Date: Mon, 25 Jun 2018 20:21:20 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins

> On 25. Jun 2018, at 16:10, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-915
> A form action method in GitHub Plugin did not check the permission of the
> user accessing it, allowing anyone with Overall/Read access to Jenkins to
> cause Jenkins to send a GitHub API request to create an API token to an
> attacker-specified URL.
> 
> This allowed users with Overall/Read access to Jenkins to connect to an
> attacker-specified URL using attacker-specified credentials IDs obtained
> through another method, capturing credentials stored in Jenkins.
> 
> Additionally, this form validation method did not require POST requests,
> resulting in a CSRF vulnerability.

CVE-2018-1000600

> SECURITY-440
> SSH Credentials Plugin allowed the creation of SSH credentials with keys
> "From a file on Jenkins master". Credentials Binding Plugin 1.13 and newer
> allows binding SSH credentials to environment variables. In combination,
> these two features allow users with the permission to configure a job to
> read arbitrary files on the Jenkins master by creating an SSH credential
> referencing an arbitrary file on the Jenkins master, and binding it to an
> environment variable in a job.

CVE-2018-1000601

> SECURITY-916
> SAML Plugin did not invalidate the previous session and create a new one
> upon successful login, allowing attackers able to control or obtain
> another user's pre-login session ID to impersonate them.

CVE-2018-1000602

> SECURITY-808
> Openstack Cloud Plugin did not perform permission checks on methods
> implementing form validation. This allowed users with Overall/Read access
> to Jenkins to connect to an attacker-specified URL using attacker-specified
> credentials IDs obtained through another method, capturing credentials
> stored in Jenkins, and to cause Jenkins to submit HTTP requests to
> attacker-specified URLs.
> 
> Additionally, these form validation methods did not require POST requests,
> resulting in a CSRF vulnerability.

CVE-2018-1000603

> SECURITY-906
> Badge Plugin stored and displayed user-provided HTML for badges and
> summaries unprocessed, allowing users with the ability to control badge
> content to store malicious HTML to be displayed within Jenkins.

CVE-2018-1000604

> SECURITY-941
> CollabNet Plugin disabled SSL/TLS certificate validation for the entire
> Jenkins master JVM by default.

CVE-2018-1000605

> SECURITY-819
> A form validation method in URLTrigger Plugin did not check the permission
> of the user accessing it, allowing anyone with Overall/Read access to
> Jenkins to cause Jenkins to send a GET request to a specified URL.
> 
> Additionally, this form validation method did not require POST requests,
> resulting in a CSRF vulnerability.

CVE-2018-1000606

> SECURITY-870
> Fortify CloudScan Plugin did not validate file names in rulepack ZIP
> archives it extracts, resulting in an arbitrary file write vulnerability.

CVE-2018-1000607

> SECURITY-950
> IBM z/OS Connector Plugin did not encrypt password credentials stored in
> its configuration. This could be used by users with master file system
> access to obtain the password.
> 
> While masked from view using a password form field, the AWS Secret Key was
> transferred in plain text to administrators when accessing the global
> configuration form.

CVE-2018-1000608

> SECURITY-927
> Configuration as Code Plugin lacked a permission check in the method
> handling the URL exporting the system configuration. This allows users
> with Overall/Read access to Jenkins to obtain this YAML export.

CVE-2018-1000609

> SECURITY-929
> Configuration as Code Plugin logged secrets set via its configuration to
> the Jenkins master system log in plain text. This allowed users with
> access to the Jenkins log files to obtain these passwords and similar
> secrets.

CVE-2018-1000610
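Four of the entries above (SECURITY-915, -808, -819 and, for the permission half, -927) are the same Jenkins plugin defect: a Stapler web method, usually a `doCheck...`/`doTest...` form-validation method, that neither checks a permission nor restricts itself to POST. The following is an added example, not code from any plugin named in the advisory, showing that method shape first as described and then hardened. The class, method and parameter names (`ExampleServerValidation`, `doCheckServer`, `url`, `credentialsId`) are hypothetical; the Jenkins, Stapler and Credentials Plugin APIs used are real.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical class; in a real plugin these methods sit on a Descriptor or
// another web-bound object so that Stapler routes .../checkServer to them.
public class ExampleServerValidation {

    // VULNERABLE: the pattern behind SECURITY-915/808/819. Reachable by GET,
    // no permission check. Anyone with Overall/Read can supply a credentials ID
    // learned elsewhere plus a URL they control, and Jenkins sends the stored
    // username and password there. Because GET is accepted, a cross-site
    // <img src="..."> triggers the same request with the victim's session (CSRF).
    public FormValidation doCheckServerVulnerable(@QueryParameter String url,
                                                  @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials c = lookup(url, credentialsId, null);
        return c == null ? FormValidation.error("No such credentials") : probe(url, c);
    }

    // HARDENED: POST only, and the caller must hold the same permission that
    // saving the form being validated requires (Item/Configure inside a job,
    // Overall/Administer on the global configuration page). Credentials are
    // looked up in the scope of that item, so a job cannot reach credentials
    // it could not use anyway.
    @RequirePOST
    public FormValidation doCheckServer(@AncestorInPath Item item,
                                        @QueryParameter String url,
                                        @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        if (url == null || url.isEmpty()) {
            return FormValidation.ok();
        }
        StandardUsernamePasswordCredentials c = lookup(url, credentialsId, item);
        if (c == null) {
            return FormValidation.error("No such credentials");
        }
        return probe(url, c);
    }

    // Resolve a credentials ID in the context of an item (null = global scope),
    // restricted to domains matching the target URL.
    private static StandardUsernamePasswordCredentials lookup(String url, String id, Item context) {
        if (id == null || id.isEmpty()) {
            return null;
        }
        List<StandardUsernamePasswordCredentials> all = CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class, context, ACL.SYSTEM,
                URIRequirementBuilder.fromUri(url).build());
        return CredentialsMatchers.firstOrNull(all, CredentialsMatchers.withId(id));
    }

    // The connection test itself: a GET with HTTP Basic auth built from the
    // stored secret. This is exactly the request an attacker redirects to a host
    // they control when the checks above are missing.
    private static FormValidation probe(String url, StandardUsernamePasswordCredentials c) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("GET");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            String basic = c.getUsername() + ":" + Secret.toString(c.getPassword());
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected (HTTP %d)", status)
                                : FormValidation.error("Server answered HTTP %d", status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The two controls are independent and both are needed: `@RequirePOST` alone still lets any authenticated Overall/Read user call the method directly, and the permission check alone still lets a third-party page trigger it through an administrator's browser if GET is accepted. For a method that only discloses data rather than performing an action (the YAML export in SECURITY-927), the permission check is the essential part.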
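SECURITY-870 describes the classic archive-extraction defect: a ZIP entry named with `..` components or an absolute path is written wherever the name points. The following is an added example, not the Fortify CloudScan Plugin's code, of extraction that resolves every entry name against the destination directory and refuses any that lands outside it. `main()` builds a constructed two-entry archive in memory (one benign entry, one traversal entry) to exercise the check; class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class SafeZipExtractor {

    // Map an entry name onto destDir, rejecting anything that escapes it.
    // resolve() discards destDir when the name is absolute, and normalize()
    // collapses "..", so both absolute names and traversal end up outside base
    // and fail the component-wise startsWith() check (a sibling directory such
    // as "dest2" does not pass for base "dest").
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("ZIP entry escapes destination directory: " + entryName);
        }
        return target;
    }

    // Extract every entry under destDir; stops at the first hostile name.
    static void extract(InputStream zipBytes, Path destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipBytes)) {
            for (ZipEntry e = zis.getNextEntry(); e != null; e = zis.getNextEntry()) {
                Path target = resolveEntry(destDir, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    // Files.copy reads until this entry's data ends.
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    // Constructed sample archive: one benign entry, then one traversal entry.
    static byte[] sampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("rules/ok.xml"));
            zos.write("<rules/>".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../../../tmp/owned.txt"));
            zos.write("owned".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("rulepack");
        try {
            extract(new ByteArrayInputStream(sampleZip()), dest);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("benign entry written: " + Files.exists(dest.resolve("rules/ok.xml")));
    }
}
```

Because the check runs per entry while writing, a hostile name that follows benign ones leaves the earlier entries on disk; where that matters, validate all names in a first pass (or extract into a fresh temporary directory and move it into place only on success). Symbolic links inside the archive are not a concern for `ZipInputStream`, which never creates them, but an extractor that does honour links needs the same containment check on the link target.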