Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <882ACAE9-0DFE-4639-AF88-6A29B5A215E3@beckweb.net>
Date: Tue, 17 Dec 2019 15:32:49 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Build Failure Analyzer Plugin 1.24.2
* Gerrit Trigger Plugin 2.30.2
* Maven Release Plugin 0.16.2
* Pipeline Aggregator View Plugin 1.9
* Redgate SQL Change Automation Plugin 2.0.4
* Rundeck Plugin 3.6.6
* Spira Importer Plugin 3.2.4

Additionally, we announce unresolved security issues in the following
plugins:

* Alauda DevOps Pipeline Plugin
* Alauda Kubernetes Suport Plugin
* buildgraph-view Plugin
* Mantis Plugin
* Mission Control Plugin
* RapidDeploy Plugin
* SCTMExecutor Plugin
* Team Concert Plugin
* WebSphere Deployer Plugin
* Weibo Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-12-17/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1681 / CVE-2019-16549 (XXE) & CVE-2019-16550 (CSRF)
Maven Release Plug-in Plugin retrieves XML from Nexus repository manager
APIs. Maven Release Plug-in Plugin 0.16.1 and earlier does not configure
the XML parser to prevent XML external entity (XXE) attacks. While Jenkins
users without Overall/Administer permission are not allowed to configure a
custom Nexus URL, this could still be exploited via man-in-the-middle
attacks, especially if it's not an HTTPS URL.

Additionally, a connection test form validation method does not require
POST requests, resulting in a cross-site request forgery vulnerability.
Combined, these two vulnerabilities allow attackers to have Jenkins parse
crafted XML documents that use external entities for extraction of secrets
from the Jenkins master, server-side request forgery, or denial-of-service
attacks.


SECURITY-1527 / CVE-2019-16551 (CSRF) & CVE-2019-16552 (missing permission check)
Gerrit Trigger Plugin 2.30.1 and earlier does not perform permission checks
in methods performing form validation. This allows users with Overall/Read
access to perform connection tests, connecting to an HTTP URL or SSH server
using attacker-specified credentials, or determine whether files with an
attacker-specified path exist on the Jenkins master file system.

Additionally, these form validation methods do not require POST requests,
resulting in a CSRF vulnerability.


SECURITY-1651 / CVE-2019-16553 (CSRF) & CVE-2019-16554 (missing permission check)
 & CVE-2019-16555 (resource consumption)
Build Failure Analyzer Plugin 1.24.1 and earlier does not perform a
permission check in a method performing form validation. This allows users
with Overall/Read access to supply a computationally expensive regular
expression that will hang the request handling thread.

Additionally, this form validation method does not require POST requests,
resulting in a CSRF vulnerability.


SECURITY-1593 / CVE-2019-16564
Pipeline Aggregator View Plugin 1.8 and earlier does not escape the
information shown on the view it provides, such as stage names or job
names.

This results in a stored cross-site scripting vulnerability exploitable by
users able to configure jobs, define pipeline stages, or otherwise affect
the information shown by Pipeline Aggregator View Plugin.


SECURITY-1636 / CVE-2019-16556
Rundeck Plugin 3.6.5 and earlier stores credentials as part of its global
configuration file `org.jenkinsci.plugins.rundeck.RundeckNotifier.xml` and
job `config.xml` files on the Jenkins master. These URLs could be viewed by
users with Extended Read permission (in the case of job `config.xml` files)
or access to the master file system.


SECURITY-1598 / CVE-2019-16557
Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials
unencrypted in job `config.xml` files on the Jenkins master as part of its
build step configuration. These credentials can be viewed by users with
Extended Read permission or access to the master file system.


SECURITY-1580 / CVE-2019-16558
Spira Importer Plugin 3.2.3 and earlier unconditionally disables SSL/TLS
certificate validation for the entire Jenkins master JVM.


SECURITY-1371 / CVE-2019-16559 (permission check) & CVE-2019-16560 (CSRF)
WebSphere Deployer Plugin 1.6.1 and earlier does not perform permission
checks in methods performing form validation. This allows users with
Overall/Read access to perform connection tests, determine whether files
with an attacker-specified path exist on the Jenkins master file system,
and obtain limited information about the Jenkins and plugin configuration
based on the responses. The latter include the ability to set plugin
configuration options.

Additionally, these form validation methods do not require POST requests,
resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1581 / CVE-2019-16561
WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read
access to disable SSL/TLS certificate and hostname validation for the
entire Jenkins master JVM, or specify a new Java keystore from a file
stored on the Jenkins master filesystem.

As of publication of this advisory, there is no fix.


SECURITY-1591 / CVE-2019-16562
buildgraph-view Plugin 1.8 and earlier does not escape the description of
builds shown in its view.

This results in a stored cross-site scripting vulnerability that can be
exploited by users able to change the build description.

As of publication of this advisory, there is no fix.


SECURITY-1592 / CVE-2019-16563
Mission Control Plugin 0.9.16 and earlier does not escape job display names
and build names in the view it provides.

This results in a stored cross-site scripting vulnerability that can be
exploited by users able to change these properties.

As of publication of this advisory, there is no fix.


SECURITY-1605 (1) / CVE-2019-16565 (CSRF) & CVE-2019-16566 (missing permission check)
Team Concert Plugin 1.3.0 and earlier does not perform permission checks on
a method implementing form validation. This allows users with Overall/Read
access to Jenkins to connect to an attacker-specified URL using
attacker-specified credentials IDs obtained through another method,
capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1605 (2) / CVE-2019-16567
Team Concert Plugin 1.3.0 and earlier provides a list of applicable
credential IDs to allow users configuring the plugin to select the one to
use.

This functionality does not correctly check permissions, allowing any user
with Overall/Read permission to get a list of valid credentials IDs. Those
can be used as part of an attack to capture the credentials using another
vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1521 / CVE-2019-16568
SCTMExecutor Plugin 2.2 and earlier stores Silk Central credentials in the
global Jenkins configuration and in job `config.xml` files.

While these credentials are stored encrypted on disk, they are transmitted
in plain text as part of the configuration form. This can result in
exposure of these credentials through browser extensions, cross-site
scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.


SECURITY-1603 / CVE-2019-16569
Mantis Plugin 0.26 and earlier does not require POST requests on a
connection test method, resulting in a CSRF vulnerability. This allows
attackers to have Jenkins connect to Mantis-related paths on an
attacker-specified web server using attacker-specified credentials.

As of publication of this advisory, there is no fix.


SECURITY-1604 / CVE-2019-16570 (CSRF) & CVE-2019-16571 (missing permission check)
RapidDeploy Plugin 4.1 and earlier does not perform a permission check on
form validation methods. This allows users with Overall/Read access to
Jenkins to connect to RapidDeploy-related paths on an attacker-specified
web server.

Additionally, these form validation methods do not require POST requests,
resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1597 / CVE-2019-16572
Weibo Plugin 1.0.1 and earlier stores a credential unencrypted in its
global configuration file `org.jenkinsci.plugins.weibo.WeiboNotifier.xml`
on the Jenkins master. This credential can be viewed by users with access
to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1600 / CVE-2019-16573 (CSRF) & CVE-2019-16574 (missing permission check)
Alauda DevOps Pipeline Plugin 2.3.2 and earlier does not perform permission
checks on a method implementing form validation. This allows users with
Overall/Read access to Jenkins to connect to Kubernetes-related paths on an
attacker-specified web server using attacker-specified credentials IDs
obtained through another method, capturing token credentials managed by
Alauda DevOps Pipeline Plugin.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1602 / CVE-2019-16575 (CSRF) & CVE-2019-16576 (missing permission check)
Alauda Kubernetes Suport Plugin 2.3.0 and earlier does not require POST
requests on a connection test method, resulting in a CSRF vulnerability.
This allows attackers to have Jenkins connect to Kubernetes-related paths
on an attacker-specified web server using attacker-specified credentials
IDs obtained through another method, capturing 'Secret Text' credentials
stored in Jenkins.

Additionally, if no credentials ID is specified, the connection uses the
default Kubernetes token from
`/var/run/secrets/kubernetes.io/serviceaccount/token`.

As of publication of this advisory, there is no fix.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.