Jenkins Security Advisory 2018-07-30

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

SSH Agent Plugin could reveal SSH key passphrase when used inside pipeline

SECURITY-704 / CVE-2018-1999036

When using the sshagent step inside a withDockerContainer block in Pipeline, the resulting logging of the ssh-add command included the SSH key passphrase in plain text.

The plugin no longer logs the ssh-add invocation that would reveal the passphrase.

CSRF vulnerability and missing permission checks in Resource Disposer Plugin

SECURITY-997 / CVE-2018-1999037

Resource Disposer Plugin did not perform permission checks on an API endpoint. This allowed users with Overall/Read access to Jenkins to stop tracking a specified resource.

Additionally, this API endpoint did not require POST requests, resulting in a CSRF vulnerability.

This API endpoint now requires POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Publish Over CIFS Plugin

SECURITY-975 / CVE-2018-1999038

Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker specified host.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Confluence Publisher Plugin

SECURITY-982 / CVE-2018-1999039

Confluence Publisher Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit login requests to Confluence using attacker-specified credentials.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now require POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Kubernetes Plugin allowed capturing credentials

SECURITY-1016 / CVE-2018-1999040

Kubernetes Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes cluster using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Tinfoil Security Plugin stored API Secret Key in plain text

SECURITY-840 / CVE-2018-1999041

Tinfoil Security Plugin stored the API Secret Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system.

The plugin now integrates with Credentials Plugin. Existing configurations are not migrated and will need to be reconfigured.

TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation

SECURITY-932 / CVE-2018-1999025

TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM.

TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plugin.

CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin allowed server-side request forgery

SECURITY-994 / CVE-2018-1999026

TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info appended.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in SaltStack Plugin allowed capturing credentials

SECURITY-1009 / CVE-2018-1999027

SaltStack Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Accurev Plugin allowed capturing credentials

SECURITY-1021 / CVE-2018-1999028

Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer permissions.

Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin

SECURITY-1001 / CVE-2018-1999029

Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability.

Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI.

CSRF vulnerability and missing permission checks in Maven Artifact ChoiceListProvider (Nexus) Plugin allowed capturing credentials

SECURITY-1022 / CVE-2018-1999030

Maven Artifact ChoiceListProvider (Nexus) Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Nexus or Artifactory server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

meliora-testlab Plugin stored API Key in plain text

SECURITY-847 / CVE-2018-1999031

meliora-testlab Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system.

Additionally, the API key was not masked from view using a password form field.

The plugin now stores the API Key encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

CSRF vulnerability and missing permission checks in Agiletestware Pangolin Connector for TestRail Plugin allowed overriding plugin configuration

SECURITY-995 / CVE-2018-1999032

Agiletestware Pangolin Connector for TestRail Plugin did not perform permission checks on an API endpoint used to validate and save the plugin configuration. This allowed users with Overall/Read access to Jenkins to override the plugin configuration.

Additionally, the API endpoint did not require POST requests, resulting in a CSRF vulnerability.

This API endpoint now requires POST requests and Overall/Administer permissions.

Anchore Container Image Scanner Plugin stored password in plain text

SECURITY-1039 / CVE-2018-1999033

Anchore Container Image Scanner Plugin stored the password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

Inedo ProGet Plugin globally and unconditionally disabled SSL/TLS certificate validation

SECURITY-933 / CVE-2018-1999034

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM.

The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections.

Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation

SECURITY-935 / CVE-2018-1999035

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM.

The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections.

Severity

Affected Versions

  • AccuRev Plugin up to and including 0.7.16
  • Agiletestware Pangolin Connector for TestRail Plugin up to and including 2.1
  • Anchore Container Image Scanner Plugin up to and including 1.0.16
  • Confluence Publisher Plugin up to and including 2.0.1
  • Inedo BuildMaster Plugin Plugin up to and including 1.3
  • Inedo ProGet Plugin Plugin up to and including 0.8
  • Kubernetes Plugin up to and including 1.10.1
  • Maven Artifact ChoiceListProvider (Nexus) Plugin up to and including 1.3.1
  • meliora-testlab Plugin up to and including 1.14
  • Publish Over CIFS Plugin up to and including 0.10
  • Resource Disposer Plugin up to and including 0.11
  • SaltStack Plugin up to and including 3.1.6
  • Shelve Project Plugin up to and including 1.5
  • SSH Agent Plugin up to and including 1.15
  • Tinfoil Security Plugin up to and including 1.6.1
  • TraceTronic ECU-TEST Plugin up to and including 2.3

Fix

  • AccuRev Plugin should be updated to version 0.7.17
  • Agiletestware Pangolin Connector for TestRail Plugin should be updated to version 2.2
  • Anchore Container Image Scanner Plugin should be updated to version 1.0.17
  • Confluence Publisher Plugin should be updated to version 2.0.2
  • Inedo BuildMaster Plugin Plugin should be updated to version 2.0
  • Inedo ProGet Plugin Plugin should be updated to version 1.0
  • Kubernetes Plugin should be updated to version 1.10.2
  • Maven Artifact ChoiceListProvider (Nexus) Plugin should be updated to version 1.3.2
  • meliora-testlab Plugin should be updated to version 1.15
  • Publish Over CIFS Plugin should be updated to version 0.11
  • Resource Disposer Plugin should be updated to version 0.12
  • SaltStack Plugin should be updated to version 3.1.7
  • Shelve Project Plugin should be updated to version 2.0
  • SSH Agent Plugin should be updated to version 1.16
  • Tinfoil Security Plugin should be updated to version 2.0
  • TraceTronic ECU-TEST Plugin should be updated to version 2.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-932, SECURITY-933, SECURITY-935
  • Jan Hollevoet for SECURITY-704
  • Oleg Nenashev for SECURITY-1001, SECURITY-1009, SECURITY-1016, SECURITY-1021, SECURITY-1022
  • Viktor Gazdag for SECURITY-840, SECURITY-847, SECURITY-975, SECURITY-982, SECURITY-994, SECURITY-995, SECURITY-1039