Security vulnerabilities should be reported using the process on https://wiki.jenkins-ci.org/display/JENKINS/Security+Advisories and not publicly disclosed straight away to give the project time to fix affected versions.

Having said all that Jenkins doesn't (usually) use a database so not sure how you've managed to find a SQL vulnerability?

Cheers
Richard

On 4/02/2015 4:18 AM, "Wt Riker" <[email protected]> wrote:

> I have uncovered a security vulnerability in Jenkins (1.569) that needs to
> be resolved. When creating a job this link results:
>
> http://jenkins.server.com:8080/job/64-bit_CHRIS_PLAY_TEST_HUV02MS/descriptorByName/hudson.scm.ExcludedRegion/checkPattern
>
> As a sys admin, not a Jenkins admin, I do not know how this link is
> generated. However, it is vulnerable to SQL injection. The most common
> solution is to use prepared statements but I can't spend the time learning
> how Jenkins works to fix it myself and I don't want to introduce
> non-standard code. I am guessing that this problem has already been
> addressed somehow. Is there a patch available? Thanks.
