Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <8EA8F86C-34A0-479D-B0E7-1AB8AF3E9FDF@beckweb.net>
Date: Mon, 28 Jan 2019 15:28:48 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

* Active Directory Plugin 2.11
* Blue Ocean Plugin 1.10.2
* Config File Provider Plugin 3.5
* Git Plugin 3.9.2
* GitHub Authentication Plugin 0.31
* Groovy Plugin 2.1
* Job Import Plugin 3.1
* Kanboard Plugin 1.5.11
* Monitoring Plugin 1.75.0
* OpenId Connect Authentication Plugin 1.5
* Script Security Plugin 1.51
* Token Macro Plugin 2.6
* Warnings Next Generation Plugin 2.1.2
* Warnings Plugin 5.0.1

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-01-28/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1292
Script Security sandbox protection could be circumvented during the script 
compilation phase by applying AST transforming annotations such as `@...b` 
to source code elements.

This affected an HTTP endpoint used to validate a user-submitted Groovy 
script that was not covered in the 2019-01-08 fix for SECURITY-1266 and 
allowed users with Overall/Read permission to bypass the sandbox 
protection and execute arbitrary code on the Jenkins master.


SECURITY-1293
Groovy Plugin has a form validation HTTP endpoint used to validate a user-
submitted Groovy script through compilation, which was not subject to 
sandbox protection. This allowed attackers with Overall/Read access to 
execute arbitrary code on the Jenkins master by applying AST transforming 
annotations such as `@...b` to source code elements.


SECURITY-1295 (1)
Warnings Plugin has a form validation HTTP endpoint used to validate a 
user-submitted Groovy script through compilation, which was not subject to 
sandbox protection. The endpoint checked for the Overall/RunScripts 
permission, but did not require POST requests, so it was vulnerable to 
cross-site request forgery (CSRF). This allowed attackers to execute 
arbitrary code on the Jenkins master by applying AST transforming 
annotations such as `@...b` to source code elements.


SECURITY-1295 (2)
Warnings Next Generation Plugin has a form validation HTTP endpoint used 
to validate a Groovy script through compilation, which was not subject to 
sandbox protection. The endpoint checked for the Overall/RunScripts 
permission, but did not require POST requests, so it was vulnerable to 
cross-site request forgery (CSRF). This allowed attackers to execute 
arbitrary code on the Jenkins master by applying AST transforming 
annotations such as `@...b` to source code elements.


SECURITY-859
Active Directory Plugin performs TLS upgrade (StartTLS) after connecting 
to domain controllers through insecure LDAP. In this mode, certificates 
were not properly validated, effectively trusting all certificates, 
allowing man-in-the-middle attacks.

This only affected TLS upgrades. The LDAPS mode, available by setting the 
system property hudson.plugins.active_directory.
ActiveDirectorySecurityRealm.forceLdaps to true, was unaffected.


SECURITY-1095
Git Plugin allows the creation of a tag in a job workspace’s Git 
repository with accompanying metadata attached to a build record.

The HTTP endpoint to create the tag did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-1102
Token Macro Plugin recursively applied token expansion.

This could be used by users able to affect input to token expansion (such 
as change log messages), to inject additional tokens into the input, which 
would then be expanded, resulting in information disclosure (for example 
values of environment variables), or denial of service.


SECURITY-1201
Blue Ocean did not require CSRF tokens ("crumbs") for POST requests with 
the `Content-Type: application/json`, resulting in CSRF vulnerabilities.


SECURITY-1204
Blue Ocean did not properly escape HTML/JavaScript content set on the 
current user’s description field, resulting in a cross-site scripting 
vulnerability exploitable by administrators and other people accessing 
Jenkins with the same user account.


SECURITY-1253
Config File Provider Plugin improperly handled script names in its 
JavaScript-based UI, resulting in a stored cross-site scripting (XSS) 
vulnerability.


SECURITY-905 (1)
Job Import Plugin allows to import jobs from other Jenkins instances. As a 
first step in this process, Job Import Plugin sends a request to another 
Jenkins instance, parsing XML REST API output to obtain a list of jobs 
that could be imported.

Job Import Plugin did not configure the XML parser in a way that would 
prevent XML External Entity (XXE) processing. This allowed attackers able 
to control either the server Jenkins will query, or the URL Jenkins 
queries, to have it parse a maliciously crafted XML response that uses 
external entities for extraction of secrets from the Jenkins master, 
server-side request forgery, or denial-of-service attacks.


SECURITY-905 (2)
Job Import Plugin did not check user permissions on its API endpoint used 
to access remote Jenkins instances. This allowed users with Overall/Read 
access to Jenkins to connect to an attacker-specified URL using attacker-
specified credentials IDs obtained through another method, capturing 
credentials stored in Jenkins.


SECURITY-1302
Job Import Plugin did not require that POST requests are sent to its 
/import URL, which processes requests to import jobs. This resulted in a 
cross-site request forgery (CSRF) vulnerability that could be exploited to 
create or replace jobs on the local instance if the remote Jenkins 
instance has different ones with the same name, or to install additional 
plugins, if jobs on the remote Jenkins instance reference them in their 
configuration.


SECURITY-602
GitHub Authentication Plugin stores the client secret in the global 
Jenkins configuration.

While the client secret is stored encrypted on disk, it was transmitted in 
plain text as part of the configuration form and displayed without masking.
 This could result in exposure of the client secret through browser 
extensions, cross-site scripting vulnerabilities, and similar situations.


SECURITY-797
GitHub Authentication Plugin did not invalidate the previous session and 
create a new one upon successful login, allowing attackers able to control 
or obtain another user’s pre-login session ID to impersonate them.


SECURITY-818
Kanboard Plugin did not perform permission checks on a method implementing 
form validation. This allowed users with Overall/Read access to Jenkins to 
submit a GET request to an attacker-specified URL.

Additionally, this form validation method did not require POST requests, 
resulting in a CSRF vulnerability.


SECURITY-886
OpenId Connect Authentication Plugin stores the client secret in the 
global Jenkins configuration.

While the client secret is stored encrypted on disk, it was transmitted in 
plain text as part of the configuration form and displayed without masking.
 This could result in exposure of the client secret through browser 
extensions, cross-site scripting vulnerabilities, and similar situations.


SECURITY-1153
Monitoring Plugin provides a standalone JavaMelody servlet with an 
independent CSRF protection configuration. Even if Jenkins had CSRF 
protection enabled, Monitoring Plugin may not have it enabled.


SECURITY-1154
Monitoring Plugin did not set the X-Frame-Options header, allowing its 
pages to be embedded. This could result in clickjacking attacks.


SECURITY-1271
Warnings Next Generation Plugin did not properly escape HTML content in 
warnings displayed on the Jenkins UI, resulting in a cross-site scripting 
vulnerability exploitable by users able to control warnings parser input.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.