Jenkins Security Advisory 2019-04-17

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

CSRF vulnerability and missing permission checks in GitLab Plugin allowed capturing credentials

SECURITY-1357 / CVE-2019-10300 (CSRF) and CVE-2019-10301 (permission check)

GitLab Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

jira-ext Plugin stored credentials in plain text

SECURITY-836 / CVE-2019-10302

jira-ext Plugin stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

jira-ext Plugin now stores credentials encrypted.

Azure PublisherSettings Credentials Plugin stored credentials in plain text

SECURITY-844 / CVE-2019-10303

Azure PublisherSettings Credentials Plugin stored the service management certificate unencrypted in credentials.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Azure PublisherSettings Credentials Plugin has been deprecated. Azure PublisherSettings Credentials Plugin 1.5 no longer provides any user features and we recommend the plugin be uninstalled.

CSRF vulnerability and missing permission check in XebiaLabs XL Deploy Plugin

SECURITY-983 / CVE-2019-10304 (CSRF) and CVE-2019-10305 (permission check)

A missing permission check in a form validation method in XebiaLabs XL Deploy Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Sandbox bypass in ontrack Jenkins Plugin

SECURITY-1341 / CVE-2019-10306

ontrack Jenkins Plugin supports sandboxed Groovy expressions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.

This allowed users able to control the plugin’s job-specific configuration to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

ontrack Jenkins Plugin now uses Script Security APIs that apply sandbox protection during these phases.

Severity

Affected Versions

  • Azure PublisherSettings Credentials Plugin up to and including 1.2
  • GitLab Plugin up to and including 1.5.11
  • jira-ext Plugin up to and including 0.8
  • ontrack Jenkins Plugin up to and including 3.4
  • XebiaLabs XL Deploy Plugin up to and including 7.5.3

Fix

  • Azure PublisherSettings Credentials Plugin should be updated to version 1.5
  • GitLab Plugin should be updated to version 1.5.12
  • jira-ext Plugin should be updated to version 0.9
  • ontrack Jenkins Plugin should be updated to version 3.4.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • XebiaLabs XL Deploy Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Peter Adkins of Cisco Umbrella for SECURITY-1357
  • Viktor Gazdag for SECURITY-836, SECURITY-844, SECURITY-983