Date: Thu, 21 Nov 2019 15:06:02 +0100 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: Multiple vulnerabilities in Jenkins plugins Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software. The following releases contain fixes for security vulnerabilities: * Anchore Container Image Scanner Plugin 1.0.20 * Google Compute Engine Plugin 4.2.0 * JIRA Plugin 3.0.11 * QMetry for JIRA - Test Management Plugin 1.13 * Script Security Plugin 1.68 * Spira Importer Plugin 3.2.3 * Support Core Plugin 2.64 Additionally, we announce unresolved security issues in the following plugins: * QMetry for JIRA - Test Management Plugin Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here: https://jenkins.io/security/advisory/2019-11-21/ We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories If you discover security vulnerabilities in Jenkins, please report them as described here: https://jenkins.io/security/#reporting-vulnerabilities --- SECURITY-1658 / CVE-2019-16538 Sandbox protection in Script Security Plugin could be circumvented through closure default parameter expressions. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins master JVM. SECURITY-1634 / CVE-2019-16539 (permission check), CVE-2019-16540 (path traversal) Support Core Plugin did not validate the paths submitted for the "Delete Support Bundles" feature. This allowed users to delete arbitrary files on the Jenkins master file system accessible to the OS user account running Jenkins. Additionally, this endpoint did not perform a permission check, allowing users with Overall/Read permission to delete support bundles, and any arbitrary other file, with a known name/path. SECURITY-1106 / CVE-2019-16541 JIRA Plugin allows the definition of per-folder Jira sites. The credentials lookup for this feature did not set the appropriate context, allowing the use of System-scoped credentials otherwise reserved for use in the global configuration. This allowed users with Item/Configure permission on the folder to access credentials they’re not entitled to, and potentially capture them. SECURITY-1539 / CVE-2019-16542 Anchore Container Image Scanner Plugin stored an Anchore.io service password unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the master file system. SECURITY-1554 / CVE-2019-16543 Spira Importer Plugin stored a credential unencrypted in its global configuration file com.inflectra.spiratest.plugins.SpiraBuilder.xml on the Jenkins master. This credential could be viewed by users with access to the master file system. SECURITY-1584 / CVE-2019-16546 Google Compute Engine Plugin did not use SSH host key verification when connecting to VMs launched by the plugin. This lack of verification could be abused by a MitM attacker to intercept these connections to attacker-specified build agents without warning. SECURITY-1585 / CVE-2019-16547 Google Compute Engine Plugin did not verify permissions on multiple auto-complete API endpoints. This allowed users with Overall/Read permissions to view various metadata about the running cloud environment. SECURITY-1586 / CVE-2019-16548 Google Compute Engine Plugin did not require POST requests on an API endpoint. This CSRF vulnerability allowed attackers to provision new agents. SECURITY-727 (1) / CVE-2019-16544 QMetry for JIRA - Test Management Plugin stored credentials unencrypted in job config.xml files on the Jenkins master as part of its post-build step configuration. This credential could be viewed by users with Extended Read permission or access to the master file system. SECURITY-727 (2) / CVE-2019-16545 QMetry for JIRA - Test Management Plugin stores a credential as part of its post-build step configuration. While the password is stored encrypted on disk since QMetry for JIRA - Test Management Plugin 1.13, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations. As of publication of this advisory, there is no fix.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.