Jenkins Security Advisory 2021-08-31

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Azure AD Plugin
  • Code Coverage API Plugin
  • Nested View Plugin
  • Nomad Plugin
  • SAML Plugin

Descriptions

RCE vulnerability in Code Coverage API Plugin

SECURITY-2376 / CVE-2021-21677

Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.

Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.
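The contrast the two paragraphs above describe, as an added example written for this page rather than code from Code Coverage API Plugin: a plugin that reads a result file back from disk with a bare XStream instantiates whatever type the XML names, whereas Jenkins core's XStream2 applies the JEP-200 class filter and refuses types outside the allowlist. The class, field and file names (SnapshotStore, CoverageSnapshot) are assumptions for the illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import hudson.util.XStream2;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Illustrative store for per-build data a plugin keeps on the controller.
 * Class and field names are assumptions for this example.
 */
public final class SnapshotStore {

    /** Plugin-owned data; classes loaded from a plugin are on the JEP-200 allowlist automatically. */
    public static final class CoverageSnapshot {
        public String module;
        public int linesCovered;
        public int linesTotal;
    }

    // Vulnerable pattern: a plain XStream has no type filter, so whatever class
    // name the XML on disk carries gets instantiated. Whoever can write the file
    // (for example a controlled agent that produced it) chooses that class.
    private static final XStream UNFILTERED = new XStream();

    // Hardened pattern: XStream2 from Jenkins core applies the JEP-200 class
    // filter, so a type outside the allowlist is refused before instantiation.
    private static final XStream2 FILTERED = new XStream2();

    public static void save(CoverageSnapshot snapshot, Path file) throws IOException {
        try (OutputStream out = Files.newOutputStream(file)) {
            FILTERED.toXML(snapshot, out);
        }
    }

    /** Pre-fix shape: accepts any type named in the file. */
    public static Object loadUnfiltered(Path file) throws IOException {
        try (InputStream in = Files.newInputStream(file)) {
            return UNFILTERED.fromXML(in);
        }
    }

    /** Post-fix shape: only allowlisted types deserialize, and the root is type-checked. */
    public static CoverageSnapshot loadFiltered(Path file) throws IOException {
        try (InputStream in = Files.newInputStream(file)) {
            Object o = FILTERED.fromXML(in);
            if (!(o instanceof CoverageSnapshot)) {
                // Allowlisted but unexpected root types are still rejected.
                throw new IOException("Unexpected root type " + o.getClass().getName() + " in " + file);
            }
            return (CoverageSnapshot) o;
        } catch (ConversionException e) {
            // XStream2 reports a blocked type as "Refusing to unmarshal ... for
            // security reasons" and never constructs it.
            throw new IOException("Refused to deserialize " + file, e);
        }
    }
}
```

Plugin-owned classes pass the filter without further work; third-party types a plugin legitimately persists (library classes bundled in its jar) have to be listed in a `META-INF/hudson.remoting.ClassFilter` resource, which is the JEP-200 mechanism for extending the allowlist rather than reintroducing an unfiltered XStream.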

SAML Plugin allows bypassing CSRF protection for any URL

SECURITY-2469 / CVE-2021-21678

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. SAML Plugin implements this extension point for the URL that users are redirected to after login.

In SAML Plugin 2.0.7 and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in SAML Plugin 1.1.3.

SAML Plugin 2.0.8 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the one URL that needs it.

Azure AD Plugin allows bypassing CSRF protection for any URL

SECURITY-2470 / CVE-2021-21679

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Azure AD Plugin implements this extension point for URLs used by a JavaScript component.

In Azure AD Plugin 179.vf6841393099e and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in Azure AD Plugin 164.v5b48baa961d2.

Azure AD Plugin 180.v8b1e80e6f242 no longer allows bypassing CSRF protection for URLs used by the JavaScript component. Instead, that component was reconfigured to pass the expected CSRF token.
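The extension point at issue in both the SAML Plugin and Azure AD Plugin entries above is `hudson.security.csrf.CrumbExclusion`. The following is an added example, written for this page and not taken from either plugin, of the narrow implementation the fixes describe: exactly one path is exempted, by equality, and the substring-style check is shown only for contrast. The advisory does not say which check the plugins used, so the permissive variant is an assumption, as are the class name and the callback path constant.

```java
import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Exempts exactly one request path from crumb validation.
 * The class name and CALLBACK_PATH are assumptions for this example.
 */
@Extension
public final class LoginCallbackCrumbExclusion extends CrumbExclusion {

    /** Path relative to the Jenkins context root; getPathInfo() already strips the context path. */
    static final String CALLBACK_PATH = "/securityRealm/finishLogin";

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isExempt(request.getPathInfo())) {
            // Passing the request down the chain and returning true tells the
            // crumb filter that this request skips crumb validation.
            chain.doFilter(request, response);
            return true;
        }
        return false; // every other request still needs a valid crumb
    }

    /** Exact match: only the one URL that needs the exemption gets it. */
    static boolean isExempt(String pathInfo) {
        return CALLBACK_PATH.equals(pathInfo);
    }

    /**
     * The "too permissive" shape, kept here only for comparison. A substring
     * test also exempts any other request path that happens to contain the
     * callback path, which is what lets a crafted URL carry the exemption to
     * a different target.
     */
    static boolean isExemptTooPermissive(String pathInfo) {
        return pathInfo != null && pathInfo.contains(CALLBACK_PATH);
    }
}
```

Where the caller is the plugin's own browser-side script, as in the Azure AD Plugin fix, an exclusion is the wrong tool altogether: the script should send the crumb with its request (with the default crumb issuer, in the `Jenkins-Crumb` header) so the request passes the standard check and nothing is exempted.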

XXE vulnerability in Nested View Plugin

SECURITY-2411 / CVE-2021-21680

Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities to extract secrets from the Jenkins controller or to perform server-side request forgery.

Nested View Plugin 1.21 disables external entity resolution for its XML transformer.
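An added example, written for this page rather than taken from Nested View Plugin, of the transformer configuration the fix describes. It contrasts a `TransformerFactory` left at its defaults with one that disallows external DTD, entity and stylesheet access, and runs both over a constructed view definition whose external entity points at a file on the controller. The class name, the sample XML and the file path inside it are assumptions for the illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public final class SafeViewTransform {

    /** Constructed input: a view definition whose external entity reads a controller file. */
    static final String CRAFTED_VIEW =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE view [<!ENTITY secret SYSTEM \"file:///var/lib/jenkins/secrets/master.key\">]>\n"
      + "<view><name>&secret;</name></view>\n";

    /** Pre-fix shape: factory defaults resolve external DTDs and entities. */
    static TransformerFactory unsafeFactory() {
        return TransformerFactory.newInstance();
    }

    /** Post-fix shape: no external DTD, entity or stylesheet access. */
    static TransformerFactory safeFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string means "no protocols allowed" for external DTDs/entities ...
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // ... and for xsl:import / xsl:include / document() targets.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Identity transform, enough to make the parser resolve the entity. */
    static String identityTransform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            // Unsafe: if the file exists and is readable, its contents end up inside <name>.
            System.out.println("unsafe: " + identityTransform(unsafeFactory(), CRAFTED_VIEW));
        } catch (TransformerException e) {
            System.out.println("unsafe: failed only because the file could not be read: " + e.getMessage());
        }
        try {
            identityTransform(safeFactory(), CRAFTED_VIEW);
            System.out.println("safe: unexpected success");
        } catch (TransformerException e) {
            // Expected: the external entity reference is refused outright.
            System.out.println("safe: refused: " + e.getMessage());
        }
    }
}
```

The `javax.xml.XMLConstants` access properties are honoured by the JAXP implementation bundled with the JDK; a plugin that obtains its parser or transformer from another library should apply that library's equivalent settings, since the defaults are what made the attack possible here.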

Password stored in plain text by Nomad Plugin

SECURITY-2396 / CVE-2021-21681

Nomad Plugin 0.7.4 and earlier stores the passwords used to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller, as part of its worker templates configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.
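An added example, written for this page and not taken from Nomad Plugin, of the storage change described above: a `hudson.util.Secret` field is persisted by Jenkins core's XStream2 in its encrypted form, while a plain `String` field lands in config.xml verbatim. The example also migrates a record saved by the older, plaintext shape in `readResolve`, which runs when config.xml is next loaded. The class and field names (RegistryAuth, encryptedPassword) are assumptions for the illustration, as is the claim that this migration pattern is what the plugin uses.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Illustrative worker-template fragment holding registry credentials.
 * Names are assumptions for this example, not Nomad Plugin's own classes.
 */
public final class RegistryAuth extends AbstractDescribableImpl<RegistryAuth> {

    private final String username;

    /**
     * Vulnerable shape, kept only so old config.xml files still load: a String
     * field is written to disk as-is. Not transient, so XStream still reads it;
     * once null it is omitted on the next save.
     */
    @Deprecated
    private String password;

    /** Fixed shape: XStream2 writes a Secret as its encrypted form, e.g. {AQAAABAAAAAQ...}. */
    private Secret encryptedPassword;

    @DataBoundConstructor
    public RegistryAuth(String username, Secret encryptedPassword) {
        this.username = username;
        this.encryptedPassword = encryptedPassword;
    }

    /** Invoked after XStream has read this object from config.xml; upgrades legacy records. */
    private Object readResolve() {
        if (password != null && encryptedPassword == null) {
            // Secret.fromString accepts plaintext (or an already encrypted value).
            encryptedPassword = Secret.fromString(password);
            password = null; // plaintext leaves memory now and leaves disk on the next save
        }
        return this;
    }

    public String getUsername() {
        return username;
    }

    /** Returned as Secret so Jelly forms and config.xml only ever see the encrypted value. */
    public Secret getEncryptedPassword() {
        return encryptedPassword;
    }

    /** Decrypt only at the point of use, never into something that is logged or persisted. */
    public String plainTextPassword() {
        return encryptedPassword == null ? null : encryptedPassword.getPlainText();
    }

    @Extension
    public static final class DescriptorImpl extends Descriptor<RegistryAuth> {
        @Override
        public String getDisplayName() {
            return "Registry authentication";
        }
    }
}
```

Because the upgrade happens in `readResolve`, a controller that already has plaintext passwords in config.xml keeps them there until the file is reloaded and re-saved; that is the kind of restart dependency the advisory's last sentence describes, and a reason to rotate a registry password that was stored unencrypted rather than rely on the migration alone.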

Severity

Affected Versions

  • Azure AD Plugin up to and including 179.vf6841393099e
  • Code Coverage API Plugin up to and including 1.4.0
  • Nested View Plugin up to and including 1.20
  • Nomad Plugin up to and including 0.7.4
  • SAML Plugin up to and including 2.0.7

Fix

  • Azure AD Plugin should be updated to version 180.v8b1e80e6f242
  • Code Coverage API Plugin should be updated to version 1.4.1
  • Nested View Plugin should be updated to version 1.21
  • Nomad Plugin should be updated to version 0.7.5
  • SAML Plugin should be updated to version 2.0.8

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Brian Hysell, Synopsys Software Integrity Group for SECURITY-2411
  • Daniel Beck, CloudBees, Inc. for SECURITY-2469, SECURITY-2470