This advisory announces vulnerabilities in the following Jenkins deliverables:
Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation.
This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Job/Configure permission.
Sonargraph Integration Plugin 3.0.1 escapes the affected part of the error message.
Fortify on Demand Plugin provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use.
This functionality does not correctly check permissions in Fortify on Demand Plugin 6.0.0 and earlier, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in Fortify on Demand Plugin 6.0.1 now requires the appropriate permissions.
Fortify on Demand Plugin 5.0.1 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs obtained through another method.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
This form validation method requires appropriate permission in Fortify on Demand Plugin 6.0.0.
VncRecorder Plugin 1.25 and earlier does not escape a tool path in the checkVncServ
form validation endpoint accessed e.g. via job configuration forms.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators.
VncRecorder Plugin 1.35 escapes the tool path.
VncRecorder Plugin 1.25 and earlier does not escape a parameter value in the checkVncServ
form validation endpoint output.
This results in a reflected cross-site scripting (XSS) vulnerability.
VncRecorder Plugin 1.35 escapes the parameter value in the output.
VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ
form validation endpoint output.
This results in a reflected cross-site scripting (XSS) vulnerability.
VncViewer Plugin 1.8 escapes the parameter value in the output.
Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml
files as part of its configuration.
This secret can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml
files as part of its configuration.
This password can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Stash Branch Parameter Plugin stores Stash API passwords in its global configuration file org.jenkinsci.plugins.StashBranchParameter.StashBranchParameterDefinition.xml
on the Jenkins controller as part of its configuration.
While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Stash Branch Parameter Plugin 0.3.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.
This only affects Jenkins before 2.236, including 2.235.x LTS, as Jenkins 2.236 introduces a security hardening that transparently encrypts and decrypts data used for a Jenkins password form field.
As of publication of this advisory, there is no fix.
ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to ElasticBox Jenkins Kubernetes CI/CD Plugin’s build step.
As of publication of this advisory, there is no fix.
GitHub Coverage Reporter Plugin 1.8 and earlier stores a GitHub access token in plain text in its global configuration file io.jenkins.plugins.gcr.PluginConfiguration.xml
.
This token can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
White Source Plugin 19.1.1 and earlier stores credentials in plain text as part of its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml
and job config.xml
files on the Jenkins controller.
These credentials could be viewed by users with Extended Read permission (in the case of job config.xml
files) or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Jenkins sets the Content-Security-Policy
header to static files served by Jenkins (specifically DirectoryBrowserSupport
), such as workspaces, /userContent
, or archived artifacts.
ZAP Pipeline Plugin 1.9 and earlier globally disables the Content-Security-Policy
header for static files served by Jenkins.
This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are largely unaffected. A possible exception are file parameter downloads. The behavior of those depends on the specific version of Jenkins:
Jenkins 2.231 and newer, including 2.235.x LTS, is unaffected, as all resource files from user content are generally served safely from a different domain, without restrictions from Content-Security-Policy
header.
Jenkins between 2.228 (inclusive) and 2.230 (inclusive), as well as all releases of Jenkins 2.222.x LTS and the 2.204.6 LTS release, are affected by this vulnerability, as file parameters are not served via the Resource Root URL.
Jenkins 2.227 and older, 2.204.5 and older, don’t have XSS protection for file parameter values, see SECURITY-1793.
As of publication of this advisory, there is no fix.
Zephyr for JIRA Test Management Plugin 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified host using attacker-specified username and password.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.
Compatibility Action Storage Plugin 1.0 and earlier does not escape the content coming from the MongoDB in the testConnection
form validation endpoint.
This allows attackers able to update the configured document in MongoDB to inject the payload.
This results in a reflected cross-site scripting (XSS) vulnerability.
As of publication of this advisory, there is no fix.
HP ALM Quality Center Plugin 1.6 and earlier stores a password in plain text in its global configuration file org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml
.
This password can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Link Column Plugin allows users with View/Configure permission to add a new column to list views that contains a user-configurable link.
Link Column Plugin 1.0 and earlier does not filter the URL for these links, allowing the javascript:
scheme.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure list views.
As of publication of this advisory, there is no fix.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: