Jenkins Security Advisory 2020-08-12

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Stored XSS vulnerability in help icons

SECURITY-1955 / CVE-2020-2229

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values.

This results in a stored cross-site scripting (XSS) vulnerability.

Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.

Stored XSS vulnerability in project naming strategy

SECURITY-1957 / CVE-2020-2230

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.

Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

Stored XSS vulnerability in 'Trigger builds remotely'

SECURITY-1960 / CVE-2020-2231

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.

SMTP password transmitted and displayed in plain text by Email Extension Plugin

SECURITY-1975 / CVE-2020-2232

Email Extension Plugin stores an SMTP password in its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller as part of its configuration.

While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration form by Email Extension Plugin 2.72 and 2.73. This can result in exposure of the password.

Email Extension Plugin 2.74 transmits the SMTP password in its global configuration encrypted and masks it using a password field.

Missing permission check in Pipeline Maven Integration Plugin allows enumerating credentials IDs

SECURITY-1794 (1) / CVE-2020-2233

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline Maven Integration Plugin 3.8.3 requires the appropriate permissions.

CSRF vulnerability and missing permission check in Pipeline Maven Integration Plugin allow capturing credentials

SECURITY-1794 (2) / CVE-2020-2234 (permission check), CVE-2020-2235 (CSRF)

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Pipeline Maven Integration Plugin 3.8.3 requires POST requests and Job/Configure permission for the affected form validation method.

Stored XSS vulnerability in Yet Another Build Visualizer Plugin

SECURITY-1940 / CVE-2020-2236

Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.

Yet Another Build Visualizer Plugin 1.12 escapes tooltip content.

CSRF vulnerability in Flaky Test Handler Plugin

SECURITY-1763 / CVE-2020-2237

Flaky Test Handler Plugin 1.0.4 and earlier does not require POST requests for the "Deflake this build" feature, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild a project at a previous git revision where the tests were failing.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.251
  • Jenkins LTS up to and including 2.235.3
  • Email Extension Plugin up to and including 2.73
  • Flaky Test Handler Plugin up to and including 1.0.4
  • Pipeline Maven Integration Plugin up to and including 3.8.2
  • Yet Another Build Visualizer Plugin up to and including 1.11

Fix

  • Jenkins weekly should be updated to version 2.252
  • Jenkins LTS should be updated to version 2.235.4
  • Email Extension Plugin should be updated to version 2.74
  • Pipeline Maven Integration Plugin should be updated to version 3.8.3
  • Yet Another Build Visualizer Plugin should be updated to version 1.12

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Flaky Test Handler Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Bjoern Kasteleiner for SECURITY-1975
  • Pierre Beitz, CloudBees, Inc. for SECURITY-1957
  • Tim Jacomb for SECURITY-1794 (1), SECURITY-1794 (2)
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1763, SECURITY-1940, SECURITY-1955, SECURITY-1960