Just to clear this up, since it was reported publicly: This appears to be from the CVS plugin and is clearly a false positive: https://github.com/jenkinsci/cvs-plugin/blob/master/src/main/java/hudson/scm/ExcludedRegion.java#L100
It seems the scanner mistakes printing parts of the input (to return a helpful error message about an invalid regex to the user) as SQL injection for some reason.

On 03.02.2015, at 15:54, Wt Riker <[email protected]> wrote:

> I posted this once but it seems to have disappeared so my apologies if it
> shows up as a duplicate. I have discovered a security vulnerability in
> Jenkins (1.569). I am a sys admin, not a Jenkins admin, so I do not know how
> this link is generated and I don't want to start mucking with Jenkins code to
> fix it. When a job is created a link like this is generated:
>
> http://jenkins.server.com:8080/job/64-bit_CHRIS_PLAY_TEST_HUV02MS/descriptorByName/hudson.scm.ExcludedRegion/checkPattern
>
> This link is vulnerable to SQL injection. The usual way to correct this is to
> use prepared statements. In any case I am guessing this has been addressed
> already and I am looking for the fix. TIA.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-users/eb52c2a4-1359-4603-afa1-61dd0f39d172%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
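To make the false positive concrete, here is an added illustration (not the CVS plugin's or Jenkins' own code): a Python stand-in for a checkPattern-style form validator that compiles the submitted regex and quotes it back in the error text, beside a hypothetical scanner heuristic that flags "SQL injection" whenever its probe string comes back verbatim in the response. The function names, the error wording and the probe strings are assumptions made for the example; Python's re syntax also differs from java.util.regex, so exactly which probes fail to compile may differ from the real endpoint.

```python
import re


def check_pattern(value: str) -> dict:
    """Stand-in for a checkPattern-style validation endpoint (assumed shape,
    not the CVS plugin's code): compile the user-supplied regex and, if it is
    invalid, return an error that echoes the offending input so the user can
    fix it. Nothing here touches a database."""
    try:
        re.compile(value)
    except re.error as exc:
        # Echoing the pattern is the "printing parts of the input" the
        # reply refers to; the wording of this message is constructed.
        return {
            "kind": "error",
            "message": f"Invalid regular expression '{value}': {exc.msg}",
        }
    return {"kind": "ok", "message": ""}


# Constructed probes of the kind an automated scanner might submit.
SQLI_PROBES = [
    "' OR 1=1--",          # compiles fine as a regex: nothing is echoed
    "1') OR ('1'='1",      # unbalanced ')' -> regex error -> input echoed
]


def naive_reflection_scanner(endpoint, probes):
    """Hypothetical scanner logic (an assumption about how such a tool
    behaves): report 'SQL injection' for every probe that is reflected
    verbatim in the response. This is exactly the reasoning that turns a
    helpful regex error message into a bogus finding."""
    findings = []
    for probe in probes:
        resp = endpoint(probe)
        if probe in resp["message"]:
            findings.append(probe)
    return findings


def triage(endpoint, probe):
    """What a reviewer does with such a finding: look at the response and
    classify it. A regex parse error quoting the input is reflection, not
    evidence that the input reached a SQL query."""
    resp = endpoint(probe)
    if resp["kind"] == "ok":
        return "no reflection"
    if "Invalid regular expression" in resp["message"]:
        return "reflected in regex error (no SQL involved)"
    return "needs manual review"


if __name__ == "__main__":
    for probe in SQLI_PROBES:
        print(repr(probe), "->", check_pattern(probe))
    print("scanner findings:", naive_reflection_scanner(check_pattern, SQLI_PROBES))
    for probe in SQLI_PROBES:
        print(repr(probe), "=>", triage(check_pattern, probe))
```

The point the run makes: only the probe that is also a malformed regex is echoed, and it is echoed by the regex compiler's error path, which is why a scanner keyed on reflection alone reports it. Confirming a real finding would require a database error signature or a behavioural difference (boolean- or time-based), neither of which a regex-validation endpoint can produce.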
