CVE-2012-6073: Input Validation
First published: Fri Dec 28 2012(Updated: )
Jenkins Security Advisory 2012-11-20 The second vulnerability is so-called open redirect vulnerability. This allows an anonymous attacker to create an URL that looks as if it's pointing to Jenkins, yet it actually lands on the site that the attacker controls. This can be therefore used as a basis for phishing. Fix: Main line users should upgrade to Jenkins 1.491 LTS users should upgrade to 1.480.1 External URLs: <a href="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20">https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20</a> <a href="http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-11-20.cb">http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-11-20.cb</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins | =1.447.1.1 | |
| Jenkins | =1.447.2.2 | |
| Jenkins | =1.447.3.1 | |
| Jenkins | =1.400 | |
| Jenkins | =1.424 | |
| Jenkins | =1.447 | |
| Jenkins LTS | <=1.466.2 | |
| Jenkins LTS | =1.409.1 | |
| Jenkins LTS | =1.409.2 | |
| Jenkins LTS | =1.409.3 | |
| Jenkins LTS | =1.424.1 | |
| Jenkins LTS | =1.424.2 | |
| Jenkins LTS | =1.424.3 | |
| Jenkins LTS | =1.424.4 | |
| Jenkins LTS | =1.424.5 | |
| Jenkins LTS | =1.424.6 | |
| Jenkins LTS | =1.447.1 | |
| Jenkins LTS | =1.447.2 | |
| Jenkins LTS | =1.466.1 | |
| Jenkins | =1.424.0.2 | |
| Jenkins | =1.424.0.4 | |
| Jenkins | =1.424.1.1 | |
| Jenkins | =1.424.2.1 | |
| Jenkins | =1.424.4.1 | |
| Jenkins | =1.424.5.1 | |
| Jenkins | =1.424.6.1 | |
| Jenkins | =1.424.6.11 | |
| Jenkins | <=1.480.3.1 | |
| Jenkins LTS | =1.400 | |
| Jenkins LTS | =1.401 | |
| Jenkins LTS | =1.402 | |
| Jenkins LTS | =1.403 | |
| Jenkins LTS | =1.404 | |
| Jenkins LTS | =1.405 | |
| Jenkins LTS | =1.406 | |
| Jenkins LTS | =1.407 | |
| Jenkins LTS | =1.408 | |
| Jenkins LTS | =1.409 | |
| Jenkins LTS | =1.410 | |
| Jenkins LTS | =1.411 | |
| Jenkins LTS | =1.412 | |
| Jenkins LTS | =1.413 | |
| Jenkins LTS | =1.414 | |
| Jenkins LTS | =1.415 | |
| Jenkins LTS | =1.416 | |
| Jenkins LTS | =1.417 | |
| Jenkins LTS | =1.418 | |
| Jenkins LTS | =1.419 | |
| Jenkins LTS | =1.420 | |
| Jenkins LTS | =1.421 | |
| Jenkins LTS | =1.422 | |
| Jenkins LTS | =1.423 | |
| Jenkins LTS | =1.424 | |
| Jenkins LTS | =1.425 | |
| Jenkins LTS | =1.426 | |
| Jenkins LTS | =1.427 | |
| Jenkins LTS | =1.428 | |
| Jenkins LTS | =1.429 | |
| Jenkins LTS | =1.430 | |
| Jenkins LTS | =1.431 | |
| Jenkins LTS | =1.432 | |
| Jenkins LTS | =1.433 | |
| Jenkins LTS | =1.434 | |
| Jenkins LTS | =1.435 | |
| Jenkins LTS | =1.436 | |
| Jenkins LTS | =1.437 | |
| Jenkins | =1.466.1.2 | |
| Jenkins | =1.466.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2013-0220.html
- http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-11-20.cb
- http://www.openwall.com/lists/oss-security/2012/12/28/1
- https://bugzilla.redhat.com/show_bug.cgi?id=890608
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20
- https://rhn.redhat.com/errata/RHSA-2013-0220.html
Frequently Asked Questions
What is the severity of CVE-2012-6073?
CVE-2012-6073 is classified as a medium severity open redirect vulnerability.
How do I fix CVE-2012-6073?
To fix CVE-2012-6073, update Jenkins to a version that addresses the open redirect issue.
Which versions of Jenkins are affected by CVE-2012-6073?
CVE-2012-6073 affects multiple versions of Jenkins including 1.400 through 1.466.2.
Can CVE-2012-6073 allow an attacker to redirect to malicious sites?
Yes, CVE-2012-6073 allows attackers to craft URLs that redirect users to potentially harmful sites.
Is there a workaround for CVE-2012-6073 if I cannot update Jenkins?
A recommended workaround for CVE-2012-6073 is to disable features in Jenkins that utilize URL redirection.
- agent/type
- agent/first-publish-date
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-6073
- agent/last-modified-date
- agent/author
- agent/severity
- agent/weakness
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/cloudbees
- canonical/jenkins
- version/jenkins/1.447.1.1
- version/jenkins/1.447.2.2
- version/jenkins/1.447.3.1
- version/jenkins/1.400
- version/jenkins/1.424
- version/jenkins/1.447
- vendor/jenkins
- canonical/jenkins lts
- version/jenkins lts/1.466.2
- version/jenkins lts/1.409.1
- version/jenkins lts/1.409.2
- version/jenkins lts/1.409.3
- version/jenkins lts/1.424.1
- version/jenkins lts/1.424.2
- version/jenkins lts/1.424.3
- version/jenkins lts/1.424.4
- version/jenkins lts/1.424.5
- version/jenkins lts/1.424.6
- version/jenkins lts/1.447.1
- version/jenkins lts/1.447.2
- version/jenkins lts/1.466.1
- version/jenkins/1.424.0.2
- version/jenkins/1.424.0.4
- version/jenkins/1.424.1.1
- version/jenkins/1.424.2.1
- version/jenkins/1.424.4.1
- version/jenkins/1.424.5.1
- version/jenkins/1.424.6.1
- version/jenkins/1.424.6.11
- version/jenkins/1.480.3.1
- version/jenkins lts/1.400
- version/jenkins lts/1.401
- version/jenkins lts/1.402
- version/jenkins lts/1.403
- version/jenkins lts/1.404
- version/jenkins lts/1.405
- version/jenkins lts/1.406
- version/jenkins lts/1.407
- version/jenkins lts/1.408
- version/jenkins lts/1.409
- version/jenkins lts/1.410
- version/jenkins lts/1.411
- version/jenkins lts/1.412
- version/jenkins lts/1.413
- version/jenkins lts/1.414
- version/jenkins lts/1.415
- version/jenkins lts/1.416
- version/jenkins lts/1.417
- version/jenkins lts/1.418
- version/jenkins lts/1.419
- version/jenkins lts/1.420
- version/jenkins lts/1.421
- version/jenkins lts/1.422
- version/jenkins lts/1.423
- version/jenkins lts/1.424
- version/jenkins lts/1.425
- version/jenkins lts/1.426
- version/jenkins lts/1.427
- version/jenkins lts/1.428
- version/jenkins lts/1.429
- version/jenkins lts/1.430
- version/jenkins lts/1.431
- version/jenkins lts/1.432
- version/jenkins lts/1.433
- version/jenkins lts/1.434
- version/jenkins lts/1.435
- version/jenkins lts/1.436
- version/jenkins lts/1.437
- version/jenkins/1.466.1.2
- version/jenkins/1.466.2.1