Date: Thu, 5 Apr 2018 12:37:58 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins

> On 26. Mar 2018, at 13:22, Daniel Beck <ml@...kweb.net> wrote:
>
> SECURITY-261
> GitHub Pull Request Builder Plugin stored serialized objects in `build.xml`
> files that contained the credential used to poll Jenkins. This can be used
> by users with master file system access to obtain GitHub credentials.
>
> Since 1.40.0, the plugin no longer stores serialized objects containing the
> credential on disk.
>
> Builds started before the plugin was updated to 1.40.0 will retain the
> encoded credentials on disk. We strongly recommend revoking old GitHub
> credentials used in Jenkins.

CVE-2018-1000142

> SECURITY-262
> GitHub Pull Request Builder Plugin stored the webhook secret shared between
> Jenkins and GitHub in plain text.
>
> This allowed users with Jenkins master local file system access and Jenkins
> administrators to retrieve the stored password. The latter could result in
> exposure of the passwords through browser extensions, cross-site scripting
> vulnerabilities, and similar situations.
>
> GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook
> secret encrypted on disk.

CVE-2018-1000143

> SECURITY-308
> Cucumber Living Documentation Plugin disabled the 'Content-Security-Policy'
> HTTP header XSS protection for files served by Jenkins until Jenkins was
> restarted whenever a Cucumber report was viewed by any user.
>
> This has been addressed in version 1.1.0 of the plugin, and it will now
> request that users manually change the Content-Security-Policy option in
> Jenkins.

CVE-2018-1000144

> SECURITY-373
> Perforce Plugin encrypts its credentials using DES and a public key stored
> in its public source code, so it only serves as basic obfuscation. This
> allowed users with Jenkins master local file system access and Jenkins
> administrators to retrieve the stored password. The latter could result in
> exposure of the passwords through browser extensions, cross-site scripting
> vulnerabilities, and similar situations.
>
> As of publication of this advisory, there is no fix. The plugin has been
> removed from publication at the request of its former maintainers.

CVE-2018-1000145

> SECURITY-504
> vSphere Plugin disabled SSL/TLS certificate validation unconditionally,
> allowing potential man-in-the-middle attacks.
>
> vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by
> default.

CVE-2018-1000151

> SECURITY-519
> Liquibase Runner Plugin allows users with Job/Configure permission to
> configure its build step in a way that loads arbitrary class files into the
> Jenkins master JVM, resulting in arbitrary code execution.
>
> As of publication of this advisory, there is no fix.

CVE-2018-1000146

> SECURITY-536
> Perforce Plugin implements its own credential encryption using DES and an
> encryption key stored in its public source code. This is not considered a
> secret by Jenkins, resulting in potential exposure of Perforce credentials
> stored in job configurations to users with Extended Read permission.
> While these are encrypted, this can only be considered basic obfuscation
> due to the hard-coded public encryption key used.
>
> As of publication of this advisory, there is no fix.

CVE-2018-1000147

> SECURITY-545
> Copy To Slave Plugin allows users with Job/Configure permissions to
> configure it in such a way that it allows obtaining arbitrary files
> accessible to the Jenkins master process from the Jenkins master file
> system.
>
> As of publication of this advisory, there is no fix.

CVE-2018-1000148

> SECURITY-630
> Ansible Plugin disabled host key verification by default, having it only as
> an opt-in option.
>
> Ansible Plugin 1.0 now enables host key verification by default, adding
> options allowing users to opt out.
>
> Existing configurations that previously did not opt into host key
> verification will have host key verification enabled after update, possibly
> resulting in failures.

CVE-2018-1000149

> SECURITY-736
> Reverse Proxy Auth Plugin persisted a cache of granted authorities (group
> memberships) on disk.
>
> This could allow users with local Jenkins master file system access to
> obtain group membership information of Jenkins users.

CVE-2018-1000150

> SECURITY-745
> vSphere Plugin did not perform permission checks on methods implementing
> form validation. This allowed users with Overall/Read access to Jenkins to
> perform various actions such as:
>
> * Connect to an attacker-specified vSphere server using attacker-specified
> credentials IDs obtained through another method, capturing credentials
> stored in Jenkins
> * Connect to configured vSphere servers and look up information,
> potentially resulting in denial of service
>
> Additionally, these form validation methods did not require POST requests,
> resulting in a CSRF vulnerability.
>
> These form validation methods now require POST requests and appropriate
> user permissions.

CVE-2018-1000152 (improper authorization) and CVE-2018-1000153 (CSRF)
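The SECURITY-745 item above describes the two defects a Jenkins form-validation method can have: no permission check, and no restriction to POST. The following is an added illustration, not code from the advisory or from the vSphere Plugin, showing the unsafe shape next to the hardened shape using Jenkins core and Stapler APIs (`@POST`, `@AncestorInPath`, `checkPermission`). The class name, the `serverUrl`/`credentialsId` parameters and the `tryConnect` helper are assumptions chosen for the example.

```java
// Added example (not part of the advisory or any Jenkins plugin).
// Shows a Stapler "doXxx" form-validation method without and with the checks
// that the SECURITY-745 fix describes: a POST requirement and a permission check.
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ServerDescriptorExample {   // hypothetical descriptor class

    // Unsafe shape: reachable via GET by anyone with Overall/Read, and it
    // connects to a caller-supplied server with a caller-chosen credential ID.
    // Because GET is accepted, no CSRF crumb is required either.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl,
                                                 @QueryParameter String credentialsId) {
        return tryConnect(serverUrl, credentialsId);
    }

    // Hardened shape:
    //  * @POST makes Stapler reject any other HTTP verb, so Jenkins' CSRF
    //    crumb protection applies to the request.
    //  * The caller must hold Item/Configure on the job being edited, or
    //    Overall/Administer when the form is the global configuration
    //    (no Item ancestor in the URL).
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return tryConnect(serverUrl, credentialsId);
    }

    // Hypothetical helper standing in for the real connection test. It only
    // validates the URL shape here; a real implementation would resolve
    // credentialsId and open a certificate-validated TLS connection.
    private static FormValidation tryConnect(String serverUrl, String credentialsId) {
        if (serverUrl == null || !serverUrl.startsWith("https://")) {
            return FormValidation.error("Server URL must start with https://");
        }
        if (credentialsId == null || credentialsId.isEmpty()) {
            return FormValidation.warning("No credentials selected");
        }
        return FormValidation.ok("Connection parameters look valid");
    }
}
```

A quick way to audit a plugin for this pattern is to list every `do*` method on descriptors and confirm each one that reaches out over the network or enumerates credentials carries both a `@POST` annotation and a `checkPermission` call on the appropriate scope.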