Jenkins Security Advisory 2019-03-25

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin

SECURITY-1353 / CVE-2019-1003040 (Script Security) and CVE-2019-1003041 (Pipeline: Groovy)

Sandbox protection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.

Script Security and Pipeline: Groovy have been hardened to prevent these methods of bypassing sandbox protection.

XSS vulnerability in Lockable Resources Plugin

SECURITY-1361 / CVE-2019-1003042

Lockable Resources Plugin did not properly escape resource names in generated JavaScript code, thus leading to a cross-site scripting (XSS) vulnerability.

The plugin now properly escapes resource names in its scripts.

CSRF vulnerability and missing permission checks in Slack Notification Plugin allowed capturing credentials

SECURITY-976 / CVE-2019-1003043 (missing permission check) and CVE-2019-1003044 (CSRF)

Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration).

ECS Publisher Plugin stored and displayed API token in plain text

SECURITY-846 / CVE-2019-1003045

ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml files and its global configuration file on the Jenkins controller. This token could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Additionally, the API token was not masked from view using a password form field.

The plugin now stores the API token encrypted in the configuration files on disk and no longer transmits it in plain text to users viewing the configuration form.

SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin

SECURITY-992 / CVE-2019-1003046 (CSRF) and CVE-2019-1003047 (missing permission check)

A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation methods did not require POST requests, resulting in a CSRF vulnerability.

The form validation methods now require POST requests and perform a permission check.

PRQA Plugin stored password in plain text

SECURITY-1089 / CVE-2019-1003048

PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the password encrypted in the configuration files on disk.
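The fix applied in the ECS Publisher and PRQA sections above, as an added example that is not code from either plugin: a hypothetical global configuration (names `ExampleGlobalConfiguration` and `apiToken` are assumptions) that stores its token as `hudson.util.Secret`, so the value persisted on the controller is encrypted and the configuration form receives the encrypted form rather than the clear text.

```java
// Added example (not ECS Publisher or PRQA plugin code): a hypothetical global
// configuration storing an API token as hudson.util.Secret, so the value written
// to the configuration file on disk is encrypted rather than plain text.
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {

    // Weak form (what the advisory describes): a String is serialized verbatim
    // into the XML file, readable by anyone with controller file-system access.
    //   private String apiToken;

    // Hardened form: Secret serializes as an encrypted value, not the token itself.
    private Secret apiToken;

    public ExampleGlobalConfiguration() {
        load(); // read the persisted (encrypted) value back from disk
    }

    // Return the Secret, not its plain text: the config form's
    // <f:password field="apiToken"/> then renders the encrypted form in a
    // password input, so the clear-text token never reaches the browser.
    public Secret getApiToken() {
        return apiToken;
    }

    @DataBoundSetter
    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save(); // persists the encrypted representation
    }

    // Decrypt only at the point of use, on the controller, when calling the API.
    public String apiTokenForRequest() {
        return Secret.toString(apiToken);
    }

    public static ExampleGlobalConfiguration get() {
        return GlobalConfiguration.all().get(ExampleGlobalConfiguration.class);
    }
}
```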

Codebeamer Test Results Trend Updater Plugin stored password in plain text

SECURITY-1086 / CVE pending

Codebeamer Test Results Trend Updater Plugin stored a username and password unencrypted in jobs' config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or with access to the Jenkins controller file system.

The plugin now integrates with Credentials Plugin.

Unprivileged users with Overall/Read access were able to enumerate credential IDs in Arxan MAM Publisher Plugin

SECURITY-1328 / CVE pending

Arxan MAM Publisher Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to obtain a list of valid credential IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

Enumerating credential IDs in this plugin now requires Overall/Administer permission.
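The access-control pattern behind the Slack Notification, Fortify on Demand Uploader and Arxan MAM Publisher fixes above, as an added example that is not code from any of those plugins: a descriptor for a hypothetical build step (`ExampleStepDescriptor`, `serverUrl` and `credentialsId` are assumed names) whose credentials dropdown and connection test apply the permission checks and POST requirement the advisory describes.

```java
// Added example (not code from any plugin in this advisory): a descriptor for a
// hypothetical build step showing the checks the fixes above apply. Everything
// except the Jenkins core and Credentials Plugin APIs is an assumed name.
import hudson.Extension;
import hudson.model.*;
import hudson.security.ACL;
import hudson.tasks.*;
import hudson.util.*;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.*;
import org.kohsuke.stapler.interceptor.RequirePOST;
import com.cloudbees.plugins.credentials.common.*;

@Extension
public class ExampleStepDescriptor extends BuildStepDescriptor<Builder> {

    // Credentials dropdown. Without the hasPermission gate any Overall/Read user
    // could list valid credential IDs (the SECURITY-1328 gap); with it, callers
    // lacking the permission only get back the value already saved in the form.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                         : !item.hasPermission(Item.EXTENDED_READ)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
    }

    // Connection test. @RequirePOST rejects plain GET requests, which closes the
    // CSRF gap; the permission check stops Overall/Read users from making the
    // controller connect to a URL they chose with credentials they named.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
            @QueryParameter String serverUrl, @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global configuration
        } else {
            item.checkPermission(Item.CONFIGURE);              // job configuration
        }
        // Only after both gates is it safe to resolve credentialsId and contact
        // serverUrl; the connection itself is outside this example's scope.
        return FormValidation.ok("Permission checks passed for " + serverUrl);
    }

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) {
        return true;
    }
}
```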

Severity

Affected Versions

  • Codebeamer Test Results Trend Updater Plugin up to and including 1.1.3
  • Digital.ai App Management Publisher Plugin up to and including 2.1
  • ECS Publisher Plugin up to and including 1.0.0
  • Fortify on Demand Plugin up to and including 3.0.10
  • Helix QAC Plugin up to and including 3.1.0
  • Lockable Resources Plugin up to and including 2.4
  • Pipeline: Groovy Plugin up to and including 2.64
  • Script Security Plugin up to and including 1.55
  • Slack Notification Plugin up to and including 2.19

Fix

  • Codebeamer Test Results Trend Updater Plugin should be updated to version 1.1.4
  • Digital.ai App Management Publisher Plugin should be updated to version 2.2
  • ECS Publisher Plugin should be updated to version 1.0.1
  • Fortify on Demand Plugin should be updated to version 3.0.11
  • Helix QAC Plugin should be updated to version 3.1.2
  • Lockable Resources Plugin should be updated to version 2.5
  • Pipeline: Groovy Plugin should be updated to version 2.65
  • Script Security Plugin should be updated to version 1.56
  • Slack Notification Plugin should be updated to version 2.20

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Anthony Weems, Praetorian for SECURITY-1353
  • Daniel Beck, CloudBees, Inc. for SECURITY-1328
  • Jesper den Boer for SECURITY-1361
  • Viktor Gazdag for SECURITY-846, SECURITY-976, SECURITY-992, SECURITY-1086, SECURITY-1089