CloudBees Security Advisory 2018-09-25

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

CSRF vulnerability in JUnit Plugin SECURITY-1101

A URL used to allow setting the description of a test object in JUnit Plugin did not require POST requests, resulting in a cross-site request forgery vulnerability.

That URL now requires POST requests be sent.

CSRF vulnerability and missing permission checks in Jira Plugin allowed capturing credentials SECURITY-1029

Jira Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now require POST requests and Overall/Administer (for globally defined sites) or Item/Configure permissions (for sites defined for a folder).

Stored XSS vulnerability in Config File Provider Plugin SECURITY-1080

Config File Provider Plugin did not escape configuration file metadata, resulting in a stored cross-site scripting (XSS) vulnerability.

Config File Provider Plugin now escapes configuration file metadata shown on the Jenkins UI.

CSRF vulnerability in Config File Provider Plugin SECURITY-938

A URL used to save configuration files based on form submissions did not require POST requests, resulting in a CSRF vulnerability.

This URL now requires POST requests.

Stored XSS vulnerability in Rebuild Plugin SECURITY-130

Rebuild Plugin did not escape parameter descriptions shown on the rebuild form page, resulting in a stored Cross-Site Scripting (XSS) vulnerability exploitable by users with the permission to configure jobs.

Rebuild Plugin now applies the configured markup formatter to the parameter descriptions it displays.

Reflected XSS vulnerability in Job Config History Plugin SECURITY-1130

Job Config History Plugin did not escape some query parameters shown on its pages, resulting in a reflected cross-site scripting (XSS) vulnerability.

Job Config History Plugin now globally applies variable escaping to its pages.

CSRF vulnerability in Email Extension Template Plugin

Some URLs implementing form submission handling in Email Extension Template Plugin did not require POST requests, resulting in a CSRF vulnerability that allowed attackers to create or remove templates.

These URLs now require POST requests.

CSRF vulnerability and missing permission checks in HipChat Plugin allowed capturing credentials SECURITY-984 (1)

HipChat Plugin did not perform permission checks on a method that sends test notifications. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified HipChat server using attacker-specified connection settings and credentials IDs obtained through another method, capturing credentials stored in Jenkins, and submitting messages to HipChat.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now require POST requests and Overall/Administer permissions.

Unprivileged users with Overall/Read access are able to enumerate credential IDs in HipChat Plugin SECURITY-984 (2)

HipChat Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Mesos Plugin SECURITY-1013 (1)

Mesos Plugin provides a list of applicable credential IDs to allow administrators configuring the Mesos cloud to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

Server-side request forgery vulnerability in Mesos Plugin SECURITY-1013 (2)

A missing permission check in a form validation method in Mesos Plugin allowed users with Overall/Read permission to initiate a connection test, connecting to an attacker-specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Server-side request forgery vulnerability in Crowd 2 Integration Plugin SECURITY-1067

Crowd 2 Integration Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL with attacker-specified credentials and connection settings.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Crowd 2 Integration Plugin stored credentials in plain text SECURITY-1068

Crowd 2 Integration Plugin stored the Crowd password unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

CSRF vulnerability and missing permission checks in MQ Notifier Plugin SECURITY-972

Users with Overall/Read permission were able to access MQ Notifier Plugin’s form validation URL, having it connect to an attacker-specified MQ system with attacker-specified credentials.

Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability.

The form validation now performs a permission check and requires POST requests to be sent.

Stored XSS vulnerability in Metadata Plugin SECURITY-1075

A stored cross-site scripting (XSS) vulnerability in Metadata Plugin allows users with permission to change metadata definitions to insert arbitrary HTML/Javascript into Jenkins pages.

As of publication of this advisory, there is no fix.

Missing permission check in Metadata Plugin allows unauthorized users to change Metadata Plugin configuration SECURITY-1135

Metadata Plugin lacks a permission check that allows users with Overall/Read access to Jenkins to change the plugin’s configuration.

As of publication of this advisory, there is no fix.

Artifactory Plugin stored old directly entered credentials unencrypted on disk SECURITY-265

Artifactory Plugin 2.4.0 introduced support for securely storing credentials using the Credentials Plugin. Old, insecurely stored credentials however were not removed when switching to this new system.

Artifactory Plugin 2.16.2 and newer remove obsolete credentials stored in plain text when using the Credentials Plugin integration.

PAM Authentication Plugin did not properly validate user accounts SECURITY-813 / CVE-2017-12197

The pam4j library bundled in PAM Authentication Plugin had a bug that resulted in it not properly validating user accounts.

The bundled version of the library was updated to include the fix for this.

SonarQube Scanner Plugin stored server authentication token in plain text​​​​​​​ SECURITY-1163

SonarQube Scanner Plugin stored a server authentication token unencrypted in its global configuration file on the Jenkins master. This token could be viewed by users with access to the master file system.

The plugin now stores the token encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

Stored XSS vulnerability in Git Changelog Plugin SECURITY-1122

Git Changelog Plugin did not escape the Git commit messages it displayed since version 1.48, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with commit access to specific Git repositories.

Git Changelog Plugin 2.7 and newer escape Git commit messages shown on the UI.

Arachni Scanner Plugin stored credentials in plain text ​​​​​​​SECURITY-948

Arachni Scanner Plugin stored its password unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system.

The plugin now integrates with Credentials Plugin . Existing configurations are migrated.

CSRF vulnerability and missing permission checks in Argus Notifier Plugin allowed capturing credentials ​​​​​​​SECURITY-1011 (1)

Argus Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now require POST requests and Overall/Administer permission.

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Argus Notifier Plugin SECURITY-1011 (2)

Argus Notifier Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

CSRF vulnerability and missing permission checks in Chatter Notifier Plugin allowed capturing credentials SECURITY-1050 (1)

Chatter Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now require POST requests and Item/Configure permission on the job being configured.

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Chatter Notifier Plugin SECURITY-1050 (2)

Chatter Notifier Plugin provides a list of applicable credential IDs to allow users configuring the plugin’s functionality to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Item/Configure permission for the job being configured.

Dimensions Plugin stored credentials in plain text SECURITY-1065

Dimensions Plugin stored a password unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

CSRF vulnerability and missing permission checks in Dimensions Plugin SECURITY-1108

Users with Overall/Read permission were able to access Dimensions Plugin’s form validation URL, having it connect to an attacker-specified Dimensions system with attacker-specified credentials.

Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability.

The form validation now performs a permission check and requires POST requests to be sent.

Publish Over Dropbox Plugin stored credentials in plain text SECURITY-845

Publish Over Dropbox Plugin stored authorization code and access code unencrypted in its global configuration file on the Jenkins master. These secrets could be viewed by users with access to the master file system.

Additionally, the authorization code was not masked from view using a password form field.

The plugin now stores these secrets encrypted in the configuration files on disk and no longer transfers the authorization code to users viewing the configuration form in plain text.

XML External Entity Processing Vulnerability in Monitoring Plugin ​​​​​​​SECURITY-1156 / CVE-2018-15531

The JavaMelody library bundled in Monitoring Plugin is affected by an XML External Entity (XXE) processing vulnerability.

This allows attacker to send crafted requests to a web application for extraction of secrets from the file system, server-side request forgery, or denial-of-service attacks.

Monitoring plugin 1.74 updates its JavaMelody dependency to fix the issue.

The Jenkins security team and the maintainer of Monitoring Plugin have been unable to reproduce the issue in Jenkins, but we still recommend updating.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded 2.138.1.2

  • CloudBees Cloud Platforms should be upgraded 2.138.1.2

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.138.1.2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.138.1.2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.73.35.0.1

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.107.x.0.z) should be upgraded to version 2.107.34.0.1

  • CloudBees Jenkins Team should be upgraded to version 2.138.1.2

  • DEV@cloud is already protected