Date: Mon, 5 Feb 2018 14:09:15 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins


> On 5. Feb 2018, at 13:17, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-521
> JUnit plugin is affected by an XML External Entity (XXE) processing 
> vulnerability. This allows an attacker to configure build processes such 
> that JUnit plugin parses a maliciously crafted file that uses external 
> entities for extraction of secrets from the Jenkins master, server-side 
> request forgery, or denial-of-service attacks.

CVE-2018-1000056


> SECURITY-659 (CCM)

CVE-2018-1000054


> SECURITY-660 (Android Lint)

CVE-2018-1000055


> SECURITY-698
> Credentials Binding plugin allows specifying passwords and other secrets as
> environment variables, and will hide them from console output in builds.
> 
> However, since Jenkins will try to resolve references to other environment 
> variables in environment variables passed to a build, this can result in 
> other values than the one specified being provided to a build. For 
> example, the value p4$$w0rd would result in Jenkins passing on p4$w0rd, as 
> $$ is the escape sequence for a single $.
> 
> Credentials Binding plugin does not prevent such a transformed value (e.g. 
> p4$w0rd) from being shown on the build log, allowing users to reconstruct 
> the actual password value from the transformed one.
> 
> Credentials Binding plugin will now escape any $ characters in password 
> values so they are correctly passed to the build.

CVE-2018-1000057


> SECURITY-699
> Arbitrary code execution due to incomplete sandbox protection in Pipeline: 
> Supporting APIs Plugin: Methods related to Java deserialization like 
> readResolve implemented in Pipeline scripts were not subject to sandbox 
> protection, and could therefore execute arbitrary code. This could be 
> exploited e.g. by regular Jenkins users with the permission to configure 
> Pipelines in Jenkins, or by trusted committers to repositories containing 
> Jenkinsfiles.
> 
> Deserialization of objects in Pipeline is now also subject to sandbox 
> protection.

CVE-2018-1000058
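
Added example, not part of the original message and not Jenkins or plugin code: a simplified Python model of the SECURITY-698 behaviour quoted above. It shows why a log mask that matches only the literal secret misses the resolved value, and how escaping $ before resolution avoids that. The function names, the log line and the resolver's treatment of unknown references are assumptions.

```python
import re

# Simplified model of environment-variable resolution (an assumption, not
# Jenkins' resolver): "$$" is the escape for a literal "$", and "$NAME" or
# "${NAME}" is replaced when NAME is a known variable.
_TOKEN = re.compile(r"\$\$|\$\{(\w+)\}|\$(\w+)")


def resolve(value, env):
    """Expand variable references in value; '$$' collapses to '$'."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"
        name = m.group(1) or m.group(2)
        return env.get(name, m.group(0))  # unknown references stay as written
    return _TOKEN.sub(sub, value)


def mask(line, secrets):
    """Replace each literal secret in a log line, longest first."""
    for s in sorted(secrets, key=len, reverse=True):
        if s:
            line = line.replace(s, "****")
    return line


def escape_dollars(secret):
    """The fix described in the advisory: escape every '$' in the secret."""
    return secret.replace("$", "$$")


def run_build(secret, escape, env=None):
    """Return (value the build receives, masked log line echoing that value)."""
    bound = escape_dollars(secret) if escape else secret
    received = resolve(bound, env or {})
    log = mask("login with " + received, [secret])
    return received, log


if __name__ == "__main__":
    secret = "p4$$w0rd"  # the value used in the advisory text
    print("unescaped:", run_build(secret, escape=False))
    print("escaped:  ", run_build(secret, escape=True))
```
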
