Jenkins Security Advisory 2019-10-23

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • 360 FireLine Plugin
  • Bitbucket OAuth Plugin
  • build-metrics Plugin
  • Deploy WebLogic Plugin
  • Dynatrace Application Monitoring Plugin
  • Global Post Script Plugin
  • kubernetes-ci Plugin
  • Libvirt Agents Plugin
  • Mattermost Notification Plugin
  • Sonar Gerrit Plugin
  • Zulip Plugin

Descriptions

Mattermost Notification Plugin stored webhook endpoint token in plain text

SECURITY-1628 / CVE-2019-10459

Mattermost allows the definition of incoming (from the perspective of the service) webhook URLs. These contain what is effectively a secret token as part of the URL.

Mattermost Notification Plugin stored these webhook URLs as part of its global configuration file jenkins.plugins.mattermost.MattermostNotifier.xml and job config.xml files on the Jenkins controller. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system.

Mattermost Notification Plugin now stores these URLs encrypted. Because each URL combines configuration (the endpoint) with the secret token, the plugin still displays it in the configuration UI; the fix protects the on-disk form, not the value shown to users who can open the configuration page.

Bitbucket OAuth Plugin stored credentials in plain text

SECURITY-1546 / CVE-2019-10460

Bitbucket OAuth Plugin stored a credential unencrypted in the global config.xml configuration file on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system.

Bitbucket OAuth Plugin now stores this credential encrypted.

Zulip Plugin stored credentials in plain text

SECURITY-1621 / CVE-2019-10476

Zulip Plugin stored a credential unencrypted in its global configuration file jenkins.plugins.zulip.ZulipNotifier.xml, as well as in the legacy configuration file hudson.plugins.humbug.HumbugNotifier.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system.

Zulip Plugin now stores this credential encrypted in its global configuration file. The legacy configuration file is deleted when saving the plugin configuration.

Dynatrace Application Monitoring Plugin stored credentials in plain text

SECURITY-1477 / CVE-2019-10461

Dynatrace Application Monitoring Plugin stored a credential unencrypted in its global configuration file com.dynatrace.jenkins.dashboard.TAGlobalConfiguration.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system.

Dynatrace Application Monitoring Plugin now stores this credential encrypted.

CSRF vulnerability in Dynatrace Application Monitoring Plugin

SECURITY-1483 (1) / CVE-2019-10462

Dynatrace Application Monitoring Plugin did not require POST requests on a method implementing form validation. This CSRF vulnerability allowed attackers to initiate a connection test to an attacker-specified server with attacker-specified username and password.

Dynatrace Application Monitoring Plugin now requires POST requests for this form validation method.

Missing permission check in Dynatrace Application Monitoring Plugin

SECURITY-1483 (2) / CVE-2019-10463

Dynatrace Application Monitoring Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified username and password.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission check in Deploy WebLogic Plugin

SECURITY-820 / CVE-2019-10464 (CSRF), CVE-2019-10465 (permission check)

Deploy WebLogic Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to send an HTTP HEAD request to a user-specified URL, or confirm the existence of any file or directory on the Jenkins controller.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

XXE vulnerability in 360 FireLine Plugin

SECURITY-822 / CVE-2019-10466

360 FireLine Plugin accepts XML for part of its configuration. It does not configure the XML parser to prevent XML external entity (XXE) attacks.

A form validation method that accepts XML does not perform permission checks. This allows users with Overall/Read permission to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller (form validation runs on the controller), server-side request forgery, or denial-of-service attacks.

As of publication of this advisory, there is no fix.
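To show what "does not configure the XML parser to prevent XXE" means in practice, here is an added example that is not code from 360 FireLine Plugin: a constructed XML document of the kind an attacker would submit to the form validation endpoint, parsed first with a default JAXP parser and then with one hardened the way such a fix would do it. The document content and the file path in the entity are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Constructed sample payload. The external entity names a file on the
    // controller; a http:// URL here instead gives SSRF, and a recursive
    // entity definition gives denial of service.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE cfg [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n" +
        "<cfg><rule>&xxe;</rule></cfg>";

    // VULNERABLE: a default JAXP DocumentBuilder resolves external general
    // entities and loads external DTDs, so &xxe; expands to the file contents
    // and ends up in the parsed configuration (or in an error message).
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    // HARDENED: configuration XML has no business declaring a DOCTYPE, so reject
    // it outright; the remaining features close the other entity and DTD paths
    // in case a different parser implementation ignores the first one.
    static Document parseSafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) {
        try {
            Document d = parseUnsafe(PAYLOAD);
            // Whatever /etc/hostname contains is now inside the document.
            System.out.println("unsafe parser expanded the entity to: "
                    + d.getDocumentElement().getTextContent().trim());
        } catch (Exception e) {
            // If the file does not exist the parser still tried to open it.
            System.out.println("unsafe parser attempted to fetch the entity: " + e);
        }
        try {
            parseSafe(PAYLOAD);
            System.out.println("safe parser accepted the document (unexpected)");
        } catch (SAXException e) {
            System.out.println("safe parser rejected the document: " + e.getMessage());
        } catch (Exception e) {
            System.out.println("safe parser failed: " + e);
        }
    }
}
```

Inside a plugin the shortest route is to parse through jenkins.util.xml.XMLUtils.parse(Reader) from Jenkins core, which applies the same hardening; the standalone version above makes the individual settings visible. The permission check the advisory also calls out is a separate fix: the endpoint that receives the XML must still require POST and check a permission before parsing, as the later form validation entries describe.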

Sonar Gerrit Plugin stored credentials in plain text

SECURITY-1003 / CVE-2019-10467

Sonar Gerrit Plugin stores a credential unencrypted in job config.xml files on the Jenkins controller if the 'Override Credentials' option is used. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Until one is available, avoid the 'Override Credentials' option and keep credentials in the global configuration only.
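The five "stored credentials in plain text" entries above (SECURITY-1628, SECURITY-1546, SECURITY-1621, SECURITY-1477 and SECURITY-1003) share one root cause and one fix. The following is an added example, not code from any of those plugins: a global configuration that first stores a webhook URL as a String and then as hudson.util.Secret, including the migration of an existing plain-text value. The class and field names are assumptions.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

// BEFORE: a String field. XStream writes it verbatim into the plugin's XML file
// under $JENKINS_HOME (or into a job's config.xml when the setting is per-job),
// readable by anyone with file-system access to the controller or, for job
// files, by anyone with Extended Read.
class BeforeNotifierConfiguration extends GlobalConfiguration {
    private String webhookUrl;   // https://chat.example/hooks/<token>, on disk as-is

    public String getWebhookUrl() { return webhookUrl; }

    @DataBoundSetter
    public void setWebhookUrl(String webhookUrl) { this.webhookUrl = webhookUrl; save(); }
}

// AFTER: hudson.util.Secret. XStream serialises a Secret as an opaque value
// encrypted with the controller's instance key, so the XML file no longer holds
// the token. The old String field is kept (non-transient, so XStream can still
// read it) only so readResolve() can migrate it on the next load.
@Extension
public class ExampleNotifierConfiguration extends GlobalConfiguration {
    private Secret webhookUrl;

    @Deprecated
    private String legacyWebhookUrl;   // assumed name of the old plain-text field

    public ExampleNotifierConfiguration() {
        load();   // reads the XML file; XStream calls readResolve() afterwards
    }

    // Wrap the old plain-text value and clear it; XStream omits null fields, so
    // the next save() writes only the encrypted form.
    protected Object readResolve() {
        if (legacyWebhookUrl != null) {
            webhookUrl = Secret.fromString(legacyWebhookUrl);
            legacyWebhookUrl = null;
        }
        return this;
    }

    public Secret getWebhookUrl() { return webhookUrl; }

    // Secret.fromString() accepts either plain text or an already-encrypted
    // value, so a form may post back exactly what it was rendered with.
    @DataBoundSetter
    public void setWebhookUrl(Secret webhookUrl) { this.webhookUrl = webhookUrl; save(); }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json);
        save();
        return true;
    }

    // Decrypt at the point of use only; never put the plain text in a log line
    // or an error message. Secret.toString(Secret) returns "" for null.
    String webhookUrlPlainText() {
        return Secret.toString(webhookUrl);
    }
}
```

Two practical checks after such an upgrade: open the XML file on the controller and confirm the value no longer appears in clear, and re-save the configuration once so the migrated value is actually written back encrypted. Encryption changes only what is on disk: a Secret rendered with a plain textbox in the configuration page is still exposed to everyone who can open that page, which is the residual exposure the Mattermost Notification Plugin entry above describes.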

CSRF vulnerability and missing permission checks in kubernetes-ci Plugin allowed capturing credentials

SECURITY-1005 (1) / CVE-2019-10468 (CSRF), CVE-2019-10469 (permission check)

kubernetes-ci Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method (see SECURITY-1005 (2) below), capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

Users with Overall/Read access could enumerate credential IDs in kubernetes-ci Plugin

SECURITY-1005 (2) / CVE-2019-10470

kubernetes-ci Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those can be used as part of an attack to capture the credentials using another vulnerability (see SECURITY-1005 (1) above).

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Libvirt Agents Plugin allowed capturing credentials

SECURITY-1014 (1) / CVE-2019-10471 (CSRF), CVE-2019-10472 (permission check)

Libvirt Agents Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH server using attacker-specified credential IDs obtained through another method (see SECURITY-1014 (2) below), capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

Users with Overall/Read access could enumerate credential IDs in Libvirt Agents Plugin

SECURITY-1014 (2) / CVE-2019-10473

Libvirt Agents Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs. Those can be used as part of an attack to capture the credentials using another vulnerability (see SECURITY-1014 (1) above).

As of publication of this advisory, there is no fix.

Missing permission check in Global Post Script Plugin allowed obtaining configuration data

SECURITY-1073 / CVE-2019-10474

Global Post Script Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read permission to list the files contained in $JENKINS_HOME/global-post-script that can be used by the plugin.

As of publication of this advisory, there is no fix.
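The form validation entries above (SECURITY-1483 (1) and (2), SECURITY-820, SECURITY-1005 (1) and (2), SECURITY-1014 (1) and (2), SECURITY-1073) are instances of two mistakes: a doXxx method reachable by GET with no permission check, and a doFillXxxItems method that lists credential IDs to anyone. The following is an added example and not code from any plugin named in this advisory: a global configuration descriptor with both mistakes and their hardened counterparts. The class name, the "url" and "credentialsId" fields and the HTTP HEAD connection test are assumptions; the same @POST-plus-permission-check guard applies equally to the file existence and directory listing checks in the Deploy WebLogic and Global Post Script entries.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;

@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {

    // VULNERABLE: reachable with GET, so a link or <img src> on any page the
    // victim visits fires it (CSRF), and unchecked, so any Overall/Read user may
    // point it at a host they control and name a credentials ID; Jenkins then
    // sends that credential's username and password to the attacker's server.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return tryConnect(url, lookup(credentialsId));
    }

    // VULNERABLE: hands every matching credential ID to whoever can reach the
    // endpoint, which is exactly the input the attack above needs.
    public ListBoxModel doFillCredentialsIdItemsUnsafe() {
        return new StandardListBoxModel().includeMatchingAs(ACL.SYSTEM, Jenkins.get(),
                StandardUsernamePasswordCredentials.class,
                Collections.<DomainRequirement>emptyList(), CredentialsMatchers.always());
    }

    // HARDENED: @POST makes Stapler reject GET and enforce the CSRF crumb; the
    // permission check runs before anything touches the network or the
    // credentials store and throws AccessDeniedException for other callers.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(url, lookup(credentialsId));
    }

    // HARDENED: unprivileged callers get back only the value already configured,
    // so the credentials store cannot be enumerated through the drop-down.
    public ListBoxModel doFillCredentialsIdItems(@QueryParameter String credentialsId) {
        StandardListBoxModel model = new StandardListBoxModel();
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return model.includeCurrentValue(credentialsId);
        }
        return model.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, Jenkins.get(),
                        StandardUsernamePasswordCredentials.class,
                        Collections.<DomainRequirement>emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    private static StandardUsernamePasswordCredentials lookup(String credentialsId) {
        if (credentialsId == null || credentialsId.isEmpty()) {
            return null;
        }
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    // The connection test itself: an HTTP HEAD with Basic auth. With an
    // attacker-controlled url this single request is the credential leak.
    private static FormValidation tryConnect(String url, StandardUsernamePasswordCredentials c) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            if (c != null) {
                String userPass = c.getUsername() + ":" + c.getPassword().getPlainText();
                conn.setRequestProperty("Authorization", "Basic "
                        + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8)));
            }
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected (HTTP " + status + ")")
                                : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

For a per-job setting the same shape applies with the job as context: take an @AncestorInPath Item and call item.checkPermission(Item.CONFIGURE) instead of the Overall/Administer check. A quick audit of an installed plugin is to grep its source for public doXxx methods and confirm each one carries both @POST (or @RequirePOST) and a permission check; a method that performs a lookup or opens a connection before the check is still vulnerable even if the check is present later.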

Reflected XSS vulnerability in build-metrics Plugin

SECURITY-1490 / CVE-2019-10475

build-metrics Plugin does not properly escape the label query parameter, resulting in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • 360 FireLine Plugin up to and including 1.7.2
  • Bitbucket OAuth Plugin up to and including 0.9
  • build-metrics Plugin up to and including 1.3
  • Deploy WebLogic Plugin up to and including 4.1
  • Dynatrace Application Monitoring Plugin up to and including 2.1.3 (SECURITY-1477, SECURITY-1483 (1))
  • Dynatrace Application Monitoring Plugin up to and including 2.1.4 (SECURITY-1483 (2))
  • Global Post Script Plugin up to and including 1.1.4
  • kubernetes-ci Plugin up to and including 1.3
  • Libvirt Agents Plugin up to and including 1.8.5
  • Mattermost Notification Plugin up to and including 2.7.0
  • Sonar Gerrit Plugin up to and including 2.3
  • Zulip Plugin up to and including 1.1.0

Fix

  • Bitbucket OAuth Plugin should be updated to version 0.10
  • Dynatrace Application Monitoring Plugin should be updated to version 2.1.4
  • Mattermost Notification Plugin should be updated to version 2.7.1
  • Zulip Plugin should be updated to version 1.1.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • 360 FireLine Plugin
  • build-metrics Plugin
  • Deploy WebLogic Plugin
  • Dynatrace Application Monitoring Plugin
  • Global Post Script Plugin
  • kubernetes-ci Plugin
  • Libvirt Agents Plugin
  • Sonar Gerrit Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • James Holderness, IB Boost for SECURITY-1546
  • Oleg Nenashev, CloudBees, Inc. for SECURITY-1003, SECURITY-1005 (1), SECURITY-1005 (2), SECURITY-1014 (1), SECURITY-1014 (2), SECURITY-1073
  • Thomas de Grenier de Latour for SECURITY-820, SECURITY-822
  • Viktor Gazdag, NCC Group for SECURITY-1477, SECURITY-1483 (1), SECURITY-1483 (2), SECURITY-1490
  • Wasin Saengow for SECURITY-1621, SECURITY-1628