Jenkins Security Advisory 2019-08-07

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Configuration as Code Plugin failed to mask secrets in system log messages

SECURITY-1497 / CVE-2019-10367

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the fix for SECURITY-1279 in the 2019-07-31 security advisory.

That fix was incomplete and did not cover a log message written to the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.

Configuration as Code Plugin now uses the same secret detection for these log messages.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the INFO level, Configuration as Code Plugin 1.26 logs them at FINE. See the logging documentation for details.

CSRF vulnerability and missing permission check in JClouds Plugin allowed capturing credentials

SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)

JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permission.

Mask Passwords Plugin shows plain text passwords in global configuration form fields

SECURITY-157 / CVE-2019-10370

Mask Passwords Plugin allows specifying passwords to be provided to builds in the global Jenkins configuration.

While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

HTTP session fixation vulnerability in GitLab Authentication Plugin

SECURITY-795 / CVE-2019-10371

GitLab Authentication Plugin does not invalidate the previous session and create a new one upon successful login. This allows attackers able to control or obtain another user’s pre-login session ID to impersonate them.

As of publication of this advisory, there is no fix.

Open redirect vulnerability in GitLab Authentication Plugin

SECURITY-796 / CVE-2019-10372

GitLab Authentication Plugin records the HTTP Referer header when the authentication process starts and redirects users to that URL when the user has finished logging in.

This implements an open redirect, allowing malicious sites to implement a phishing attack, with users expecting they have just logged in to Jenkins.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Build Pipeline Plugin

SECURITY-879 / CVE-2019-10373

Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines.

This vulnerability is only exploitable on Jenkins releases older than 2.146 or 2.138.2 due to the security hardening implemented in those releases.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in PegDown Formatter Plugin

SECURITY-142 / CVE-2019-10374

PegDown Formatter Plugin uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting (XSS) as a feature.

PegDown Formatter Plugin does not prevent the use of javascript: scheme in URLs for links. This results in an XSS vulnerability exploitable by users able to configure entities with descriptions or similar properties that are rendered by the configured markup formatter.

As of publication of this advisory, there is no fix.

Arbitrary file read vulnerability in File System SCM Plugin

SECURITY-569 / CVE-2019-10375

File System SCM Plugin allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent.

As of publication of this advisory, there is no fix.

Reflected XSS vulnerability in Wall Display Master Project Plugin

SECURITY-751 / CVE-2019-10376

Wall Display Master Project Plugin does not properly escape the customTheme query parameter, resulting in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

Avatar Plugin allows changing other users' avatars

SECURITY-1099 / CVE-2019-10377

Avatar Plugin does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user’s avatar, in addition to their own.

As of publication of this advisory, there is no fix.

TestLink Plugin stores credentials in plain text

SECURITY-1428 / CVE-2019-10378

TestLink Plugin stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Google Cloud Messaging Notification Plugin stores credentials in plain text

SECURITY-591 / CVE-2019-10379

Google Cloud Messaging Notification Plugin stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Script sandbox bypass vulnerability in Simple Travis Pipeline Runner Plugin

SECURITY-922 / CVE-2019-10380

Simple Travis Pipeline Runner Plugin defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox.

This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code execution on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.

Codefresh Integration Plugin globally and unconditionally disables SSL/TLS certificate validation

SECURITY-931 / CVE-2019-10381

Codefresh Integration Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

VMware Lab Manager Slaves Plugin globally and unconditionally disables SSL/TLS certificate validation

SECURITY-1376 / CVE-2019-10382

VMware Lab Manager Slaves Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

eggplant-plugin Plugin stores credentials in plain text

SECURITY-1430 / CVE-2019-10385

eggplant-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission check in XL TestView Plugin allow capturing credentials

SECURITY-1008 / CVE-2019-10386 (CSRF), CVE-2019-10387 (permission check)

XL TestView Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission check in Relution Enterprise Appstore Publisher Plugin allow SSRF

SECURITY-1053 / CVE-2019-10388 (CSRF), CVE-2019-10389 (permission check)

A missing permission check in a form validation method in Relution Enterprise Appstore Publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL using attacker-specified credentials and attacker-specified HTTP proxy configuration.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • Avatar Plugin up to and including 1.2
  • Build Pipeline Plugin up to and including 1.5.8
  • Codefresh Integration Plugin up to and including 1.8
  • Configuration as Code Plugin up to and including 1.26
  • eggplant-plugin Plugin up to and including 2.2
  • File System SCM Plugin up to and including 2.1
  • Google Cloud Messaging Notification Plugin up to and including 1.0
  • GitLab Authentication Plugin up to and including 1.4
  • JClouds Plugin up to and including 2.14
  • Mask Passwords Plugin up to and including 2.12.0
  • PegDown Formatter Plugin up to and including 1.3
  • Relution Enterprise Appstore Publisher Plugin up to and including 1.24
  • Simple Travis Pipeline Runner Plugin up to and including 1.0
  • TestLink Plugin up to and including 3.16
  • VMware Lab Manager Slaves Plugin up to and including 0.2.8
  • Wall Display Master Project Plugin up to and including 0.6.34
  • XL TestView Plugin up to and including 1.2.0

Fix

  • Configuration as Code Plugin should be updated to version 1.27
  • JClouds Plugin should be updated to version 2.15

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Avatar Plugin
  • Build Pipeline Plugin
  • Codefresh Integration Plugin
  • eggplant-plugin Plugin
  • File System SCM Plugin
  • Google Cloud Messaging Notification Plugin
  • GitLab Authentication Plugin
  • Mask Passwords Plugin
  • PegDown Formatter Plugin
  • Relution Enterprise Appstore Publisher Plugin
  • Simple Travis Pipeline Runner Plugin
  • TestLink Plugin
  • VMware Lab Manager Slaves Plugin
  • Wall Display Master Project Plugin
  • XL TestView Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-879, SECURITY-931, SECURITY-1053, SECURITY-1376
  • David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative for SECURITY-1428, SECURITY-1430
  • Jesse Glick, CloudBees, Inc. for SECURITY-922
  • MWR labs (@mwrlabs) for SECURITY-751
  • Matthias Schmalz, SAP SE for SECURITY-157
  • Oleg Nenashev, CloudBees, Inc. for SECURITY-1008, SECURITY-1099
  • Oleg Nenashev, CloudBees, Inc., and, independently, Viktor Gazdag NCC Group for SECURITY-1482
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-795, SECURITY-796