This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI.
This allows attackers with Agent/Extended Read permission to view encrypted values of secrets.
| This issue is related to SECURITY-266 in the 2016-05-11 security advisory. |
Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in agent config.xml accessed via REST API or CLI for users lacking Agent/Configure permission.
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI.
This allows attackers with View/Read permission to view encrypted values of secrets.
| This issue is related to SECURITY-266 in the 2016-05-11 security advisory. |
Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view config.xml accessed via REST API or CLI for users lacking View/Configure permission.
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets (e.g., Build Queue and Build Executor Status widgets), resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to have users toggle their collapsed/expanded status of sidepanel widgets.
Additionally, as the API accepts any string as the identifier of the panel ID to be toggled, attacker-controlled content can be stored in the victim’s user profile in Jenkins.
Jenkins 2.500, LTS 2.492.2 requires POST requests for the affected HTTP endpoint.
Various features in Jenkins redirect users to partially user-controlled URLs inside Jenkins. To prevent open redirect vulnerabilities, Jenkins limits redirections to safe URLs (neither absolute nor scheme-relative/network-path reference).
In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects starting with backslash (\) characters are considered safe.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site, because browsers interpret these characters as part of scheme-relative redirects.
Jenkins 2.500, LTS 2.492.2 considers redirects to URLs starting with backslash (\) characters to be unsafe, rejecting such redirects.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: