Hi there,
Thanks for the information, but the URL you mention validates regular
expressions for the CVS plugin; it has nothing to do with databases,
makes no SQL queries, nor does it access any files, AFAIK.
Could you maybe explain further what the error is you're seeing?
If possible, could you please report security issues under the SECURITY
project on JIRA, rather than on the users' mailing list?
http://issues.jenkins-ci.org/browse/SECURITY
See also the wiki page:
https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories
Thanks,
Chris
On 03/02/15 15:54, Wt Riker wrote:
I posted this once but it seems to have disappeared so my apologies if
it shows up as a duplicate. I have discovered a security vulnerability
in Jenkins (1.569). I am a sys admin, not a Jenkins admin, so I do not
know how this link is generated and I don't want to start mucking with
Jenkins code to fix it. When a job is created, a link like this is generated:
http://jenkins.server.com:8080/job/64-bit_CHRIS_PLAY_TEST_HUV02MS/descriptorByName/hudson.scm.ExcludedRegion/checkPattern
This link is vulnerable to SQL injection. The usual way to correct this
is to use prepared statements. In any case I am guessing this has been
addressed already and I am looking for the fix. TIA.
--
You received this message because you are subscribed to the Google Groups "Jenkins
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/54D0E365.9080002%40orr.me.uk.
For more options, visit https://groups.google.com/d/optout.
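For readers trying to follow Chris's point about what a descriptorByName/.../checkPattern URL actually does: in Jenkins, such URLs route to a descriptor's form-validation method, which receives the field value as a query parameter and returns a FormValidation result. The sketch below is an added illustration written for this thread, not the CVS plugin's code; the class and method names, and the exact message strings, are assumptions. It shows that the only thing such a validator does with the input is hand it to the regex compiler, so there is no SQL statement, prepared or otherwise, for the value to reach.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

import hudson.util.FormValidation;
import org.kohsuke.stapler.QueryParameter;

/**
 * Illustrative descriptor-style validator (assumed structure, not the
 * plugin's own source). A request to
 *   .../descriptorByName/<fully.qualified.Class>/checkPattern?value=<text>
 * is dispatched by Stapler to doCheckPattern(); "value" is the usual
 * query-parameter name Jenkins form validation uses.
 */
public class ExcludedRegionValidatorExample {

    // Called for the "pattern" form field. The input is only ever passed
    // to Pattern.compile(); nothing is stored, queried or written.
    public FormValidation doCheckPattern(@QueryParameter String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Pattern must not be empty");
        }
        try {
            Pattern.compile(value);
            return FormValidation.ok();
        } catch (PatternSyntaxException e) {
            // Echoes the parser's description back to the form field.
            return FormValidation.error("Invalid regular expression: " + e.getDescription());
        }
    }

    // Stand-alone helper so the behaviour can be exercised without a
    // running Jenkins: true when the text compiles as a Java regex.
    public static boolean isValidPattern(String value) {
        if (value == null || value.trim().isEmpty()) {
            return false;
        }
        try {
            Pattern.compile(value);
            return true;
        } catch (PatternSyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including SQL-looking text: the
        // validator treats it as a regex and nothing else.
        String[] samples = {
            "^build/.*\\.log$",
            "' OR 1=1 --",
            "(unclosed",
            ""
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + (isValidPattern(s) ? "valid regex" : "rejected"));
        }
    }
}
```

A quick practitioner check that needs no code: request the URL with a deliberately malformed expression such as `?value=(unclosed` and with a well-formed one; the responses differ only in the FormValidation message, which is the behaviour of a regex check, not of a database query.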