Date: Wed, 13 Jun 2018 17:58:25 +0200
From: Daniel Beck <>
Subject: Re: Multiple vulnerabilities in Jenkins and Jenkins

> On 9. May 2018, at 11:45, Daniel Beck <> wrote:
> Users with Overall/Read permission were able to use the list-plugins CLI
> command and view the About Jenkins page to list all installed plugins.


> The built-in Jenkins user database optionally allows user registration.
> This feature did not properly sanitize user names, allowing registration of
> user names containing control characters. This could be used to confuse
> administrators (appearing to be a different user) while preventing deletion
> of such users through the UI.


> The agent to master security subsystem ensures that the Jenkins master is
> protected from maliciously configured agents. A path traversal vulnerability
> allowed agents to escape whitelisted directories to read and write to files
> they should not be able to access.


> The form validation code for a tool installer improperly checked
> permissions, allowing any user with Overall/Read permission to submit an
> HTTP GET request to any user specified URL, and learn whether the response
> was successful (HTTP 200) or not.
> Additionally, this functionality did not require POST requests be used,
> thereby allowing the above to be performed without direct access to Jenkins
> via Cross-Site Request Forgery attacks.


> Gitlab Hook Plugin does not encrypt the Gitlab API token used to access
> Gitlab. This can be used by users with master file system access to obtain
> GitHub credentials.
> Additionally, the Gitlab API token round-trips in its plaintext form, and
> is displayed in a regular text field to users with Overall/Administer
> permission. This exposes the API token to people viewing a Jenkins
> administrator’s screen, browser extensions, cross-site scripting
> vulnerabilities, etc.


> Black Duck Hub Plugin did not perform permission checks for its config.xml
> API endpoint. This allowed any user with Overall/Read permission to both
> read and write the plugin configuration XML.


> Black Duck Hub Plugin config.xml API endpoint was affected by an XML
> External Entity (XXE) processing vulnerability. This allowed an attacker
> with Overall/Read access to have Jenkins parse a maliciously crafted file
> that uses external entities for extraction of secrets from the Jenkins
> master, server-side request forgery, or denial-of-service attacks.


> SECURITY-821 / CVE pending
> Groovy Postbuild Plugin did not properly escape badge content from user
> input, resulting in a stored cross-site scripting vulnerability.

