Message-Id: <8E8091B7-344D-458B-A6C5-D3E0F71666AA@beckweb.net>
Date: Thu, 5 Apr 2018 12:37:58 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins


> On 26. Mar 2018, at 13:22, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-261
> GitHub Pull Request Builder Plugin stored serialized objects in `build.xml` 
> files that contained the credential used to poll Jenkins. This can be used 
> by users with master file system access to obtain GitHub credentials.
> 
> Since 1.40.0, the plugin no longer stores serialized objects containing the 
> credential on disk.
> 
> Builds started before the plugin was updated to 1.40.0 will retain the 
> encoded credentials on disk. We strongly recommend revoking old GitHub 
> credentials used in Jenkins.

CVE-2018-1000142


> SECURITY-262
> GitHub Pull Request Builder Plugin stored the webhook secret shared between 
> Jenkins and GitHub in plain text.
> 
> This allowed users with Jenkins master local file system access and Jenkins 
> administrators to retrieve the stored password. The latter could result in 
> exposure of the passwords through browser extensions, cross-site scripting 
> vulnerabilities, and similar situations.
> 
> GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook 
> secret encrypted on disk.

CVE-2018-1000143


> SECURITY-308
> Cucumber Living Documentation Plugin disabled the 'Content-Security-Policy' 
> HTTP header XSS protection for files served by Jenkins until Jenkins was 
> restarted whenever a Cucumber report was viewed by any user.
> 
> This has been addressed in version 1.1.0 of the plugin, and it will now 
> request that users manually change the Content-Security-Policy option in 
> Jenkins.

CVE-2018-1000144


> SECURITY-373
> Perforce Plugin encrypts its credentials using DES and a public key stored 
> in its public source code, so it only serves as basic obfuscation. This 
> allowed users with Jenkins master local file system access and Jenkins 
> administrators to retrieve the stored password. The latter could result in 
> exposure of the passwords through browser extensions, cross-site scripting 
> vulnerabilities, and similar situations.
> 
> As of publication of this advisory, there is no fix. The plugin has been 
> removed from publication at the request of its former maintainers.

CVE-2018-1000145


> SECURITY-504
> vSphere Plugin disabled SSL/TLS certificate validation unconditionally,
> allowing potential man-in-the-middle attacks.
> 
> vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by
> default.

CVE-2018-1000151


> SECURITY-519
> Liquibase Runner Plugin allows users with Job/Configure permission to 
> configure its build step in a way that loads arbitrary class files into the 
> Jenkins master JVM, resulting in arbitrary code execution.
> 
> As of publication of this advisory, there is no fix.

CVE-2018-1000146


> SECURITY-536
> Perforce Plugin implements its own credential encryption using DES and an 
> encryption key stored in its public source code. This is not considered a 
> secret by Jenkins, resulting in potential exposure of Perforce credentials 
> stored in job configurations to users with Extended Read permission.
> While these are encrypted, this can only be considered basic obfuscation 
> due to the hard-coded public encryption key used.
> 
> As of publication of this advisory, there is no fix.

CVE-2018-1000147


> SECURITY-545
> Copy To Slave Plugin allows users with Job/Configure permissions to 
> configure it in such a way that it allows obtaining arbitrary files 
> accessible to the Jenkins master process from the Jenkins master file
> system.
> 
> As of publication of this advisory, there is no fix.

CVE-2018-1000148


> SECURITY-630
> Ansible Plugin disabled host key verification by default, having it only as 
> an opt-in option.
> 
> Ansible Plugin 1.0 now enables host key verification by default, adding 
> options allowing users to opt out.
> 
> Existing configurations that previously did not opt into host key 
> verification will have host key verification enabled after update, possibly 
> resulting in failures.

CVE-2018-1000149


> SECURITY-736
> Reverse Proxy Auth Plugin persisted a cache of granted authorities (group 
> memberships) on disk.
> 
> This could allow users with local Jenkins master file system access to 
> obtain group membership information of Jenkins users.

CVE-2018-1000150


> SECURITY-745
> vSphere Plugin did not perform permission checks on methods implementing 
> form validation. This allowed users with Overall/Read access to Jenkins to 
> perform various actions such as:
> 
> * Connect to an attacker-specified vSphere server using attacker-specified 
>  credentials IDs obtained through another method, capturing credentials 
>  stored in Jenkins
> * Connect to configured vSphere servers and look up information, 
>  potentially resulting in denial of service
> 
> Additionally, these form validation methods did not require POST requests, 
> resulting in a CSRF vulnerability.
> 
> These form validation methods now require POST requests and appropriate 
> user permissions.

CVE-2018-1000152 (improper authorization) and CVE-2018-1000153 (CSRF)
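The SECURITY-745 fix pattern (form validation methods that require POST and a permission check), as an added Java illustration; this is not code from the vSphere Plugin or from the advisory, and the class, method and parameter names are hypothetical while the Jenkins and Stapler APIs used are real.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor-style class; not the vSphere Plugin's code.
public class ConnectionFormValidation {

    // BEFORE (the SECURITY-745 shape): reachable via GET by anyone with
    // Overall/Read and with no permission check. The caller picks both the
    // server and the credentials ID, so Jenkins connects to a server of the
    // caller's choosing with a stored credential, and a plain GET URL can be
    // triggered cross-site (CSRF).
    public FormValidation doTestConnectionUnsafe(@QueryParameter String serverUrl,
                                                 @QueryParameter String credentialsId) {
        return connect(serverUrl, credentialsId);
    }

    // AFTER: @RequirePOST rejects GET, so the call must be a POST and therefore
    // passes through Jenkins' CSRF crumb check; the permission check limits
    // the method to users who could already change this configuration.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            // No job in the URL path: global configuration, so require admin.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            // Job-scoped validation: the user must be able to configure the job.
            item.checkPermission(Item.CONFIGURE);
        }
        return connect(serverUrl, credentialsId);
    }

    // Hypothetical stand-in for the real connection attempt.
    private FormValidation connect(String serverUrl, String credentialsId) {
        if (serverUrl == null || serverUrl.isEmpty()) {
            return FormValidation.error("Server URL is required");
        }
        if (credentialsId == null || credentialsId.isEmpty()) {
            return FormValidation.warning("No credentials selected");
        }
        return FormValidation.ok("Connection parameters accepted");
    }
}
```

A failed `checkPermission` throws an access-denied exception that Stapler turns into an HTTP 403, so the unauthorized caller never reaches the connection code.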
