Devuan bug report logs - #566
Sensitive Information Disclosure

Packages: jenkins, server; Maintainer for jenkins is (unknown); Maintainer for server is (unknown);

Reported by: Nitish Singh <nitishsingh78697@gmail.com>

Date: Thu, 11 Mar 2021 03:03:01 UTC

Severity: normal

Found in version 2.194

Done: Mark Hindley <mark@hindley.org.uk>

Full log


X-Loop: owner@bugs.devuan.org
Subject: bug#566: Sensitive Information Disclosure
Reply-To: Nitish Singh <nitishsingh78697@gmail.com>, 566@bugs.devuan.org
Resent-From: Nitish Singh <nitishsingh78697@gmail.com>
Resent-To: devuan-bugs@lists.dyne.org
Resent-CC: devuan-dev@lists.dyne.org
X-Loop: owner@bugs.devuan.org
Resent-Date: Thu, 11 Mar 2021 03:03:02 +0000
Resent-Message-ID: <handler.566.B.161543160722656@bugs.devuan.org>
Resent-Sender: owner@bugs.devuan.org
X-Devuan-PR-Message: report 566
X-Devuan-PR-Package: jenkins server
X-Devuan-PR-Keywords: 
Received: via spool by submit@bugs.devuan.org id=B.161543160722656
          (code B); Thu, 11 Mar 2021 03:03:02 +0000
Received: (at submit) by bugs.devuan.org; 11 Mar 2021 03:00:07 +0000
Delivered-To: devuanbugs@dyne.org
Received: from tupac3.dyne.org [195.169.149.119]
	by doc.devuan.org with IMAP (fetchmail-6.4.0.beta4)
	for <debbugs@localhost> (single-drop); Thu, 11 Mar 2021 03:00:04 +0000 (UTC)
Received: from mail-lj1-f181.google.com (mail-lj1-f181.google.com [209.85.208.181])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by vm6.ganeti.dyne.org (Postfix) with ESMTPS id AC7E5F60A0F
	for <submit@bugs.devuan.org>; Thu, 11 Mar 2021 03:53:20 +0100 (CET)
Authentication-Results: vm6.ganeti.dyne.org;
	dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="NIDLoXrE";
	dkim-atps=neutral
Received: by mail-lj1-f181.google.com with SMTP id z8so208687ljm.12
        for <submit@bugs.devuan.org>; Wed, 10 Mar 2021 18:53:20 -0800 (PST)
MIME-Version: 1.0
From: Nitish Singh <nitishsingh78697@gmail.com>
Date: Thu, 11 Mar 2021 08:22:55 +0530
Message-ID: <CAP6CBM1p_GwNvz-AjrTQxTAup6js_SMY+244GeZedXJ=bKPTEw@mail.gmail.com>
To: submit@bugs.devuan.org
Content-Type: multipart/mixed; boundary="0000000000006a608a05bd39e2ba"
[Message part 1 (text/plain, inline)]
Package: JENKINS SERVER
Version: 2.194
Severity: HIGH


Summary
I found a Jenkins server running on the public internet which is easy to
access and get sensitive information.

Steps To Reproduce
1. Visit the link https://46.105.191.79/; there are options to sign up.
2. You will get access to all the projects to check the files and check
their users.
3. If a hacker gets access to the .git file, he uses it and does something
against your organisation.

POC video is attached to this email.
[Message part 2 (text/html, inline)]
[POC_devuan.mp4 (video/mp4, attachment)]
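As an added example, not part of the report or of Devuan's or Jenkins' own code: a small audit of a Jenkins config.xml for the two settings that together produce what the report describes (self-registration open, plus an authorization strategy that gives every logged-in account full control). The element and class names follow the config.xml layout of Jenkins' built-in user database and stock authorization strategies; both XML samples are constructed for the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample of a Jenkins $JENKINS_HOME/config.xml in the weak state the report
# describes: self-registration open and full control for anyone who signs up and logs in.
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""
# The same file after hardening: sign-up closed and explicit matrix permissions.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""
# Strategies that grant every account (or everyone) full control.
PERMISSIVE_STRATEGIES = {
    "hudson.security.AuthorizationStrategy$Unsecured",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy",
}
def _flag(node, tag, default=""):
    # Lower-cased text of a child element, or the default when the element is absent.
    text = node.findtext(tag) if node is not None else None
    return (text if text is not None else default).strip().lower()

def audit_jenkins_config(xml_text):
    """Return a list of findings for a config.xml; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    if _flag(root, "useSecurity") != "true":
        findings.append("security disabled: useSecurity is not true")
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == "hudson.security.HudsonPrivateSecurityRealm":
        if _flag(realm, "disableSignup", "false") != "true":
            findings.append("self-registration open: disableSignup is not true")
    strategy = root.find("authorizationStrategy")
    strategy_class = strategy.get("class") if strategy is not None else None
    if strategy_class in PERMISSIVE_STRATEGIES:
        findings.append("permissive authorization strategy: " + strategy_class)
    if _flag(strategy, "denyAnonymousReadAccess") == "false":
        findings.append("anonymous read access allowed: denyAnonymousReadAccess is false")
    return findings
```

Run it against a copy of the live config.xml rather than the constructed samples to see which of the three conditions an instance actually exhibits.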


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Sun Nov 24 11:58:26 2024;