Jenkins Security Advisory 2019-05-31

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Persisted XSS vulnerability in Warnings Next Generation Plugin

SECURITY-1373 / CVE-2019-10325

Warnings Next Generation Plugin rendered the name of a custom warnings parser unescaped on Jenkins web pages. This allowed attackers with Job/Configure permission to define a custom parser whose name included HTML and JavaScript, resulting in a persisted cross-site scripting vulnerability.

Warnings Next Generation Plugin now properly escapes custom warnings parser names.

CSRF vulnerability in Warnings Next Generation Plugin

SECURITY-1391 / CVE-2019-10326

Warnings Next Generation Plugin did not require that requests sent to the endpoint used to reset warning counts use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to reset warning counts for future builds.

Warnings Next Generation Plugin now requires that these requests be sent via POST.

XML External Entity processing vulnerability in Pipeline Maven Integration Plugin

SECURITY-1409 / CVE-2019-10327

Pipeline Maven Integration Plugin did not configure its XML parser in a way that would prevent XML External Entity (XXE) processing.

This allowed attackers able to control the contents of a temporary directory on the agent that the Maven build is executing on to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Pipeline Maven Integration Plugin no longer processes XML External Entities in XML documents.

Unsafe entry in Script Security list of approved signatures in Pipeline Remote Loader Plugin

SECURITY-921 / CVE-2019-10328

Pipeline Remote Loader Plugin provides a custom list of pre-approved signatures for Script Security. Those entries apply to all scripts with sandbox protection, such as Pipeline.

One entry provided here was unsafe, as it allowed invoking arbitrary methods, bypassing sandbox protection.

The unsafe pre-approved entry has been removed.

InfluxDB Plugin stored credentials in plain text

SECURITY-1403 / CVE-2019-10329

InfluxDB Plugin stored target passwords unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

InfluxDB Plugin now stores its passwords encrypted.

Improper handling of untrusted branches in Gitea Plugin

SECURITY-1046 / CVE-2019-10330

Multibranch pipelines are typically configured so that only committers to the repository are able to effectively propose changes to Jenkinsfiles. Changes to Jenkinsfiles in pull requests created by other users would not be trusted, and the target branch’s Jenkinsfile content is used instead.

Gitea Plugin did not implement this behavior. Attackers without commit access to the Git repository could therefore propose changes to Jenkinsfiles and have those be applied for PR builds despite the configuration declaring them to be untrusted.

Gitea Plugin now implements the desired behavior of only trusting pull request content when those are trusted.

CSRF vulnerability and missing permission check in Artifactory Plugin allow capturing credentials

SECURITY-1015 (1) / CVE-2019-10321 (CSRF), CVE-2019-10322 (missing permission check)

Artifactory Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, no release containing a fix is available.

Users with Overall/Read access could enumerate credential IDs in Artifactory Plugin

SECURITY-1015 (2) / CVE-2019-10323

Artifactory Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, no release containing a fix is available.

CSRF vulnerability in Artifactory Plugin

SECURITY-1347 / CVE-2019-10324

Artifactory Plugin implements a number of API endpoints allowing users to trigger various actions related to releasing and promotion.

These endpoints do not require POST requests, resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, no release containing a fix is available.

Severity

Affected Versions

  • Artifactory Plugin up to and including 3.2.2
  • Gitea Plugin up to and including 1.1.1
  • InfluxDB Plugin up to and including 1.21
  • Pipeline Maven Integration Plugin up to and including 3.7.0
  • Pipeline Remote Loader Plugin up to and including 1.4
  • Warnings Next Generation Plugin up to and including 5.0.0

Fix

  • Gitea Plugin should be updated to version 1.1.2
  • InfluxDB Plugin should be updated to version 1.22
  • Pipeline Maven Integration Plugin should be updated to version 3.7.1
  • Pipeline Remote Loader Plugin should be updated to version 1.5
  • Warnings Next Generation Plugin should be updated to version 5.1.0

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Artifactory Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-1391
  • Jesse Glick, CloudBees, Inc. for SECURITY-921
  • Kurt Boberg, DocuSign Inc. for SECURITY-1409
  • Oleg Naneshev and Fred Blaise, CloudBees, Inc. for SECURITY-1347
  • Oleg Nenashev, CloudBees, Inc., and Peter Adkins of Cisco Umbrella for SECURITY-1015 (1), SECURITY-1015 (2)
  • René Scheibe for SECURITY-1403
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1373