From cc7bdc55abcc3b08247c3205bcdc6a734df9f2e4 Mon Sep 17 00:00:00 2001 From: Li-Wen Hsu Date: Sat, 15 Feb 2014 09:07:33 +0000 Subject: [PATCH] whitespace Notified by: remko --- security/vuxml/vuln.xml | 78 ++++++++++++++++++++--------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 18701ed373df..ea884b70ec13 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -73,48 +73,48 @@ Note: Please add new entries to the beginning of this file.
  • iSECURITY-105

    In some places, Jenkins XML API uses XStream to deserialize - arbitrary content, which is affected by CVE-2013-7285 reported - against XStream. This allows malicious users of Jenkins with - a limited set of permissions to execute arbitrary code inside - Jenkins master.

    + arbitrary content, which is affected by CVE-2013-7285 reported + against XStream. This allows malicious users of Jenkins with + a limited set of permissions to execute arbitrary code inside + Jenkins master.

  • SECURITY-76 & SECURITY-88 / CVE-2013-5573

    Restrictions of HTML tags for user-editable contents are too - lax. This allows malicious users of Jenkins to trick other - unsuspecting users into providing sensitive information.

    + lax. This allows malicious users of Jenkins to trick other + unsuspecting users into providing sensitive information.

  • SECURITY-109

    Plugging a hole in the earlier fix to SECURITY-55. Under some - circimstances, a malicious user of Jenkins can configure job - X to trigger another job Y that the user has no access to.

    + circimstances, a malicious user of Jenkins can configure job + X to trigger another job Y that the user has no access to.

  • SECURITY-108

    CLI job creation had a directory traversal vulnerability. This - allows a malicious user of Jenkins with a limited set of - permissions to overwrite files in the Jenkins master and - escalate privileges.

    + allows a malicious user of Jenkins with a limited set of + permissions to overwrite files in the Jenkins master and + escalate privileges.

  • SECURITY-106

    The embedded Winstone servlet container is susceptive to - session hijacking attack.

    + session hijacking attack.

  • SECURITY-93

    The password input control in the password parameter - definition in the Jenkins UI was serving the actual value of - the password in HTML, not an encrypted one. If a sensitive - value is set as the default value of such a parameter - definition, it can be exposed to unintended audience.

    + definition in the Jenkins UI was serving the actual value of + the password in HTML, not an encrypted one. If a sensitive + value is set as the default value of such a parameter + definition, it can be exposed to unintended audience.

  • SECURITY-89

    Deleting the user was not invalidating the API token, - allowing users to access Jenkins when they shouldn't be - allowed to do so.

    + allowing users to access Jenkins when they shouldn't be + allowed to do so.

  • SECURITY-80

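Review bot: Every `-`/`+` pair in this hunk differs only in leading whitespace, so the reindented SECURITY-109 paragraph still carries the misspelling "circimstances" (should be "circumstances"); that is correct for a commit titled "whitespace", but it should be queued as a separate text fix rather than forgotten. Before merging, confirm the hunk is whitespace-only by checking that `git show -w` (equivalently `git diff --ignore-all-space`) yields an empty diff for security/vuxml/vuln.xml, and run `make validate` in security/vuxml so the reindented XHTML body of the Jenkins entry still passes the schema check.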
    @@ -123,52 +123,52 @@ Note: Please add new entries to the beginning of this file.
  • SECURITY-79

    "Jenkins' own user database" was revealing the - presence/absence of users when login attempts fail.

    + presence/absence of users when login attempts fail.

  • SECURITY-77

    Jenkins had a cross-site scripting vulnerability in one of its - cookies. If Jenkins is deployed in an environment that allows - an attacker to override Jenkins cookies in victim's browser, - this vulnerability can be exploited.

    + cookies. If Jenkins is deployed in an environment that allows + an attacker to override Jenkins cookies in victim's browser, + this vulnerability can be exploited.

  • SECURITY-75

    Jenkins was vulnerable to session fixation attack. If Jenkins - is deployed in an environment that allows an attacker to - override Jenkins cookies in victim's browser, this - vulnerability can be exploited.

    + is deployed in an environment that allows an attacker to + override Jenkins cookies in victim's browser, this + vulnerability can be exploited.

  • SECURITY-74

    Stored XSS vulnerability. A malicious user of Jenkins with a - certain set of permissions can cause Jenkins to store - arbitrary HTML fragment.

    + certain set of permissions can cause Jenkins to store + arbitrary HTML fragment.

  • SECURITY-73

    Some of the system diagnostic functionalities were checking a - lesser permission than it should have. In a very limited - circumstances, this can cause an attacker to gain information - that he shouldn't have access to.

    + lesser permission than it should have. In a very limited + circumstances, this can cause an attacker to gain information + that he shouldn't have access to.

  • Severity

    1. SECURITY-106, and SECURITY-80 are rated high. An attacker only - needs direct HTTP access to the server to mount this attack.
    2. + needs direct HTTP access to the server to mount this attack.
    3. SECURITY-105, SECURITY-109, SECURITY-108, and SECURITY-74 are - rated high. These vulnerabilities allow attackes with valid - Jenkins user accounts to escalate privileges in various ways.
    4. + rated high. These vulnerabilities allow attackes with valid + Jenkins user accounts to escalate privileges in various ways.
    5. SECURITY-76, SECURIT-88, and SECURITY-89 are rated medium. - These vulnerabilities requires an attacker to be an user of - Jenkins, and the mode of the attack is limited.
    6. + These vulnerabilities requires an attacker to be an user of + Jenkins, and the mode of the attack is limited.
    7. SECURITY-93, and SECURITY-79 are rated low. These - vulnerabilities only affect a small part of Jenkins and has - limited impact.
    8. + vulnerabilities only affect a small part of Jenkins and has + limited impact.
    9. SECURITY-77, SECURITY-75, and SECURITY-73 are rated low. These - vulnerabilities are hard to exploit unless combined with other - exploit in the network.
    10. + vulnerabilities are hard to exploit unless combined with other + exploit in the network.
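Review bot: The Severity list reindented in this hunk references "SECURIT-88", a mistyped identifier that does not match the "SECURITY-76 & SECURITY-88" heading earlier in the same entry, so a reader searching the file for SECURITY-88 never finds its medium rating; the same lines also keep "attackes" and "an user". Leave them untouched here, since the commit is whitespace-only by design, but they warrant a follow-up content commit against the same entry. The 1. through 10. numbering seen in this view is the `-` and `+` copies of the same five list items being counted separately, not a change to the list, so nothing in the hunk needs to be reworked for that.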