oss-sec
mailing list archives
Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Thu, 21 Nov 2019 15:06:02 +0100
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:
* Anchore Container Image Scanner Plugin 1.0.20
* Google Compute Engine Plugin 4.2.0
* JIRA Plugin 3.0.11
* QMetry for JIRA - Test Management Plugin 1.13
* Script Security Plugin 1.68
* Spira Importer Plugin 3.2.3
* Support Core Plugin 2.64
Additionally, we announce unresolved security issues in the following
plugins:
* QMetry for JIRA - Test Management Plugin
Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-11-21/
We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories
If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities
---
SECURITY-1658 / CVE-2019-16538
Sandbox protection in Script Security Plugin could be circumvented through
closure default parameter expressions.
This allowed attackers able to specify and run sandboxed scripts to
execute arbitrary code in the context of the Jenkins master JVM.
SECURITY-1634 / CVE-2019-16539 (permission check), CVE-2019-16540 (path traversal)
Support Core Plugin did not validate the paths submitted for the "Delete
Support Bundles" feature. This allowed users to delete arbitrary files on
the Jenkins master file system accessible to the OS user account running
Jenkins.
Additionally, this endpoint did not perform a permission check, allowing
users with Overall/Read permission to delete support bundles, and any
other file with a known name/path.
SECURITY-1106 / CVE-2019-16541
JIRA Plugin allows the definition of per-folder Jira sites.
The credentials lookup for this feature did not set the appropriate
context, allowing the use of System-scoped credentials otherwise reserved
for use in the global configuration. This allowed users with Item/Configure
permission on the folder to access credentials they’re not entitled to,
and potentially capture them.
SECURITY-1539 / CVE-2019-16542
Anchore Container Image Scanner Plugin stored an Anchore.io service
password unencrypted in job config.xml files as part of its configuration.
This credential could be viewed by users with Extended Read permission or
access to the master file system.
SECURITY-1554 / CVE-2019-16543
Spira Importer Plugin stored a credential unencrypted in its global
configuration file com.inflectra.spiratest.plugins.SpiraBuilder.xml on the
Jenkins master. This credential could be viewed by users with access to
the master file system.
SECURITY-1584 / CVE-2019-16546
Google Compute Engine Plugin did not use SSH host key verification when
connecting to VMs launched by the plugin. This lack of verification could
be abused by a MitM attacker to intercept these connections to
attacker-specified build agents without warning.
SECURITY-1585 / CVE-2019-16547
Google Compute Engine Plugin did not verify permissions on multiple
auto-complete API endpoints. This allowed users with Overall/Read
permissions to view various metadata about the running cloud environment.
SECURITY-1586 / CVE-2019-16548
Google Compute Engine Plugin did not require POST requests on an API
endpoint. This CSRF vulnerability allowed attackers to provision new
agents.
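The three endpoint-level defects above (SECURITY-1634: no path validation and no permission check on "Delete Support Bundles"; SECURITY-1585: no permission check; SECURITY-1586: no POST requirement) share one remediation shape in a Jenkins plugin. The following is an added illustration written for this page, not code from Support Core Plugin, Google Compute Engine Plugin, or the Jenkins project; the class name, the bundle directory and the parameter name are assumptions. It shows the unchecked form beside a hardened web action that requires POST, checks a permission, and confines the user-supplied name to regular files directly inside the bundle directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical web action class for this example; not any plugin's real class. */
public class SupportBundleDeleteAction {

    /** Directory the bundles live in; which directory that is, is an assumption here. */
    private final Path bundleRoot;

    public SupportBundleDeleteAction(Path bundleRoot) {
        this.bundleRoot = bundleRoot.toAbsolutePath().normalize();
    }

    /**
     * Shape of the defect described in the advisory (constructed for contrast, not the plugin's code):
     * the submitted name is joined to the root and deleted with no permission check and no
     * check that the result still lies inside the root, so "../../secrets/master.key" would be honoured.
     */
    public void deleteUnchecked(String name) throws IOException {
        Files.deleteIfExists(bundleRoot.resolve(name));
    }

    /**
     * Resolves a user-supplied bundle name against the root and rejects anything that escapes it.
     * Returns null unless the result is a regular, non-symlinked file directly inside bundleRoot.
     */
    public Path resolveBundle(String name) {
        if (name == null || name.isEmpty()) {
            return null;
        }
        Path candidate = bundleRoot.resolve(name).normalize();
        // normalize() collapses ".." segments; after that, only a direct child of the root is acceptable.
        // equals(null) is false, so a candidate at the filesystem root is rejected too.
        if (!bundleRoot.equals(candidate.getParent())) {
            return null;
        }
        // Reject symlinks and anything that is not a regular file, so a planted link cannot redirect the delete.
        if (Files.isSymbolicLink(candidate) || !Files.isRegularFile(candidate)) {
            return null;
        }
        return candidate;
    }

    /** Hardened form: POST-only (no CSRF via GET), permission-checked, path-validated before the delete. */
    @RequirePOST
    public HttpResponse doDeleteBundle(@QueryParameter String name) throws IOException {
        // Administer is assumed to be the right permission for deleting diagnostic bundles in this example.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        Path target = resolveBundle(name);
        if (target == null) {
            return HttpResponses.error(400, "not a support bundle: " + name);
        }
        Files.delete(target);
        return HttpResponses.redirectToDot();
    }
}
```

`resolveBundle` depends only on `java.nio.file`, so it can be unit-tested against a temporary directory without a Jenkins instance: names such as `"bundle.zip"` resolve, while `"../config.xml"`, an absolute path, or a name pointing at a subdirectory or symlink return null. Checking the permission before touching the path keeps the two fixes independent: an unauthorised caller learns nothing from the error message, and an authorised one still cannot reach outside the bundle directory.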
SECURITY-727 (1) / CVE-2019-16544
QMetry for JIRA - Test Management Plugin stored credentials unencrypted in
job config.xml files on the Jenkins master as part of its post-build step
configuration. This credential could be viewed by users with Extended Read
permission or access to the master file system.
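SECURITY-1539, SECURITY-1554 and SECURITY-727 (1) are all the same defect: a credential held in a plain `String` field, which Jenkins serialises verbatim into config.xml. The standard Jenkins remedy is to hold it in `hudson.util.Secret`, which serialises in encrypted form, and to migrate values already written in the clear. The class below is an added example for this page, not code from any of the plugins named in the advisory; the class, field and display names are assumptions, and the `readResolve` migration is the conventional XStream hook rather than anything the advisory describes.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/** Hypothetical per-job configuration holding an external service credential (not any plugin's real class). */
public class ServiceConfig extends AbstractDescribableImpl<ServiceConfig> {

    private final String username;

    /** Held as a Secret, so the value written to config.xml is the encrypted form, not the plaintext. */
    private Secret password;

    /**
     * Legacy field from when the password was a plain String (assumed name). It is kept only so that
     * config.xml files written by the old version still deserialise; readResolve() moves the value across.
     */
    @Deprecated
    private String legacyPassword;

    @DataBoundConstructor
    public ServiceConfig(String username, Secret password) {
        this.username = username;
        this.password = password;
    }

    public String getUsername() {
        return username;
    }

    /** Return the Secret itself to the form layer; the password Jelly control renders its encrypted value. */
    public Secret getPassword() {
        return password;
    }

    /** Decrypt only at the point of use (the outbound API call), never for logging or page rendering. */
    public String getPlainTextPassword() {
        return Secret.toString(password);
    }

    /** XStream calls this after deserialisation: converts a plaintext value read from old config and drops it. */
    protected Object readResolve() {
        if (legacyPassword != null && password == null) {
            // Secret.fromString wraps plaintext; the encrypted form is produced when the object is next saved.
            password = Secret.fromString(legacyPassword);
            legacyPassword = null;
        }
        return this;
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<ServiceConfig> {
        @Override
        public String getDisplayName() {
            return "Service credentials (example)";
        }
    }
}
```

Two points a reviewer checks on such a change: the config.xml on disk still contains the plaintext until the item is saved again, so a migration is only complete once affected jobs have been re-saved; and the configuration form must bind the field through Jenkins's password control (`f:password`) so that the browser receives the encrypted value rather than the plaintext, which is the separate exposure described under SECURITY-727 (2).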
SECURITY-727 (2) / CVE-2019-16545
QMetry for JIRA - Test Management Plugin stores a credential as part of
its post-build step configuration.
While the password is stored encrypted on disk since QMetry for JIRA -
Test Management Plugin 1.13, it is transmitted in plain text as part of
the configuration form. This can result in exposure of the password
through browser extensions, cross-site scripting vulnerabilities, and
similar situations.
As of publication of this advisory, there is no fix.