This advisory announces vulnerabilities in the following Jenkins deliverables:
Sandbox protection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.
Script Security and Pipeline: Groovy have been hardened to prevent these methods of bypassing sandbox protection.
Lockable Resources Plugin did not properly escape resource names in generated JavaScript code, resulting in a cross-site scripting (XSS) vulnerability.
The plugin now properly escapes resource names in its scripts.
Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration).
ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml files and in its global configuration file on the Jenkins controller. This token could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Additionally, the API token was not masked from view using a password form field.
The plugin now stores the API token encrypted in the configuration files on disk and no longer transmits it in plain text to users viewing the configuration form.
A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server.
Additionally, the form validation methods did not require POST requests, resulting in a CSRF vulnerability.
The form validation methods now require POST requests and perform a permission check.
PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.
The plugin now stores the password encrypted in the configuration files on disk.
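The two fixes above (ECS Publisher and PRQA) are the same change: hold the secret in `hudson.util.Secret` instead of `String`, so XStream writes the ciphertext to the configuration file and the form round-trips the ciphertext rather than the plain text. The following is an added example written for this page, not code from either plugin; the class name `ExampleGlobalConfig`, the field `apiToken` and the `bearerHeader()` helper are assumptions, and the same field type works unchanged in a job-level Describable stored in config.xml.

```java
// Added example, not code from ECS Publisher Plugin or PRQA Plugin.
// Global configuration page whose API token is persisted encrypted.
// ExampleGlobalConfig, apiToken and bearerHeader() are assumed names.
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

@Extension
public class ExampleGlobalConfig extends GlobalConfiguration {
    // BEFORE (the vulnerable shape):   private String apiToken;
    // XStream serialised that field verbatim, e.g. <apiToken>tok_123</apiToken>,
    // readable by anyone with file-system access to the controller (and, in a
    // job's config.xml, by anyone with Extended Read on that job).
    //
    // AFTER: a Secret is serialised as its ciphertext (a base64 string in braces),
    // encrypted with the controller's master key kept under $JENKINS_HOME/secrets.
    private Secret apiToken;

    public ExampleGlobalConfig() {
        load(); // read the persisted (encrypted) value back from disk
    }

    // Return the Secret, not the plain text. Bound to <f:password field="apiToken"/>
    // in config.jelly, Jenkins renders the encrypted form into the input, so a user
    // viewing the page or its HTML source does not receive the token in plain text.
    public Secret getApiToken() {
        return apiToken;
    }

    // Stapler converts the submitted string to a Secret via Secret.fromString(),
    // which accepts either the ciphertext round-tripped from the form or a
    // freshly typed plain-text token.
    @DataBoundSetter
    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json);
        save();
        return true;
    }

    // Decrypt only at the point of use (building the outgoing request); never log it.
    public String bearerHeader() {
        return "Bearer " + Secret.toString(apiToken); // Secret.toString(null) is ""
    }
}
```

The companion fix for "not masked from view" is in the Jelly form: `<f:password field="apiToken"/>` in place of `<f:textbox field="apiToken"/>`. A `String` field behind an `f:password` control is still stored in plain text on disk, and a `Secret` field behind an `f:textbox` still reaches the browser in plain text, so both halves are needed.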
Codebeamer Test Results Trend Updater Plugin stored a username and password unencrypted in jobs' config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
The plugin now integrates with Credentials Plugin instead of storing the username and password itself.
Arxan MAM Publisher Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.
This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.
Enumerating credentials IDs in this plugin now requires Overall/Administer permission.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: