Devuan bug report logs - #566
Sensitive Information Disclosure

version graph

Packages: server, jenkins; Maintainer for server is (unknown); Maintainer for jenkins is (unknown);

Reported by: Nitish Singh <nitishsingh78697@gmail.com>

Date: Thu, 11 Mar 2021 03:03:01 UTC

Severity: normal

Found in version 2.194

Done: Mark Hindley <mark@hindley.org.uk>

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#566; Package jenkins server. (Thu, 11 Mar 2021 03:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Nitish Singh <nitishsingh78697@gmail.com>:
New bug report received and forwarded. Copy sent to devuan-dev@lists.dyne.org.

Your message specified a Severity: in the pseudo-header, but the severity value high was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, normal, minor, wishlist.

(Thu, 11 Mar 2021 03:03:15 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):

From: Nitish Singh <nitishsingh78697@gmail.com>
To: submit@bugs.devuan.org
Subject: Sensitive Information Disclosure
Date: Thu, 11 Mar 2021 08:22:55 +0530
[Message part 1 (text/plain, inline)]
Package: JENKINS SERVER
Version: 2.194
Severity: HIGH


Summary
I found a Jenkins server running on the public internet which is easy to
access and get sensitive information.

Steps To Reproduce
1. Visit the link https://46.105.191.79/  there is options to sign up.
2. You will get access to all the projects to check the files and check
their users.
3. If a hacker gets access to the .git file he uses and does something
against your organisation.

POC video is attached to this email.
[Message part 2 (text/html, inline)]
[POC_devuan.mp4 (video/mp4, attachment)]

Marked bug as done Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.devuan.org. (Tue, 24 Jan 2023 18:12:01 GMT) (full text, mbox, link).


Notification sent to Nitish Singh <nitishsingh78697@gmail.com>:
bug acknowledged by developer. (Tue, 24 Jan 2023 18:12:02 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Thu Dec 26 06:38:08 2024;