Message-Id: <F54052A4-CAAC-4E9A-BB5F-9EF3699E56B1@beckweb.net>
Date: Wed, 13 Jun 2018 17:58:25 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins and Jenkins plugins


> On 9. May 2018, at 11:45, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-771
> Users with Overall/Read permission were able to use the list-plugins CLI
> command and view the About Jenkins page to list all installed plugins.

CVE-2018-1000192

> SECURITY-786
> The built-in Jenkins user database optionally allows user registration.
> This feature did not properly sanitize user names, allowing registration of
> user names containing control characters. This could be used to confuse
> administrators (appearing to be a different user) while preventing deletion
> of such users through the UI.

CVE-2018-1000193

> SECURITY-788
> The agent to master security subsystem ensures that the Jenkins master is
> protected from maliciously configured agents. A path traversal vulnerability
> allowed agents to escape whitelisted directories to read and write to files
> they should not be able to access.

CVE-2018-1000194

> SECURITY-794
> The form validation code for a tool installer improperly checked
> permissions, allowing any user with Overall/Read permission to submit a
> HTTP GET request to any user specified URL, and learn whether the response
> was successful (HTTP 200) or not.
> 
> Additionally, this functionality did not require POST requests be used,
> thereby allowing the above to be performed without direct access to Jenkins
> via Cross-Site Request Forgery attacks.

CVE-2018-1000195

> SECURITY-263
> Gitlab Hook Plugin does not encrypt the Gitlab API token used to access
> Gitlab. This can be used by users with master file system access to obtain
> GitHub credentials.
> 
> Additionally, the Gitlab API token round-trips in its plaintext form, and
> is displayed in a regular text field to users with Overall/Administer
> permission. This exposes the API token to people viewing a Jenkins
> administrator’s screen, browser extensions, cross-site scripting
> vulnerabilities, etc.

CVE-2018-1000196

> SECURITY-670
> Black Duck Hub Plugin did not perform permission checks for its config.xml
> API endpoint. This allowed any user with Overall/Read permission to both
> read and write the plugin configuration XML.

CVE-2018-1000197

> SECURITY-671
> Black Duck Hub Plugin config.xml API endpoint was affected by an XML
> External Entity (XXE) processing vulnerability. This allowed an attacker
> with Overall/Read access to have Jenkins parse a maliciously crafted file
> that uses external entities for extraction of secrets from the Jenkins
> master, server-side request forgery, or denial-of-service attacks.

CVE-2018-1000198

> SECURITY-821 / CVE pending
> Groovy Postbuild Plugin did not properly escape badge content from user
> input, resulting in a stored cross-site scripting vulnerability.

CVE-2018-1000202
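
The SECURITY-786 entry above (CVE-2018-1000193) describes user names that carry control characters and therefore render the same as an existing account. The following is an added example, not Jenkins code and not from the advisory: a registration-time check that rejects invisible and layout-altering characters, plus a helper that shows why two such names are indistinguishable on screen. Which Unicode categories to reject (Cc, Cf, Zl, Zp) is this example's own policy choice, and the sample names are constructed for illustration. Jenkins itself is written in Java; Python is used here only because the check is language-neutral.

```python
"""Reject user names that contain invisible or layout-altering characters.

Added example (not Jenkins' own code). The rejected Unicode categories are an
assumption of this example:
  Cc  control characters (NUL, ESC, CR, DEL, ...)
  Cf  format characters (zero-width space, bidi overrides, ...)
  Zl/Zp line and paragraph separators
"""
import unicodedata

INVISIBLE_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}


def _invisible(ch: str) -> bool:
    return unicodedata.category(ch) in INVISIBLE_CATEGORIES


def has_control_characters(name: str) -> bool:
    """True if any character in `name` falls in a rejected category."""
    return any(_invisible(ch) for ch in name)


def visible_form(name: str) -> str:
    """Approximate what an administrator sees in a UI list: the name with
    invisible characters dropped. Two names with the same visible form are
    confusable even though the account store treats them as distinct."""
    return "".join(ch for ch in name if not _invisible(ch))


def is_lookalike(existing: str, candidate: str) -> bool:
    """Candidate is a distinct string that renders like an existing name."""
    return existing != candidate and visible_form(existing) == visible_form(candidate)


def validate_user_name(name: str) -> str:
    """Return `name` unchanged if acceptable, otherwise raise ValueError
    naming the offending code points so the rejection is auditable."""
    if not name or name != name.strip():
        raise ValueError("user name must be non-empty with no surrounding whitespace")
    if has_control_characters(name):
        bad = ", ".join(f"U+{ord(ch):04X}" for ch in name if _invisible(ch))
        raise ValueError(f"user name contains control/format characters: {bad}")
    return name


def demo() -> dict:
    """Run the check over constructed sample names (not real accounts)."""
    samples = {
        "plain": "alice",
        "esc": "alice\x1b",            # C0 control at the end
        "zwsp": "ad\u200bmin",         # zero-width space inside "admin"
        "del": "ad\x7fmin",            # DEL character
    }
    results = {}
    for label, name in samples.items():
        try:
            validate_user_name(name)
            results[label] = ("accepted", visible_form(name))
        except ValueError:
            results[label] = ("rejected", visible_form(name))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:6} {outcome[0]:8} renders as {outcome[1]!r}")
    print("admin lookalike:", is_lookalike("admin", "ad\u200bmin"))
```

The visible-form comparison is what makes the second half of the advisory concrete: an administrator listing users sees two rows that both read "admin", and a UI that looks accounts up by the string it displays cannot address the one with the embedded zero-width space, which is the deletion problem the entry describes.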
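
The SECURITY-788 entry above (CVE-2018-1000194) concerns agents escaping whitelisted directories on the master. The following is an added example, not Jenkins' agent-to-master code and not derived from the fix: a weak prefix-based containment check next to a hardened one, exercised against constructed paths in a temporary directory tree (including a `..` escape, a symlink pointing outside the whitelist, an absolute path, and a sibling directory whose name shares a prefix with the whitelisted one). The directory names and requested paths are made up for the demonstration.

```python
"""Constrain a caller-supplied relative path to a whitelisted directory.

Added example (not Jenkins code). The whitelist layout and the requested
paths are constructed for illustration.
"""
import os
import tempfile


def naive_is_allowed(base_dir: str, requested: str) -> bool:
    """Weak check: string-prefix test on the normalised candidate path.

    A sibling directory whose name merely starts with the base name
    (base '.../wl', candidate '.../wl-evil/x') passes this test.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    return candidate.startswith(base)


def resolve_within(base_dir: str, requested: str):
    """Return the resolved absolute path if it stays inside base_dir, else None.

    realpath() collapses '..' and follows symlinks before the comparison;
    commonpath() compares whole path components, so 'wl-evil' is not taken
    for a child of 'wl'. An absolute `requested` makes os.path.join discard
    `base`, which the containment check then rejects.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return candidate if inside else None


def demo() -> dict:
    """Build a throwaway tree and run both checks over constructed requests.

    Returns {requested_path: (naive_verdict, hardened_verdict)}.
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "wl")          # the whitelisted directory
    os.makedirs(os.path.join(base, "build"))
    os.makedirs(os.path.join(root, "wl-evil"))   # sibling sharing a prefix
    os.makedirs(os.path.join(root, "secrets"))   # outside the whitelist
    os.symlink(os.path.join(root, "secrets"), os.path.join(base, "link"))

    requests = [
        "build/log.txt",   # legitimate
        "../wl-evil/x",    # prefix confusion
        "../secrets/key",  # plain traversal
        "link/key",        # traversal through a symlink inside the whitelist
        "/etc/passwd",     # absolute path
    ]
    return {
        req: (naive_is_allowed(base, req), resolve_within(base, req) is not None)
        for req in requests
    }


if __name__ == "__main__":
    for req, (naive, hardened) in demo().items():
        print(f"{req:16} naive={naive!s:5} hardened={hardened}")
```

Both checks reject the obvious `..` and absolute-path cases; the difference shows on the sibling directory, which the prefix test accepts and the component-wise test refuses. Resolving symlinks before comparing is what keeps a link planted inside the whitelist from acting as a door to the rest of the filesystem.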
