Jenkins Security Advisory 2015-12-09

This advisory announces multiple vulnerabilities in Jenkins.

Description

Stored XSS vulnerability through workspace files and archived artifacts

SECURITY-95 / CVE-2015-7536

In certain configurations, low-privilege users were able to create e.g. HTML files in workspaces and archived artifacts that could result in XSS when accessed by other users. Jenkins now sends Content-Security-Policy headers that enable sandboxing and prohibit script execution by default.

If you rely on the previous behavior, or in case of compatibility problems with certain plugins, you can modify the header sent by Jenkins. Learn more: Configuring Content Security Policy.

CSRF vulnerability in some administrative actions

SECURITY-225 / CVE-2015-7537

Several administration/configuration related URLs could be accessed using GET, which allowed attackers to circumvent CSRF protection.

CSRF protection ineffective

SECURITY-233 / CVE-2015-7538

Malicious users were able to circumvent CSRF protection on any URL by sending specially crafted POST requests.

Jenkins plugin manager vulnerable to MITM attacks

SECURITY-234 / CVE-2015-7539

While the Jenkins update site data is digitally signed, and the signature verified by Jenkins, Jenkins did not verify the provided SHA-1 checksums for the plugin files referenced in the update site data. This enabled MITM attacks on the plugin manager, resulting in installation of attacker-provided plugins.
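The principle behind the SECURITY-234 fix, as an added example that is not Jenkins' own code: the checksum carried in the signed update-site metadata is recomputed over the downloaded plugin archive and the install is refused on mismatch or on a missing checksum. The field name "sha1", its base64 encoding, and all plugin bytes and URLs are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for a downloaded .hpi archive and a MITM-modified copy.
GOOD_HPI = b"PK\x03\x04 constructed example-plugin archive"
TAMPERED_HPI = b"PK\x03\x04 attacker-modified archive"


def b64_sha1(data: bytes) -> str:
    """Base64-encoded SHA-1 digest (encoding assumed for the 'sha1' field)."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed update-site fragment in the style of update-center.json.
# In the real flow this metadata is signed and verified; only the plugin
# download itself is what an on-path attacker could substitute.
UPDATE_SITE = json.dumps({
    "plugins": {
        "example-plugin": {
            "url": "https://updates.example.invalid/example-plugin.hpi",
            "sha1": b64_sha1(GOOD_HPI),
        },
        "no-checksum-plugin": {
            "url": "https://updates.example.invalid/no-checksum-plugin.hpi",
        },
    }
})


def verify_plugin(update_site_json: str, plugin: str, downloaded: bytes) -> bool:
    """True only if the download matches the checksum from the signed metadata.

    Fails closed: a plugin entry without a checksum is rejected rather than
    installed unverified, which is the gap this advisory describes.
    """
    entry = json.loads(update_site_json)["plugins"].get(plugin, {})
    expected = entry.get("sha1")
    if not expected:
        return False
    actual = b64_sha1(downloaded)
    # Constant-time comparison of the two base64 digests.
    return hmac.compare_digest(expected, actual)


def install_if_verified(update_site_json: str, plugin: str, downloaded: bytes) -> bool:
    """Gate the install step on checksum verification; raise on any mismatch."""
    if not verify_plugin(update_site_json, plugin, downloaded):
        raise ValueError(f"checksum verification failed for {plugin}; not installing")
    return True
```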

Severity

  • SECURITY-95 is considered medium as it allows low-privilege users to perform limited XSS in certain configurations.

  • SECURITY-225 is considered high as it allows unprivileged attackers to perform some administrative actions via CSRF.

  • SECURITY-233 is considered high as it allows unprivileged attackers to circumvent CSRF protection.

  • SECURITY-234 is considered high as it allows attackers able to manipulate the network path between Jenkins and the update site to install and run arbitrary code on Jenkins.

Affected versions

  • All Jenkins main line releases up to and including 1.640

  • All Jenkins LTS releases up to and including 1.625.2

Fix

  • Jenkins main line users should update to 1.641

  • Jenkins LTS users should update to 1.625.3

These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.

Credit

The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:

  • Alex Soto Bueno, CloudBees, Inc. for SECURITY-234

  • Antoine Musso and Timo Tijhof for SECURITY-95

  • Plastunov Andrey, Digital Security (dsec.ru) for SECURITY-225 and SECURITY-233