Jenkins Security Advisory 2019-12-17

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

XXE vulnerability in Maven Release Plug-in Plugin

SECURITY-1681 / CVE-2019-16549 (XXE), CVE-2019-16550 (CSRF)

Maven Release Plug-in Plugin retrieves XML from Nexus repository manager APIs. Maven Release Plug-in Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. While Jenkins users without Overall/Administer permission are not allowed to configure a custom Nexus URL, this could still be exploited via man-in-the-middle attacks, especially if it’s not an HTTPS URL.

Additionally, a connection test form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability. Combined, these two vulnerabilities allow attackers to have Jenkins parse crafted XML documents that use external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

Maven Release Plug-in Plugin 0.16.2 configures its XML parser to prevent XML external entity (XXE) attacks. It also now requires that requests to the connection test form validation method are done via POST, which protects from cross-site request forgery attacks.

CSRF vulnerability and missing permission checks in Gerrit Trigger Plugin

SECURITY-1527 / CVE-2019-16551 (CSRF), CVE-2019-16552 (missing permission check)

Gerrit Trigger Plugin 2.30.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, connecting to an HTTP URL or SSH server using attacker-specified credentials, or determine whether files with an attacker-specified path exist on the Jenkins master file system.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Gerrit Trigger Plugin 2.30.2 requires POST requests and Overall/Administer permission for the affected form validation methods.

CSRF vulnerability and missing permission check in Build Failure Analyzer Plugin allow ReDoS

SECURITY-1651 / CVE-2019-16553 (CSRF), CVE-2019-16554 (missing permission check), CVE-2019-16555 (resource consumption)

Build Failure Analyzer Plugin 1.24.1 and earlier does not perform a permission check in a method performing form validation. This allows users with Overall/Read access to supply a computationally expensive regular expression that will hang the request handling thread.

Additionally, this form validation method does not require POST requests, resulting in a CSRF vulnerability.

Build Failure Analyzer Plugin 1.24.2 requires POST requests and implements a permission check for the affected form validation methods so that only authorized users are able to submit regular expressions.

Additionally, the regular expression is implemented in an interruptible way, so that unintentionally expensive regular expression processing can be interrupted.

Stored XSS vulnerability in Pipeline Aggregator View Plugin

SECURITY-1593 / CVE-2019-16564

Pipeline Aggregator View Plugin 1.8 and earlier does not escape the information shown on the view it provides, such as stage names or job names.

This results in a stored cross-site scripting vulnerability exploitable by users able to configure jobs, define pipeline stages, or otherwise affect the information shown by Pipeline Aggregator View Plugin.

Pipeline Aggregator View Plugin 1.9 escapes user-controlled information on the view it provides.

Rundeck Plugin stored credentials in plain text

SECURITY-1636 / CVE-2019-16556

Rundeck Plugin 3.6.5 and earlier stores credentials as part of its global configuration file org.jenkinsci.plugins.rundeck.RundeckNotifier.xml and job config.xml files on the Jenkins master. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the master file system.

Rundeck Plugin 3.6.6 stores credentials in its configuration encrypted once global and/or job configurations are saved again.

Redgate SQL Change Automation Plugin stores credentials in plain text

SECURITY-1598 / CVE-2019-16557

Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master as part of its build step configuration. These credentials can be viewed by users with Extended Read permission or access to the master file system.

Redgate SQL Change Automation Plugin 2.0.4 stores its credentials encrypted once job configurations are saved again.

SSL/TLS certificate validation globally and unconditionally disabled by Spira Importer Plugin

SECURITY-1580 / CVE-2019-16558

Spira Importer Plugin 3.2.3 and earlier unconditionally disables SSL/TLS certificate validation for the entire Jenkins master JVM.

Spira Importer Plugin 3.2.4 no longer disables SSL/TLS certificate validation.

CSRF vulnerability and missing permission checks in WebSphere Deployer Plugin

SECURITY-1371 / CVE-2019-16559 (permission check), CVE-2019-16560 (CSRF)

WebSphere Deployer Plugin 1.6.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, determine whether files with an attacker-specified path exist on the Jenkins master file system, and obtain limited information about the Jenkins and plugin configuration based on the responses. The latter include the ability to set plugin configuration options.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

SSL/TLS certificate validation globally and unconditionally disabled by WebSphere Deployer Plugin

SECURITY-1581 / CVE-2019-16561

WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins master JVM, or specify a new Java keystore from a file stored on the Jenkins master filesystem.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in buildgraph-view Plugin

SECURITY-1591 / CVE-2019-16562

buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the build description.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Mission Control Plugin

SECURITY-1592 / CVE-2019-16563

Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names in the view it provides.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change these properties.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Team Concert Plugin allows capturing credentials

SECURITY-1605 (1) / CVE-2019-16565 (CSRF), CVE-2019-16566 (missing permission check)

Team Concert Plugin 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

Users with Overall/Read access can enumerate credential IDs in Team Concert Plugin

SECURITY-1605 (2) / CVE-2019-16567

Team Concert Plugin 1.3.0 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

SCTMExecutor Plugin stores credentials in plain text

SECURITY-1521 / CVE-2019-16568

SCTMExecutor Plugin 2.2 and earlier stores Silk Central credentials in the global Jenkins configuration and in job config.xml files.

While these credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of these credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

CSRF vulnerability in Mantis Plugin

SECURITY-1603 / CVE-2019-16569

Mantis Plugin 0.26 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Mantis-related paths on an attacker-specified web server using attacker-specified credentials.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in RapidDeploy Plugin allow SSRF

SECURITY-1604 / CVE-2019-16570 (CSRF), CVE-2019-16571 (missing permission check)

RapidDeploy Plugin 4.1 and earlier does not perform a permission check on form validation methods. This allows users with Overall/Read access to Jenkins to connect to RapidDeploy-related paths on an attacker-specified web server.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

Weibo Plugin stores credentials in plain text

SECURITY-1597 / CVE-2019-16572

Weibo Plugin 1.0.1 and earlier stores a credential unencrypted in its global configuration file org.jenkinsci.plugins.weibo.WeiboNotifier.xml on the Jenkins master. This credential can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Alauda DevOps Pipeline Plugin allows capturing credentials

SECURITY-1600 / CVE-2019-16573 (CSRF), CVE-2019-16574 (missing permission check)

Alauda DevOps Pipeline Plugin 2.3.2 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing token credentials managed by Alauda DevOps Pipeline Plugin.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability in Alauda Kubernetes Suport Plugin

SECURITY-1602 / CVE-2019-16575 (CSRF), CVE-2019-16576 (missing permission check)

Alauda Kubernetes Suport Plugin 2.3.0 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing 'Secret Text' credentials stored in Jenkins.

Additionally, if no credentials ID is specified, the connection uses the default Kubernetes token from /var/run/secrets/kubernetes.io/serviceaccount/token.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • Alauda DevOps Pipeline Plugin up to and including 2.3.2
  • Alauda Kubernetes Suport Plugin up to and including 2.3.0
  • Build Failure Analyzer Plugin up to and including 1.24.1
  • buildgraph-view Plugin up to and including 1.8
  • Gerrit Trigger Plugin up to and including 2.30.1
  • Mantis Plugin up to and including 0.26
  • Maven Release Plug-in Plugin up to and including 0.16.1
  • Mission Control Plugin up to and including 0.9.16
  • Pipeline Aggregator View Plugin up to and including 1.8
  • RapidDeploy Plugin up to and including 4.1
  • Redgate SQL Change Automation Plugin up to and including 2.0.3
  • Rundeck Plugin up to and including 3.6.5
  • SCTMExecutor Plugin up to and including 2.2
  • Spira Importer Plugin up to and including 3.2.3
  • Team Concert Plugin up to and including 1.3.0
  • WebSphere Deployer Plugin up to and including 1.6.1
  • Weibo Plugin up to and including 1.0.1

Fix

  • Build Failure Analyzer Plugin should be updated to version 1.24.2
  • Gerrit Trigger Plugin should be updated to version 2.30.2
  • Maven Release Plug-in Plugin should be updated to version 0.16.2
  • Pipeline Aggregator View Plugin should be updated to version 1.9
  • Redgate SQL Change Automation Plugin should be updated to version 2.0.4
  • Rundeck Plugin should be updated to version 3.6.6
  • Spira Importer Plugin should be updated to version 3.2.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Alauda DevOps Pipeline Plugin
  • Alauda Kubernetes Suport Plugin
  • buildgraph-view Plugin
  • Mantis Plugin
  • Mission Control Plugin
  • RapidDeploy Plugin
  • SCTMExecutor Plugin
  • Team Concert Plugin
  • WebSphere Deployer Plugin
  • Weibo Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Alex Earl (@alexcearl), Marvell Semiconductor, Inc. for SECURITY-1527
  • Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/ for SECURITY-1681
  • Daniel Beck, CloudBees, Inc. for SECURITY-1371, SECURITY-1580, SECURITY-1581, SECURITY-1651
  • James Holderness, IB Boost for SECURITY-1521
  • Viktor Gazdag NCC Group for SECURITY-1591, SECURITY-1592, SECURITY-1593, SECURITY-1597, SECURITY-1598, SECURITY-1600, SECURITY-1602, SECURITY-1603, SECURITY-1604, SECURITY-1605 (1), SECURITY-1605 (2)
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1636