Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <13E3F1F3-822B-405C-A12B-CB6BB2E62F4C@beckweb.net>
Date: Mon, 4 Jun 2018 14:37:28 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

* AbsInt Astrée 1.0.7
* Black Duck Detect 1.4.1
* Black Duck Hub 4.0.1
* CAS 1.4.2
* Git 3.9.1
* GitHub 1.29.1
* GitHub Branch Source 2.3.5
* GitHub Pull Request Builder 1.42.0
* Kubernetes 1.7.1

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2018-06-04/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-810
Various form validation methods in Git Plugin did not check the permission 
of the user accessing them, allowing anyone with Overall/Read access to 
Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, these form validation methods did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-799
A form validation method in GitHub Plugin did not check the permission of 
the user accessing it, allowing anyone with Overall/Read access to Jenkins 
to cause Jenkins to send a POST request to a specified URL.

If that request’s HTTP response code indicates success, the form 
validation is returning a generic success message, otherwise the HTTP 
status code is returned.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-804
GitHub Plugin did not perform permission checks on a method implementing 
form validation. This allowed users with Overall/Read access to Jenkins to 
connect to an attacker-specified URL using attacker-specified credentials 
IDs obtained through another method, capturing credentials stored in 
Jenkins.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-806
A form validation method in GitHub Branch Source Plugin did not check the 
permission of the user accessing them, allowing anyone with Overall/Read 
access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-805
GitHub Pull Request Builder Plugin did not perform permission checks on 
methods implementing form validation. This allowed users with Overall/Read 
access to Jenkins to connect to an attacker-specified URL using attacker-
specified credentials IDs obtained through another method, capturing 
credentials stored in Jenkins, and to cause Jenkins to submit HTTP 
requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-883
Kubernetes Plugin printed sensitive build variables, like passwords, to 
the build log and master log, when using pipeline steps like
withDockerRegistry.


SECURITY-809
A form validation method in GitHub Branch Source Plugin did not check the 
permission of the user accessing them, allowing anyone with Overall/Read 
access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-807
AbsInt Astrée Plugin did not perform permission checks on a method 
implementing form validation. This allowed users with Overall/Read access 
to Jenkins to run a user-specified program on the Jenkins master.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-865
Black Duck Hub Plugin did not perform permission checks on methods 
implementing form validation. This allowed users with Overall/Read access 
to Jenkins to connect to an attacker-specified URL using attacker-
specified credentials IDs obtained through another method, capturing 
credentials stored in Jenkins, and to cause Jenkins to submit HTTP 
requests to attacker-specified URLs. 

Additionally, these form validation methods did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-866
Black Duck Detect Plugin did not perform permission checks on methods 
implementing form validation. This allowed users with Overall/Read access 
to Jenkins to connect to an attacker-specified URL using attacker-
specified credentials IDs obtained through another method, capturing 
credentials stored in Jenkins, and to cause Jenkins to submit HTTP 
requests to attacker-specified URLs. 

Additionally, these form validation methods did not require POST requests, 
resulting in a CSRF vulnerability.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.