Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 15 Jul 2020 17:52:43 +0200
From: Wadeck Follonier <wfollonier@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.245
* Jenkins LTS 2.235.2
* Deployer Framework Plugin 1.3
* Gitlab Authentication Plugin 1.6
* Matrix Authorization Strategy Plugin 2.6.2
* Matrix Project Plugin 1.17


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2020-07-15/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1868 / CVE-2020-2220
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the
agent name on build time trend pages. This results in a stored cross-site
scripting (XSS) vulnerability exploitable by users with Agent/Configure
permission.


SECURITY-1901 / CVE-2020-2221
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the
upstream job's display name shown as part of a build cause. This results in
a stored cross-site scripting (XSS) vulnerability exploitable by users with
Job/Configure permission.


SECURITY-1902 / CVE-2020-2222
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job
name in the 'Keep this build forever' badge tooltip. This results in a
stored cross-site scripting (XSS) vulnerability exploitable by users able
to configure job names.

As job names do not generally support the character set needed for XSS,
this is believed to be difficult to exploit in common configurations.


SECURITY-1945 / CVE-2020-2223
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the
`href` attribute of links to downstream jobs displayed in the build console
page. This results in a stored cross-site scripting (XSS) vulnerability
exploitable by users with Job/Configure permission.


SECURITY-1924 / CVE-2020-2224
Matrix Project Plugin 1.16 and earlier does not escape node names shown in
tooltips on the overview page of builds with a single axis. This results in
a stored cross-site scripting (XSS) vulnerability exploitable by users with
Agent/Configure permission.


SECURITY-1925 / CVE-2020-2225
Matrix Project Plugin 1.16 and earlier does not escape the axis names shown
in tooltips on the overview page of builds with multiple axes. This results
in a stored cross-site scripting (XSS) vulnerability exploitable by users
with Job/Configure permission.


SECURITY-1909 / CVE-2020-2226
Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user
names shown in the permission table. This results in a stored cross-site
scripting (XSS) vulnerability. When using project-based matrix
authorization, this vulnerability can be exploited by a user with
Job/Configure or Agent/Configure permission, otherwise by users with
Overall/Administer permission.


SECURITY-1915 / CVE-2020-2227
Deployer Framework Plugin is a framework plugin allowing other plugins to
provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and
earlier does not escape the URL displayed in the build home page. This
results in a stored cross-site scripting (XSS) vulnerability exploitable by
users able to provide the location.

The exploitability of this vulnerability depends on the specific
implementation using Deployer Framework Plugin. The Jenkins security team
is not aware of any exploitable implementation.


SECURITY-1792 / CVE-2020-2228
Gitlab Authentication Plugin 1.5 and earlier does not differentiate between
user names and hierarchical group names when performing authorization. This
allows an attacker with permissions to create groups in GitLab to gain the
privileges granted to another user or group.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.