  1. Jenkins
  2. JENKINS-43811

Arbitrary code execution vulnerability


      Description

      Jenkins Security Advisory 2017-04-10 revealed an arbitrary code execution vulnerability in the claim plugin.


          Activity

          mindrunner Lukas Elsner added a comment -

          Is this plugin dead? 

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Arnaud
          Path:
          pom.xml
          src/test/java/hudson/plugins/claim/ClaimGroovyTest.java
          http://jenkins-ci.org/commit/claim-plugin/2c84835873010cbd9d51ee3781510b6be62932d6
          Log:
          JENKINS-43811 Reproduced vulnerability with a test

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Arnaud TAMAILLON
          Path:
          pom.xml
          src/main/java/hudson/plugins/claim/AbstractClaimBuildAction.java
          src/main/java/hudson/plugins/claim/ClaimBuildFailureAnalyzer.java
          src/main/java/hudson/plugins/claim/ClaimColumn.java
          src/main/java/hudson/plugins/claim/ClaimConfig.java
          src/main/java/hudson/plugins/claim/ClaimEmailer.java
          src/main/java/hudson/plugins/claim/ClaimIndication.java
          src/main/java/hudson/plugins/claim/ClaimPublisher.java
          src/main/java/hudson/plugins/claim/ClaimTestDataPublisher.java
          src/main/java/hudson/plugins/claim/ClaimedBuildsReport.java
          src/main/java/hudson/plugins/claim/DescribableTestAction.java
          src/main/resources/hudson/plugins/claim/ClaimConfig/config.jelly
          src/test/java/hudson/plugins/claim/ClaimBFATest.java
          src/test/java/hudson/plugins/claim/ClaimEmailerTest.java
          src/test/java/hudson/plugins/claim/ClaimGroovyTest.java
          src/test/java/hudson/plugins/claim/ClaimTest.java
          http://jenkins-ci.org/commit/claim-plugin/56c54d353129af2c024d29b5abb9e0772422ebea
          Log:
          Merge pull request #30 from Greybird/JENKINS-43811

          JENKINS-43811 Arbitrary code execution vulnerability

          Compare: https://github.com/jenkinsci/claim-plugin/compare/f2bec8c54bfc...56c54d353129

          ricktw Rick Oosterholt added a comment -

          What needs to be done in order to get rid of the "Arbitrary code execution vulnerability in rare circumstances" warning in Jenkins?

          greybird Arnaud TAMAILLON added a comment -

          Hi,

          The plugin version 2.10 is released, even if it does not appear yet in the update center.

          The PR to remove the warning is there: https://github.com/jenkins-infra/backend-update-center2/pull/170

          I believe we need to give the Jenkins team some time to handle that.

          Arnaud


            People

            • Assignee:
              greybird Arnaud TAMAILLON
              Reporter:
              ricktw Rick Oosterholt