Jenkins Security Advisory 2020-09-01

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Stored XSS vulnerability in Git Parameter Plugin

SECURITY-1884 / CVE-2020-2238

Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Git Parameter Plugin 0.9.13 escapes the repository field on the 'Build with Parameters' page.

Secret stored in plain text by Parameterized Remote Trigger Plugin

SECURITY-1625 / CVE-2020-2239

Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.

Parameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.

CSRF vulnerability in Database Plugin

SECURITY-1023 / CVE-2020-2240

Database Plugin 1.6 and earlier does not require POST requests for the database console, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary SQL scripts.

Database Plugin 1.7 removes the database console.

CSRF vulnerability and missing permission checks in Database Plugin

SECURITY-1024 / CVE-2020-2241 (CSRF), CVE-2020-2242 (permission check)

Database Plugin 1.6 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Database Plugin 1.7 requires POST requests and Overall/Administer permission for the affected form validation method.

Stored XSS vulnerability in Cadence vManager Plugin

SECURITY-1936 / CVE-2020-2243

Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

Cadence vManager Plugin 3.0.5 removes affected tooltips.

XSS vulnerability in Build Failure Analyzer Plugin

SECURITY-1770 / CVE-2020-2244

Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.

Build Failure Analyzer Plugin 1.27.1 escapes matching text in the affected form validation response.

XXE vulnerability in Valgrind Plugin

SECURITY-1829 / CVE-2020-2245

Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.  

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Valgrind Plugin

SECURITY-1830 / CVE-2020-2246

Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML reports.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents.

As of publication of this advisory, there is no fix.

XXE vulnerability in Klocwork Analysis Plugin

SECURITY-1831 / CVE-2020-2247

Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

Reflected XSS vulnerability in JSGames Plugin

SECURITY-1905 / CVE-2020-2248

JSGames Plugin 0.2 and earlier evaluates part of a URL as code.

This results in a reflected cross-site scripting (XSS) vulnerability.

As of publication of this advisory, there is no fix.

Credentials stored in plain text by tfs Plugin

SECURITY-1506 / CVE-2020-2249

tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Passwords stored in plain text by ReadyAPI Functional Testing Plugin

SECURITY-1631 (1) / CVE-2020-2250

ReadyAPI Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files as part of its configuration. These project passwords can be viewed by attackers with Extended Read permission or access to the Jenkins controller file system.

ReadyAPI Functional Testing Plugin 1.4 stores project passwords encrypted once affected job configurations are saved again.

Passwords transmitted in plain text by ReadyAPI Functional Testing Plugin

SECURITY-1631 (2) / CVE-2020-2251

ReadyAPI Functional Testing Plugin stores project passwords in job config.xml files on the Jenkins controller as part of its configuration.

While these passwords are stored encrypted on disk since ReadyAPI Functional Testing Plugin 1.4, they are transmitted in plain text as part of the global configuration form by ReadyAPI Functional Testing Plugin 1.5 and earlier. These passwords can be viewed by attackers with Extended Read permission.

This only affects Jenkins before 2.236, including 2.235.x LTS, as Jenkins 2.236 introduces a security hardening that transparently encrypts and decrypts data used for a Jenkins password form field.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • Build Failure Analyzer Plugin up to and including 1.27.0
  • Cadence vManager Plugin up to and including 3.0.4
  • Database Plugin up to and including 1.6
  • Git Parameter Plugin up to and including 0.9.12
  • JSGames Plugin up to and including 0.2
  • Klocwork Analysis Plugin up to and including 2020.2.1
  • Parameterized Remote Trigger Plugin up to and including 3.1.3
  • ReadyAPI Functional Testing Plugin up to and including 1.3
  • ReadyAPI Functional Testing Plugin up to and including 1.5
  • tfs Plugin up to and including 5.157.1
  • Valgrind Plugin up to and including 0.28

Fix

  • Build Failure Analyzer Plugin should be updated to version 1.27.1
  • Cadence vManager Plugin should be updated to version 3.0.5
  • Database Plugin should be updated to version 1.7
  • Git Parameter Plugin should be updated to version 0.9.13
  • Parameterized Remote Trigger Plugin should be updated to version 3.1.4
  • ReadyAPI Functional Testing Plugin should be updated to version 1.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • JSGames Plugin
  • Klocwork Analysis Plugin
  • ReadyAPI Functional Testing Plugin
  • tfs Plugin
  • Valgrind Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Federico Pellegrin for SECURITY-1829, SECURITY-1830, SECURITY-1831
  • James Holderness, IB Boost for SECURITY-1506
  • Jonathan Leitschuh for SECURITY-1905
  • Oleg Nenashev, CloudBees, Inc. for SECURITY-1023, SECURITY-1024
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1770, SECURITY-1884, SECURITY-1936
  • Wasin Saengow for SECURITY-1625, SECURITY-1631 (1), SECURITY-1631 (2)