This can be dangerous if you host public download sites, for example, or allow third-party code to be hosted on your servers via Git. This vulnerability could be exploited by malicious parties to execute arbitrary code on your Jenkins master if a user downloads and opens a malicious archive. Jenkins is not the only server that offers user uploads; many other build servers do as well, including GitHub, Bitbucket, etc. This issue has been addressed in XFramium Builder Plugin v1.0.23 and later.

CVE-2017-9233 XFramium Builder Plugin 1.0.23 and later addresses a potential privilege escalation vulnerability in XFramium Builder Plugin 1.0.22 and earlier that could be exploited by malicious parties to execute arbitrary code on Jenkins master if a user downloads and opens a malicious archive.

CVE-2018-6314 XFramium Builder Plugin 1.0.23 and later addresses a potential information disclosure vulnerability in XFramium Builder Plugin 1.0.22 and earlier that could be exploited by malicious parties to obtain sensitive information.

CVE-2018-6315 XFramium Builder Plugin 1.0.23 and later addresses a potential information disclosure vulnerability in XFramium Builder Plugin 1.0.22 and earlier that could be exploited by malicious parties to obtain sensitive information.

CVE-2018-6316 XFramium Builder Plugin 1.0.23 and later addresses a potential information disclosure vulnerability in XFramium Builder Plugin 1

What is XFramework?

XFramework is an open source platform for building and deploying enterprise-grade apps. It uses the best of the Java and Node.js ecosystems to provide a development environment that is fast, scalable, reliable, and more secure than ever before.
It enables developers to build their applications on the developer's laptop or local machine and then deploy them to any cloud infrastructure with a single command. It supports most programming languages, including Java, Python, Node.js, Ruby and more.

What's new in XFramework 1.0?
● Enhancements to debugging tools
- support for breakpoints in Chrome browser (breakpoints are enabled by default)
- improvements in profiler tools (including stack traces)
- improved performance when comparing objects
● Improvements for CI/CD Pipeline - bug fixes
- new features in Jenkins Pipeline plugin
● Added support for Docker containers
- support for Windows containers

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/23/2022 02:06:00 UTC