Jenkins Security Advisory 2019-06-11

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • CloudBees CD Plugin
  • JX Resources Plugin
  • Token Macro Plugin

Descriptions

XML External Entity processing vulnerability in Token Macro Plugin

SECURITY-1399 / CVE-2019-10337

Token Macro Plugin did not configure its XML parser in a way that would prevent XML External Entity (XXE) processing.

This allowed attackers able to control the contents of files processed with the ${XML} macro to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.

Token Macro Plugin no longer processes XML External Entities in XML documents.
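The fix class applied here, as an added example that is not Token Macro Plugin's own code: a JDK DOM parser configured so that a DOCTYPE, and therefore any external entity declaration, is rejected before the document body is read. The class name and the sample document are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Assumed helper, not Token Macro Plugin code: a DOM parser hardened against XXE.
public final class HardenedXmlParser {

    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: reject any DOCTYPE, which is where entity declarations live.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that honour these features but not the one above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    public static Document parse(String xml) throws Exception {
        return newBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity, the shape an XXE document takes.
        String withExternalEntity = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"http://example.invalid/e.xml\">]>"
                + "<r>&ext;</r>";
        try {
            parse(withExternalEntity);
            System.out.println("unexpected: document accepted");
        } catch (SAXException e) {
            // Expected: the parser stops at the DOCTYPE, before any entity could be resolved.
            System.out.println("rejected: " + e.getMessage());
        }
        // Documents without a DOCTYPE still parse normally.
        Document ok = parse("<r><v>ok</v></r>");
        System.out.println("root element: " + ok.getDocumentElement().getTagName());
    }
}
```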

CSRF vulnerability and missing permission check in JX Resources Plugin

SECURITY-1379 / CVE-2019-10338 (CSRF), CVE-2019-10339 (improper authorization)

JX Resources Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes server and obtain information about an attacker-specified namespace. Doing so might also leak service account credentials used for the connection. Additionally, it allowed attackers to obtain the value of any attacker-specified environment variable for the Jenkins controller process.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in CloudBees CD Plugin allowed SSRF

SECURITY-1410 (1) / CVE-2019-10331 (CSRF), CVE-2019-10332 (missing permission checks)

A missing permission check in a form validation method in CloudBees CD Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password.

Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Missing permission checks in CloudBees CD Plugin

SECURITY-1410 (2) / CVE-2019-10333

Various form validation and form autocompletion methods in CloudBees CD Plugin lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of CloudBees CD Plugin, as well as the configuration and data of connected ElectricFlow servers.

These form validation and autocompletion methods now require Overall/Administer or Job/Configure permission, as appropriate for the given method.
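The corrected shape of the form validation and autocompletion methods described for SECURITY-1379 and both parts of SECURITY-1410, as an added example that is hypothetical plugin code, not JX Resources Plugin or CloudBees CD Plugin code. Method and field names are assumed; the Jenkins and Stapler APIs used (`@RequirePOST`, `checkPermission`, `FormValidation`, `AutoCompletionCandidates`) are the real ones.

```java
import hudson.Extension;
import hudson.model.AutoCompletionCandidates;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical plugin configuration, not JX Resources or CloudBees CD Plugin code.
@Extension
public class ExampleServerConfiguration extends GlobalConfiguration {

    // Without @RequirePOST and the checkPermission call this is the vulnerable shape from the
    // advisory: reachable by GET from any Overall/Read user, so Jenkins could be made to connect
    // to a chosen server with chosen credentials. POST makes Stapler enforce the CSRF crumb.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
            @QueryParameter String username, @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(serverUrl, username, password);
    }

    // Job-level field: Job/Configure on the job being edited, Overall/Administer when there is none.
    @RequirePOST
    public FormValidation doCheckProjectName(@AncestorInPath Item job, @QueryParameter String value) {
        if (job == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        else job.checkPermission(Item.CONFIGURE);
        return (value == null || value.isEmpty()) ? FormValidation.error("Project name is required")
                                                   : FormValidation.ok();
    }

    // Autocompletion is requested with GET by the form itself, so it gets the permission check only.
    public AutoCompletionCandidates doAutoCompleteProjectName(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        AutoCompletionCandidates c = new AutoCompletionCandidates();
        for (String name : new String[] {"alpha", "beta"}) {   // constructed placeholder names
            if (value != null && name.startsWith(value)) c.add(name);
        }
        return c;
    }

    private FormValidation tryConnect(String serverUrl, String username, String password) {
        // Stand-in for the real connection test; never echo the password back in the result.
        if (serverUrl == null || serverUrl.isEmpty()) return FormValidation.error("Server URL is required");
        return FormValidation.ok("Settings accepted (no connection attempted in this example)");
    }
}
```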

CloudBees CD Plugin globally and unconditionally disabled SSL/TLS certificate validation

SECURITY-1411 / CVE-2019-10334

CloudBees CD Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM during the deployment/publication of an application.

CloudBees CD Plugin no longer disables certificate validation globally. Instead, the existing opt-in option to ignore SSL/TLS errors is applied only to the specific connection used during deployment.

This issue was caused by an incomplete fix for SECURITY-937.
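The difference between the defect and the fix in SECURITY-1411, as an added example that is not CloudBees CD Plugin's code: the same "ignore TLS errors" material applied to the JVM-wide `HttpsURLConnection` defaults versus to one connection. The class name, method names and the `ignoreTlsErrors` parameter are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Assumed helper, not CloudBees CD Plugin code: the "ignore TLS errors" opt-in applied
// process-wide (the SECURITY-1411 defect) versus to a single connection (the fix).
public final class TlsErrorScope {

    // Accept-anything trust material; acceptable only behind an explicit per-server opt-in.
    private static final TrustManager[] TRUST_ALL = { new X509TrustManager() {
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    } };
    private static final HostnameVerifier ANY_HOST = (hostname, session) -> true;

    private static SSLContext trustAllContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        return ctx;
    }

    // DEFECT: mutates JVM-wide defaults, so every HttpsURLConnection opened afterwards by any
    // plugin on the controller silently stops validating certificates and hostnames.
    public static void disableValidationGlobally() throws GeneralSecurityException {
        HttpsURLConnection.setDefaultSSLSocketFactory(trustAllContext().getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(ANY_HOST);
    }

    // FIX: the relaxed settings are attached to this one connection only, and only when the
    // administrator opted in for this particular server; the JVM defaults stay untouched.
    public static HttpsURLConnection open(URL url, boolean ignoreTlsErrors)
            throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (ignoreTlsErrors) {
            conn.setSSLSocketFactory(trustAllContext().getSocketFactory());
            conn.setHostnameVerifier(ANY_HOST);
        }
        return conn;
    }
}
```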

XSS vulnerability in build metadata contributed by CloudBees CD Plugin

SECURITY-1412 / CVE-2019-10335

The plugin adds metadata displayed on build pages during its operations.

User-controlled content was not escaped, resulting in a cross-site scripting vulnerability that allowed users with Job/Configure permission, or attackers controlling API responses received from ElectricFlow, to render arbitrary HTML and JavaScript on Jenkins build pages.

Build metadata is now filtered through an HTML formatter that only allows basic HTML, neutralizing any unsafe content. Additionally, all builds executed after the security update is applied will properly escape content received from ElectricFlow.

XSS vulnerability in CloudBees CD Plugin affecting job configuration forms

SECURITY-1420 / CVE-2019-10336

The configuration forms of various post-build steps contributed by CloudBees CD Plugin were vulnerable to cross-site scripting.

This allowed attackers able to control the output of connected ElectricFlow servers' APIs to inject arbitrary HTML and JavaScript into the configuration form.

CloudBees CD Plugin no longer interprets HTML/JavaScript in responses from ElectricFlow server APIs on job configuration forms.

Severity

Affected Versions

  • CloudBees CD Plugin up to and including 1.1.6
  • JX Resources Plugin up to and including 1.0.36
  • Token Macro Plugin up to and including 2.7

Fix

  • CloudBees CD Plugin should be updated to version 1.1.7
  • JX Resources Plugin should be updated to version 1.0.37
  • Token Macro Plugin should be updated to version 2.8

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-1399, SECURITY-1410 (1), SECURITY-1410 (2), SECURITY-1411, SECURITY-1412
  • Jesse Glick, CloudBees, Inc. for SECURITY-1379