Date: Mon, 5 Feb 2018 14:09:15 +0100
From: Daniel Beck <>
Subject: Re: Multiple vulnerabilities in Jenkins plugins

> On 5. Feb 2018, at 13:17, Daniel Beck <> wrote:
> JUnit plugin is affected by an XML External Entity (XXE) processing 
> vulnerability. This allows an attacker to configure build processes such 
> that JUnit plugin parses a maliciously crafted file that uses external 
> entities for extraction of secrets from the Jenkins master, server-side 
> request forgery, or denial-of-service attacks.




> SECURITY-660 (Android Lint)


> Credentials Binding plugin allows specifying passwords and other secrets as
> environment variables, and will hide them from console output in builds.
> However, since Jenkins will try to resolve references to other environment 
> variables in environment variables passed to a build, this can result in 
> other values than the one specified being provided to a build. For 
> example, the value p4$$w0rd would result in Jenkins passing on p4$w0rd, as 
> $$ is the escape sequence for a single $.
> Credentials Binding plugin does not prevent such a transformed value (e.g. 
> p4$w0rd) from being shown on the build log, allowing users to reconstruct 
> the actual password value from the transformed one.
> Credentials Binding plugin will now escape any $ characters in password 
> values so they are correctly passed to the build.


> Arbitrary code execution due to incomplete sandbox protection in Pipeline: 
> Supporting APIs Plugin: Methods related to Java deserialization like 
> readResolve implemented in Pipeline scripts were not subject to sandbox 
> protection, and could therefore execute arbitrary code. This could be 
> exploited e.g. by regular Jenkins users with the permission to configure 
> Pipelines in Jenkins, or by trusted committers to repositories containing 
> Jenkinsfiles.
> Deserialization of objects in Pipeline is now also subject to sandbox 
> protection.
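The JUnit plugin item above describes the classic XXE shape: a report file the build can control declares an external entity, and a parser left at its defaults fetches and inlines it. The following is an added example, not code from Jenkins or the JUnit plugin. Jenkins is Java; this reproduces the same parser behaviour with Python's `xml.sax` so it runs stand-alone, toggling external-general-entity resolution the way a hardened Java parser factory would disable it. The report layout, the `master.key` stand-in file, the `hunter2` secret and all function names are constructed for the demonstration.

```python
"""XXE via a JUnit-style XML report: default parser vs hardened parser.

Added example, not Jenkins or JUnit plugin code.  Python's xml.sax stands in
for the Java SAX/DOM parsers the plugin uses; the report, secret file and
function names are constructed.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class FailureCollector(xml.sax.handler.ContentHandler):
    """Collects the character data of every <failure> element."""

    def __init__(self):
        super().__init__()
        self.failures = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "failure":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "failure" and self._buf is not None:
            self.failures.append("".join(self._buf))
            self._buf = None


def parse_report(xml_bytes, resolve_external_entities):
    """Parse a report and return the text of each <failure>.

    resolve_external_entities=True models a parser at its defaults (the
    entity's SYSTEM target is fetched and inlined, i.e. file read or SSRF).
    False models the hardened configuration: the reference is skipped.
    In Java the equivalent is disallowing DOCTYPE declarations or turning
    off external-general-entities on the parser factory.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    handler = FailureCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.failures


def malicious_report(secret_path):
    """A JUnit-style report whose failure message is an external entity.

    Real payloads use a file:// or http:// URI as the SYSTEM identifier; a
    bare filesystem path is used here so the example does not depend on URL
    handling.  The surrounding layout is a constructed stand-in.
    """
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE testsuite [\n'
        '  <!ENTITY xxe SYSTEM "%s">\n'
        ']>\n'
        '<testsuite name="evil">\n'
        '  <testcase name="t1"><failure>&xxe;</failure></testcase>\n'
        '</testsuite>\n' % secret_path
    ).encode()


def demo():
    """Return (text seen by the default parser, text seen by the hardened one)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "master.key")
        with open(secret_path, "w") as f:
            f.write("hunter2")  # constructed stand-in for a secret on the master
        report = malicious_report(secret_path)
        leaked = parse_report(report, resolve_external_entities=True)[0]
        hardened = parse_report(report, resolve_external_entities=False)[0]
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("default parser put this in the failure message:", repr(leaked))
    print("hardened parser put this in the failure message:", repr(hardened))
```

The same report parsed twice shows the whole bug: with external entities enabled the failure message becomes the contents of `master.key`, which the plugin would then store and display in the build result; with them disabled the reference is dropped and the message is empty. Disabling DOCTYPE processing entirely is the stronger fix, since it also closes the entity-expansion denial-of-service variants mentioned in the advisory.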

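The Credentials Binding item above hinges on a round-trip failure: the masker looks for the configured value, but the build sees the value after environment-variable expansion, so the two differ whenever the secret contains `$`. The following is an added example, not code from Jenkins or the Credentials Binding plugin. It implements the expansion rules the advisory describes (`$$` becomes a single `$`; `$NAME` and `${NAME}` are resolved from the environment) and adds the assumption that unresolved names are left verbatim, then shows the masking miss and the escaping fix. It also goes one step beyond the advisory's `p4$$w0rd` case to a secret containing a variable reference such as `$HOME`. The function names, the sample environment and the log line are constructed.

```python
"""Why masking p4$$w0rd did not hide p4$w0rd, and the $-escaping fix.

Added example, not Jenkins or Credentials Binding plugin code.  Expansion
rules follow the advisory ($$ -> $, $NAME / ${NAME} from the environment);
leaving unknown names as-is is an assumption.  Names and data are constructed.
"""
import re

_TOKEN = re.compile(r"\$\$|\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)")


def expand(value, env):
    """Resolve $-references in an environment value the way the build does."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"                        # escape sequence for a literal $
        name = m.group(1) or m.group(2)
        return env.get(name, m.group(0))      # unknown names left verbatim (assumption)
    return _TOKEN.sub(repl, value)


def escape_dollars(secret):
    """The fix: double every $ so that expansion yields the original secret."""
    return secret.replace("$", "$$")


def mask(log_line, secrets):
    """Console masking: replace each configured secret value with ****."""
    for s in secrets:
        log_line = log_line.replace(s, "****")
    return log_line


def simulate_build(secret, escape_fix, env=None):
    """Bind `secret` as an environment variable, echo it in a step, mask the log.

    Returns (value the build step actually received, masked console line).
    The masker is always given the secret as configured, which is exactly
    what made the unescaped case leak.
    """
    env = dict(env or {})
    bound = escape_dollars(secret) if escape_fix else secret
    received = expand(bound, env)
    log_line = "+ echo password is %s" % received  # constructed `set -x` style line
    return received, mask(log_line, [secret])


if __name__ == "__main__":
    for fix in (False, True):
        received, line = simulate_build("p4$$w0rd", escape_fix=fix)
        print("escape fix %-5s build got %-10r console: %s" % (fix, received, line))
    # A secret containing a variable reference gets substituted, not just shortened.
    for fix in (False, True):
        received, line = simulate_build("pass$HOME", escape_fix=fix,
                                        env={"HOME": "/var/lib/jenkins"})
        print("escape fix %-5s build got %-10r console: %s" % (fix, received, line))
```

Without the fix, `p4$$w0rd` reaches the step as `p4$w0rd`, the masker (searching for `p4$$w0rd`) finds nothing, and the console prints a value one keystroke away from the real password. With the fix, the bound value is `p4$$$$w0rd`, expansion returns `p4$$w0rd`, the step gets the password the user configured, and the masker matches. The `$HOME` case shows the other half of the bug: an unescaped secret can be rewritten with environment contents, so the build does not even receive the configured credential.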
