Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Multiple vulnerabilities in Jenkins and Jenkins plugins

Related Vulnerabilities: CVE-2020-2160   CVE-2020-2161   CVE-2020-2162   CVE-2020-2163   CVE-2020-2164   CVE-2020-2165   CVE-2020-2166   CVE-2020-2167   CVE-2020-2168   CVE-2020-2169   CVE-2020-2170   CVE-2020-2171  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Multiple vulnerabilities in Jenkins and Jenkins plugins

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Daniel Beck &lt;ml () beckweb net&gt;

Date: Wed, 25 Mar 2020 16:58:05 +0100

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.228
* Jenkins LTS 2.204.6 and 2.222.1
* Artifactory Plugin 3.6.0 and 3.6.1
* Azure Container Service Plugin 1.0.2
* OpenShift Pipeline Plugin 1.0.57
* Pipeline: AWS Steps Plugin 1.41
* Queue cleanup Plugin 1.4
* RapidDeploy Plugin 4.2.1

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2020-03-25/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1774 / CVE-2020-2160
An extension point in Jenkins allows selectively disabling cross-site
request forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation
of the URL path than the Stapler web framework uses to dispatch requests in
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy
allowed attackers to craft URLs that would bypass the CSRF protection of
any target URL.

SECURITY-1781 / CVE-2020-2161
Users with Agent/Configure permissions can define labels for nodes. These
labels can be referenced in job configurations to restrict where a job can
be run.

In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation
for label expressions in job configuration forms did not properly escape
label names, resulting in a stored cross-site scripting (XSS) vulnerability
exploitable by users able to define node labels.

SECURITY-1793 / CVE-2020-2162
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as
file parameters to a build without specifying appropriate
`Content-Security-Policy` HTTP headers. This resulted in a stored
cross-site scripting (XSS) vulnerability exploitable by users with
permissions to build a job with file parameters.

SECURITY-1796 / CVE-2020-2163
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded
in list view column headers. This resulted in a stored cross-site scripting
(XSS) vulnerability exploitable by users able to control the content of
column headers.

The following plugins are known to allow users to define column headers:

* Warnings NG
* Maven Info
* Link Column

Further plugins may also allow users to define column headers.

SECURITY-1542 (1) / CVE-2020-2164
Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password
in plain text in the global configuration file
`org.jfrog.hudson.ArtifactoryBuilder.xml`. This password can be viewed by
users with access to the Jenkins master file system.

SECURITY-1542 (2) / CVE-2020-2165
Artifactory Plugin stores Artifactory server passwords in its global
configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml` on the Jenkins
master as part of its configuration.

While the password is stored encrypted on disk since Artifactory Plugin
3.6.0, it is transmitted in plain text as part of the configuration form by
Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the
password through browser extensions, cross-site scripting vulnerabilities,
and similar situations.

SECURITY-1741 / CVE-2020-2166
Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML
parser to prevent the instantiation of arbitrary types. This results in a
remote code execution (RCE) vulnerability exploitable by users able to
provide YAML input files to Pipeline: AWS Steps Plugin's build steps.

SECURITY-1739 / CVE-2020-2167
OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML
parser to prevent the instantiation of arbitrary types. This results in a
remote code execution (RCE) vulnerability exploitable by users able to
provide YAML input files to OpenShift Pipeline Plugin's build step.

SECURITY-1732 / CVE-2020-2168
Azure Container Service Plugin 1.0.1 and earlier does not configure its
YAML parser to prevent the instantiation of arbitrary types. This results
in a remote code execution (RCE) vulnerability exploitable by users able to
provide YAML input files to Azure Container Service Plugin's build step.

SECURITY-1724 / CVE-2020-2169
A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier
does not escape a query parameter displayed in an error message. This
results in a reflected cross-site scripting vulnerability (XSS).

SECURITY-1676 / CVE-2020-2170
RapidDeploy Plugin 4.2 and earlier does not escape package names in its
displayed table of packages obtained from a remote server. This results in
a stored cross-site scripting (XSS) vulnerability exploitable by users able
to configure jobs.

SECURITY-1677 / CVE-2020-2171
RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'RapidDeploy
deployment package build' build or post-build step to have Jenkins parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins master, server-side request forgery, or denial-of-service attacks.

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Jan 29)

&lt;Possible follow-ups&gt;
Multiple vulnerabilities in Jenkins and Jenkins plugins Daniel Beck (Mar 25)

 

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started