
18 May 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Jenkins Plugins
Publisher: Jenkins
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2023-33007 CVE-2023-33006 CVE-2023-33005
CVE-2023-33004 CVE-2023-33003 CVE-2023-33002
CVE-2023-33001 CVE-2023-33000 CVE-2023-32999
CVE-2023-32998 CVE-2023-32997 CVE-2023-32996
CVE-2023-32995 CVE-2023-32994 CVE-2023-32993
CVE-2023-32992 CVE-2023-32991 CVE-2023-32990
CVE-2023-32989 CVE-2023-32988 CVE-2023-32987
CVE-2023-32986 CVE-2023-32985 CVE-2023-32984
CVE-2023-32983 CVE-2023-32982 CVE-2023-32981
CVE-2023-32980 CVE-2023-32979 CVE-2023-32978
CVE-2023-32977 CVE-2023-2633 CVE-2023-2632
CVE-2023-2631 CVE-2023-2196 CVE-2023-2195
Original Bulletin:
https://www.jenkins.io/security/advisory/2023-05-16/
Comment: CVSS (Max): 8.8 CVE-2023-32986 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: Jenkins
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Jenkins Security Advisory 2023-05-16
This advisory announces vulnerabilities in the following Jenkins deliverables:
o Ansible Plugin
o AppSpider Plugin
o Azure VM Agents Plugin
o CAS Plugin
o Code Dx Plugin
o Email Extension Plugin
o File Parameter Plugin
o HashiCorp Vault Plugin
o LDAP Plugin
o LoadComplete support Plugin
o NS-ND Integration Performance Publisher Plugin
o Pipeline Utility Steps Plugin
o Pipeline: Job Plugin
o Reverse Proxy Auth Plugin
o SAML Single Sign On(SSO) Plugin
o SAML Single Sign On(SSO) Plugin
o SAML Single Sign On(SSO) Plugin
o Sidebar Link Plugin
o Tag Profiler Plugin
o TestComplete support Plugin
o TestNG Results Plugin
o WSO2 Oauth Plugin
Descriptions
Stored XSS vulnerability in Pipeline: Job Plugin
SECURITY-3042 / CVE-2023-32977
Severity (CVSS): High
Affected plugin: workflow-job
Description:
Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display
name of the build that caused an earlier build to be aborted, when "Do not
allow concurrent builds" is set.
This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to set build display names immediately.
The Jenkins security team is not aware of any plugins that allow the
exploitation of this vulnerability, as the build name must be set before the
build starts.
Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build
that caused an earlier build to be aborted.
CSRF vulnerability in LDAP Plugin
SECURITY-3046 / CVE-2023-32978
Severity (CVSS): Medium
Affected plugin: ldap
Description:
LDAP Plugin 673.v034ec70ec2b_b_ and earlier does not require POST requests for
a form validation method, resulting in a cross-site request forgery (CSRF)
vulnerability.
This vulnerability allows attackers to connect to an attacker-specified LDAP
server using attacker-specified credentials.
LDAP Plugin 676.vfa_64cf6b_b_002 requires POST requests for the affected form
validation method.
Missing permission check in Email Extension Plugin
SECURITY-3088 (1) / CVE-2023-32979
Severity (CVSS): Medium
Affected plugin: email-ext
Description:
Email Extension Plugin 2.96 and earlier does not perform a permission check in
a method implementing form validation.
This allows attackers with Overall/Read permission to check for the existence
of files in the email-templates/ directory in the Jenkins home directory on the
controller file system.
This form validation method requires the appropriate permission in Email
Extension Plugin 2.96.1.
CSRF vulnerability in Email Extension Plugin
SECURITY-3088 (2) / CVE-2023-32980
Severity (CVSS): Medium
Affected plugin: email-ext
Description:
Email Extension Plugin 2.96 and earlier does not require POST requests for an
HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This allows attackers to make another user stop watching an attacker-specified
job.
Email Extension Plugin 2.96.1 requires POST requests for the affected HTTP
endpoint.
Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin
SECURITY-2196 / CVE-2023-32981
Severity (CVSS): Medium
Affected plugin: pipeline-utility-steps
Description:
Pipeline Utility Steps Plugin provides the untar and unzip Pipeline steps to
extract archives into job workspaces.
Pipeline Utility Steps Plugin 2.15.2 and earlier does not validate or limit
file paths of files contained within these archives.
This allows attackers able to provide crafted archives as parameters to create
or replace arbitrary files on the agent file system with attacker-specified
content.
Pipeline Utility Steps Plugin 2.15.3 rejects extraction of files in tar and zip
archives that would be placed outside the expected destination directory.
Secrets stored and displayed in plain text by Ansible Plugin
SECURITY-3017 / CVE-2023-32982 (storage), CVE-2023-32983 (masking)
Severity (CVSS): Medium
Affected plugin: ansible
Description:
Ansible Plugin allows the specification of extra variables that can be passed
to Ansible. These extra variables are commonly used to pass secrets.
Ansible Plugin 204.v8191fd551eb_f and earlier stores these extra variables
unencrypted in job config.xml files on the Jenkins controller as part of its
configuration.
These extra variables can be viewed by users with Item/Extended Read permission
or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these extra variables,
increasing the potential for attackers to observe and capture them.
Ansible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the
configuration form, and stores them encrypted once job configurations are saved
again.
Stored XSS vulnerability in TestNG Results Plugin
SECURITY-3047 / CVE-2023-32984
Severity (CVSS): High
Affected plugin: testng-plugin
Description:
TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several
values that are parsed from TestNG report files and displayed on the plugin's
test information pages.
This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to provide a crafted TestNG report file.
TestNG Results Plugin 730.732.v959a_3a_a_eb_a_72 escapes the affected values
that are parsed from TestNG report files.
Path traversal vulnerability in Sidebar Link Plugin
SECURITY-3125 / CVE-2023-32985
Severity (CVSS): Medium
Affected plugin: sidebar-link
Description:
Sidebar Link Plugin allows specifying files in the userContent/ directory for
use as link icons.
Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a
method implementing form validation.
This allows attackers with Overall/Read permission to check for the existence
of an attacker-specified file path on the Jenkins controller file system.
Sidebar Link Plugin 2.2.2 ensures that only files located within the expected
userContent/ directory can be accessed.
Arbitrary file write vulnerability in File Parameter Plugin
SECURITY-3123 / CVE-2023-32986
Severity (CVSS): High
Affected plugin: file-parameters
Description:
File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the
name (and resulting uploaded file name) of Stashed File Parameters.
This allows attackers with Item/Configure permission to create or replace
arbitrary files on the Jenkins controller file system with attacker-specified
content.
File Parameter Plugin 285.287.v4b_7b_29d3469d restricts the name (and resulting
uploaded file name) of Stashed File Parameters.
CSRF vulnerability in Reverse Proxy Auth Plugin
SECURITY-3002 / CVE-2023-32987
Severity (CVSS): Medium
Affected plugin: reverse-proxy-auth-plugin
Description:
Reverse Proxy Auth Plugin 1.7.4 and earlier does not require POST requests for
a form validation method, resulting in a cross-site request forgery (CSRF)
vulnerability.
This vulnerability allows attackers to connect to an attacker-specified LDAP
server using attacker-specified credentials.
Reverse Proxy Auth Plugin 1.7.5 requires POST requests for the affected form
validation method.
Missing permission check in Azure VM Agents Plugin allows enumerating
credentials IDs
SECURITY-2855 (1) / CVE-2023-32988
Severity (CVSS): Medium
Affected plugin: azure-vm-agents
Description:
Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform a
permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.
An enumeration of credentials IDs in Azure VM Agents Plugin 853.v4a_1a_dd947520
requires Overall/Administer permission.
CSRF vulnerability and missing permission checks in Azure VM Agents Plugin
SECURITY-2855 (2) / CVE-2023-32989 (CSRF), CVE-2023-32990 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: azure-vm-agents
Description:
Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform
permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an
attacker-specified Azure Cloud server using attacker-specified credentials IDs
obtained through another method.
Additionally, these HTTP endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.
Azure VM Agents Plugin 853.v4a_1a_dd947520 requires POST requests and the
appropriate permissions for the affected HTTP endpoints.
CSRF vulnerability and missing permission checks in SAML Single Sign On(SSO)
Plugin allow XXE
SECURITY-2993 / CVE-2023-32991 (CSRF), CVE-2023-32992 (missing permission
check)
Severity (CVSS): High
Affected plugin: miniorange-saml-sp
Description:
SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform permission
checks in multiple HTTP endpoints.
This allows attackers with Overall/Read permission to send an HTTP request to
an attacker-specified URL and parse the response as XML, or parse a local file
on the Jenkins controller as XML.
As the plugin does not configure its XML parser to prevent XML external entity
(XXE) attacks, attackers can have Jenkins parse a crafted XML response that
uses external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.
Additionally, these HTTP endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.
SAML Single Sign On(SSO) Plugin 2.1.0 requires POST requests and Overall/
Administer permission for the affected HTTP endpoints.
Missing hostname validation in SAML Single Sign On(SSO) Plugin
SECURITY-3001 (1) / CVE-2023-32993
Severity (CVSS): Medium
Affected plugin: miniorange-saml-sp
Description:
SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname
validation when connecting to miniOrange or the configured IdP to retrieve SAML
metadata.
This lack of validation could be abused using a man-in-the-middle attack to
intercept these connections.
SAML Single Sign On(SSO) Plugin 2.1.0 performs hostname validation when
connecting to miniOrange or the configured IdP to retrieve SAML metadata.
SSL/TLS certificate validation unconditionally disabled by SAML Single Sign On
(SSO) Plugin
SECURITY-3001 (2) / CVE-2023-32994
Severity (CVSS): Medium
Affected plugin: miniorange-saml-sp
Description:
SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/
TLS certificate validation for connections to miniOrange or the configured IdP
to retrieve SAML metadata.
This lack of validation could be abused using a man-in-the-middle attack to
intercept these connections.
SAML Single Sign On(SSO) Plugin 2.2.0 performs SSL/TLS certificate validation
when connecting to miniOrange or the configured IdP to retrieve SAML metadata.
CSRF vulnerability and missing permission check in SAML Single Sign On(SSO)
Plugin
SECURITY-2994 / CVE-2023-32995 (CSRF), CVE-2023-32996 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: miniorange-saml-sp
Description:
SAML Single Sign On(SSO) Plugin 2.0.0 and earlier does not perform a permission
check in an HTTP endpoint.
This allows attackers with Overall/Read permission to send an HTTP POST request
with JSON body containing attacker-specified content, to miniOrange's API for
sending emails.
Additionally, this HTTP endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.
SAML Single Sign On(SSO) Plugin 2.0.1 removes the affected HTTP endpoint.
Session fixation vulnerability in CAS Plugin
SECURITY-3000 / CVE-2023-32997
Severity (CVSS): High
Affected plugin: cas-plugin
Description:
CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login.
This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.
CAS Plugin 1.6.3 invalidates the existing session on login.
CSRF vulnerability and missing permission checks in Code Dx Plugin
SECURITY-3118 / CVE-2023-2195 (CSRF), CVE-2023-2631 (missing permission check)
Severity (CVSS): Medium
Affected plugin: codedx
Description:
Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several
HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.
Additionally, these HTTP endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.
Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for
the affected HTTP endpoints.
Missing permission checks in Code Dx Plugin
SECURITY-3145 / CVE-2023-2196
Severity (CVSS): Medium
Affected plugin: codedx
Description:
Code Dx Plugin 3.1.0 and earlier does not perform a permission check in a
method implementing form validation.
This allows attackers with Item/Read permission to check for the existence of
an attacker-specified file path on an agent file system.
Code Dx Plugin 4.0.0 requires Item/Configure permission for this form
validation method and ensures that only files located within the workspace can
be checked.
API keys stored and displayed in plain text by Code Dx Plugin
SECURITY-3146 / CVE-2023-2632 (storage), CVE-2023-2633 (masking)
Severity (CVSS): Medium
Affected plugin: codedx
Description:
Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in
job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or
access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these API keys,
increasing the potential for attackers to observe and capture them.
Code Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing
them through its newly added Credentials Plugin integration. Affected jobs need
to be reconfigured.
CSRF vulnerability and missing permission check in AppSpider Plugin
SECURITY-3121 / CVE-2023-32998 (CSRF), CVE-2023-32999 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: jenkinsci-appspider-plugin
Description:
AppSpider Plugin 1.0.15 and earlier does not perform a permission check in a
method implementing form validation.
This allows attackers with Overall/Read permission to connect to an
attacker-specified URL and send an HTTP POST request with a JSON payload
consisting of attacker-specified credentials.
Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.
AppSpider Plugin 1.0.16 requires POST requests and Overall/Administer
permission for the affected form validation method.
Credentials displayed without masking by NS-ND Integration Performance
Publisher Plugin
SECURITY-2962 / CVE-2023-33000
Severity (CVSS): Low
Affected plugin: cavisson-ns-nd-integration
Description:
NS-ND Integration Performance Publisher Plugin stores credentials in job
config.xml files on the Jenkins controller as part of its configuration.
While these credentials are stored encrypted on disk, in NS-ND Integration
Performance Publisher Plugin 4.8.0.149 and earlier, the job configuration form
does not mask these credentials, increasing the potential for attackers to
observe and capture them.
NS-ND Integration Performance Publisher Plugin 4.11.0.48 masks credentials
displayed on the configuration form.
Improper masking of credentials in HashiCorp Vault Plugin
SECURITY-3077 / CVE-2023-33001
Severity (CVSS): Medium
Affected plugin: hashicorp-vault-plugin
Description:
HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask
(i.e., replace with asterisks) credentials printed in the build log from
Pipeline steps like sh and bat, when both of the following conditions are met:
o The credentials are printed in build steps executing on an agent (typically
inside a node block).
o Push mode for durable task logging is enabled. This is a hidden option in
Pipeline: Nodes and Processes that can be enabled through the Java system
property
org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING.
It is also automatically enabled by some plugins, e.g., OpenTelemetry and
Pipeline Logging over CloudWatch.
An improvement in Credentials Binding 523.525.vb_72269281873 implements a
workaround that applies build log masking even in affected plugins. This
workaround is temporary and potentially incomplete, so it is still recommended
that affected plugins be updated to resolve this issue.
As of publication of this advisory, there is no fix. Learn why we announce
this.
Stored XSS vulnerability in TestComplete support Plugin
SECURITY-2892 / CVE-2023-33002
Severity (CVSS): High
Affected plugin: TestComplete
Description:
TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete
project name in its test result page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix. Learn why we announce
this.
CSRF vulnerability and missing permission checks in Tag Profiler Plugin
SECURITY-3083 / CVE-2023-33003 (CSRF), CVE-2023-33004 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: tag-profiler
Description:
Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an
HTTP endpoint.
This allows attackers with Overall/Read permission to reset profiler
statistics.
Additionally, this HTTP endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce
this.
Session fixation vulnerability in WSO2 Oauth Plugin
SECURITY-2991 / CVE-2023-33005
Severity (CVSS): High
Affected plugin: wso2id-oauth
Description:
WSO2 Oauth Plugin 1.0 and earlier does not invalidate the existing session on
login.
This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.
As of publication of this advisory, there is no fix. Learn why we announce
this.
CSRF vulnerability in WSO2 Oauth Plugin
SECURITY-2990 / CVE-2023-33006
Severity (CVSS): Medium
Affected plugin: wso2id-oauth
Description:
WSO2 Oauth Plugin 1.0 and earlier does not implement a state parameter in its
OAuth flow, a unique and non-guessable value associated with each
authentication request.
This vulnerability allows attackers to trick users into logging in to the
attacker's account.
As of publication of this advisory, there is no fix. Learn why we announce
this.
Stored XSS vulnerability in LoadComplete support Plugin
SECURITY-2903 / CVE-2023-33007
Severity (CVSS): High
Affected plugin: loadcomplete
Description:
LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete
test name in its test result page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix. Learn why we announce
this.
Severity
o SECURITY-2196: Medium
o SECURITY-2855 (1): Medium
o SECURITY-2855 (2): Medium
o SECURITY-2892: High
o SECURITY-2903: High
o SECURITY-2962: Low
o SECURITY-2990: Medium
o SECURITY-2991: High
o SECURITY-2993: High
o SECURITY-2994: Medium
o SECURITY-3000: High
o SECURITY-3001 (1): Medium
o SECURITY-3001 (2): Medium
o SECURITY-3002: Medium
o SECURITY-3017: Medium
o SECURITY-3042: High
o SECURITY-3046: Medium
o SECURITY-3047: High
o SECURITY-3077: Medium
o SECURITY-3083: Medium
o SECURITY-3088 (1): Medium
o SECURITY-3088 (2): Medium
o SECURITY-3118: Medium
o SECURITY-3121: Medium
o SECURITY-3123: High
o SECURITY-3125: Medium
o SECURITY-3145: Medium
o SECURITY-3146: Medium
Affected Versions
o Ansible Plugin up to and including 204.v8191fd551eb_f
o AppSpider Plugin up to and including 1.0.15
o Azure VM Agents Plugin up to and including 852.v8d35f0960a_43
o CAS Plugin up to and including 1.6.2
o Code Dx Plugin up to and including 3.1.0
o Email Extension Plugin up to and including 2.96
o File Parameter Plugin up to and including 285.v757c5b_67a_c25
o HashiCorp Vault Plugin up to and including 360.v0a_1c04cf807d
o LDAP Plugin up to and including 673.v034ec70ec2b_b_
o LoadComplete support Plugin up to and including 1.0
o NS-ND Integration Performance Publisher Plugin up to and including
4.8.0.149
o Pipeline Utility Steps Plugin up to and including 2.15.2
o Pipeline: Job Plugin up to and including 1292.v27d8cc3e2602
o Reverse Proxy Auth Plugin up to and including 1.7.4
o SAML Single Sign On(SSO) Plugin up to and including 2.0.2
o SAML Single Sign On(SSO) Plugin up to and including 2.1.0
o SAML Single Sign On(SSO) Plugin up to and including 2.0.0
o Sidebar Link Plugin up to and including 2.2.1
o Tag Profiler Plugin up to and including 0.2
o TestComplete support Plugin up to and including 2.8.1
o TestNG Results Plugin up to and including 730.v4c5283037693
o WSO2 Oauth Plugin up to and including 1.0
Fix
o Ansible Plugin should be updated to version 205.v4cb_c48657c21
o AppSpider Plugin should be updated to version 1.0.16
o Azure VM Agents Plugin should be updated to version 853.v4a_1a_dd947520
o CAS Plugin should be updated to version 1.6.3
o Code Dx Plugin should be updated to version 4.0.0
o Email Extension Plugin should be updated to version 2.96.1
o File Parameter Plugin should be updated to version 285.287.v4b_7b_29d3469d
o LDAP Plugin should be updated to version 676.vfa_64cf6b_b_002
o NS-ND Integration Performance Publisher Plugin should be updated to version
4.11.0.48
o Pipeline Utility Steps Plugin should be updated to version 2.15.3
o Pipeline: Job Plugin should be updated to version 1295.v395eb_7400005
o Reverse Proxy Auth Plugin should be updated to version 1.7.5
o SAML Single Sign On(SSO) Plugin should be updated to version 2.1.0
o SAML Single Sign On(SSO) Plugin should be updated to version 2.2.0
o SAML Single Sign On(SSO) Plugin should be updated to version 2.0.1
o Sidebar Link Plugin should be updated to version 2.2.2
o TestNG Results Plugin should be updated to version
730.732.v959a_3a_a_eb_a_72
These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.
As of publication of this advisory, no fixes are available for the following
plugins:
o HashiCorp Vault Plugin
o LoadComplete support Plugin
o Tag Profiler Plugin
o TestComplete support Plugin
o WSO2 Oauth Plugin
Learn why we announce these issues.
Credit
The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:
o Alvaro Munoz (@pwntester), GitHub Security Lab for SECURITY-3118,
SECURITY-3121
o Daniel Beck, CloudBees, Inc. for SECURITY-2962
o Kevin Guerroudj, CloudBees, Inc. for SECURITY-2990, SECURITY-2991,
SECURITY-2994, SECURITY-3000, SECURITY-3017, SECURITY-3042, SECURITY-3046,
SECURITY-3145
o Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc. for
SECURITY-3002
o Kevin Guerroudj, CloudBees, Inc. and, independently, Alvaro Munoz
(@pwntester), GitHub Security Lab for SECURITY-2993
o Tony Torralba (@atorralba), GitHub Security Lab for SECURITY-3123,
SECURITY-3125
o Trung Pham, and, independently, Tony Torralba (@atorralba), GitHub Security
Lab for SECURITY-2196
o Valdes Che Zogou for SECURITY-3047
o Valdes Che Zogou, CloudBees, Inc. for SECURITY-2855 (1), SECURITY-2855 (2),
SECURITY-2892
o Yaroslav Afenkin, CloudBees, Inc. for SECURITY-2903, SECURITY-3001 (1),
SECURITY-3001 (2), SECURITY-3083, SECURITY-3146
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZGXNZMkNZI30y1K9AQjMIhAAnrV2cJuonn71Z8TAX4FDg1K9Hcb1MAT/
GBSInLJs9+c0pJTFqfM//od5iNcziep2VpqiGWQx3UGzL/WM0piWe4uDumOKb1Ju
mwB3ME733igFPVZ47YOkIiF1AT64ZeLaMb3ezPfbMl9jUf+qYB9lkNym+dCWOMhx
1qOKKd7NGt5ISrmq9C70vgsLz74x6QcxqbZTnV3AV/76NPqhJLJ4MSNUEeBSC8A0
nLyVzPO3beP92/ZKnLasHy12ps092PP3jPzxag3v67BCYnbFBddR2ifSXZQRuX5s
d67EMxUDcVpub1NfJf64MVm20ZHO7YoNGXchJZNQrJa6F87pS02V30Iu2sE2Kolr
mv97Cy+6Y10aK3trYinxXXXCC7AKobXYq6LuzRASmG/Z4Jk/9n43+Dlp5Ri1Gj28
nhTRQrNSrNypOkNeNNgJZ2IEp36dfTOi+GoagSuZUpABSyrl9Rbh3mmcBrBF9rYL
HvLKcoevWIApinYbIxd+b2GCEZ7JtSAVt5jZWPn+1cdT05efbGIbpHwOcp/Qg4DQ
BJaoaYx+vWrOT4t6lEr0BQGhO9KQkPkfg+7laTkxFB0NYy2O+FYD3rpZ3Wjzb8Am
8u4PKZ9u01uh6DfLTNiGps8ao2Rc9Z/1GGSmlUS49AtW0blmMwp2fHQLDco6jR+H
W2oTsufMsFg=
=8bXE
-----END PGP SIGNATURE-----