This advisory announces vulnerabilities in the following Jenkins deliverables:
When using the sshagent
step inside a withDockerContainer
block in Pipeline, the resulting logging of the ssh-add
command included the SSH key passphrase in plain text.
The plugin no longer logs the ssh-add
invocation that would reveal the passphrase.
Resource Disposer Plugin did not perform permission checks on an API endpoint. This allowed users with Overall/Read access to Jenkins to stop tracking a specified resource.
Additionally, this API endpoint did not require POST requests, resulting in a CSRF vulnerability.
This API endpoint now requires POST requests and Overall/Administer permissions.
Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker specified host.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
Confluence Publisher Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit login requests to Confluence using attacker-specified credentials.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now require POST requests and Overall/Administer permissions.
Kubernetes Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes cluster using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
Tinfoil Security Plugin stored the API Secret Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system.
The plugin now integrates with Credentials Plugin. Existing configurations are not migrated and will need to be reconfigured.
TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM.
TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plugin.
TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation.
This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info
appended.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
SaltStack Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and Overall/Administer permissions.
Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and Overall/Administer permissions.
Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability.
Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI.
Maven Artifact ChoiceListProvider (Nexus) Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Nexus or Artifactory server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
meliora-testlab Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system.
Additionally, the API key was not masked from view using a password form field.
The plugin now stores the API Key encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.
Agiletestware Pangolin Connector for TestRail Plugin did not perform permission checks on an API endpoint used to validate and save the plugin configuration. This allowed users with Overall/Read access to Jenkins to override the plugin configuration.
Additionally, the API endpoint did not require POST requests, resulting in a CSRF vulnerability.
This API endpoint now requires POST requests and Overall/Administer permissions.
Anchore Container Image Scanner Plugin stored the password in its configuration unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.
The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.
Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM.
The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections.
Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM.
The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: