Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 1 Aug 2018 04:38:37 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins


> On 30. Jul 2018, at 16:10, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-704
> When using the `sshagent` step inside a `withDockerContainer` block in 
> Pipeline, the resulting logging of the `ssh-add` command included the SSH 
> key passphrase in plain text.

CVE-2018-1999036

> SECURITY-997
> Resource Disposer Plugin did not perform permission checks on an API 
> endpoint. This allowed users with Overall/Read access to Jenkins to stop 
> tracking a specified resource.
> 
> Additionally, this API endpoint did not require POST requests, resulting 
> in a CSRF vulnerability.

CVE-2018-1999037

> SECURITY-975
> Publish Over CIFS Plugin did not perform permission checks on a method 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to initiate CIFS connections to an attacker specified host.
> 
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999038

> SECURITY-982
> Confluence Publisher Plugin did not perform permission checks on a method 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to submit login requests to Confluence using attacker-
> specified credentials.
> 
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999039

> SECURITY-1016
> Kubernetes Plugin did not perform permission checks on a method 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to connect to an attacker-specified Kubernetes cluster using 
> attacker-specified credentials IDs obtained through another method, 
> capturing credentials stored in Jenkins.
> 
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999040

> SECURITY-840
> Tinfoil Security Plugin stored the API Secret Key in its configuration 
> unencrypted in its global configuration file on the Jenkins master. This 
> key could be viewed by users with access to the master file system.

CVE-2018-1999041

> SECURITY-932
> TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate 
> validation for the entire Jenkins master JVM.

CVE-2018-1999025

> SECURITY-994
> TraceTronic ECU-TEST Plugin did not perform permission checks on a method 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to connect to an attacker-specified URL, with the path suffix
> `/app-version-info` appended.
> 
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999026

> SECURITY-1009
> SaltStack Plugin did not perform permission checks on methods implementing 
> form validation. This allowed users with Overall/Read access to Jenkins to 
> connect to an attacker-specified URL using attacker-specified credentials 
> IDs obtained through another method, capturing credentials stored in 
> Jenkins, and to cause Jenkins to submit HTTP requests to attacker-
> specified URLs.
> 
> Additionally, these form validation methods did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999027

> SECURITY-1021
> Accurev Plugin did not perform permission checks on a method implementing 
> form validation. This allowed users with Overall/Read access to Jenkins to 
> connect to an attacker-specified Accurev server using attacker-specified 
> credentials IDs obtained through another method, capturing credentials 
> stored in Jenkins.
> 
> Additionally, these form validation methods did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999028

> SECURITY-1001
> Shelve Project Plugin did not escape the names of shelved projects on the 
> UI, potentially resulting in a stored XSS vulnerability.

CVE-2018-1999029

> SECURITY-1022
> Maven Artifact ChoiceListProvider (Nexus) Plugin did not perform 
> permission checks on a method implementing form validation. This allowed 
> users with Overall/Read access to Jenkins to connect to an attacker-
> specified Nexus or Artifactory server using attacker-specified credentials 
> IDs obtained through another method, capturing credentials stored in 
> Jenkins.
> 
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999030

> SECURITY-847
> meliora-testlab Plugin stored the API Key in its configuration unencrypted 
> in its global configuration file on the Jenkins master. This key could be 
> viewed by users with access to the master file system.
> 
> Additionally, the API key was not masked from view using a password form 
> field.

CVE-2018-1999031

> SECURITY-995
> Agiletestware Pangolin Connector for TestRail Plugin did not perform 
> permission checks on an API endpoint used to validate and save the plugin 
> configuration. This allowed users with Overall/Read access to Jenkins to 
> override the plugin configuration.
> 
> Additionally, the API endpoint did not require POST requests, resulting in 
> a CSRF vulnerability.

CVE-2018-1999032

> SECURITY-1039
> Anchore Container Image Scanner Plugin stored the password in its 
> configuration unencrypted in its global configuration file on the Jenkins 
> master. This password could be viewed by users with access to the master 
> file system.

CVE-2018-1999033

> SECURITY-933
> Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate 
> validation for the entire Jenkins master JVM.

CVE-2018-1999034

> SECURITY-935
> Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation 
> for the entire Jenkins master JVM.

CVE-2018-1999035

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.