Jenkins Security Advisory 2018-04-16

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Email Extension Plugin
  • Google Login Plugin
  • HTML Publisher Plugin
  • S3 Publisher Plugin

Descriptions

Session fixation vulnerability in Google Login Plugin

SECURITY-442 / CVE-2018-1000173
Severity (CVSS): medium
Affected plugin: google-login
Description:

Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user’s pre-login session ID to impersonate them.

Google Login Plugin now invalidates the previous session during login, and creates a new one.
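The attack the description refers to, simulated against an in-memory session store. This is an added example for this advisory and is not Google Login Plugin code; the store, the login functions and the scenario are assumptions made for the illustration. The vulnerable login authenticates whatever session the caller already holds, so an ID the attacker obtained or planted before login becomes an authenticated session; the fixed login invalidates that session and issues a fresh ID, so the planted ID stays useless.

```python
"""Session fixation, before and after the fix, in an in-memory session store.
Added example for the advisory; not plugin code. All names are assumptions."""
import secrets
from typing import Callable, Dict, Optional


class SessionStore:
    """Minimal stand-in for a servlet container's session table."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)   # unguessable ID, as a real container would issue
        self._sessions[sid] = {}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def login_vulnerable(store: SessionStore, sid: str, user: str) -> str:
    """Authenticates the pre-login session in place: the ID survives login."""
    session = store.get(sid)
    if session is None:
        raise KeyError("unknown session")
    session["user"] = user
    return sid


def login_fixed(store: SessionStore, sid: str, user: str) -> str:
    """Invalidates the pre-login session and creates a new one for the authenticated user."""
    store.invalidate(sid)
    new_sid = store.new_session()
    store.get(new_sid)["user"] = user
    return new_sid


def attacker_can_impersonate(login: Callable[[SessionStore, str, str], str]) -> bool:
    """Fixation scenario: the attacker holds a pre-login ID, the victim logs in using
    that ID (e.g. it was planted in their browser), and the attacker then presents it."""
    store = SessionStore()
    planted = store.new_session()      # attacker obtains an unauthenticated session ID
    login(store, planted, "victim")    # victim authenticates in that session
    session = store.get(planted)       # attacker reuses the ID they already know
    return session is not None and session.get("user") == "victim"
```

`attacker_can_impersonate(login_vulnerable)` is true and `attacker_can_impersonate(login_fixed)` is false. In servlet terms the fix is `session.invalidate()` followed by `request.getSession(true)` on the successful-login path; anything stored in the old session that must survive login has to be copied across explicitly.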

Open redirect vulnerability in Google Login Plugin

SECURITY-684 / CVE-2018-1000174
Severity (CVSS): medium
Affected plugin: google-login
Description:

Google Login Plugin redirected users to an arbitrary URL specified as a query parameter after successful login, enabling phishing attacks.

Google Login Plugin now only performs redirects to relative URLs.
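The check the fix describes, as an added example that is not Google Login Plugin code. A post-login redirect target is honoured only if it is a relative path on the current origin; anything carrying a scheme or a host, including the scheme-relative `//host` and backslash variants that browsers accept, falls back to an assumed safe default (the Jenkins root).

```python
"""Post-login redirect validation: accept only relative, same-origin targets.
Added example for the advisory; not plugin code. SAFE_DEFAULT is an assumption."""
from typing import Optional
from urllib.parse import urlsplit

SAFE_DEFAULT = "/"  # assumption: send rejected targets to the Jenkins root


def safe_redirect_target(target: Optional[str]) -> str:
    """Return ``target`` if it is a relative path on this origin, else SAFE_DEFAULT."""
    if not target:
        return SAFE_DEFAULT
    # Browsers treat "/\evil.example" like "//evil.example"; normalise before parsing.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    # A scheme (http:, javascript:, data:) or a host (//evil.example) means an absolute target.
    if parts.scheme or parts.netloc:
        return SAFE_DEFAULT
    # urlsplit leaves "///evil.example" with an empty netloc, so also reject any
    # leading double slash explicitly, and require exactly one leading slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return SAFE_DEFAULT
    return candidate
```

The returned value is what goes into the `Location` header; the raw query parameter is never used directly.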

Email Extension Plugin showed plain text SMTP password in configuration form field

SECURITY-729 / CVE-2018-1000176
Severity (CVSS): low
Affected plugin: email-ext
Description:

Email Extension Plugin stores an SMTP password in the global Jenkins configuration.

While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Email Extension Plugin now encrypts the SMTP password transmitted to administrators viewing the global configuration form.

Stored XSS vulnerability in S3 Publisher Plugin

SECURITY-730 / CVE-2018-1000177
Severity (CVSS): medium
Affected plugin: s3
Description:

S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files.

S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly.

Path traversal vulnerability allows arbitrary file writing in HTML Publisher Plugin

SECURITY-784 / CVE-2018-1000175
Severity (CVSS): medium
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin allows specifying a name for the HTML reports it publishes. This report name was used in the URL of the report and as a directory name on the Jenkins controller without further processing, resulting in a path traversal vulnerability that allowed overwriting files outside the build directory.

Non-alphanumeric characters in report names are now escaped for use as part of a URL and as a directory name.
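The two halves of this issue side by side, as an added example that is not HTML Publisher Plugin code: the vulnerable "before" joins the raw report name onto the build directory, so `..` segments and absolute names escape it; the hardened "after" escapes every non-alphanumeric character (the `_xx` hex scheme here is an assumption, chosen so the result is safe both as a URL segment and as a directory name and distinct names stay distinct) and additionally verifies that the resolved path is still under the build directory. The build directory path is illustrative.

```python
"""Report-name handling: vulnerable join vs. escaped name plus containment check.
Added example for the advisory; not plugin code. Escaping scheme and paths are assumptions."""
import os

BUILD_DIR = "/var/jenkins_home/jobs/demo/builds/42"  # assumption: illustrative build directory


def report_dir_vulnerable(build_dir: str, report_name: str) -> str:
    """The 'before': the raw name becomes a directory component under the build."""
    return os.path.normpath(os.path.join(build_dir, report_name))


def sanitize_report_name(report_name: str) -> str:
    """Keep ASCII letters and digits; escape every other byte as '_' + two hex digits.
    Output contains only [A-Za-z0-9_], so it is safe in a URL path and as a directory
    name, can never be '.' or '..', and is injective (no two names collide)."""
    if not report_name:
        raise ValueError("report name must not be empty")
    out = []
    for ch in report_name:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.extend(f"_{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


def is_under(base_dir: str, path: str) -> bool:
    """True if ``path`` resolves to a location strictly inside ``base_dir``."""
    base = os.path.normpath(base_dir)
    target = os.path.normpath(path)
    return target != base and os.path.commonpath([base, target]) == base


def report_dir_hardened(build_dir: str, report_name: str) -> str:
    """The 'after': escape the name, then refuse anything that still resolves outside."""
    target = os.path.join(build_dir, sanitize_report_name(report_name))
    if not is_under(build_dir, target):
        raise ValueError("report directory escapes the build directory")
    return os.path.normpath(target)
```

`is_under` is the belt-and-braces check: with the escaped name it cannot fail, but it catches a future change that reintroduces a raw path component.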

Severity

  • SECURITY-442: medium
  • SECURITY-684: medium
  • SECURITY-729: low
  • SECURITY-730: medium
  • SECURITY-784: medium

Affected Versions

  • Email Extension Plugin up to and including 2.61
  • Google Login Plugin up to and including 1.3
  • HTML Publisher Plugin up to and including 1.15
  • S3 Publisher Plugin up to and including 0.10.12

Fix

  • Email Extension Plugin should be updated to version 2.62
  • Google Login Plugin should be updated to version 1.3.1
  • HTML Publisher Plugin should be updated to version 1.16
  • S3 Publisher Plugin should be updated to version 0.11.0

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
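A check an administrator can run against the installed plugin list, as an added example that is not Jenkins project code. The input format is the JSON Jenkins serves at `<jenkins>/pluginManager/api/json?depth=1&tree=plugins[shortName,version]`; the sample document below is constructed for the example, and the fixed-version table is taken from the Fix section above. Versions are compared numerically (so `0.10.12` is correctly below `0.11.0` and `1.3` below `1.3.1`), and a pre-release suffix sorts before the plain release it precedes.

```python
"""Flag installed plugins still below the fixed versions from this advisory.
Added example; not Jenkins code. SAMPLE_PLUGIN_LIST is constructed input."""
import json
import re
from typing import Dict, Tuple

# From the Fix section of the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "email-ext": "2.62",
    "google-login": "1.3.1",
    "htmlpublisher": "1.16",
    "s3": "0.11.0",
}

# Constructed sample in the shape of pluginManager/api/json?depth=1&tree=plugins[shortName,version]
SAMPLE_PLUGIN_LIST = json.dumps({"plugins": [
    {"shortName": "email-ext", "version": "2.61"},
    {"shortName": "google-login", "version": "1.3.1"},
    {"shortName": "htmlpublisher", "version": "1.15"},
    {"shortName": "s3", "version": "0.10.12"},
    {"shortName": "git", "version": "3.8.0"},
]})


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: numeric dotted prefix, then 1 for a plain release or 0 if any
    suffix follows (so '1.3-beta-1' < '1.3' < '1.3.1')."""
    match = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, 0 if match.group(2) else 1


def affected_plugins(plugin_list_json: str) -> Dict[str, str]:
    """Return {shortName: installed version} for plugins below their fixed version."""
    plugins = json.loads(plugin_list_json)["plugins"]
    affected = {}
    for plugin in plugins:
        name, installed = plugin["shortName"], plugin["version"]
        fixed = FIXED_VERSIONS.get(name)
        if fixed is not None and version_key(installed) < version_key(fixed):
            affected[name] = installed
    return affected


if __name__ == "__main__":
    for name, installed in affected_plugins(SAMPLE_PLUGIN_LIST).items():
        print(f"{name} {installed} is affected; update to {FIXED_VERSIONS[name]}")
```

Replace `SAMPLE_PLUGIN_LIST` with the JSON fetched from your controller (authenticated, since the plugin list is not anonymous-readable on a hardened instance) to check a real installation.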

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Emeric Vernat for SECURITY-442
  • Kalle Niemitalo, Procomp Solutions Oy for SECURITY-784
  • Matthias Nodeland for SECURITY-729
  • Oleg Nenashev, CloudBees, Inc. for SECURITY-730
  • Suhas Sunil Gaikwad of Postman @postmanclient for SECURITY-684