ASA-2018-00088 – Jenkins: Workspace browser allowed accessing files outside the workspace


Allele Security Alert

ASA-2018-00088

Identifier(s)

ASA-2018-00088, CVE-2018-1000862, SECURITY-904

Title

Workspace browser allowed accessing files outside the workspace

Vendor(s)

Jenkins project

Product(s)

Jenkins (core)

Affected version(s)

Jenkins 2.153
Jenkins 2.138.3

Fixed version(s)

Jenkins 2.154
Jenkins LTS 2.138.4 or 2.150.1

Proof of concept

Unknown

Description

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ followed symbolic links to locations outside the directory being browsed.

While builds typically have access to the file system outside the workspace allocated by Jenkins, this should not extend to beyond the execution of a build on that agent. Notably, the configuration may have been changed to not allow a build to run on a given agent, but the workspace used during the previous execution still exists, and could allow browsing the file system outside the workspace.

Technical details

Unknown

Credits

Apple Information Security

Reference(s)

Jenkins Security Advisory 2018-12-05
https://jenkins.io/security/advisory/2018-12-05/

CloudBees Security Advisory 2018-12-05
https://www.cloudbees.com/cloudbees-security-advisory-2018-12-05

[SECURITY-904]
https://github.com/jenkinsci/jenkins/commit/c19cc705688cfffa4fe735e0edbe84862b6c135f

CVE-2018-1000862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000862

CVE-2018-1000862
https://nvd.nist.gov/vuln/detail/CVE-2018-1000862

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.