Jenkins Security Advisory 2019-07-17

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)

Descriptions

Arbitrary file write vulnerability using file parameter definitions

SECURITY-1424 / CVE-2019-10352

Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. This path would be used to store the uploaded file on the Jenkins controller, resulting in an arbitrary file write vulnerability.

File parameters that escape the base directory are no longer accepted and the build will fail.

This vulnerability is the result of an incomplete fix for SECURITY-1074.

CSRF protection tokens did not expire

SECURITY-626 / CVE-2019-10353

By default, CSRF tokens in Jenkins only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim’s IP address remained unchanged.

CSRF tokens will now also check the web session ID to confirm they were created in the same session. Once that’s invalidated or expired, corresponding CSRF tokens will become invalid as well.

This fix may impact scripts that obtain a crumb from the crumb issuer API. They may need to be updated to retain the session ID for subsequent requests. For further information, see the LTS upgrade guide.

We also publish the Strict Crumb Issuer Plugin which contains additional protection mechanisms that give administrators more fine-grained control over the validity of CSRF tokens. We plan to improve the built-in default crumb issuer based on user feedback of this implementation.

Unauthorized view fragment access

SECURITY-534 / CVE-2019-10354

Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content.

In some cases attackers could directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.

The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows preventing views from being rendered. The implementation of that SPI in Jenkins now prevents view fragments from being rendered. Further details are available in the developer documentation.

Most views in Jenkins and Jenkins plugins should be compatible with this change. We track known affected plugins and their status in the Jenkins wiki.

In rare cases, it may be desirable to disable this fix. To do so, set the Java system property jenkins.security.stapler.StaplerDispatchValidator.disabled to true. Learn more about system properties in Jenkins.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.185
  • Jenkins LTS up to and including 2.176.1

Fix

  • Jenkins weekly should be updated to version 2.186
  • Jenkins LTS should be updated to version 2.176.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Conor O'Neill of Tenable for SECURITY-1424
  • Jesse Glick, CloudBees, Inc. for SECURITY-534