Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <E00DE545-C35C-4E5F-8AEF-022602DEB087@beckweb.net>
Date: Mon, 25 Jun 2018 16:10:22 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

* AWS CodeBuild 0.27
* AWS CodeDeploy 1.20
* AWS CodePipeline 0.37
* Badge 1.5
* CollabNet 2.0.5
* Configuration as Code 0.8-alpha
* Fortify CloudScan 1.5.2
* GitHub 1.29.2
* IBM z/OS Connector 2.0.0
* Openstack Cloud 2.36
* SAML 1.0.7
* SSH Credentials 1.14
* URLTrigger 0.43

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2018-06-25/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-915
A form action method in GitHub Plugin did not check the permission of the 
user accessing it, allowing anyone with Overall/Read access to Jenkins to 
cause Jenkins to send a GitHub API request to create an API token to a an 
attacker specified URL.

This allowed users with Overall/Read access to Jenkins to connect to an 
attacker-specified URL using attacker-specified credentials IDs obtained 
through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-440
SSH Credentials Plugin allowed the creation of SSH credentials with keys 
"From a file on Jenkins master". Credentials Binding Plugin 1.13 and newer 
allows binding SSH credentials to environment variables. In combination, 
these two features allow users with the permission to configure a job to 
read arbitrary files on the Jenkins master by creating an SSH credential 
referencing an arbitrary file on the Jenkins master, and binding it to an 
environment variable in a job.


SECURITY-916
SAML Plugin did not invalidate the previous session and create a new one 
upon successful login, allowing attackers able to control or obtain 
another user’s pre-login session ID to impersonate them.


SECURITY-808
Openstack Cloud Plugin did not perform permission checks on methods 
implementing form validation. This allowed users with Overall/Read access 
to Jenkins to connect to an attacker-specified URL using attacker-
specified credentials IDs obtained through another method, capturing 
credentials stored in Jenkins, and to cause Jenkins to submit HTTP 
requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-825 / CVE-2018-1000402
AWS CodeDeploy Plugin could persist environment variables from the last 
run of any project with the post-build step configured in the job’s
config.xml file.

In some cases, this allowed users with file system access or Extended Read 
permission to obtain those potentially sensitive environment variables by 
accessing the project’s config.xml.


SECURITY-833 / CVE-2018-1000403
AWS CodeDeploy Plugin stored the AWS Secret Key in its configuration 
unencrypted in jobs' config.xml files on the Jenkins master. This key 
could be viewed by users with Extended Read permission, or access to the 
master file system.

While masked from view using a password form field, the AWS Secret Key was 
transferred in plain text to users when accessing the job configuration 
form.


SECURITY-834 / CVE-2018-1000404
AWS CodeBuild Plugin stored the AWS Secret Key in its configuration 
unencrypted in jobs' config.xml files on the Jenkins master. This key 
could be viewed by users with Extended Read permission, or access to the 
master file system.

While masked from view using a password form field, the AWS Secret Key was 
transferred in plain text to users when accessing the job configuration 
form.


SECURITY-967 / CVE-2018-1000401
AWS CodePipeline Plugin stored the AWS Secret Key in its configuration 
unencrypted in jobs' config.xml files on the Jenkins master. This key 
could be viewed by users with Extended Read permission, or access to the 
master file system.

While masked from view using a password form field, the AWS Secret Key was 
transferred in plain text to users when accessing the job configuration 
form.


SECURITY-906
Badge Plugin stored and displayed user-provided HTML for badges and 
summaries unprocessed, allowing users with the ability to control badge 
content to store malicious HTML to be displayed within Jenkins.


SECURITY-941
CollabNet Plugin disabled SSL/TLS certificate validation for the entire 
Jenkins master JVM by default.


SECURITY-819
A form validation method in URLTrigger Plugin did not check the permission 
of the user accessing them, allowing anyone with Overall/Read access to 
Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-870
Fortify CloudScan Plugin did not validate file names in rulepack ZIP 
archives it extracts, resulting in an arbitrary file write vulnerability.


SECURITY-950
IBM z/OS Connector Plugin did not encrypt password credentials stored in 
its configuration. This could be used by users with master file system 
access to obtain the password.

While masked from view using a password form field, the AWS Secret Key was 
transferred in plain text to administrators when accessing the global 
configuration form.


SECURITY-927
Configuration as Code Plugin lacked a permission check in the method 
handling the URL exporting the system configuration. This allows users 
with Overall/Read access to Jenkins to obtain this YAML export.


SECURITY-929
Configuration as Code Plugin logged secrets set via its configuration to 
the Jenkins master system log in plain text. This allowed users with 
access to the Jenkins log files to obtain these passwords and similar 
secrets.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.