Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <C421ACBB-3B9C-49FC-A8D5-D122C448BB07@beckweb.net>
Date: Wed, 9 May 2018 11:45:54 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

* Jenkins (weekly) 2.121
* Jenkins (LTS) 2.107.3
* Black Duck Hub Plugin 4.0.0
* Groovy Postbuild Plugin 2.4

Additionally, these plugin have security vulnerabilities that have been made
public, but have no releases containing a fix yet:

* Gitlab Hook Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2018-05-09/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-771
Users with Overall/Read permission were able use the list-plugins CLI
command and view the About Jenkins page to list all installed plugins.


SECURITY-786
The built-in Jenkins user database optionally allows user registration.
This feature did not properly sanitize user names, allowing registration of
user names containing control characters. This could be used to confuse
administrators (appearing to be a different user) while preventing deletion
of such users through the UI.


SECURITY-788
The agent to master security subsystem ensures that the Jenkins master is
protected from maliciously configured agents. A path traversal vulnerability
allowed agents to escape whitelisted directories to read and write to files
they should not be able to access.


SECURITY-794
The form validation code for a tool installer improperly checked
permissions, allowing any user with Overall/Read permission to submit a
HTTP GET request to any user specified URL, and learn whether the response
was successful (HTTP 200) or not.

Additionally, this functionality did not require POST requests be used,
thereby allowing the above to be performed without direct access to Jenkins
via Cross-Site Request Forgery attacks.


SECURITY-263
Gitlab Hook Plugin does not encrypt the Gitlab API token used to access
Gitlab. This can be used by users with master file system access to obtain
GitHub credentials.

Additionally, the Gitlab API token round-trips in its plaintext form, and
is displayed in a regular text field to users with Overall/Administer
permission. This exposes the API token to people viewing a Jenkins
administrator’s screen, browser extensions, cross-site scripting
vulnerabilities, etc.


SECURITY-670
Black Duck Hub Plugin did not perform permission checks for its config.xml
API endpoint. This allowed any user with Overall/Read permission to both
read and write the plugin configuration XML.


SECURITY-671
Black Duck Hub Plugin config.xml API endpoint was affected by an XML
External Entity (XXE) processing vulnerability. This allowed an attacker
with Overall/Read access to have Jenkins parse a maliciously crafted file
that uses external entities for extraction of secrets from the Jenkins
master, server-side request forgery, or denial-of-service attacks.


SECURITY-821 / CVE pending
Groovy Postbuild Plugin did not properly escape badge content from user
input, resulting in a stored cross-site scripting vulnerability.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.