Jenkins Security Advisory 2018-07-18

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)

Descriptions

Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart

SECURITY-897 / CVE-2018-1999001

Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. This configuration file contains basic configuration of Jenkins, including the selected security realm and authorization strategy. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.

The fix prevents this behavior.

To mitigate this problem, we strongly advise that administrators of Jenkins instances without this fix, that are reachable by untrusted users, save the global configuration shortly before shutting down Jenkins. Doing so will write the current configuration from memory to the config.xml file, which is only read on startup or when reloading configuration.

If Jenkins has already been shut down after this issue has been exploited, the config.xml file can be found at users/$002e$002e/config.xml in the Jenkins home directory.

This issue was caused by the fix for SECURITY-499 in the 2017-11-08 security advisory.

Arbitrary file read vulnerability

SECURITY-914 / CVE-2018-1999002

An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to.

Input validation in Stapler has been improved to prevent this.

Unauthorized users could cancel queued builds

SECURITY-891 / CVE-2018-1999003

The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds.

The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission.

Unauthorized users could initiate and abort agent launches

SECURITY-892 / CVE-2018-1999004

The URL that initiates agent launches on the Jenkins controller did not perform a permission check, allowing users with Overall/Read permission to initiate agent launches.

Doing so canceled all ongoing launches for the specified agent, so this allowed attackers to prevent an agent from launching indefinitely.

The URL for agent launches now ensures that the user has the Agent/Connect permission.

Stored XSS vulnerability

SECURITY-944 / CVE-2018-1999005

The build timeline widget shown on URLs like /view/…/builds did not properly escape display names of items. This resulted in a cross-site scripting vulnerability exploitable by users able to control item display names.

Jenkins now escapes job display names shown on the timeline widget.

Unauthorized users are able to determine when a plugin was extracted from its JPI package

SECURITY-925 / CVE-2018-1999006

Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users with Overall/Read permission. This allowed unauthorized users to determine the likely install date of a given plugin.

The affected files are no longer available via HTTP.

XSS vulnerability in Stapler debug mode

SECURITY-390 / CVE-2018-1999007

Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information. Those error pages did not escape parts of URLs they displayed, in rare cases resulting in a cross-site scripting vulnerability.

Parts of URLs displayed on these error pages are now properly escaped.

As a workaround, Stapler debug mode should not be enabled on instances accessible to untrusted users.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.132
  • Jenkins LTS up to and including 2.121.1

Fix

  • Jenkins weekly should be updated to version 2.133
  • Jenkins LTS should be updated to version 2.121.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • AZZAZ Yasmine, IT Security Engineer for SECURITY-944
  • Daniel Beck, CloudBees, Inc. for SECURITY-390, SECURITY-925
  • Nimrod Stoler of CyberArk Labs for SECURITY-891, SECURITY-892, SECURITY-897
  • Orange Tsai(@orange_8361) from DEVCORE for SECURITY-914