Message-Id: <818F7702-B078-4C30-95A9-0732819CFF96@beckweb.net>
Date: Thu, 2 Jul 2020 16:02:59 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Fortify on Demand Plugin 6.0.1
* Fortify on Demand Plugin 6.0.0
* Sonargraph Integration Plugin 3.0.1
* VncRecorder Plugin 1.35
* VncViewer Plugin 1.8

Additionally, we announce unresolved security issues in the following plugins:

* Compatibility Action Storage Plugin
* ElasticBox Jenkins Kubernetes CI/CD Plugin
* GitHub Coverage Reporter Plugin
* HP ALM Quality Center Plugin
* Link Column Plugin
* Slack Upload Plugin
* Stash Branch Parameter Plugin
* TestComplete support Plugin
* White Source Plugin
* ZAP Pipeline Plugin
* Zephyr for JIRA Test Management Plugin

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://jenkins.io/security/advisory/2020-07-02/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1775 / CVE-2020-2201

Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Job/Configure permission.

SECURITY-1690 / CVE-2020-2202

Fortify on Demand Plugin provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions in Fortify on Demand Plugin 6.0.0 and earlier, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

SECURITY-1691 / CVE-2020-2203 (CSRF) & CVE-2020-2204 (missing permission check)

Fortify on Demand Plugin 5.0.1 and earlier does not perform permission checks on a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs obtained through another method.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

SECURITY-1728 (1) / CVE-2020-2205

VncRecorder Plugin 1.25 and earlier does not escape a tool path in the `checkVncServ` form validation endpoint accessed e.g. via job configuration forms.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators.

SECURITY-1728 (2) / CVE-2020-2206

VncRecorder Plugin 1.25 and earlier does not escape a parameter value in the `checkVncServ` form validation endpoint output.

This results in a reflected cross-site scripting (XSS) vulnerability.

SECURITY-1776 / CVE-2020-2207

VncViewer Plugin 1.7 and earlier does not escape a parameter value in the `checkVncServ` form validation endpoint output.

This results in a reflected cross-site scripting (XSS) vulnerability.

SECURITY-1627 / CVE-2020-2208

Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job `config.xml` files as part of its configuration.

This secret can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

SECURITY-1686 / CVE-2020-2209

TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job `config.xml` files as part of its configuration.

This password can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

SECURITY-1656 / CVE-2020-2210

Stash Branch Parameter Plugin stores Stash API passwords in its global configuration file `org.jenkinsci.plugins.StashBranchParameter.StashBranchParameterDefinition.xml` on the Jenkins master as part of its configuration.

While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Stash Branch Parameter Plugin 0.3.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

SECURITY-1738 / CVE-2020-2211

ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types.

This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to ElasticBox Jenkins Kubernetes CI/CD Plugin's build step.

As of publication of this advisory, there is no fix.

SECURITY-1632 / CVE-2020-2212

GitHub Coverage Reporter Plugin 1.8 and earlier stores a GitHub access token in plain text in its global configuration file `io.jenkins.plugins.gcr.PluginConfiguration.xml`.

This can be viewed by users with access to the Jenkins master file system.

As of publication of this advisory, there is no fix.

SECURITY-1630 / CVE-2020-2213

White Source Plugin 19.1.1 and earlier stores credentials in plain text as part of its global configuration file `org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml` and job `config.xml` files on the Jenkins master.

These credentials could be viewed by users with Extended Read permission (in the case of job `config.xml` files) or access to the master file system.

As of publication of this advisory, there is no fix.

SECURITY-1811 / CVE-2020-2214

Jenkins sets the `Content-Security-Policy` header to static files served by Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces, `/userContent`, or archived artifacts.

ZAP Pipeline Plugin 1.9 and earlier globally disables the `Content-Security-Policy` header for static files served by Jenkins.

This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.

As of publication of this advisory, there is no fix.

SECURITY-1762 / CVE-2020-2215 (CSRF) & CVE-2020-2216 (missing permission check)

Zephyr for JIRA Test Management Plugin 1.5 and earlier does not perform a permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an attacker-specified host using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-1771 / CVE-2020-2217

Compatibility Action Storage Plugin 1.0 and earlier does not escape the content coming from the MongoDB in the `testConnection` form validation endpoint. This allows attackers able to update the configured document in MongoDB to inject the payload.

This results in a reflected cross-site scripting (XSS) vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-1576 / CVE-2020-2218

HP ALM Quality Center Plugin 1.6 and earlier stores a password in plain text in its global configuration file `org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml`.

This password can be viewed by users with access to the Jenkins master file system.

As of publication of this advisory, there is no fix.

SECURITY-1803 / CVE-2020-2219

Link Column Plugin allows users with View/Configure permission to add a new column to list views that contains a user-configurable link.

Link Column Plugin 1.0 and earlier does not filter the URL for these links, allowing the `javascript:` scheme.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure list views.

As of publication of this advisory, there is no fix.
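Most of the issues above fall into four recurring plugin-side patterns: form validation endpoints reachable by GET (CSRF), form validation without a permission check, secrets held as plain `String` fields, and unescaped input echoed into validation output (XSS). The block below is an added illustration, not code from the advisory or from any plugin it names, of a hypothetical `ExampleGlobalConfiguration` with a `doTestConnection` form validation method that avoids all four using the Jenkins and Stapler APIs intended for that purpose.

```java
// Added example (hypothetical ExampleGlobalConfiguration, not code from any plugin
// named in the advisory): a global configuration whose form-validation endpoint
// avoids the CSRF, missing-permission-check, plain-text-secret and XSS patterns above.
import hudson.Extension;
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {
    // Secret, not String: persisted encrypted in the XML config file and sent to
    // the configuration form in encrypted form when rendered with <f:password>.
    private Secret apiToken;

    public ExampleGlobalConfiguration() { load(); }

    public Secret getApiToken() { return apiToken; }

    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save();
    }

    // @POST makes Stapler reject GET requests, so a crafted link or image tag cannot
    // drive this endpoint (the CSRF half of CVE-2020-2203 and CVE-2020-2215).
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String hostname) {
        // Permission check before any outbound connection with caller-supplied
        // parameters (the missing check in CVE-2020-2204 and CVE-2020-2216).
        // item is null when invoked from the global configuration page.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        if (hostname == null || hostname.trim().isEmpty()) {
            return FormValidation.error("Hostname is required");
        }
        // ok()/error() HTML-escape their message, so echoing the caller's hostname is
        // safe; okWithMarkup()/errorWithMarkup() would not be (the XSS pattern above).
        return FormValidation.ok("Connection test would contact " + hostname.trim());
    }
}
```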