Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 13 Apr 2019 01:13:39 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins



> On 3. Apr 2019, at 15:55, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-829
> IRC Plugin stores credentials unencrypted in its global configuration file 
> hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins master. These 
> credentials can be viewed by users with access to the master file system.
> 

CVE-2019-1003051

> 
> SECURITY-831
> AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its 
> global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.
> AWSEBPublisher.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-1003052

> 
> SECURITY-837
> Jira Issue Updater Plugin stores credentials unencrypted in job config.xml 
> files on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.
> 

CVE-2019-1003054

> 
> SECURITY-839
> HockeyApp Plugin stores credentials unencrypted in job config.xml files on 
> the Jenkins master. These credentials can be viewed by users with Extended 
> Read permission, or access to the master file system.
> 

CVE-2019-1003053

> 
> SECURITY-954
> FTP publisher Plugin stores credentials unencrypted in its global 
> configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins 
> master. These credentials can be viewed by users with access to the master 
> file system.
> 

CVE-2019-1003055

> 
> SECURITY-956
> WebSphere Deployer Plugin stores credentials unencrypted in job config.xml 
> files on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.
> 

CVE-2019-1003056

> 
> SECURITY-965
> Bitbucket Approve Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.
> xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-1003057

> 
> SECURITY-974
> A missing permission check in a form validation method in FTP publisher 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified FTP server with attacker-specified credentials.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-1003058 (CSRF) and CVE-2019-1003059 (permission check)

> 
> SECURITY-1041
> Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins 
> master. These credentials can be viewed by users with access to the master 
> file system.
> 

CVE-2019-1003060

> 
> SECURITY-1042
> jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job 
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.
> 

CVE-2019-1003061

> 
> SECURITY-830
> AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its 
> global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml 
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-1003062

> 
> SECURITY-832
> Amazon SNS Build Notifier Plugin stores credentials unencrypted in its 
> global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.
> xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-1003063

> 
> SECURITY-835
> aws-device-farm Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.
> xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-1003064

> 
> SECURITY-838
> CloudShare Docker-Machine Plugin stores credentials unencrypted in its 
> global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml 
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-1003065

> 
> SECURITY-841
> Bugzilla Plugin stores credentials unencrypted in its global configuration 
> file hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins 
> master. These credentials can be viewed by users with access to the master 
> file system.
> 

CVE-2019-1003066

> 
> SECURITY-842
> Trac Publisher Plugin stores credentials unencrypted in job config.xml files 
> on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.
> 

CVE-2019-1003067

> 
> SECURITY-945
> VMware vRealize Automation Plugin stores credentials unencrypted in job 
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.
> 

CVE-2019-1003068

> 
> SECURITY-949
> Aqua Security Scanner Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.
> AquaDockerScannerBuilder.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-1003069

> 
> SECURITY-952
> veracode-scanner Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-1003070

> 
> SECURITY-957
> OctopusDeploy Plugin stores credentials unencrypted in its global 
> configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on 
> the Jenkins master. These credentials can be viewed by users with access to 
> the master file system.
> 

CVE-2019-1003071

> 
> SECURITY-961
> WildFly Deployer Plugin stores deployment credentials unencrypted in job 
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.
> 

CVE-2019-1003072

> 
> SECURITY-962
> VS Team Services Continuous Deployment Plugin stores credentials unencrypted 
> in job config.xml files on the Jenkins master. These credentials can be 
> viewed by users with Extended Read permission, or access to the master file 
> system.
> 

CVE-2019-1003073

> 
> SECURITY-964
> Hyper.sh Commons Plugin stores credentials unencrypted in its global 
> configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins 
> master. These credentials can be viewed by users with access to the master 
> file system.
> 

CVE-2019-1003074

> 
> SECURITY-966
> Audit to Database Plugin stores database credentials unencrypted in its 
> global configuration file audit2db.xml on the Jenkins master. These 
> credentials can be viewed by users with access to the master file system.
> 

CVE-2019-1003075

> 
> SECURITY-977
> A missing permission check in a form validation method in Audit to Database 
> Plugin allows users with Overall/Read permission to initiate a JDBC database 
> connection test to an attacker-specified server with attacker-specified 
> credentials.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-1003076 (CSRF) and CVE-2019-1003077 (permission check)

> 
> SECURITY-979
> A missing permission check in a form validation method in VMware Lab Manager 
> Slaves Plugin allows users with Overall/Read permission to initiate a Lab 
> Manager connection test to an attacker-specified server with attacker-
> specified credentials and settings.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

2019-1003078 (CSRF) and CVE-2019-1003079 (permission check)

> 
> SECURITY-981
> A missing permission check in a form validation method in OpenShift Deployer 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified server with attacker-specified credentials.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-1003080 (CSRF) and CVE-2019-1003081 (permission check)

> 
> SECURITY-991
> A missing permission check in a form validation method in Gearman Plugin 
> allows users with Overall/Read permission to initiate a connection test to 
> an attacker-specified server.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-1003082 (CSRF) and CVE-2019-1003083 (permission check)

> 
> SECURITY-993
> A missing permission check in a form validation method in Zephyr Enterprise 
> Test Management Plugin allows users with Overall/Read permission to initiate 
> a connection test to an attacker-specified server with attacker-specified 
> credentials.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-1003084 (CSRF) and CVE-2019-1003085 (permission check)

> 
> SECURITY-1037
> A missing permission check in a form validation method in Chef Sinatra 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified server.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-1003086 (CSRF) and CVE-2019-1003087 (permission check)

> 
> SECURITY-1043
> Fabric Beta Publisher Plugin stores credentials unencrypted in job 
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.
> 

CVE-2019-1003088

> 
> SECURITY-1044
> Upload to pgyer Plugin stores credentials unencrypted in job config.xml 
> files on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.
> 

CVE-2019-1003089

> 
> SECURITY-1054
> A missing permission check in a form validation method in SOASTA CloudTest 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified URL with attacker-specified credentials and 
> SSH key store options.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-1003090 (CSRF) and CVE-2019-1003091 (permission check)

> 
> SECURITY-1058
> A missing permission check in a form validation method in Nomad Plugin 
> allows users with Overall/Read permission to initiate a connection test to 
> an attacker-specified URL.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-1003092 (CSRF) and CVE-2019-1003093 (permission check)

> 
> SECURITY-1059
> Open STF Plugin stores credentials unencrypted in its global configuration 
> file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins master. These 
> credentials can be viewed by users with access to the master file system.
> 

CVE-2019-1003094

> 
> SECURITY-1061
> Perfecto Mobile Plugin stores credentials unencrypted in its global 
> configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on 
> the Jenkins master. These credentials can be viewed by users with access to 
> the master file system.
> 

CVE-2019-1003095

> 
> SECURITY-1062
> TestFairy Plugin stores credentials unencrypted in job config.xml files on 
> the Jenkins master. These credentials can be viewed by users with Extended 
> Read permission, or access to the master file system.
> 

CVE-2019-1003096

> 
> SECURITY-1069
> Crowd Integration Plugin stores credentials unencrypted in the global 
> configuration file config.xml on the Jenkins master. These credentials can 
> be viewed by users with access to the master file system.
> 

CVE-2019-1003097

> 
> SECURITY-1084
> A missing permission check in a form validation method in openid Plugin 
> allows users with Overall/Read permission to initiate a connection test to 
> an attacker-specified URL.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-1003098 (CSRF) and CVE-2019-1003099 (permission check)

> 
> SECURITY-1085
> StarTeam Plugin stores credentials unencrypted in job config.xml files on 
> the Jenkins master. These credentials can be viewed by users with Extended 
> Read permission, or access to the master file system.
> 

CVE-2019-10277

> 
> SECURITY-1091
> A missing permission check in a form validation method in jenkins-reviewbot 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified URL with attacker-specified credentials.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-10278 (CSRF) and CVE-2019-10279 (permission check)

> 
> SECURITY-1093
> Assembla Auth Plugin stores credentials unencrypted in the global 
> configuration file config.xml on the Jenkins master. These credentials can 
> be viewed by users with access to the master file system.
> 

CVE-2019-10280

> 
> SECURITY-828
> Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted 
> in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-10281

> 
> SECURITY-843
> Klaros-Testmanagement Plugin stores credentials unencrypted in job
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.
> 

CVE-2019-10282

> 
> SECURITY-946
> mabl Plugin stores credentials unencrypted in job config.xml files on the 
> Jenkins master. These credentials can be viewed by users with Extended Read 
> permission, or access to the master file system.
> 

CVE-2019-10283

> 
> SECURITY-947
> Diawi Upload Plugin stores credentials unencrypted in job config.xml files 
> on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.
> 

CVE-2019-10284

> 
> SECURITY-955
> Minio Storage Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the 
> Jenkins master. These credentials can be viewed by users with access to the 
> master file system.
> 

CVE-2019-10285

> 
> SECURITY-959
> DeployHub Plugin stores credentials unencrypted in job config.xml files on 
> the Jenkins master. These credentials can be viewed by users with Extended 
> Read permission, or access to the master file system.
> 

CVE-2019-10286

> 
> SECURITY-963
> youtrack-plugin Plugin stored credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml
> on the Jenkins master. These credentials could be viewed by users with 
> access to the master file system.
> 

CVE-2019-10287

> 
> SECURITY-1031
> Jabber Server Plugin stores credentials unencrypted in its global 
> configuration file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins master.
> These credentials can be viewed by users with access to the master file 
> system.
> 

CVE-2019-10288

> 
> SECURITY-1032
> A missing permission check in a form validation method in Netsparker Cloud 
> Scan Plugin allowed users with Overall/Read permission to initiate a 
> connection test to an attacker-specified server with attacker-specified API 
> token.
> 
> Additionally, the form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-10289 (CSRF) and CVE-2019-10290 (permission check)

> 
> SECURITY-1040
> Netsparker Cloud Scan Plugin stored credentials unencrypted in its global 
> configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the 
> Jenkins master. These credentials could be viewed by users with access to 
> the master file system.
> 

CVE-2019-10291

> 
> SECURITY-1055
> A missing permission check in a form validation method in Kmap Plugin allows 
> users with Overall/Read permission to initiate a connection test to an 
> attacker-specified server with attacker-specified credentials.
> 
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.
> 

CVE-2019-10292 (CSRF) and CVE-2019-10293 (permission check)

> 
> SECURITY-1056
> Kmap Plugin stores credentials unencrypted in job config.xml files on the 
> Jenkins master. These credentials can be viewed by users with Extended Read 
> permission, or access to the master file system.
> 

CVE-2019-10294

> 
> SECURITY-1063
> crittercism-dsym Plugin stores credentials unencrypted in job config.xml 
> files on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.
> 

CVE-2019-10295

> 
> SECURITY-1066
> Serena SRA Deploy Plugin stores credentials unencrypted in its global 
> configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.
> 

CVE-2019-10296

> 
> SECURITY-1090
> Sametime Plugin stores credentials unencrypted in its global configuration 
> file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the 
> Jenkins master. These credentials can be viewed by users with access to the 
> master file system.
> 

CVE-2019-10297

> 
> SECURITY-1092
> Koji Plugin stores credentials unencrypted in its global configuration file 
> org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins master. These 
> credentials can be viewed by users with access to the master file system.
> 

CVE-2019-10298

> 
> SECURITY-960
> CloudCoreo DeployTime Plugin stores credentials unencrypted in its global 
> configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml 
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-10299

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.