Jenkins Security Advisory 2018-02-26

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Environment Injector Plugin before 1.91 stored sensitive build variables

SECURITY-248

EnvInject plugin stores environment variables in order to visualize them in the "Injected Environment Variables" view. Sensitive build variables, typically passwords, are exempt from this behavior. Plugin versions older than 1.91 (released on Mar 08, 2015) however did not exempt sensitive variables, and persisted them on disk too. Such persisted sensitive variables may be displayed by any release of this plugin for builds run before it was updated to version 1.91 or newer.

While the bug persisting sensitive build variables has been addressed in release 1.91, there is no fix addressing this problem for historical build data.

You may be affected by this sensitive data exposure issue if all of the following are true:

  • You define sensitive environment variables globally, per node, or per job.

  • You have ever used Environment Injector Plugin 1.90 or older.

  • You still have build records created while Environment Injector Plugin 1.90 or older was installed and enabled.

To prevent the further exposure of sensitive build variables, we recommend that you take the following steps if you are affected by this:

  • Disable the visualization of Injected Environment variables in the global configuration. After this change the data will be accessible only to those ones who have access to raw build.xml files. This is a reversible action that can be applied immediately, and can be reverted once you’ve purged the data on disk (below).

  • Remove the sensitive data from disk by manually removing corresponding entries from injectedEnvVars.txt files, or deleting the injectedEnvVars.txt files in old build directories.

  • Rotate all secrets that have potentially been exposed.

Coverity Plugin stored keystore and private key passwords in plain text

SECURITY-260 / CVE-2018-1000104

The Coverity Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-site scripting vulnerabilities, and similar situations.

The Coverity Plugin now integrates with Credentials Plugin to store passwords, and automatically migrates existing passwords.

Improper access control in Gerrit Trigger Plugin allowed unauthorized users to read some server configuration information

SECURITY-402 / CVE-2018-1000105

Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to access a form that showed the configuration of Gerrit servers in Jenkins. The key file password was only shown in its encrypted form, if configured. Other options were plainly visible.

The missing permission check has been added.

Improper access control in Gerrit Trigger Plugin allowed unauthorized users to modify global Gerrit Server configurations

SECURITY-403 / CVE-2018-1000106

Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to perform the following actions:

  • Configure Gerrit servers

  • Connect and disconnect configured Gerrit servers

The missing permission checks have been added.

Improper access control allowed users without ManageOwnership permission to change job ownership metadata in Job and Node ownership Plugin

SECURITY-498 / CVE-2018-1000107

Job and Node ownership Plugin did not prevent the ownership metadata being overwritten when a job or node configuration was updated from the CLI or using the remote API (POST config.xml).

This allowed users with Job/Configure permission but without ManageOwnership/Jobs permission to change job ownership metadata, and users with Computer/Configure but without ManageOwnership/Nodes to change node ownership metadata.

Changes to job or node ownership metadata via remote API now require ManageOwnership/Jobs or ManageOwnership/Nodes permission, respectively. Changes to job or node ownership via CLI require Overall/Administer permission.

Azure Slave Plugin bundled outdated httpclient library with denial of service vulnerability

SECURITY-554 / CVE-2015-5262

The Azure Slave Plugin bundles a version of the httpclient library that is vulnerable to CVE-2015-5262.

As the plugin has been deprecated in favor of Azure VM Agents Plugin in 2016, there are no plans to release a fix. It has been removed from distribution per request by the former maintainers.

Reflected cross-site-scripting vulnerability in report URL of CppNCSS Plugin

SECURITY-712 / CVE-2018-1000108

CppNCSS Plugin did not properly escape the report name and graph name, resulting in a reflected cross-site scripting vulnerability.

Report name and graph name are now properly escaped.

Unprivileged users are able to enumerate credential IDs in Google Play Android Publisher Plugin

SECURITY-715 / CVE-2018-1000109

Google Play Android Publisher Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they’d like to use to authenticate with the Google Play API.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

Additionally, a related form validation function would allow verification whether a specified credential is valid for use with the Google Play API.

Enumeration of credentials IDs and validation of specified credentials in this plugin now requires the permission to have the ExtendedRead permission (when that permission is enabled; otherwise Configure permission) to the job in whose context credentials are being accessed.

Disclosure of user names and node names to unauthorized users through post-commit hook URL in Git Plugin

SECURITY-723 / CVE-2018-1000110

The class handling unauthenticated Git post-commit hook notification requests at the /git/ path unnecessarily extended another type that handled requests to the …/search/ sub-path.

This allowed submission of search queries to Jenkins, and getting a list of search results usually available to anyone with Overall/Read permission. In current Jenkins releases, those are typically the names of known users (both actual users of Jenkins, and known SCM committers) and nodes (built-in node and agents).

The class handling requests to /git/ no longer extends the class handling requests to the …/search/ sub-path, therefore any such requests will fail.

Disclosure of user names and node names to unauthorized users through post-commit hook URL in Subversion Plugin

SECURITY-724 / CVE-2018-1000111

The class handling unauthenticated Subversion post-commit hook notification requests at the /subversion/ path unnecessarily extended another type that handled requests to the …/search/ sub-path.

This allowed submission of search queries to Jenkins, and getting a list of search results usually available to anyone with Overall/Read permission. In current Jenkins releases, those are typically the names of known users (both actual users of Jenkins, and known SCM committers) and nodes (built-in node and agents).

The class handling requests to /subversion/ no longer extends the class handling requests to the …/search/ sub-path, therefore any such requests will fail.

Disclosure of user names and node names to unauthorized users through post-commit hook URL in Mercurial Plugin

SECURITY-726 / CVE-2018-1000112

The class handling unauthenticated Mercurial post-commit hook notification requests at the /mercurial/ path unnecessarily extended another type that handled requests to the …/search/ sub-path.

This allowed submission of search queries to Jenkins, and getting a list of search results usually available to anyone with Overall/Read permission. In current Jenkins releases, those are typically the names of known users (both actual users of Jenkins, and known SCM committers) and nodes (built-in node and agents).

The class handling requests to /mercurial/ no longer extends the class handling requests to the …/search/ sub-path, therefore any such requests will fail.

Stored cross-site scripting vulnerability in TestLink Plugin

SECURITY-731 / CVE-2018-1000113

Users with Job/Configure permission were able to configure TestLink reports to display arbitrary unescaped HTML e.g. in test case names.

The plugin now properly escapes its HTML output.

Promoted Builds Plugin allowed unauthorized users to run some promotion processes

SECURITY-746 / CVE-2018-1000114

Users with Job/Read access were able to approve and re-execute promotion processes with a manual promotion condition that did not specify a list of users allowed to manually approve the promotion.

The plugin now requires users to have the Promotion/Promote permission to be able to approve or re-execute a promotion with manual condition that does not specify a list of users allowed to approve it.

The following additional changes to permission enforcement were implemented in this update to make condition enforcement consistent for the three actions Approve, Re-Execute, and Force:

Some of these changes allow users to act on some promotions they were not able to act on in 2.x releases of this plugin.
  1. Users with just the Promotion/Promote permission are no longer allowed to re-execute or force promotions with a manual condition that specifies a list of users, unless the user is on that list.

  2. Administrators are now able to approve any promotion with a manual condition.

  3. Users specified in a manual promotion condition are now allowed to force this promotion.

Severity

Affected Versions

  • Azure Slave Plugin up to and including 0.3.4
  • Coverity Plugin up to and including 1.10.0
  • CppNCSS Plugin up to and including 1.1
  • Environment Injector Plugin up to and including 1.90
  • Gerrit Trigger Plugin up to and including 2.27.4
  • Git Plugin up to and including 3.7.0
  • Google Play Android Publisher Plugin up to and including 1.6
  • Job and Node ownership Plugin up to and including 0.11.0
  • Mercurial Plugin up to and including 2.2
  • promoted builds Plugin up to and including 2.31.1
  • Subversion Plugin up to and including 2.10.2
  • TestLink Plugin up to and including 3.12

Fix

  • Coverity Plugin should be updated to version 1.11.0
  • CppNCSS Plugin should be updated to version 1.2
  • Environment Injector Plugin should be updated to version 1.91
  • Gerrit Trigger Plugin should be updated to version 2.27.5
  • Git Plugin should be updated to version 3.8.0
  • Google Play Android Publisher Plugin should be updated to version 1.7
  • Job and Node ownership Plugin should be updated to version 0.12.0
  • Mercurial Plugin should be updated to version 2.3
  • promoted builds Plugin should be updated to version 3.0
  • Subversion Plugin should be updated to version 2.10.3
  • TestLink Plugin should be updated to version 3.13

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Azure Slave Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Christopher Orr for SECURITY-715
  • Daniel Beck, CloudBees, Inc. for SECURITY-402, SECURITY-403
  • Devin Nusbaum, CloudBees, Inc. for SECURITY-746
  • Jonathan Claudius of Mozilla for SECURITY-248
  • Oleg Nenashev, CloudBees, Inc. for SECURITY-498, SECURITY-712, SECURITY-731
  • Spencer Gietzen of Rhino Security Labs for SECURITY-723
  • Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG for SECURITY-260