Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <65BCED7D-3903-40C3-97C7-27E0BF1E7A48@beckweb.net>
Date: Thu, 28 Mar 2019 19:53:45 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins



> On 25. Mar 2019, at 16:09, Daniel Beck <ml@...kweb.net> wrote:
> 
> SECURITY-1353
> Sandbox projection in the Script Security and Pipeline: Groovy Plugins 
> could be circumvented through methods supporting type casts and type 
> coercion. This allowed attackers to invoke constructors for arbitrary types.

CVE-2019-1003040 (Script Security) and CVE-2019-1003041 (Pipeline: Groovy)

> SECURITY-1361
> Lockable Resources Plugin did not properly escape resource names in 
> generated JavaScript code, thus leading to a cross-site scripting (XSS) 
> vulnerability.

CVE-2019-1003042

> SECURITY-976
> [Slack Notification Plugin] did not perform permission checks on a method 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to connect to an attacker-specified URL using attacker-specified 
> credentials IDs obtained through another method, capturing credentials 
> stored in Jenkins.

CVE-2019-1003043

> Additionally, this form validation method did not require POST requests, 
> resulting in a cross-site request forgery vulnerability.

CVE-2019-1003044

> SECURITY-846
> ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml 
> files and its global configuration file on the Jenkins master. This token 
> could be viewed by users with Extended Read permission, or access to the 
> master file system.

CVE-2019-1003045

> SECURITY-992
> A missing permission check in multiple form validation methods in Fortify 
> on Demand Uploader Plugin allowed users with Overall/Read permission to 
> initiate a connection test to an attacker-specified server.

CVE-2019-1003047

> Additionally, the form validation methods did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003046

> SECURITY-1089
> PRQA Plugin stored a password unencrypted in its global configuration file 
> on the Jenkins master. This password could be viewed by users with access 
> to the master file system.

CVE-2019-1003048

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.