Jenkins Security Advisory 2018-09-25

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

CSRF vulnerability in JUnit Plugin

SECURITY-1101 / CVE-2018-1000411
Severity (CVSS): low
Affected plugin: junit
Description:

A URL used to allow setting the description of a test object in JUnit Plugin did not require POST requests, resulting in a cross-site request forgery vulnerability.

That URL now requires POST requests be sent.

CSRF vulnerability and missing permission checks in Jira Plugin allowed capturing credentials

SECURITY-1029 / CVE-2018-1000412
Severity (CVSS): medium
Affected plugin: jira
Description:

Jira Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer (for globally defined sites) or Item/Configure permissions (for sites defined for a folder).

Stored XSS vulnerability in Config File Provider Plugin

SECURITY-1080 / CVE-2018-1000413
Severity (CVSS): medium
Affected plugin: config-file-provider
Description:

Config File Provider Plugin did not escape configuration file metadata, resulting in a stored cross-site scripting (XSS) vulnerability.

Config File Provider Plugin now escapes configuration file metadata shown on the Jenkins UI.

CSRF vulnerability in Config File Provider Plugin

SECURITY-938 / CVE-2018-1000414
Severity (CVSS): medium
Affected plugin: config-file-provider
Description:

A URL used to save configuration files based on form submissions did not require POST requests, resulting in a CSRF vulnerability.

This URL now requires POST requests.

Stored XSS vulnerability in Rebuild Plugin

SECURITY-130 / CVE-2018-1000415
Severity (CVSS): medium
Affected plugin: rebuild
Description:

Rebuild Plugin did not escape parameter descriptions shown on the rebuild form page, resulting in a stored Cross-Site Scripting (XSS) vulnerability exploitable by users with the permission to configure jobs.

Rebuild Plugin now applies the configured markup formatter to the parameter descriptions it displays.

Reflected XSS vulnerability in Job Config History Plugin

SECURITY-1130 / CVE-2018-1000416
Severity (CVSS): medium
Affected plugin: jobConfigHistory
Description:

Job Config History Plugin did not escape some query parameters shown on its pages, resulting in a reflected cross-site scripting (XSS) vulnerability.

Job Config History Plugin now globally applies variable escaping to its pages.

CSRF vulnerability in Email Extension Template Plugin

SECURITY-1125 / CVE-2018-1000417
Severity (CVSS): medium
Affected plugin: emailext-template
Description:

Some URLs implementing form submission handling in Email Extension Template Plugin did not require POST requests, resulting in a CSRF vulnerability that allowed attackers to create or remove templates.

These URLs now require POST requests.

CSRF vulnerability and missing permission checks in HipChat Plugin allowed capturing credentials

SECURITY-984 (1) / CVE-2018-1000418
Severity (CVSS): medium
Affected plugin: hipchat
Description:

HipChat Plugin did not perform permission checks on a method that sends test notifications. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified HipChat server using attacker-specified connection settings and credentials IDs obtained through another method, capturing credentials stored in Jenkins, and submitting messages to HipChat.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Unprivileged users with Overall/Read access are able to enumerate credential IDs in HipChat Plugin

SECURITY-984 (2) / CVE-2018-1000419
Severity (CVSS): medium
Affected plugin: hipchat
Description:

HipChat Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Mesos Plugin

SECURITY-1013 (1) / CVE-2018-1000420
Severity (CVSS): medium
Affected plugin: mesos
Description:

Mesos Plugin provides a list of applicable credential IDs to allow administrators configuring the Mesos cloud to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

Server-side request forgery vulnerability in Mesos Plugin

SECURITY-1013 (2) / CVE-2018-1000421
Severity (CVSS): medium
Affected plugin: mesos
Description:

A missing permission check in a form validation method in Mesos Plugin allowed users with Overall/Read permission to initiate a connection test, connecting to an attacker-specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Server-side request forgery vulnerability in Crowd 2 Integration Plugin

SECURITY-1067 / CVE-2018-1000422
Severity (CVSS): medium
Affected plugin: crowd2
Description:

Crowd 2 Integration Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL with attacker-specified credentials and connection settings.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Crowd 2 Integration Plugin stored credentials in plain text

SECURITY-1068 / CVE-2018-1000423
Severity (CVSS): low
Affected plugin: crowd2
Description:

Crowd 2 Integration Plugin stored the Crowd password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

CSRF vulnerability and missing permission checks in MQ Notifier Plugin

SECURITY-972
Severity (CVSS): medium
Affected plugin: mq-notifier
Description:

Users with Overall/Read permission were able to access MQ Notifier Plugin’s form validation URL, having it connect to an attacker-specified MQ system with attacker-specified credentials.

Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability.

The form validation now performs a permission check and requires POST requests to be sent.

Stored XSS vulnerability in Metadata Plugin

SECURITY-1075
Severity (CVSS): medium
Affected plugin: metadata
Description:

A stored cross-site scripting (XSS) vulnerability in Metadata Plugin allows users with permission to change metadata definitions to insert arbitrary HTML/JavaScript into Jenkins pages.

As of publication of this advisory, there is no fix.

Missing permission check in Metadata Plugin allows unauthorized users to change Metadata Plugin configuration

SECURITY-1135
Severity (CVSS): medium
Affected plugin: metadata
Description:

Metadata Plugin lacks a permission check, allowing users with Overall/Read access to Jenkins to change the plugin’s configuration.

As of publication of this advisory, there is no fix.

Artifactory Plugin stored old directly entered credentials unencrypted on disk

SECURITY-265 / CVE-2018-1000424
Severity (CVSS): low
Affected plugin: artifactory
Description:

Artifactory Plugin 2.4.0 introduced support for securely storing credentials using the Credentials Plugin. Old, insecurely stored credentials, however, were not removed when switching to this new system.

Artifactory Plugin 2.16.2 and newer remove obsolete credentials stored in plain text when using the Credentials Plugin integration.

PAM Authentication Plugin did not properly validate user accounts

SECURITY-813 / CVE-2017-12197
Severity (CVSS): medium
Affected plugin: pam-auth
Description:

The pam4j library bundled in PAM Authentication Plugin had a bug that resulted in it not properly validating user accounts.

The bundled version of the library was updated to include the fix for this.

SonarQube Scanner Plugin stored server authentication token in plain text

SECURITY-1163 / CVE-2018-1000425
Severity (CVSS): low
Affected plugin: sonar
Description:

SonarQube Scanner Plugin stored a server authentication token unencrypted in its global configuration file on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the token encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

Stored XSS vulnerability in Git Changelog Plugin

SECURITY-1122 / CVE-2018-1000426
Severity (CVSS): medium
Affected plugin: git-changelog
Description:

Git Changelog Plugin did not escape the Git commit messages it displayed since version 1.48, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with commit access to specific Git repositories.

Git Changelog Plugin 2.7 and newer escape Git commit messages shown on the UI.

Arachni Scanner Plugin stored credentials in plain text

SECURITY-948
Severity (CVSS): low
Affected plugin: arachni-scanner
Description:

Arachni Scanner Plugin stored its password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now integrates with Credentials Plugin. Existing configurations are migrated.

CSRF vulnerability and missing permission checks in Argus Notifier Plugin allowed capturing credentials

SECURITY-1011 (1)
Severity (CVSS): medium
Affected plugin: argus-notifier
Description:

Argus Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permission.

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Argus Notifier Plugin

SECURITY-1011 (2)
Severity (CVSS): medium
Affected plugin: argus-notifier
Description:

Argus Notifier Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

CSRF vulnerability and missing permission checks in Chatter Notifier Plugin allowed capturing credentials

SECURITY-1050 (1)
Severity (CVSS): medium
Affected plugin: chatter-notifier
Description:

Chatter Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Item/Configure permission on the job being configured.

Unprivileged users with Overall/Read access are able to enumerate credential IDs in Chatter Notifier Plugin

SECURITY-1050 (2)
Severity (CVSS): medium
Affected plugin: chatter-notifier
Description:

Chatter Notifier Plugin provides a list of applicable credential IDs to allow users configuring the plugin’s functionality to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Item/Configure permission for the job being configured.
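
The permission check described for the credential ID lists here and in the HipChat, Mesos and Argus Notifier entries above, shown as an added example that is not code from any of these plugins. It is a hypothetical descriptor fragment using the Credentials Plugin API; the class name, the `Insecure` method name and the parameter names are illustrative.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import java.util.List;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

/** Hypothetical descriptor fragment; all names are illustrative. */
public class ExampleCredentialsDropdown {
    private static final List<DomainRequirement> NONE = Collections.emptyList();

    // BEFORE: no permission check, so any user with Overall/Read who requests
    // this URL receives every matching credential ID.
    public ListBoxModel doFillCredentialsIdItemsInsecure() {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, Jenkins.get(), StandardCredentials.class,
                        NONE, CredentialsMatchers.always());
    }

    // AFTER: callers without the required permission only get back the value
    // already selected in the form, which they supplied themselves.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item job,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        boolean allowed = (job == null)
                ? Jenkins.get().hasPermission(Jenkins.ADMINISTER) // global configuration
                : job.hasPermission(Item.CONFIGURE);              // per-job configuration
        if (!allowed) {
            return result.includeCurrentValue(credentialsId);
        }
        result.includeEmptyValue();
        // ACL.SYSTEM is the constant current in 2018; newer cores offer ACL.SYSTEM2.
        if (job == null) {
            result.includeMatchingAs(ACL.SYSTEM, Jenkins.get(), StandardCredentials.class,
                    NONE, CredentialsMatchers.always());
        } else {
            result.includeMatchingAs(ACL.SYSTEM, job, StandardCredentials.class,
                    NONE, CredentialsMatchers.always());
        }
        return result.includeCurrentValue(credentialsId);
    }
}
```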

Dimensions Plugin stored credentials in plain text

SECURITY-1065
Severity (CVSS): medium
Affected plugin: dimensionsscm
Description:

Dimensions Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

CSRF vulnerability and missing permission checks in Dimensions Plugin

SECURITY-1108
Severity (CVSS): medium
Affected plugin: dimensionsscm
Description:

Users with Overall/Read permission were able to access Dimensions Plugin’s form validation URL, having it connect to an attacker-specified Dimensions system with attacker-specified credentials.

Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability.

The form validation now performs a permission check and requires POST requests to be sent.
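
The fix this advisory describes for form validation methods (the Jira, HipChat, Mesos, Crowd 2, MQ Notifier, Argus Notifier, Chatter Notifier and Dimensions entries), shown as an added example that is not code from any of these plugins. The class, method and parameter names are hypothetical, and the connection test itself is reduced to a stand-in.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical descriptor fragment; all names are illustrative. */
public class ExampleConnectionValidation {

    // BEFORE: answers GET requests from anyone holding Overall/Read. A
    // low-privileged user, or a forged link opened by any logged-in user
    // (CSRF), can make Jenkins connect to a chosen URL with a stored credential.
    public FormValidation doTestConnectionInsecure(@QueryParameter String url,
                                                   @QueryParameter String credentialsId) {
        return testConnection(url, credentialsId);
    }

    // AFTER: POST only, so Jenkins' CSRF protection (when enabled) demands a
    // valid crumb, plus a permission check chosen by where the setting lives.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            // Global configuration page: Overall/Administer.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            // Folder or job configuration page: Item/Configure on that item.
            item.checkPermission(Item.CONFIGURE);
        }
        // checkPermission throws AccessDeniedException, so nothing below runs
        // for an unauthorized caller.
        return testConnection(url, credentialsId);
    }

    // Stand-in for the plugin's outbound connection test (not shown here).
    private FormValidation testConnection(String url, String credentialsId) {
        return FormValidation.ok("Connection test completed");
    }
}
```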

Publish Over Dropbox Plugin stored credentials in plain text

SECURITY-845
Severity (CVSS): low
Affected plugin: publish-over-dropbox
Description:

Publish Over Dropbox Plugin stored authorization code and access code unencrypted in its global configuration file on the Jenkins controller. These secrets could be viewed by users with access to the Jenkins controller file system.

Additionally, the authorization code was not masked from view using a password form field.

The plugin now stores these secrets encrypted in the configuration files on disk and no longer transfers the authorization code to users viewing the configuration form in plain text.
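
The storage change described here and in the Crowd 2, SonarQube Scanner and Dimensions entries above, shown as an added example that is not code from any of these plugins. The class and field names are hypothetical; `hudson.util.Secret` is the Jenkins core type for values that must be encrypted on disk.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundSetter;

/** Hypothetical global configuration class; all names are illustrative. */
public class ExampleServerConfig {

    // BEFORE (the situation the advisory describes): a String field, which
    // Jenkins' XML persistence writes to the configuration file as cleartext.
    //   private String password;

    // AFTER: same field name, type Secret. Secret's converter still reads a
    // legacy cleartext value from the old file and writes it back encrypted
    // the next time the configuration is saved.
    private Secret password;

    // Returning Secret rather than String lets a password form field receive
    // the encrypted form instead of the cleartext when the page is rendered.
    public Secret getPassword() {
        return password;
    }

    @DataBoundSetter
    public void setPassword(Secret password) {
        this.password = password;
    }

    // Decrypt only at the point of use; Secret.toString is null-safe.
    String passwordForConnection() {
        return Secret.toString(password);
    }
}
```

Until the configuration is saved once with the new class, the old cleartext value remains in the file on disk.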

XML External Entity Processing Vulnerability in Monitoring Plugin

SECURITY-1156 / CVE-2018-15531
Severity (CVSS): high
Affected plugin: monitoring
Description:

The JavaMelody library bundled in Monitoring Plugin is affected by an XML External Entity (XXE) processing vulnerability.

This allows attackers to send crafted requests to a web application for extraction of secrets from the file system, server-side request forgery, or denial-of-service attacks.

Monitoring plugin 1.74 updates its JavaMelody dependency to fix the issue.

The Jenkins security team and the maintainer of Monitoring Plugin have been unable to reproduce the issue in Jenkins, but we still recommend updating.

Affected Versions

  • Arachni Scanner Plugin up to and including 0.9.7
  • Argus Notifier Plugin up to and including 1.0.1
  • Artifactory Plugin up to and including 2.16.1
  • Chatter Notifier Plugin up to and including 2.0.4
  • Config File Provider Plugin up to and including 3.1
  • crowd2 Plugin up to and including 2.0.0
  • Dimensions Plugin up to and including 0.8.14
  • Email Extension Template Plugin up to and including 1.0
  • Git Changelog Plugin up to and including 2.6
  • HipChat Plugin up to and including 2.2.0
  • Jira Plugin up to and including 3.0.1
  • Job Configuration History Plugin up to and including 2.18
  • JUnit Plugin up to and including 1.25
  • Mesos Cloud Plugin up to and including 0.17.1
  • Metadata Plugin up to and including 1.1.0b
  • Monitoring Plugin up to and including 1.73.1
  • MQ Notifier Plugin up to and including 1.2.6
  • PAM Authentication Plugin up to and including 1.3
  • Publish Over Dropbox Plugin up to and including 1.2.4
  • Rebuilder Plugin up to and including 1.28
  • SonarQube Scanner Plugin up to and including 2.8

Fix

  • Arachni Scanner Plugin should be updated to version 1.0.0
  • Argus Notifier Plugin should be updated to version 1.0.2
  • Artifactory Plugin should be updated to version 2.16.2
  • Chatter Notifier Plugin should be updated to version 2.0.5
  • Config File Provider Plugin should be updated to version 3.2
  • crowd2 Plugin should be updated to version 2.0.1
  • Dimensions Plugin should be updated to version 0.8.15
  • Email Extension Template Plugin should be updated to version 1.1
  • Git Changelog Plugin should be updated to version 2.7
  • HipChat Plugin should be updated to version 2.2.1
  • Jira Plugin should be updated to version 3.0.2
  • Job Configuration History Plugin should be updated to version 2.18.1
  • JUnit Plugin should be updated to version 1.26
  • Mesos Cloud Plugin should be updated to version 0.18
  • Monitoring Plugin should be updated to version 1.74.0
  • MQ Notifier Plugin should be updated to version 1.2.7
  • PAM Authentication Plugin should be updated to version 1.4
  • Publish Over Dropbox Plugin should be updated to version 1.2.5
  • Rebuilder Plugin should be updated to version 1.29
  • SonarQube Scanner Plugin should be updated to version 2.8.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Metadata Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-130, SECURITY-938, SECURITY-1108, SECURITY-1122, SECURITY-1125, SECURITY-1130, SECURITY-1135
  • Oleg Nenashev, CloudBees, Inc. for SECURITY-1011 (1), SECURITY-1011 (2), SECURITY-1013 (1), SECURITY-1013 (2), SECURITY-1101
  • Steve Marlowe of Cisco ASIG for SECURITY-265
  • The CJE team from ABN-AMRO for SECURITY-1163
  • Viktor Gazdag for SECURITY-845, SECURITY-948, SECURITY-972, SECURITY-984 (1), SECURITY-1065, SECURITY-1067, SECURITY-1068
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1029
  • Zhouyuan Yang of Fortinet's FortiGuard Labs for SECURITY-1075, SECURITY-1080