Message-Id: <BC62CA7E-C08B-4762-AD58-5E0751CC4334@beckweb.net>
Date: Wed, 3 Jun 2020 14:33:18 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Compact Columns Plugin 1.12
* ECharts API Plugin 4.7.0-4
* Script Security Plugin 1.73
* Self-Organizing Swarm Plug-in Modules Plugin 3.21

Additionally, we announce unresolved security issues in the following
plugins:

* Play Framework Plugin
* Project Inheritance Plugin
* Selenium Plugin
* Subversion Partial Release Manager Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2020-06-03/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1866 / CVE-2020-2190
Script Security Plugin 1.72 and earlier does not correctly escape pending
or approved classpath entries on the In-process Script Approval page.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by users able to configure sandboxed scripts.


SECURITY-1200 / CVE-2020-2191 (permission checks) & CVE-2020-2192 (CSRF)
Self-Organizing Swarm Plug-in Modules Plugin adds API endpoints to add or
remove agent labels. In Self-Organizing Swarm Plug-in Modules Plugin 3.20
and earlier these only require a global Swarm secret to use, and no regular
permission check is performed. This allows users with Agent/Create
permission to add or remove labels of any agent.

Additionally, these API endpoints do not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.


SECURITY-1841 / CVE-2020-2193
ECharts API Plugin 4.7.0-3 and earlier does not escape the parser
identifier when rendering charts.

This results in a stored cross-site scripting (XSS) vulnerability that can
be exploited by users with Job/Configure permission.


SECURITY-1842 / CVE-2020-2194
ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of
the builds in the trend chart.

This results in a stored cross-site scripting (XSS) vulnerability that can
be exploited by users with Run/Update permission.


SECURITY-1837 / CVE-2020-2195
Compact Columns Plugin 1.11 and earlier displays the unprocessed job
description in tooltips.

This results in a stored cross-site scripting vulnerability that can be
exploited by users with Job/Configure permission.
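The job description is user-supplied markup that Jenkins core runs through the globally configured MarkupFormatter (Safe HTML by default) before showing it on the job page; a column that hands the raw string to its tooltip bypasses that step. The following is an added illustration, not Compact Columns Plugin code: `DescriptionTooltip` is a hypothetical helper, and only `Job.getDescription()` and `Jenkins.getMarkupFormatter()` are real Jenkins APIs.

```java
import java.io.IOException;
import hudson.model.Job;
import jenkins.model.Jenkins;

/**
 * Hypothetical helper (not plugin code) contrasting an unprocessed description
 * with one passed through the same formatter the job page uses.
 */
public class DescriptionTooltip {

    /**
     * Vulnerable shape: the raw description reaches the view. If the view then
     * emits it as markup, any user with Job/Configure has stored XSS.
     */
    static String rawTooltip(Job<?, ?> job) {
        return job.getDescription();
    }

    /**
     * Processed shape: translate the description with the configured
     * MarkupFormatter, exactly as core does before rendering it as HTML.
     * With the default Safe HTML formatter, script tags and event handlers
     * are stripped; with the plain-text formatter, everything is escaped.
     */
    static String formattedTooltip(Job<?, ?> job) throws IOException {
        String description = job.getDescription();
        if (description == null || description.isEmpty()) {
            return "";
        }
        return Jenkins.get().getMarkupFormatter().translate(description);
    }
}
```

The view must then output the processed string as markup (in Jelly, `<j:out value="${...}"/>`) and never the raw one. If the tooltip is instead placed in an HTML attribute, markup is meaningless there and the description should go through the view's normal escaped `${...}` output rather than the formatter.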


SECURITY-1766 / CVE-2020-2196
Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP
endpoints.

This allows attackers to perform the following actions:

* Restart the Selenium Grid hub.
* Delete or replace the plugin configuration.
* Start, stop, or restart Selenium configurations on specific nodes.

Through carefully chosen configuration parameters, these actions can result
in OS command injection on the Jenkins master.

As of publication of this advisory, there is no fix.
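Both SECURITY-1200 (Swarm: endpoints gated only by a global secret, any HTTP method) and SECURITY-1766 (Selenium: endpoints with no CSRF protection) are the same pattern: a Stapler web method that does not require POST, so a GET triggered from an attacker's page goes through, and that does not check a permission on the object it modifies. The following added example (not Swarm or Selenium plugin code) shows the vulnerable shape next to the hardened one. `LabelApi`, the URL it would be bound to, the `sharedSecret` field and the label-handling logic are assumptions; `@RequirePOST`, `Computer.CONFIGURE`, `Node.setLabelString` and `Jenkins.updateNode` are real Jenkins/Stapler APIs.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import hudson.model.Computer;
import hudson.model.Node;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical endpoints (not plugin code) standing in for "add a label to an
 * agent". The shared secret models the global Swarm secret from the advisory.
 */
public class LabelApi {

    private final String sharedSecret; // assumed: one instance-wide secret

    public LabelApi(String sharedSecret) {
        this.sharedSecret = sharedSecret;
    }

    /**
     * Vulnerable shape: answers GET as well as POST (so Jenkins' crumb check
     * never runs and a cross-site request succeeds), and the only gate is the
     * shared secret. Whoever knows it can relabel every agent on the instance.
     */
    public HttpResponse doAddLabelVulnerable(@QueryParameter String name,
                                             @QueryParameter String secret,
                                             @QueryParameter String labels) throws IOException {
        if (!sharedSecret.equals(secret)) {
            return HttpResponses.forbidden();
        }
        Node node = Jenkins.get().getNode(name);
        if (node == null) {
            return HttpResponses.notFound();
        }
        return addLabels(node, labels);
    }

    /**
     * Hardened shape: @RequirePOST rejects every other method, which also puts
     * the request under Jenkins' CSRF crumb check; then the caller must hold
     * Agent/Configure on the specific node, not just know a global secret.
     * checkPermission throws an AccessDeniedException that Stapler turns into 403.
     */
    @RequirePOST
    public HttpResponse doAddLabel(@QueryParameter String name,
                                   @QueryParameter String labels) throws IOException {
        Node node = Jenkins.get().getNode(name);
        if (node == null) {
            return HttpResponses.notFound();
        }
        node.checkPermission(Computer.CONFIGURE);
        return addLabels(node, labels);
    }

    /** If a shared secret has to stay part of the protocol, compare it in constant time. */
    static boolean secretMatches(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    private static HttpResponse addLabels(Node node, String labels) throws IOException {
        String current = node.getLabelString();
        node.setLabelString((current == null ? labels : current + " " + labels).trim());
        Jenkins.get().updateNode(node);
        return HttpResponses.ok();
    }
}
```

The same two annotations apply to the Selenium actions listed above (restart the hub, replace the configuration, start or stop a node configuration): without `@RequirePOST` the crumb never has to be presented, and without a permission check on the target object the action is available to anyone who can make the victim's browser send the request.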


SECURITY-1582 / CVE-2020-2197 (permission check) & CVE-2020-2198 (unredacted encrypted secrets)
Jenkins limits access to job configuration XML data (`config.xml`) to users
with Job/ExtendedRead permission, typically implied by Job/Configure
permission. Project Inheritance Plugin has several job inspection features,
including the API URL `/job/.../getConfigAsXML` for its Inheritance Project
job type that does something similar.

Project Inheritance Plugin 19.08.02 and earlier does not check permissions
for this endpoint, granting access to job configuration XML data to every
user with Job/Read permission.

Additionally, the encrypted values of secrets stored in the job
configuration are not redacted, as they would be by the `config.xml` API
for users without Job/Configure permission.

As of publication of this advisory, there is no fix.
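The two halves of SECURITY-1582 correspond to two things core's `config.xml` handler does that the plugin endpoint skipped: it checks Job/ExtendedRead before serving anything, and for callers who lack Job/Configure it replaces encrypted secret values with `********` before the XML leaves the server. The following added example (not Project Inheritance Plugin code) reproduces both steps in a hypothetical `doGetConfigAsXML`. The regular expression is an assumption approximating the shape of Jenkins' encrypted values (a base64 blob, optionally wrapped in braces, sitting as element content); `Item.EXTENDED_READ`, `Item.CONFIGURE`, `AbstractItem.getConfigFile()` and `Secret.decrypt` are real Jenkins APIs.

```java
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import hudson.model.AbstractItem;
import hudson.model.Item;
import hudson.util.Secret;
import org.kohsuke.stapler.StaplerResponse;

/**
 * Hypothetical job-inspection endpoint (not plugin code) applying the same
 * gate and the same redaction as core's config.xml.
 */
public class ConfigAsXml {

    // Assumed approximation of an encrypted Jenkins secret stored as element
    // content: base64 with optional padding, optionally wrapped in { }.
    private static final Pattern ENCRYPTED_IN_ELEMENT =
            Pattern.compile(">(\\{?[A-Za-z0-9+/]+={0,2}\\}?)<");

    private final AbstractItem item;

    public ConfigAsXml(AbstractItem item) {
        this.item = item;
    }

    public void doGetConfigAsXML(StaplerResponse rsp) throws IOException {
        // Step 1: the missing permission check. Job/Read is not enough to see
        // configuration; Job/ExtendedRead (implied by Job/Configure) is required.
        item.checkPermission(Item.EXTENDED_READ);

        String xml = item.getConfigFile().asString();

        // Step 2: the missing redaction. Users who can read but not configure
        // the job must not receive encrypted credential values, even though
        // they cannot decrypt them without the instance's master key.
        if (!item.hasPermission(Item.CONFIGURE)) {
            xml = redactEncryptedSecrets(xml);
        }

        rsp.setContentType("application/xml;charset=UTF-8");
        rsp.getWriter().write(xml);
    }

    /**
     * Replace every element value that decrypts with this instance's key.
     * Base64 that is not a Jenkins secret (a checksum, a base64 config value)
     * fails Secret.decrypt and is left untouched.
     */
    static String redactEncryptedSecrets(String xml) {
        Matcher m = ENCRYPTED_IN_ELEMENT.matcher(xml);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            if (Secret.decrypt(m.group(1)) != null) {
                m.appendReplacement(out, ">********<");
            }
        }
        m.appendTail(out);
        return out.toString();
    }
}
```

Redaction is a second line of defence, not a substitute for the permission check: the encrypted values are only as safe as the master key, and anyone who later obtains that key (or an admin who exports it) can decrypt a copy taken earlier.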


SECURITY-1726 / CVE-2020-2199
Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape
the error message for the repository URL field form validation.

This results in a reflected cross-site scripting (XSS) vulnerability that
can also be exploited in the same way as a stored cross-site scripting
vulnerability by users with Job/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-1879 / CVE-2020-2200
A form validation endpoint in Play Framework Plugin executes the `play`
command to validate a given input file.

Play Framework Plugin 1.0.2 and earlier lets users specify the path to the
`play` command on the Jenkins master. This results in an OS command
injection vulnerability exploitable by users able to store such a file on
the Jenkins master (e.g. through archiving artifacts).

As of publication of this advisory, there is no fix.
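The Play Framework issue is a form-validation endpoint (`doCheck...` methods answer the Jenkins UI as the user types) that executes a path taken from the request. The following added example (not Play Framework Plugin code) shows that shape next to a hardened one that requires POST, restricts the check to administrators, and does not execute anything at all. `PlayPathValidation` and its method names are assumptions; `@POST`, `Jenkins.ADMINISTER` and `FormValidation` are real Stapler/Jenkins APIs.

```java
import java.io.File;
import java.io.IOException;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/**
 * Hypothetical form-validation methods (not plugin code) for a field that
 * holds the path to an external command on the Jenkins master.
 */
public class PlayPathValidation {

    /**
     * Vulnerable shape: whatever path the browser sends is executed on the
     * master, for any user who can reach the form. A user who can place a
     * file on the master (archived artifacts, a workspace) points the field
     * at it and gets code execution as the Jenkins process.
     */
    public FormValidation doCheckPlayPathVulnerable(@QueryParameter String value)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(value, "version").start();
        return p.waitFor() == 0
                ? FormValidation.ok()
                : FormValidation.error("play did not run cleanly");
    }

    /**
     * Hardened shape: POST only (so the crumb check applies and the check
     * cannot be triggered by a link), administrators only (the people who
     * configure tool paths anyway), and no process is started: the path is
     * only inspected.
     */
    @POST
    public FormValidation doCheckPlayPath(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return inspectPath(value);
    }

    /** Static checks that need no execution; the real run happens at build time. */
    static FormValidation inspectPath(String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("A path to the play command is required");
        }
        File f = new File(value.trim());
        if (!f.isAbsolute()) {
            return FormValidation.error("Use an absolute path");
        }
        if (!f.isFile()) {
            return FormValidation.warning("File not found on the master; it will be checked at build time");
        }
        if (!f.canExecute()) {
            return FormValidation.error("File exists but is not executable");
        }
        return FormValidation.ok();
    }
}
```

If a plugin genuinely must run the tool to validate it, the executable should come from an administrator-managed tool installation rather than from the request, and the validation method still needs the `@POST` and `ADMINISTER` gates shown above.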

