CloudBees Security Advisory 2014-02-15

This advisory announces multiple security vulnerabilities that were found in Jenkins core.

SECURITY-105

In some places, Jenkins XML API uses XStream to deserialize arbitrary content, which is affected by CVE-2013-7285 reported against XStream. This allows malicious users of Jenkins with a limited set of permissions to execute arbitrary code inside Jenkins master.

SECURITY-76 & SECURITY-88 / CVE-2013-5573

Restrictions of HTML tags for user-editable contents are too lax. This allows malicious users of Jenkins to trick other unsuspecting users into providing sensitive information.

SECURITY-109

Plugging a hole in the earlier fix to SECURITY-55. Under some circimstances, a malicious user of Jenkins can configure job X to trigger another job Y that the user has no access to.

SECURITY-108

CLI job creation had a directory traversal vulnerability. This allows a malicious user of Jenkins with a limited set of permissions to overwrite files in the Jenkins master and escalate privileges.

SECURITY-106

The embedded Winstone servlet container is susceptive to session hijacking attack.

SECURITY-93

The password input control in the password parameter definition in the Jenkins UI was serving the actual value of the password in HTML, not an encrypted one. If a sensitive value is set as the default value of such a parameter definition, it can be exposed to unintended audience.

SECURITY-89

Deleting the user was not invalidating the API token, allowing users to access Jenkins when they shouldn't be allowed to do so.

SECURITY-80

Jenkins UI was vulnerable to click jacking attacks.

SECURITY-79

"Jenkins' own user database" was revealing the presence/absence of users when login attempts fail.

SECURITY-77

Jenkins had a cross-site scripting vulnerability in one of its cookies. If Jenkins is deployed in an environment that allows an attacker to override Jenkins cookies in victim's browser, this vulnerability can be exploited.

SECURITY-75

Jenkins was vulnerable to session fixation attack. If Jenkins is deployed in an environment that allows an attacker to override Jenkins cookies in victim's browser, this vulnerability can be exploited.

SECURITY-74

Stored XSS vulnerability. A malicious user of Jenkins with a certain set of permissions can cause Jenkins to store arbitrary HTML fragment.

SECURITY-73

Some of the system diagnostic functionalities were checking a lesser permission than it should have. In a very limited circumstances, this can cause an attacker to gain information that he shouldn't have access to.

SECURITY-106, SECURITY-80 are rated high . An attacker only needs direct HTTP access to the server to mount this attack.

SECURITY-105, SECURITY-109, SECURITY-108, SECURITY-74 are rated high . These vulnerabilities allow attackes with valid Jenkins user accounts to escalate privileges in various ways.

SECURITY-76, SECURIT-88, SECURITY-89 are rated medium . These vulnerabilities requires an attacker to be an user of Jenkins, and the mode of the attack is limited.

SECURITY-93, SECURITY-79 are rated low . These vulnerabilities only affect a small part of Jenkins and has limited impact.

SECURITY-77, SECURITY-75, SECURITY-73 are rated low . These vulnerabilities are hard to exploit unless combined with other exploit in the network.

• Main line users should upgrade to Jenkins 1.551

• LTS users should upgrade to 1.532.2

• Users of Jenkins Enterprise by CloudBees 1.509.x should upgrade to 1.509.5.1

• Users of Jenkins Enterprise by CloudBees 1.532.x should upgrade to 1.532.2.2

• DEV@cloud users will automatically receive fixes, so no action is needed

All the prior versions are affected by these vulnerabilities.