Jenkins Security Advisory 2019-04-10

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)

Descriptions

Jenkins accepted cached legacy CLI authentication

SECURITY-1289 / CVE-2019-1003049

The fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based CLI authentication caches.

This means that users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated.

Support for the remoting-based CLI was dropped in Jenkins 2.165, so newer weekly releases are not affected. Jenkins 2.164.2 no longer supports legacy CLI authentication caches from before 2.150.2/2.160, and these users will be considered logged out.

XSS vulnerability in form validation button

SECURITY-1327 / CVE-2019-1003050

The f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.

The affected form control has been rewritten to no longer need to escape job URLs.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.171
  • Jenkins LTS up to and including 2.164.1

Fix

  • Jenkins weekly should be updated to version 2.172
  • Jenkins LTS should be updated to version 2.164.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-1289