Unauthorized URL redirect via HTTP host poisoning vulnerability with Jenkins


Unauthorized URL redirect via HTTP host poisoning vulnerability with Jenkins

Mohtashim S

We have noticed that if we change the Host header in an HTTP request to Jenkins and fire the request, then Jenkins is vulnerable to HTTP Host header injection.

Change the Host header of the Jenkins request to, say, xyz.com, and it successfully redirects to xyz.com.

How do we address this vulnerability of Jenkins?

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/3706acc8-6a71-4a69-b17b-ec2f35ec1ed6n%40googlegroups.com.
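The behaviour described in this post, as an added example that is not code from the original thread or from Jenkins itself: a minimal redirect handler that builds its Location header from the client-supplied Host header (the pattern the poster observed), beside a hardened version that pins the redirect to a configured root URL and refuses unrecognised Host values, plus the probe a tester would run against both. The root URL, the Host allowlist and the request headers are constructed for the example and are assumptions, not Jenkins configuration.

```python
"""Host-header-driven redirect: a vulnerable handler beside a hardened one,
plus the probe a tester would run. Example code, not Jenkins's own."""
from urllib.parse import urlsplit

# Constructed configuration (assumed for this example): the canonical root
# URL an administrator would pin for the instance, and the Host values
# the server will accept.
CONFIGURED_ROOT_URL = "https://jenkins.example.com/"
ALLOWED_HOSTS = {"jenkins.example.com", "jenkins.example.com:443"}


def vulnerable_login_redirect(headers: dict, path: str = "/") -> dict:
    """Builds the Location header from the client-supplied Host header.

    This is the pattern the thread describes: whatever the client sends as
    Host ends up verbatim in the redirect target, so a spoofed Host of
    xyz.com yields a redirect to https://xyz.com/...
    """
    scheme = headers.get("X-Forwarded-Proto", "https")
    host = headers["Host"]
    return {"status": 302, "Location": f"{scheme}://{host}{path}"}


def hardened_login_redirect(headers: dict, path: str = "/") -> dict:
    """Rejects requests whose Host is not on the allowlist and builds the
    redirect from the configured root URL rather than from the request."""
    host = headers.get("Host", "").strip().lower()
    if host not in ALLOWED_HOSTS:
        # An unrecognised Host gets a 400, never a redirect.
        return {"status": 400, "Location": None}
    # Keep the target a relative path on our own origin; "//evil.com" would
    # otherwise be read by browsers as a protocol-relative absolute URL.
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return {"status": 302, "Location": CONFIGURED_ROOT_URL.rstrip("/") + path}


def is_open_redirect(response: dict, attacker_host: str) -> bool:
    """Probe check: does the Location header point at the attacker host?"""
    loc = response.get("Location")
    if not loc:
        return False
    return urlsplit(loc).netloc.lower() == attacker_host.lower()


def probe(handler, attacker_host: str = "xyz.com") -> bool:
    """Replays the thread's test: send a request with Host rewritten to
    the attacker's domain and see whether the redirect follows it."""
    spoofed = {"Host": attacker_host, "X-Forwarded-Proto": "https"}
    return is_open_redirect(handler(spoofed, "/login"), attacker_host)


if __name__ == "__main__":
    print("vulnerable handler follows spoofed Host:", probe(vulnerable_login_redirect))
    print("hardened handler follows spoofed Host:", probe(hardened_login_redirect))
```

The probe is the same check whether you run it against a handler in-process or with curl -H "Host: xyz.com" against a live instance: the finding is only real if the Location header (or an absolute URL in the response body) carries the spoofed host. The hardened handler shows the two mitigations that apply regardless of the application: reject Host values you do not serve (usually at the reverse proxy in front of the instance) and generate absolute URLs from a configured root URL instead of from the request.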

Re: Unauthorized URL redirect via HTTP host poisoning vulnerability with Jenkins

Daniel Beck


> On 25. Sep 2020, at 23:49, Mohtashim S <[hidden email]> wrote:
>
> How do we address this vulnerability of Jenkins?

https://www.jenkins.io/security/#reporting-vulnerabilities explains how to report security issues.

Please make sure in your report to explain why it is a problem for Jenkins beyond linking to the top Google result. We've previously looked into it and determined that this is unlikely to cause real issues, and have prioritized related improvements accordingly.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/5400E656-6D76-43D0-ADF0-1630073A1A2C%40beckweb.net.