Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 29 Jan 2020 16:10:08 +0100
From: Daniel Beck <>
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.219
* Jenkins LTS 2.204.2
* Code Coverage API Plugin 1.1.3
* Fortify Plugin 19.2.30

Additionally, we announce unresolved security issues in the following

* WebSphere Deployer Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:

We provide advance notification for security updates on this mailing list:

If you discover security vulnerabilities in Jenkins, please report them as
described here:


SECURITY-1682 / CVE-2020-2099
Jenkins 2.213 and earlier, LTS 2.204.1 and earlier includes support for the
Inbound TCP Agent Protocol/3 for communication between master and agents.
While this protocol has been deprecated in 2018 and was recently removed
from Jenkins in 2.214, it could still easily be enabled in Jenkins LTS
2.204.1, 2.213, and older.

This protocol incorrectly reuses encryption parameters which allow an
unauthenticated remote attacker to determine the connection secret. This
secret can then be used to connect attacker-controlled Jenkins agents to
the Jenkins master.

SECURITY-1641 / CVE-2020-2100
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier supports two network
discovery services (UDP multicast/broadcast and DNS multicast) by default.

The UDP multicast/broadcast service can be used in an amplification
reflection attack, as very few bytes sent to the respective endpoint result
in much larger responses: A single byte request to this service would
respond with more than 100 bytes of Jenkins metadata which could be used in
a DDoS attack on a Jenkins master. Within the same network, spoofed UDP
packets could also be sent to make two Jenkins masters go into an infinite
loop of replies to one another, thus causing a denial of service.

SECURITY-1659 / CVE-2020-2101
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a
constant-time comparison validating the connection secret when an inbound
TCP agent connection is initiated. This could potentially allow attackers
to use statistical methods to obtain the connection secret.

SECURITY-1660 / CVE-2020-2102
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a
constant-time comparison when checking whether two HMACs are equal. This
could potentially allow attackers to use statistical methods to obtain a
valid HMAC for an attacker-controlled input value.

SECURITY-1695 / CVE-2020-2103
Jenkins shows various technical details about the current user on the
`/whoAmI` page. In a previous fix, the `Cookie` header value containing the
HTTP session ID was redacted. However, user metadata shown on this page
could also include the HTTP session ID in Jenkins 2.218 and earlier, LTS
2.204.1 and earlier.

This allows attackers able to exploit a cross-site scripting vulnerability
to obtain the HTTP session ID value from this page.

SECURITY-1650 / CVE-2020-2104
Jenkins includes a feature that shows a JVM memory usage chart for the
Jenkins master.

Access to the chart in Jenkins 2.218 and earlier, LTS 2.204.1 and earlier
requires no permissions beyond the general Overall/Read, allowing users who
are not administrators to view JVM memory usage data.

SECURITY-1704 / CVE-2020-2105
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not serve the
`X-Frame-Options: deny` HTTP header on REST API responses to protect
against clickjacking attacks. An attacker could exploit this by routing the
victim through a specially crafted web page that embeds a REST API endpoint
in an iframe and tricking the user into performing an action which would
allow for the attacker to learn the content of that REST API endpoint.

SECURITY-1680 / CVE-2020-2106
Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of
the coverage report used in its view.

This results in a stored cross-site scripting vulnerability that can be
exploited by users able to change the job configuration.

SECURITY-1565 / CVE-2020-2107
Fortify Plugin 19.1.29 and earlier stored its proxy server password
unencrypted in job `config.xml` files. This password could be read by users
with the Extended Read permission.

SECURITY-1719 / CVE-2020-2108
WebSphere Deployer Plugin 1.6.1 and earlier does not configure the XML
parser to prevent XML external entity (XXE) attacks. This could be
exploited by a user with Job/Configure permissions to upload a specially
crafted war file containing a `WEB-INF/ibm-web-ext.xml` which is parsed by
the plugin.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.