Message-Id: <B9DB968B-E225-4245-85BE-6BB6CCD8791F@beckweb.net>
Date: Tue, 30 Apr 2019 14:17:30 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

* Ansible Tower Plugin 0.9.2
* Aqua MicroScanner Plugin 1.0.6
* Azure AD Plugin 0.3.4
* GitHub Authentication Plugin 0.32
* SiteMonitor Plugin 0.6
* Static Analysis Utilities Plugin 1.96

Additionally, these plugins have security vulnerabilities that have been made
public, but have no releases containing a fix yet:

* Koji Plugin
* Self-Organizing Swarm Plug-in Modules Plugin
* Twitter Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-04-30/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1100 / CVE-2019-10307 (CSRF) and CVE-2019-10308 (permission check)
Static Analysis Utilities Plugin allows other plugins to display trend graphs 
for their static analysis results, and provides the configuration form for 
the default settings of each graph.

The configuration form and form submission handler did not perform a 
permission check, allowing attackers with Job/Read access to change the 
per-job graph configuration defaults for all users.

Additionally, the form submission handler did not require POST requests, 
resulting in a cross-site request forgery vulnerability.

Static Analysis Utilities Plugin now requires Job/Configure permission and 
POST requests to configure the per-job graph defaults for all users.


SECURITY-930 / CVE-2019-10317
SiteMonitor Plugin unconditionally disables SSL/TLS certificate validation for 
the entire Jenkins master JVM.

SiteMonitor Plugin no longer does that. Instead, it now has an opt-in option 
to ignore SSL/TLS errors for each site check individually.


SECURITY-1252 / CVE-2019-10309
Self-Organizing Swarm Plug-in Modules Plugin allows clients to auto-discover 
Jenkins instances on the same network through a UDP discovery request. 
Responses to this request are XML documents.

Self-Organizing Swarm Plug-in Modules Plugin does not configure the XML parser 
in a way that would prevent XML External Entity (XXE) processing. This allows 
unauthenticated attackers on the same network to have Swarm clients parse a 
maliciously crafted XML response that uses external entities to read arbitrary 
files from the Swarm client or to mount denial-of-service attacks.

As of publication of this advisory, there is no fix.
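The advisory leaves the Swarm parser unfixed, so as an added illustration (not the Swarm plugin's own code; the element names in the sample responses are assumed) here is how a client parsing a discovery response should configure the JDK's DOM parser so that a DOCTYPE, and with it any external entity, is rejected before anything is resolved:

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Hardened parsing of an untrusted UDP discovery response.
 * Added example; element names (<hudson>, <url>) are assumed, not taken from the plugin.
 */
public final class DiscoveryResponseParser {

    // Constructed sample: a benign discovery response.
    static final String BENIGN =
            "<hudson><version>2.164.2</version><url>http://jenkins.example:8080/</url></hudson>";

    // Constructed sample: a response that declares an external entity (the XXE shape the advisory describes).
    static final String HOSTILE =
            "<!DOCTYPE hudson [<!ENTITY xxe SYSTEM \"file:///PLACEHOLDER/path\">]>"
            + "<hudson><url>&xxe;</url></hudson>";

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE outright: closes XXE, entity-expansion bombs and external DTD fetches.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the advertised master URL, or throws if the document is not acceptable. */
    static String parseUrl(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getElementsByTagName("url").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign  -> " + parseUrl(BENIGN));
        try {
            parseUrl(HOSTILE);
            System.out.println("hostile -> parsed (parser is NOT hardened)");
        } catch (SAXException e) {
            // The JDK's bundled Xerces stops at the DOCTYPE; no file is ever opened.
            System.out.println("hostile -> rejected: " + e.getMessage());
        }
    }
}
```

The same feature set applies to `SAXParserFactory` and, via `XMLInputFactory.SUPPORT_DTD`, to StAX; whichever API a client uses, the check worth adding to a code review is that the parser is created by one shared hardened factory rather than `newInstance()` at each call site.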


SECURITY-1355 (1) / CVE-2019-10310 (CSRF) and CVE-2019-10311 (permission check)
Ansible Tower Plugin did not perform permission checks on a method 
implementing form validation. This allowed users with Overall/Read access to 
Jenkins to make Jenkins connect to an attacker-specified URL using 
attacker-specified credential IDs (obtainable through another method, see 
SECURITY-1355 (2) below), capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, 
resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer 
permissions.


SECURITY-1355 (2) / CVE-2019-10312
Ansible Tower Plugin provides a list of applicable credential IDs to allow 
users configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with 
Overall/Read permission to obtain a list of valid credential IDs. Those could 
be used as part of an attack to capture the credentials using another 
vulnerability.

Enumeration of credential IDs in this plugin now requires Overall/Administer 
permission.


SECURITY-1390 / CVE-2019-10318
Azure AD Plugin stored the client secret unencrypted in the global config.xml 
configuration file on the Jenkins master. These credentials could be viewed by 
users with access to the master file system.

Azure AD Plugin now stores the client secret encrypted.


SECURITY-1143 / CVE-2019-10313
Twitter Plugin stores credentials unencrypted in its global configuration file 
on the Jenkins master. These credentials could be viewed by users with access 
to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-936 / CVE-2019-10314
Koji Plugin unconditionally disables SSL/TLS certificate validation for the 
entire Jenkins master JVM.

As of publication of this advisory, there is no fix.
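SECURITY-930 and SECURITY-936 share one root cause: the plugin changes a process-wide default rather than configuring the single connection it is about to open. The following added example (not SiteMonitor's or Koji's code; the class name and the host names are placeholders) shows the JVM-wide pattern beside the per-check opt-in that SiteMonitor now uses, and verifies that the opt-in leaves the JVM default untouched:

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Added example: scope an "ignore TLS errors" choice to one site check. */
public final class SiteCheck {

    /*
     * BEFORE, the pattern the two advisories describe. These static setters change
     * process-wide defaults, so every HttpsURLConnection opened anywhere in the master
     * JVM (other plugins, update-centre checks, SCM polling) silently stops validating
     * certificates and host names:
     *
     *   HttpsURLConnection.setDefaultSSLSocketFactory(trustEverything().getSocketFactory());
     *   HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
     */

    private final URL url;
    private final boolean ignoreTlsErrors;   // per-site opt-in; default false

    public SiteCheck(String url, boolean ignoreTlsErrors) throws IOException {
        this.url = new URL(url);
        this.ignoreTlsErrors = ignoreTlsErrors;
    }

    /** AFTER: only this connection is affected; the JVM defaults stay intact. */
    public int fetchStatus() throws IOException, GeneralSecurityException {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (ignoreTlsErrors && conn instanceof HttpsURLConnection) {
            HttpsURLConnection https = (HttpsURLConnection) conn;
            // Instance-level setters: they do not touch the static defaults.
            https.setSSLSocketFactory(trustEverything().getSocketFactory());
            https.setHostnameVerifier((host, session) -> true);
        }
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        return conn.getResponseCode();
    }

    /** A context that accepts any chain; used only for the explicitly opted-in site. */
    private static SSLContext trustEverything() throws GeneralSecurityException {
        TrustManager[] noChecks = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, noChecks, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory before = HttpsURLConnection.getDefaultSSLSocketFactory();
        // Placeholder hosts; substitute real monitored sites to run the checks for real.
        SiteCheck strict  = new SiteCheck("https://site-a.example.invalid/", false);
        SiteCheck lenient = new SiteCheck("https://self-signed.example.invalid/", true);
        for (SiteCheck c : new SiteCheck[] { strict, lenient }) {
            try {
                System.out.println(c.url + " -> HTTP " + c.fetchStatus());
            } catch (IOException e) {
                System.out.println(c.url + " -> " + e);
            }
        }
        // The opt-in on 'lenient' must not have leaked into the process-wide default.
        if (HttpsURLConnection.getDefaultSSLSocketFactory() != before) {
            throw new AssertionError("JVM-wide TLS defaults were modified");
        }
    }
}
```

A stricter opt-in than "ignore errors" is a per-site trust store: load the site's own CA or leaf certificate into a `KeyStore`, build a `TrustManagerFactory` from it, and pass that to `SSLContext.init` instead of the no-op trust manager. Either way, the property to check in review is that no code path calls the static `setDefault*` methods on `HttpsURLConnection`.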


SECURITY-443 / CVE-2019-10315
GitHub Authentication Plugin did not use the OAuth state parameter to prevent 
CSRF. This allowed an attacker to capture the redirect URL provided during the 
OAuth authentication process and send it to a victim. If the victim was 
already logged in to Jenkins, their Jenkins account would be attached to the 
attacker’s GitHub account.

The state parameter is now correctly managed.
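"Correctly managed" means: a fresh unguessable `state` value is bound to the browser session before the redirect to GitHub, and the callback is only honoured if it carries that exact value, once. The following added example (not the GitHub Authentication plugin's code; the endpoint URL, client ID and callback URL are constructed placeholders) implements that check with a plain `Map` standing in for the HTTP session, and replays the attack the advisory describes to show it failing:

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example: OAuth login-CSRF protection with a per-session state value. */
public final class OAuthStateGuard {
    private static final String SESSION_KEY = "github-oauth-state";
    private static final SecureRandom RNG = new SecureRandom();

    // Constructed placeholders; a real plugin reads these from its configuration.
    private final String authorizeUrl = "https://github.example.invalid/login/oauth/authorize";
    private final String clientId = "PLACEHOLDER_CLIENT_ID";
    private final String callbackUrl = "https://jenkins.example.invalid/securityRealm/finishLogin";

    /** Step 1: mint a state value, bind it to this session, and build the redirect. */
    public String beginLogin(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(SESSION_KEY, state);
        return authorizeUrl + "?client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(callbackUrl)
                + "&state=" + enc(state);
    }

    /** Step 2: accept the callback only if its state matches the one bound to this session. */
    public boolean finishLogin(Map<String, Object> session, String returnedState) {
        Object expected = session.remove(SESSION_KEY);   // single use: a replay finds nothing
        if (!(expected instanceof String) || returnedState == null) {
            return false;
        }
        // Constant-time comparison; the value is secret for the lifetime of the login.
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                                     returnedState.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        try {
            return URLEncoder.encode(s, StandardCharsets.UTF_8.name());
        } catch (java.io.UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String stateFrom(String redirect) {
        return redirect.substring(redirect.indexOf("&state=") + "&state=".length());
    }

    public static void main(String[] args) {
        OAuthStateGuard guard = new OAuthStateGuard();
        Map<String, Object> attackerSession = new HashMap<>();
        Map<String, Object> victimSession = new HashMap<>();

        // The attack the advisory describes: the attacker starts a login, captures the
        // callback (which carries *their* state) and gets the victim's browser to load it.
        String attackerState = stateFrom(guard.beginLogin(attackerSession));
        boolean attached = guard.finishLogin(victimSession, attackerState);
        System.out.println("forged callback in victim session accepted? " + attached);   // false

        // A genuine login in the victim's own session succeeds exactly once.
        String victimState = stateFrom(guard.beginLogin(victimSession));
        System.out.println("genuine callback accepted? " + guard.finishLogin(victimSession, victimState)); // true
        System.out.println("replayed callback accepted? " + guard.finishLogin(victimSession, victimState)); // false
    }
}
```

In a Stapler-based plugin the `Map` would be `req.getSession()` and the two methods would be the `doCommenceLogin` and `doFinishLogin` web methods of the security realm; the shape of the check is the same.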


SECURITY-1380 / CVE-2019-10316
Aqua MicroScanner Plugin stored credentials unencrypted in its global 
configuration file on the Jenkins master. These credentials could be viewed by 
users with access to the master file system.

Aqua MicroScanner Plugin now stores credentials encrypted.
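SECURITY-1390, SECURITY-1143 and SECURITY-1380 are the same defect: a `String` field holding a secret is serialised verbatim into the plugin's global `config.xml`. The Jenkins fix in each case is to type the field as `hudson.util.Secret`, which XStream persists in its encrypted form and which the form binding decrypts and re-encrypts transparently. The following is an added example (not the Azure AD, Twitter or Aqua MicroScanner code; the class, field and legacy-field names are assumed) showing the change together with a migration step for configurations saved by the vulnerable version:

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example of storing a client secret encrypted in a global configuration.
 * Names are assumed; the mechanics (Secret, load()/save(), readResolve) are Jenkins core.
 */
@Extension
public class ExampleOAuthConfiguration extends GlobalConfiguration {

    /*
     * BEFORE: a plain String is written as-is by XStream, e.g.
     *   <clientSecret>hunter2</clientSecret>
     * readable by anyone with access to $JENKINS_HOME on the master.
     *
     *   private String clientSecret;
     */

    private String clientId;

    /** AFTER: persisted as <clientSecret>{AQAAABAAAA...}</clientSecret>, encrypted with the instance key. */
    private Secret clientSecret;

    /** Legacy field from the vulnerable version, kept only so old config.xml files still load. */
    @Deprecated
    private String clientSecretPlain;   // assumed legacy name

    public ExampleOAuthConfiguration() {
        load();
    }

    /** Runs after XStream deserialisation: move a plaintext secret into the encrypted field. */
    protected Object readResolve() {
        if (clientSecretPlain != null) {
            clientSecret = Secret.fromString(clientSecretPlain);
            clientSecretPlain = null;
            save();   // rewrite config.xml without the plaintext
        }
        return this;
    }

    public String getClientId() { return clientId; }

    @DataBoundSetter
    public void setClientId(String clientId) { this.clientId = clientId; }

    /** The Jelly form binds this with <f:password field="clientSecret"/>; the browser only ever sees the encrypted form. */
    public Secret getClientSecret() { return clientSecret; }

    @DataBoundSetter
    public void setClientSecret(Secret clientSecret) { this.clientSecret = clientSecret; }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json);   // JSON -> Secret via Secret.fromString on the submitted value
        save();
        return true;
    }

    /** Decrypt only at the point of use; never log or persist the result. */
    public String basicAuthHeader() {
        String userPass = clientId + ":" + Secret.toString(clientSecret);
        return "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }
}
```

Two things are easy to miss when making this change: a `String` field left in place for compatibility must not be `transient`, or XStream will never populate it and the migration in `readResolve` never runs; and the Jelly control must be `f:password`, not `f:textbox`, otherwise the configuration page renders the secret in clear to anyone who can open it.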
