Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <9185D043-96BC-4E0F-9B09-6EF97C4AF4C5@beckweb.net>
Date: Wed, 4 Nov 2020 15:10:32 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Active Directory Plugin 2.20
* Ansible Plugin 1.1
* AppSpider Plugin 1.0.13
* AWS Global Configuration Plugin 1.6
* Azure Key Vault Plugin 2.1
* Kubernetes Plugin 1.27.4
* Mercurial Plugin 2.12
* SQLPlus Script Runner Plugin 2.0.13
* Subversion Plugin 2.13.2
* Visualworks Store Plugin 1.1.4

Additionally, we announce unresolved security issues in the following
plugins:

* FindBugs Plugin
* Mail Commander Plugin for Jenkins-ci Plugin
* Static Analysis Utilities Plugin
* VMware Lab Manager Slaves Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2020-11-04/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2117 / CVE-2020-2299
Active Directory Plugin implements two separate modes: Integration with
ADSI on Windows, and an OS agnostic LDAP-based mode.

The LDAP-based mode in Active Directory Plugin 2.19 and earlier shares code
between user lookup and user authentication and distinguishes these
behaviors through the use of a magic constant used in place of a real
password. This allows attackers to log in as any user if the magic constant
is used as the password in Active Directory Plugin 2.19 and earlier.


SECURITY-2099 / CVE-2020-2300
Active Directory Plugin implements two separate modes: Integration with
ADSI on Windows, and an OS agnostic LDAP-based mode.

The Windows/ADSI mode does not specifically prohibit use of empty passwords
in Active Directory Plugin 2.19 and earlier. If the Active Directory server
allows the unauthenticated bind operation, this allows attackers to log in
to Jenkins as any user by providing an empty password.


SECURITY-2123 / CVE-2020-2301
Active Directory Plugin implements two separate modes: Integration with
ADSI on Windows, and an OS agnostic LDAP-based mode. Optionally, to reduce
lookup time, a cache can be configured to remember user lookups and user
authentications.

In Active Directory Plugin 2.19 and earlier, when run in Windows/ADSI mode,
the provided password was not used when looking up an applicable cache
entry. This allows attackers to log in as any user using any password while
a successful authentication of that user is still in the cache.

As a workaround for this issue, the cache can be disabled.


SECURITY-1999 / CVE-2020-2302
Active Directory Plugin 2.19 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the domain
health check diagnostic page.


SECURITY-2126 / CVE-2020-2303
Active Directory Plugin 2.19 and earlier does not require POST requests for
multiple HTTP endpoints implementing connection and authentication tests,
resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to perform connection tests, connecting
to attacker-specified or previously configured Active Directory servers
using attacker-specified credentials.


SECURITY-2145 / CVE-2020-2304
Subversion Plugin 2.13.1 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins
parse a crafted changelog file that uses external entities for extraction
of secrets from the Jenkins controller or server-side request forgery.


SECURITY-2115 / CVE-2020-2305
Mercurial Plugin 2.11 and earlier does not configure its XML changelog
parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins
parse a crafted changelog file that uses external entities for extraction
of secrets from the Jenkins controller or server-side request forgery.


SECURITY-2104 / CVE-2020-2306
Mercurial Plugin 2.11 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to obtain a list of
names of configured Mercurial installations.


SECURITY-1646 / CVE-2020-2307
Kubernetes Plugin 1.27.3 and earlier includes a feature to replace
placeholders in pod template and container template fields with environment
variable values.

This feature allows low-privilege users to access possibly sensitive
Jenkins controller environment variables.


SECURITY-2102 / CVE-2020-2308
Kubernetes Plugin 1.27.3 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to list global pod
template names.


SECURITY-2103 / CVE-2020-2309
Kubernetes Plugin 1.27.3 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-1943 / CVE-2020-2310
Ansible Plugin 1.0 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-2101 / CVE-2020-2311
AWS Global Configuration Plugin 1.5 and earlier does not perform a
permission check in an HTTP endpoint processing form submissions.

This allows attackers with Overall/Read permission to replace the global
AWS configuration.


SECURITY-2129 / CVE-2020-2312
SQLPlus Script Runner Plugin 2.0.12 and earlier prints the `sqlplus`
command invocation to the build log.

This log message does not redact a password provided as part of a command
line argument. This password can be viewed by users with Item/Read
permission.


SECURITY-2110 / CVE-2020-2313
Azure Key Vault Plugin 2.0 and earlier does not perform permission checks
in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-2058 / CVE-2020-2314
AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its
global configuration file `com.rapid7.jenkinspider.PostBuildScan.xml` on
the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.


SECURITY-1900 / CVE-2020-2315
Visualworks Store Plugin 1.1.3 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the output of a script
that run Visualworks with StoreCI, or able to control an agent process, to
have Jenkins parse a crafted file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.


SECURITY-1907 / CVE-2020-2316
Static Analysis Utilities Plugin 1.96 and earlier does not escape the
annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-1918 / CVE-2020-2317
FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in
tooltips.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to provide report files to FindBugs Plugin's
post build step.

As of publication of this advisory, there is no fix.


SECURITY-2085 / CVE-2020-2318
Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores
passwords unencrypted in job `config.xml` files on the Jenkins controller
as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission
or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2084 / CVE-2020-2319
VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password
unencrypted in the global `config.xml` file on the Jenkins controller as
part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.