[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E9AC7759-6DB8-4293-A90A-58174CDC637F@beckweb.net>
Date: Thu, 8 Oct 2020 14:36:42 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.
The following releases contain fixes for security vulnerabilities:
* Active Choices Plugin 2.5
* Audit Trail Plugin 3.7
* couchdb-statistics Plugin 0.4
* Role-based Authorization Strategy Plugin 3.1
Additionally, we announce unresolved security issues in the following
plugins:
* Maven Cascade Release Plugin
* Nerrvana Plugin
* Persona Plugin
* Release Plugin
* Shared Objects Plugin
* SMS Notification Plugin
Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2020-10-08/
We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories
If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities
---
SECURITY-1767 / CVE-2020-2286
Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to
speed up permission lookups.
In Role-based Authorization Strategy Plugin 3.0 and earlier this cache is
not invalidated properly when an administrator changes the permission
configuration. This can result in permissions being granted long after the
configuration was changed to no longer grant them.
SECURITY-1815 / CVE-2020-2287
Audit Trail Plugin logs requests whose URL path matches an admin-configured
regular expression.
A discrepancy between the behavior of the plugin and the Stapler web
framework in parsing URL paths allows attackers to craft URLs that would
bypass request logging in Audit Trail Plugin 3.6 and earlier.
SECURITY-1846 / CVE-2020-2288
Audit Trail Plugin uses regular expressions to match requested URLs whose
dispatch should be logged.
In Audit Trail Plugin 3.6 and earlier, the default regular expression
pattern could be bypassed in many cases by adding a suffix to the URL that
would be ignored during request handling.
SECURITY-1954 / CVE-2020-2289
Active Choices Plugin 2.4 and earlier does not escape the name and
description of build parameters.
This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.
SECURITY-2008 / CVE-2020-2290
Active Choices Plugin 2.4 and earlier does not escape `List` and `Map`
return values of sandboxed scripts for _Reactive Reference Parameter_.
This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.
SECURITY-2065 / CVE-2020-2291
couchdb-statistics Plugin 0.3 and earlier stores its server password
unencrypted in its global configuration file
`org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml` on the Jenkins
controller as part of its configuration.
This password can be viewed by users with access to the Jenkins controller
file system.
SECURITY-1928 / CVE-2020-2292
Release Plugin 2.10.2 and earlier does not escape the release version in
the badge tooltip.
This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Release/Release permission.
As of publication of this advisory, there is no fix.
SECURITY-2046 / CVE-2020-2293
Persona Plugin 2.4 and earlier allows users with Overall/Read permission to
read arbitrary files on the Jenkins controller.
As of publication of this advisory, there is no fix.
SECURITY-2049 / CVE-2020-2294 (permission check) & CVE-2020-2295 (CSRF)
Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission
checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to start cascade builds
and layout builds, and reconfigure the plugin.
Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.
SECURITY-2052 / CVE-2020-2296
Shared Objects Plugin 0.44 and earlier does not require POST requests for
an HTTP endpoint, resulting in a cross-site request forgery (CSRF)
vulnerability.
This vulnerability allows attackers to configure shared objects.
As of publication of this advisory, there is no fix.
SECURITY-2054 / CVE-2020-2297
SMS Notification Plugin 1.2 and earlier stores an access token unencrypted
in its global configuration file
`com.hoiio.jenkins.plugin.SMSNotification.xml` on the Jenkins controller as
part of its configuration.
This access token can be viewed by users with access to the Jenkins
controller file system.
As of publication of this advisory, there is no fix.
SECURITY-2097 / CVE-2020-2298
Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.
This allows attackers with Overall/Read permission to have Jenkins parse a
crafted HTTP request with XML data that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.
Additionally, XML parsing is exposed as a form validation endpoint that
does not require POST requests, allowing exploitation by users without
Overall/Read permission via CSRF.
As of publication of this advisory, there is no fix.
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
