[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 6 Feb 2019 17:54:39 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins
> On 28. Jan 2019, at 15:28, Daniel Beck <ml@...kweb.net> wrote:
>
> SECURITY-1292
> Script Security sandbox protection could be circumvented during the script
> compilation phase by applying AST transforming annotations such as `@...b`
> to source code elements.
>
> This affected an HTTP endpoint used to validate a user-submitted Groovy
> script that was not covered in the 2019-01-08 fix for SECURITY-1266 and
> allowed users with Overall/Read permission to bypass the sandbox
> protection and execute arbitrary code on the Jenkins master.
>
CVE-2019-1003005
>
> SECURITY-1293
> Groovy Plugin has a form validation HTTP endpoint used to validate a user-
> submitted Groovy script through compilation, which was not subject to
> sandbox protection. This allowed attackers with Overall/Read access to
> execute arbitrary code on the Jenkins master by applying AST transforming
> annotations such as `@...b` to source code elements.
>
CVE-2019-1003006
>
> SECURITY-1295 (1)
> Warnings Plugin has a form validation HTTP endpoint used to validate a
> user-submitted Groovy script through compilation, which was not subject to
> sandbox protection. The endpoint checked for the Overall/RunScripts
> permission, but did not require POST requests, so it was vulnerable to
> cross-site request forgery (CSRF). This allowed attackers to execute
> arbitrary code on the Jenkins master by applying AST transforming
> annotations such as `@...b` to source code elements.
>
CVE-2019-1003007
>
> SECURITY-1295 (2)
> Warnings Next Generation Plugin has a form validation HTTP endpoint used
> to validate a Groovy script through compilation, which was not subject to
> sandbox protection. The endpoint checked for the Overall/RunScripts
> permission, but did not require POST requests, so it was vulnerable to
> cross-site request forgery (CSRF). This allowed attackers to execute
> arbitrary code on the Jenkins master by applying AST transforming
> annotations such as `@...b` to source code elements.
>
CVE-2019-1003008
>
> SECURITY-859
> Active Directory Plugin performs TLS upgrade (StartTLS) after connecting
> to domain controllers through insecure LDAP. In this mode, certificates
> were not properly validated, effectively trusting all certificates,
> allowing man-in-the-middle attacks.
>
> This only affected TLS upgrades. The LDAPS mode, available by setting the
> system property hudson.plugins.active_directory.
> ActiveDirectorySecurityRealm.forceLdaps to true, was unaffected.
>
CVE-2019-1003009
>
> SECURITY-1095
> Git Plugin allows the creation of a tag in a job workspace’s Git
> repository with accompanying metadata attached to a build record.
>
> The HTTP endpoint to create the tag did not require POST requests,
> resulting in a CSRF vulnerability.
>
CVE-2019-1003010
>
> SECURITY-1102
> Token Macro Plugin recursively applied token expansion.
>
> This could be used by users able to affect input to token expansion (such
> as change log messages), to inject additional tokens into the input, which
> would then be expanded, resulting in information disclosure (for example
> values of environment variables), or denial of service.
>
CVE-2019-1003011
>
> SECURITY-1201
> Blue Ocean did not require CSRF tokens ("crumbs") for POST requests with
> the `Content-Type: application/json`, resulting in CSRF vulnerabilities.
>
CVE-2019-1003012
>
> SECURITY-1204
> Blue Ocean did not properly escape HTML/JavaScript content set on the
> current user’s description field, resulting in a cross-site scripting
> vulnerability exploitable by administrators and other people accessing
> Jenkins with the same user account.
>
CVE-2019-1003013
>
> SECURITY-1253
> Config File Provider Plugin improperly handled script names in its
> JavaScript-based UI, resulting in a stored cross-site scripting (XSS)
> vulnerability.
>
CVE-2019-1003014
>
> SECURITY-905 (1)
> Job Import Plugin allows to import jobs from other Jenkins instances. As a
> first step in this process, Job Import Plugin sends a request to another
> Jenkins instance, parsing XML REST API output to obtain a list of jobs
> that could be imported.
>
> Job Import Plugin did not configure the XML parser in a way that would
> prevent XML External Entity (XXE) processing. This allowed attackers able
> to control either the server Jenkins will query, or the URL Jenkins
> queries, to have it parse a maliciously crafted XML response that uses
> external entities for extraction of secrets from the Jenkins master,
> server-side request forgery, or denial-of-service attacks.
>
CVE-2019-1003015
>
> SECURITY-905 (2)
> Job Import Plugin did not check user permissions on its API endpoint used
> to access remote Jenkins instances. This allowed users with Overall/Read
> access to Jenkins to connect to an attacker-specified URL using attacker-
> specified credentials IDs obtained through another method, capturing
> credentials stored in Jenkins.
>
CVE-2019-1003016
>
> SECURITY-1302
> Job Import Plugin did not require that POST requests are sent to its
> /import URL, which processes requests to import jobs. This resulted in a
> cross-site request forgery (CSRF) vulnerability that could be exploited to
> create or replace jobs on the local instance if the remote Jenkins
> instance has different ones with the same name, or to install additional
> plugins, if jobs on the remote Jenkins instance reference them in their
> configuration.
>
CVE-2019-1003017
>
> SECURITY-602
> GitHub Authentication Plugin stores the client secret in the global
> Jenkins configuration.
>
> While the client secret is stored encrypted on disk, it was transmitted in
> plain text as part of the configuration form and displayed without masking.
> This could result in exposure of the client secret through browser
> extensions, cross-site scripting vulnerabilities, and similar situations.
>
CVE-2019-1003018
>
> SECURITY-797
> GitHub Authentication Plugin did not invalidate the previous session and
> create a new one upon successful login, allowing attackers able to control
> or obtain another user’s pre-login session ID to impersonate them.
>
CVE-2019-1003019
>
> SECURITY-818
> Kanboard Plugin did not perform permission checks on a method implementing
> form validation. This allowed users with Overall/Read access to Jenkins to
> submit a GET request to an attacker-specified URL.
>
> Additionally, this form validation method did not require POST requests,
> resulting in a CSRF vulnerability.
>
CVE-2019-1003020
>
> SECURITY-886
> OpenId Connect Authentication Plugin stores the client secret in the
> global Jenkins configuration.
>
> While the client secret is stored encrypted on disk, it was transmitted in
> plain text as part of the configuration form and displayed without masking.
> This could result in exposure of the client secret through browser
> extensions, cross-site scripting vulnerabilities, and similar situations.
>
CVE-2019-1003021
>
> SECURITY-1153
> Monitoring Plugin provides a standalone JavaMelody servlet with an
> independent CSRF protection configuration. Even if Jenkins had CSRF
> protection enabled, Monitoring Plugin may not have it enabled.
>
CVE-2019-1003022
>
> SECURITY-1271
> Warnings Next Generation Plugin did not properly escape HTML content in
> warnings displayed on the Jenkins UI, resulting in a cross-site scripting
> vulnerability exploitable by users able to control warnings parser input.
>
CVE-2019-1003023
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
