Jenkins Security Advisory 2019-02-19

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Sandbox Bypasses in Script Security Plugin

SECURITY-1320 / CVE-2019-1003024

The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for SECURITY-1266) could be circumvented through use of various Groovy language features:

  • Use of AnnotationCollector

  • Import aliasing

  • Referencing annotation types using their full class name

This allowed users with Overall/Read permission, or the ability to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

Using AnnotationCollector is now newly prohibited in sandboxed scripts such as Pipelines. Importing any of the annotations considered unsafe will now result in an error. During the compilation phase, both simple and full class names of prohibited annotations are rejected for element annotations.

CSRF vulnerability and missing permission checks in Cloud Foundry Plugin allowed capturing credentials

SECURITY-876 / CVE-2019-1003025

Cloud Foundry Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration).

SSRF vulnerability due to missing permission check in Mattermost Notification Plugin

SECURITY-985 / CVE-2019-1003026

A missing permission check in a form validation method in Mattermost Notification Plugin allowed users with Overall/Read permission to initiate a connection test, connecting to an attacker-specified Mattermost server and room and posting a message.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and performs a permission check.

SSRF vulnerability due to missing permission check in OctopusDeploy Plugin

SECURITY-817 / CVE-2019-1003027

A missing permission check in a form validation method in OctopusDeploy Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP HEAD request to an attacker-specified URL, returning HTTP response code if successful, or exception error message otherwise.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and performs a permission check.

SSRF vulnerability due to missing permission check in JMS Messaging Plugin

SECURITY-1033 / CVE-2019-1003028

A missing permission check in a form validation method in JMS Messaging Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP request to an attacker-specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and performs a permission check.

ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation

SECURITY-937

ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM.

ElectricFlow Plugin 1.1.5 and newer no longer do that.

Acunetix Plugin stored API key in plain text

SECURITY-951

Acunetix Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins controller. This key could be viewed by users with access to the Jenkins controller file system.

The plugin now integrates with Credentials Plugin.

SSRF vulnerability due to missing permission check in Acunetix Plugin

SECURITY-980

A missing permission check in a form validation method in Acunetix Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP GET request to an attacker-specified URL, adding a /me suffix, returning whether the connection could be established and whether the HTTP response code is 200.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and performs a permission check.

Arxan MAM Publisher Plugin stored password in plain text

SECURITY-1070

Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

While masked from view using a password form field, the password was transferred in plain text to users when accessing the job configuration form.

The plugin now integrates with Credentials Plugin.

Severity

Affected Versions

  • Acunetix Plugin up to and including 1.0.0
  • Cloud Foundry Plugin up to and including 2.3.1
  • CloudBees CD Plugin up to and including 1.1.4
  • Digital.ai App Management Publisher Plugin up to and including 1.2.12
  • JMS Messaging Plugin up to and including 1.1.1
  • Mattermost Notification Plugin up to and including 2.6.2
  • Octopus Deploy Plugin up to and including 1.8.1
  • Script Security Plugin up to and including 1.52

Fix

  • Acunetix Plugin should be updated to version 1.1.0
  • Cloud Foundry Plugin should be updated to version 2.3.2
  • CloudBees CD Plugin should be updated to version 1.1.5
  • Digital.ai App Management Publisher Plugin should be updated to version 2.0
  • JMS Messaging Plugin should be updated to version 1.1.2
  • Mattermost Notification Plugin should be updated to version 2.6.3
  • Octopus Deploy Plugin should be updated to version 1.9.0
  • Script Security Plugin should be updated to version 1.53

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-937, SECURITY-1320
  • Thomas de Grenier de Latour for SECURITY-817, SECURITY-876
  • Viktor Gazdag for SECURITY-951, SECURITY-980, SECURITY-985, SECURITY-1033, SECURITY-1070