<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Multiple vulnerabilities in Jenkins plugins
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Daniel Beck <ml () beckweb net>
Date: Thu, 28 Mar 2019 19:53:45 +0100
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On 25. Mar 2019, at 16:09, Daniel Beck <ml () beckweb net> wrote:

SECURITY-1353
Sandbox protection in the Script Security and Pipeline: Groovy Plugins
could be circumvented through methods supporting type casts and type
coercion. This allowed attackers to invoke constructors for arbitrary types.
CVE-2019-1003040 (Script Security) and CVE-2019-1003041 (Pipeline: Groovy)

SECURITY-1361
Lockable Resources Plugin did not properly escape resource names in
generated JavaScript code, thus leading to a cross-site scripting (XSS)
vulnerability.
CVE-2019-1003042

SECURITY-976
Slack Notification Plugin did not perform permission checks on a method
implementing form validation. This allowed users with Overall/Read access
to Jenkins to connect to an attacker-specified URL using attacker-specified
credentials IDs obtained through another method, capturing credentials
stored in Jenkins.
CVE-2019-1003043
Additionally, this form validation method did not require POST requests,
resulting in a cross-site request forgery vulnerability.
CVE-2019-1003044

SECURITY-846
ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml
files and its global configuration file on the Jenkins master. This token
could be viewed by users with Extended Read permission, or access to the
master file system.
CVE-2019-1003045

SECURITY-992
A missing permission check in multiple form validation methods in Fortify
on Demand Uploader Plugin allowed users with Overall/Read permission to
initiate a connection test to an attacker-specified server.
CVE-2019-1003047
Additionally, the form validation methods did not require POST requests,
resulting in a CSRF vulnerability.
CVE-2019-1003046

SECURITY-1089
PRQA Plugin stored a password unencrypted in its global configuration file
on the Jenkins master. This password could be viewed by users with access
to the master file system.
CVE-2019-1003048
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
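Added illustration, not code from the advisory above or from any of the plugins it names: a hypothetical Jenkins plugin Descriptor showing the standard fixes for the two defect classes the message lists, an unauthenticated GET-reachable form validation method (SECURITY-976 / SECURITY-992) and a secret stored as a plain String in config.xml (SECURITY-846 / SECURITY-1089). The class, method and field names are assumptions.

```java
// Hypothetical plugin code written for this example; not from any named plugin.
package example;

import hudson.Extension;
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleUploaderConfig extends GlobalConfiguration {

    // Weak pattern: a String field is serialised to config.xml in clear text,
    // readable by anyone with Extended Read or master file-system access.
    // private String apiToken;

    // Fixed: Secret is persisted encrypted with the instance key and is only
    // decrypted on demand through getPlainText().
    private Secret apiToken;

    public Secret getApiToken() { return apiToken; }
    public void setApiToken(Secret apiToken) { this.apiToken = apiToken; save(); }

    // Weak pattern: no permission check and no POST requirement, so any
    // Overall/Read user (or a CSRF page they visit) can trigger an outbound
    // connection to a caller-chosen URL with a caller-chosen token.
    public FormValidation doTestConnectionWeak(@QueryParameter String url,
                                               @QueryParameter String apiToken) {
        return probe(url, apiToken);
    }

    // Fixed: POST only (Jenkins' crumb check then applies) plus an explicit
    // permission check bound to the context the form is rendered in.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String apiToken) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global config page
        } else {
            item.checkPermission(Item.CONFIGURE);              // job config page
        }
        return probe(url, Secret.fromString(apiToken).getPlainText());
    }

    // Stand-in for the real connection test; it never echoes the token back.
    private FormValidation probe(String url, String token) {
        if (url == null || url.isEmpty()) return FormValidation.error("URL is required");
        return FormValidation.ok("Connection settings look valid");
    }
}
```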
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->