Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 7 Aug 2017 18:36:54 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Jenkins plugins -- multiple vulnerabilities

Jenkins is an open source automation server which enables developers around 
the world to reliably build, test, and deploy their software. The following 
plugin releases contain fixes for security vulnerabilities:

* Blue Ocean 1.1.6
* Config File Provider Plugin 2.16.2
* Datadog Plugin 0.5.7
* Deploy to container Plugin 1.13
* DRY Plugin 2.49
* OWASP Dependency-Check Plugin 2.0.1.2
* Pipeline: Groovy Plugin 2.39
* Pipeline: Input Step Plugin 2.8
* Script Security Plugin 1.31
* Static Analysis Utilities Plugin 1.92

Users of these plugins should upgrade them to the indicated versions.

Descriptions of the vulnerabilities are below. Some more details, 
severity, and attribution can be found here:
https://jenkins.io/security/advisory/2017-08-07/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you find security vulnerabilities in Jenkins, please report them as 
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---


SECURITY-467 / CVE-2017-1000102
The Details view of some Static Analysis Utilities based plugins, was 
vulnerable to a persisted cross-site scripting vulnerability: Malicious 
users able to influence the input to these plugins, for example the console 
output which is parsed to extract build warnings (Warnings Plugin), could 
insert arbitrary HTML into this view.


SECURITY-467 / CVE-2017-1000103
The custom Details view of the Static Analysis Utilities based DRY Plugin, 
was vulnerable to a persisted cross-site scripting vulnerability: Malicious 
users able to influence the input to this plugin could insert arbitrary HTML 
into this view.


SECURITY-513 / CVE-2017-1000104
The Config File Provider Plugin is used to centrally manage configuration 
files that often include secrets, such as passwords. Users with only 
Overall/Read access to Jenkins were able to access URLs directly that 
allowed viewing these files. Access to view these files now requires 
sufficient permissions to configure the provided files, view the 
configuration of the folder in which the configuration files are defined, or 
have Job/Configure permissions to a job able to use these files.


SECURITY-564 / CVE-2017-1000105
The optional Run/Artifacts permission can be enabled by setting a Java 
system property. Blue Ocean did not check this permission before providing 
access to archived artifacts, Item/Read permission was sufficient.


SECURITY-565 / CVE-2017-1000106
Blue Ocean allows the creation of GitHub organization folders that are set 
up to scan a GitHub organization for repositories and branches containing a 
Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content 
REST API supports the pipeline creation and editing feature in Blue Ocean. 

The SCM content REST API did not check the current user's authentication or 
credentials. If the GitHub organization folder was created via Blue Ocean, 
it retained a reference to its creator's GitHub credentials.

This allowed users with read access to the GitHub organization folder to 
create arbitrary commits in the repositories inside the GitHub organization 
corresponding to the GitHub organization folder with the GitHub credentials 
of the creator of the organization folder.

Additionally, users with read access to the GitHub organization folder could 
read arbitrary file contents from the repositories inside the GitHub 
organization corresponding to the GitHub organization folder if the branch 
contained a Jenkinsfile (which could be created using the other part of this 
vulnerability), and they could provide the organization folder name, 
repository name, branch name, and file name.


SECURITY-566, SECURITY-567, SECURITY-580, SECURITY-582 / CVE-2017-1000107
Script Security Plugin did not apply sandboxing restrictions to constructor 
invocations via positional arguments list, super constructor invocations, 
method references, and type coercion expressions. This could be used to 
invoke arbitrary constructors and methods, bypassing sandbox protection.


SECURITY-576 / CVE-2017-1000108
The Pipeline: Input Step Plugin by default allowed users with Item/Read 
access to a pipeline to interact with the step to provide input. This has 
been changed, and now requires users to have the Item/Build permission 
instead.


SECURITY-577 / CVE-2017-1000109
The custom Details view of the Static Analysis Utilities based OWASP 
Dependency-Check Plugin, was vulnerable to a persisted cross-site scripting 
vulnerability: Malicious users able to influence the input to this plugin 
could insert arbitrary HTML into this view.


SECURITY-587 / CVE-2017-1000110
Blue Ocean allows the creation of GitHub organization folders that are set 
up to scan a GitHub organization for repositories and branches containing a 
Jenkinsfile, and create corresponding pipelines in Jenkins.

It did not properly check the current user's authentication and 
authorization when configuring existing GitHub organization folders. This 
allowed users with read access to the GitHub organization folder to 
reconfigure it, including changing the GitHub API endpoint for the 
organization folder to an attacker-controlled server to obtain the GitHub 
access token, if the organization folder was initially created using Blue 
Ocean.


SECURITY-559 / CVE-2017-1000113
The Deploy to container Plugin stored passwords unencrypted as part of its 
configuration. This allowed users with Jenkins master local file system 
access, or users with Extended Read access to the jobs it is used in, to 
retrieve those passwords. The Deploy to container Plugin now integrates with 
Credentials Plugin to store passwords securely, and automatically migrates 
existing passwords.


SECURITY-579 / CVE-2017-1000114
The Datadog Plugin stores an API key to access the Datadog service in the 
global Jenkins configuration. While the API key is stored encrypted on disk, 
it was transmitted in plain text as part of the configuration form. This 
could result in exposure of the API key for example through browser 
extensions or cross-site scripting vulnerabilities. The Datadog Plugin now 
encrypts the API key transmitted to administrators viewing the global 
configuration form.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.