Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 6 Mar 2019 15:41:34 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

* AppDynamics Dashboard Plugin 1.0.15
* Azure VM Agents Plugin 0.8.1
* Bitbar Run-in-Cloud Plugin 2.70.0
* Email Extension Plugin 2.65
* Groovy Plugin 2.2
* Job DSL Plugin 1.72
* Matrix Project Plugin 1.14
* OSF Builder Suite For Salesforce Commerce Cloud :: Deploy Plugin 1.0.11
* Pipeline: Groovy Plugin 2.64
* Rabbit-MQ Publisher Plugin 1.2.0
* Repository Connector Plugin 1.2.5
* Script Security Plugin 1.54

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-03-06/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1336 (1)
Script Security sandbox protection could be circumvented during parsing, 
compilation, and script instantiation by providing a crafted Groovy script.

Script Security Plugin is now newly applying sandbox protection during 
these phases.

This affected both script execution (typically invoked from other plugins) 
as well as an HTTP endpoint providing script validation and allowed users 
with Overall/Read permission to bypass the sandbox protection and execute 
arbitrary code on the Jenkins master.

The API `GroovySandbox#run(Script, Whitelist)` has been deprecated and now 
emits a warning to the system log about potential security problems. 
`GroovySandbox#run(GroovyShell, String, Whitelist)` replaces it. 
`GroovySandbox#checkScriptForCompilationErrors(String, GroovyClassLoader)` 
has been added as a safer method to implement script validation.


SECURITY-1336 (2)
Pipeline: Groovy sandbox protection could be circumvented during parsing, 
compilation, and script instantiation by providing a crafted Groovy script.

This allowed users able to control the contents of a pipeline to bypass 
the sandbox protection and execute arbitrary code on the Jenkins master.

Pipeline: Groovy Plugin now uses Script Security APIs that apply sandbox 
protection during these phases.


SECURITY-1339
Matrix Project Plugin supports a sandboxed Groovy expression to filter 
matrix combinations. Its sandbox protection could be circumvented during 
parsing, compilation, and script instantiation by providing a crafted 
Groovy script.

This allowed users able to configure a Matrix project to bypass the 
sandbox protection and execute arbitrary code on the Jenkins master.

Matrix Project Plugin now uses Script Security APIs that apply sandbox 
protection during these phases.


SECURITY-1340
Email Extension Plugin supports sandboxed Groovy expressions for multiple 
features. Its sandbox protection could be circumvented during parsing, 
compilation, and script instantiation by providing a crafted Groovy script.

This allowed users able to control the plugin’s job-specific configuration 
to bypass the sandbox protection and execute arbitrary code on the Jenkins 
master.

Email Extension Plugin now uses Script Security APIs that apply sandbox 
protection during these phases.


SECURITY-1338
Groovy Plugin supports sandboxed Groovy expressions for its "System 
Groovy" functionality. Its sandbox protection could be circumvented during 
parsing, compilation, and script instantiation by providing a crafted 
Groovy script.

This affected both System Groovy script execution as well as an HTTP 
endpoint providing script validation, and allowed users with Overall/Read 
permission to bypass the sandbox protection and execute arbitrary code on 
the Jenkins master.

Groovy Plugin now uses Script Security APIs that apply sandbox protection 
during these phases.


SECURITY-1342
Job DSL Plugin supports sandboxed Groovy expressions for Job DSL 
definitions. Its sandbox protection could be circumvented during parsing, 
compilation, and script instantiation by providing a crafted Groovy script.

This allowed users able to control the Job DSL scripts to bypass the 
sandbox protection and execute arbitrary code on the Jenkins master.

Job DSL Plugin now uses Script Security APIs that apply sandbox protection 
during these phases.


SECURITY-1330
A missing permission check in a form validation method in Azure VM Agents 
Plugin allowed users with Overall/Read access to verify a submitted 
configuration, obtaining limited information about the Azure account and 
configuration.

Additionally, this form validation method did not require POST requests, 
resulting in a potential CSRF vulnerability.

This form validation method now requires POST requests and 
Overall/Administer permissions.


SECURITY-1331
A missing permission check in an HTTP endpoint allowed users with 
Overall/Read access to attach a public IP address to an Azure VM in Azure 
VM Agents Plugin, making a virtual machine publicly accessible.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability with more limited impact, as the IP 
address would not be known.

This form validation method now requires POST requests and 
Overall/Administer permissions.


SECURITY-1332
Azure VM Agents Plugin provides a list of applicable credential IDs to 
allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with 
Overall/Read permission to get a list of valid credentials IDs. Those 
could be used as part of an attack to capture the credentials using 
another vulnerability.

An enumeration of credentials IDs in this plugin now requires 
Overall/Administer permission.


SECURITY-958
Repository Connector Plugin stored the username and password in its 
configuration unencrypted in its global configuration file on the Jenkins 
master. This password could be viewed by users with access to the master 
file system.

The plugin now stores the password encrypted in the configuration files on 
disk and no longer transfers it to users viewing the configuration form in 
plain text.


SECURITY-1087
AppDynamics Dashboard Plugin stored username and password in its 
configuration unencrypted in jobs' config.xml files on the Jenkins master. 
This password could be viewed by users with Extended Read permission, or 
access to the master file system.

While masked from view using a password form field, the password was 
transferred in plain text to users when accessing the job configuration 
form.

AppDynamics Dashboard Plugin now stores the password encrypted in the 
configuration files on disk and no longer transfers it to users viewing 
the configuration form in plain text. Existing jobs need to have their 
configuration saved for existing plain text passwords to be overwritten.


SECURITY-848
Rabbit-MQ Publisher Plugin stored the username and password in its 
configuration unencrypted in its global configuration file on the Jenkins 
master. This password could be viewed by users with access to the master 
file system.

The plugin now stores the password encrypted in the configuration files on 
disk and no longer transfers it to users viewing the configuration form in 
plain text.


SECURITY-970
A missing permission check in a form validation method of Rabbit-MQ 
Publisher Plugin allowed users with Overall/Read access to have Jenkins 
initiate a RabbitMQ connection to an attacker-specified host and port with 
an attacker-specified username and password.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.

This form validation method now requires POST requests and 
Overall/Administer permissions.


SECURITY-1038
OSF Builder Suite For Salesforce Commerce Cloud : : Deploy Plugin stored 
the HTTP proxy username and password in its configuration unencrypted in 
its global configuration file on the Jenkins master. This password could 
be viewed by users with access to the master file system.

The plugin now integrates with Credentials Plugin to store the HTTP proxy 
credentials.


SECURITY-1088
A missing permission check in a method performing both form validation and 
saving new configuration in Bitbar Run-in-Cloud Plugin allowed users with 
Overall/Read permission to have Jenkins master connect to an attacker-
specified host with attacker-specified credentials, and, if successful, 
save that as the new configuration for the plugin. This could then 
potentially result in future builds submitting their data to an 
unauthorized remote server.

Additionally, this method did not require POST requests, resulting in a 
CSRF vulnerability.

This form validation method now requires POST requests and 
Overall/Administer permissions.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.