Jenkins Security Bulletin: Fixes for RCE, Directory Traversal, XSS (CVE-2013-7285/5573)

Key Information Vulnerability Details SECURITY-105: Jenkins XML API uses XStream to deserialize arbitrary content, affected by CVE-2013-7285, which may allow malicious users to execute arbitrary code. SECURITY-76 & SECURITY-88 / CVE-2013-5573: HTML tag restrictions are too lenient, potentially allowing users to be tricked into providing sensitive information. SECURITY-109: A new issue introduced while fixing SECURITY-55, allowing malicious users to configure jobs to trigger other jobs without proper authorization. SECURITY-108: CI job creation contains a directory traversal vulnerability, potentially enabling file overwriting and privilege escalation. SECURITY-106: The embedded Winstone Servlet container is vulnerable to session hijacking attacks. SECURITY-93: Password parameters are displayed in plain text in the Jenkins UI; default values for sensitive parameters may be exposed. SECURITY-89: API tokens are not invalidated when a user is deleted, allowing unauthorized access. SECURITY-80: Jenkins UI is vulnerable to clickjacking attacks. SECURITY-79: Jenkins' built-in user database reveals whether users exist or not. SECURITY-77: Cross-site scripting (XSS) vulnerability; exploitable if an attacker can overwrite Jenkins cookies. SECURITY-75: Session fixation attack risk; exploitable under the same conditions as SECURITY-77. SECURITY-74: Stored XSS vulnerability, allowing arbitrary HTML fragments to be stored. SECURITY-73: System diagnostics feature has weak permission checks, potentially leaking information under limited circumstances. Vulnerability Severity High: SECURITY-106, SECURITY-80, SECURITY-105, SECURITY-109, SECURITY-108, SECURITY-74. Medium: SECURITY-76, SECURITY-88, SECURITY-89. Low: SECURITY-93, SECURITY-79, SECURITY-77, SECURITY-75, SECURITY-73. Remediation Mainline users should upgrade to Jenkins 1.551. LTS users should upgrade to 1.532.2. Additional Resources CloudBees Security Advisory for Jenkins Enterprise.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Bulletin: Fixes for RCE, Directory Traversal, XSS (CVE-2013-7285/5573)