ESB-2018.1449 - [Win][UNIX/Linux] Jenkins: Multiple vulnerabilities 2018-05-11


             AUSCERT External Security Bulletin Redistribution

                Multiple vulnerabilities patched in Jenkins
                                11 May 2018


        AusCERT Security Bulletin Summary

Product:           Jenkins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Modify Arbitrary Files         -- Existing Account
                   Provide Misleading Information -- Existing Account
                   Access Confidential Data       -- Existing Account
                   Unauthorised Access            -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin:

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2018-05-09

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Jenkins (core)
  * Black Duck Hub Plugin
  * Black Duck Hub Plugin
  * Gitlab Hook Plugin
  * Groovy Postbuild Plugin


CLI and UI allow non-admin users to enumerate installed plugins

SECURITY-771 / CVE pending

Users with Overall/Read permission were able to use the list-plugins CLI command
and to view the About Jenkins page, either of which lists all installed plugins.

Use of the list-plugins CLI command and access to the About Jenkins page now
require Overall/Administer permission.

Users were able to register user names containing control characters

SECURITY-786 / CVE pending

The built-in Jenkins user database optionally allows user registration. This
feature did not properly sanitize user names, allowing registration of user
names containing control characters.

This could be used to confuse administrators (appearing to be a different user)
while preventing deletion of such users through the UI.

User registration in the built-in Jenkins user database now limits user names
to those containing alphanumeric, dash, and underscore characters.
Administrators can customize this restriction by setting the
hudson.model.HudsonPrivateSecurityRealm.ID_REGEX system property to a regular
expression that will be used instead to determine whether a given user name is
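
The advisory describes the hardened rule in prose only. The following is an added example, not code from Jenkins or from this advisory: it applies an allow-list of the kind described (alphanumeric, dash, underscore; the exact regular expression is an assumption), shows the classic anchoring mistake that would still let a trailing newline through, and includes a check an administrator could run over an existing list of user ids to find names whose visible form collides with another name. The sample ids are constructed.

```python
import re
import unicodedata

# Default rule described in the advisory: alphanumeric, dash and underscore only.
# The exact regular expression Jenkins uses is an assumption here.
DEFAULT_ID_REGEX = r"[A-Za-z0-9_-]+"


def is_valid_user_id(user_id: str, pattern: str = DEFAULT_ID_REGEX) -> bool:
    """Accept a user id only if the whole string matches the allow-list pattern.

    re.fullmatch anchors both ends itself, so a trailing newline or any other
    control character cannot slip past the check.
    """
    return re.fullmatch(pattern, user_id) is not None


def naive_is_valid_user_id(user_id: str) -> bool:
    r"""A common but wrong variant: '$' in Python (and several other engines)
    also matches just before a trailing '\n', so 'admin\n' is accepted."""
    return re.match(r"^[A-Za-z0-9_-]+$", user_id) is not None


def visible_form(user_id: str) -> str:
    """Drop every Unicode control/format character (general category C*),
    i.e. keep what is left once a terminal or browser has rendered the name."""
    return "".join(ch for ch in user_id
                   if not unicodedata.category(ch).startswith("C"))


def find_confusable_user_ids(user_ids):
    r"""Group existing ids by their visible form and return the groups in which
    some id differs from how it renders, so 'admin\x08' beside 'admin' is flagged."""
    groups = {}
    for uid in user_ids:
        groups.setdefault(visible_form(uid), []).append(uid)
    return {shown: ids for shown, ids in groups.items()
            if any(uid != shown for uid in ids)}


# Constructed sample of ids as they might exist in a user database
SAMPLE_IDS = ["admin", "admin\x08", "jane_doe-1", "bob\u200b"]

if __name__ == "__main__":
    for uid in SAMPLE_IDS:
        print(repr(uid), "valid" if is_valid_user_id(uid) else "rejected")
    print(find_confusable_user_ids(find_confusable_user_ids and SAMPLE_IDS))
```

The confusable check is deliberately broader than the advisory's control-character case: format characters such as U+200B (zero width space) render invisibly too, and the same grouping catches them.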

Path traversal vulnerability in agent to master security subsystem

SECURITY-788 / CVE pending

The agent to master security subsystem ensures that the Jenkins master is
protected from maliciously configured agents.

A path traversal vulnerability allowed agents to escape whitelisted directories
to read and write to files they should not be able to access.

Paths are now normalized before performing the access check to ensure they
don't escape allowed directories.

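The fix is stated in one sentence (normalize, then check). As an added example, not code from Jenkins, here is the vulnerable prefix check beside a normalized check, run over constructed agent-supplied paths against an assumed directory allow-list. The hardened version also compares on a path-component boundary, which a bare string prefix check gets wrong even after normalization.

```python
import posixpath

# Constructed directory allow-list, standing in for whatever directories an
# agent is permitted to touch on the master (the paths are assumptions).
ALLOWED_DIRS = ["/var/lib/jenkins/workspace", "/var/lib/jenkins/caches"]


def naive_is_allowed(path: str, allowed=ALLOWED_DIRS) -> bool:
    """Vulnerable pattern: a string prefix check on the path as supplied.

    '/var/lib/jenkins/workspace/../../../../etc/passwd' starts with an allowed
    directory, so it passes, yet it resolves to /etc/passwd.
    """
    return any(path.startswith(d + "/") for d in allowed)


def normalized_is_allowed(path: str, allowed=ALLOWED_DIRS) -> bool:
    """Hardened check: require an absolute path, normalize it (collapse '.',
    '..' and '//'), then compare on a path-component boundary so that
    '/var/lib/jenkins/workspaceX' is not mistaken for the workspace directory."""
    if not posixpath.isabs(path):
        return False
    norm = posixpath.normpath(path)
    for d in allowed:
        base = posixpath.normpath(d)
        if norm == base or norm.startswith(base + "/"):
            return True
    return False


# Constructed sample requests as an agent might send them to the master
SAMPLE_PATHS = [
    "/var/lib/jenkins/workspace/job1/build.log",
    "/var/lib/jenkins/workspace/../../../../etc/passwd",
    "/var/lib/jenkins/workspace/./job1/../../caches/x",
    "/var/lib/jenkins/workspaceX/secret",
    "var/lib/jenkins/workspace/relative",
]


def audit(paths=SAMPLE_PATHS):
    """Return (path, naive verdict, normalized verdict) for each sample path."""
    return [(p, naive_is_allowed(p), normalized_is_allowed(p)) for p in paths]


if __name__ == "__main__":
    for p, naive, hardened in audit():
        print(f"{p:55} naive={naive!s:5} normalized={hardened}")
```

posixpath.normpath is purely lexical: it does not resolve symbolic links. When the check runs against a real filesystem, resolve both the candidate and the allowed directory with os.path.realpath before comparing, otherwise a symlink inside an allowed directory is another way out of it.
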
Users with Overall/Read permission were able to send GET requests to any URL

SECURITY-794 / CVE pending

The form validation code for a tool installer improperly checked permissions,
allowing any user with Overall/Read permission to make Jenkins submit an HTTP GET
request to any user-specified URL and learn whether the response was successful
(HTTP 200) or not.

Additionally, this functionality did not require that POST requests be used, so
an attacker without direct access to Jenkins could trigger the above through a
cross-site request forgery attack against a logged-in user.

The affected form validation code now properly checks permissions, and requires
that POST requests be sent to prevent CSRF attacks.

Gitlab Hook Plugin stores and displays GitLab API token in plain text

SECURITY-263 / CVE pending

Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab.
This can be used by users with master file system access to obtain GitHub

Additionally, the Gitlab API token round-trips in its plaintext form, and is
displayed in a regular text field to users with Overall/Administer permission.
This exposes the API token to people viewing a Jenkins administrator's screen,
browser extensions, cross-site scripting vulnerabilities, etc.

As of publication of this advisory, there is no fix.
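
With no fix available, the practical control is to know where such plaintext tokens sit on disk. The following is an added example, not code from the Jenkins project or from this advisory: it walks a plugin configuration XML document and flags credential-looking elements whose value is not in the braced, base64-encoded form that Jenkins' Secret class writes. The element names in the sample document are hypothetical, and treating that braced shape as "encrypted" is an assumption about the on-disk format rather than a check of the ciphertext.

```python
import re
import xml.etree.ElementTree as ET

# Element names that usually hold credentials (a heuristic, an assumption)
SENSITIVE_NAME = re.compile(r"(token|password|passwd|secret|apikey|api_key)", re.I)

# Values written by Jenkins' Secret class look like '{<base64>}'. Matching that
# shape is an assumption about the on-disk format, not a check of the ciphertext.
ENCRYPTED_SHAPE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def looks_encrypted(value: str) -> bool:
    """True if the value has the braced base64 shape of an encrypted Secret."""
    return ENCRYPTED_SHAPE.match(value.strip()) is not None


def find_plaintext_secrets(config_xml: str):
    """Return [(element path, value)] for credential-like elements whose text
    is neither empty nor in the braced encrypted form."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if SENSITIVE_NAME.search(elem.tag):
            value = (elem.text or "").strip()
            if value and not looks_encrypted(value):
                findings.append((here, value))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


# Constructed plugin configuration; the element names are hypothetical
SAMPLE_CONFIG = """<examplePluginConfig>
  <gitlabUrl>https://gitlab.example.test</gitlabUrl>
  <gitlabApiToken>example-plaintext-token-value</gitlabApiToken>
  <hubPassword>{AQAAABAAAAAQexampleciphertext0123456789ABCDEF=}</hubPassword>
  <unrelated>value</unrelated>
</examplePluginConfig>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential at {path}: {value}")
```

Run it over each plugin's XML under the Jenkins home directory; anything it flags is readable by whoever can read that file, which is the exposure the advisory describes.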

Black Duck Hub Plugin allowed any user with Overall/Read to read and write its

SECURITY-670 / CVE pending

Black Duck Hub Plugin did not perform permission checks for its /
/config.xml API endpoint.

This allowed any user with Overall/Read permission to both read and write the
plugin configuration XML.

Black Duck Hub Plugin 3.1.0 and newer requires Overall/Administer permission to
access this API.

XML External Entity processing vulnerability in Black Duck Hub Plugin

SECURITY-671 / CVE pending

Black Duck Hub Plugin's /descriptorByName/
com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API
endpoint was affected by an XML External Entity (XXE) processing vulnerability.
This allowed an attacker with Overall/Read access to have Jenkins parse a
maliciously crafted file that uses external entities for extraction of secrets
from the Jenkins master, server-side request forgery, or denial-of-service

Black Duck Hub Plugin 4.0.0 and newer no longer processes XML External
Entities in XML documents submitted to this endpoint.

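The plugin's fix (no longer processing external entities) is described, not shown. As an added example, not code from the plugin or from Jenkins, here is a fail-closed parser for XML received from a client: it rejects the document as soon as a DOCTYPE, an entity declaration or an external entity reference is seen, which covers secret extraction and SSRF via external entities as well as entity-expansion denial of service. Both sample documents are constructed. Python's expat does not fetch external entities unless asked to, so the point of the example is the fail-closed structure, which carries over to parsers whose defaults are less safe.

```python
import xml.parsers.expat


class DTDNotAllowed(ValueError):
    """Raised when a document from an untrusted client carries a DTD."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML submitted by a client, failing closed on any DOCTYPE, entity
    declaration or external entity reference before any of it takes effect.

    Returns a small summary (root element name, element count, character data)
    so the caller can see what was actually parsed.
    """
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "elements": 0, "text": ""}

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDNotAllowed(f"DOCTYPE {name!r} rejected (system id {sysid!r})")

    def reject_entity(name, is_parameter, value, base, sysid, pubid, notation):
        raise DTDNotAllowed(f"entity declaration {name!r} rejected")

    def reject_external_ref(context, base, sysid, pubid):
        raise DTDNotAllowed(f"external entity reference to {sysid!r} rejected")

    def start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    def char_data(text):
        summary["text"] += text

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return summary


# Constructed samples: a benign configuration document and a classic XXE payload
BENIGN = b"<project><hubUrl>https://hub.example.test</hubUrl></project>"
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE project [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b"<project><hubUrl>&xxe;</hubUrl></project>")


def demo():
    """Return (summary of the benign document, error message for the XXE payload)."""
    ok = parse_untrusted_xml(BENIGN)
    try:
        parse_untrusted_xml(XXE)
    except DTDNotAllowed as e:
        return ok, str(e)
    return ok, None


if __name__ == "__main__":
    summary, error = demo()
    print("benign:", summary)
    print("xxe payload:", error)
```

The same fail-closed rule is the one to configure in whatever parser a Java plugin uses: disallow DOCTYPE declarations outright rather than trying to enumerate which entity features to switch off.
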
Persisted cross-site scripting vulnerability in Groovy Postbuild Plugin

SECURITY-821 / CVE pending

Groovy Postbuild Plugin did not properly escape badge content from user input,
resulting in a stored cross-site scripting vulnerability.

Groovy Postbuild Plugin 2.4 now properly escapes badge content from user input.

Severity

  * SECURITY-771: medium
  * SECURITY-786: low
  * SECURITY-788: high
  * SECURITY-794: low
  * SECURITY-263: low
  * SECURITY-670: medium
  * SECURITY-671: high
  * SECURITY-821: medium

Affected Versions

  * Jenkins weekly up to and including 2.120
  * Jenkins LTS up to and including 2.107.2
  * Black Duck Hub Plugin up to and including 3.0.3
  * Black Duck Hub Plugin up to and including 3.1.0
  * Gitlab Hook Plugin up to and including 1.4.2
  * Groovy Postbuild Plugin up to and including 2.3.1

Fix

  * Jenkins weekly should be updated to version 2.121
  * Jenkins LTS should be updated to version 2.107.3
  * Black Duck Hub Plugin should be updated to version 3.1.0
  * Black Duck Hub Plugin should be updated to version 4.0.0
  * Groovy Postbuild Plugin should be updated to version 2.4

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following

  * Gitlab Hook Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Daniel Beck, CloudBees, Inc. for SECURITY-670
  * Devin Nusbaum, CloudBees, Inc. for SECURITY-771
  * James Nord, CloudBees, Inc. for SECURITY-671
  * Jesse Glick, CloudBees, Inc. and Kalle Niemitalo, Procomp Solutions Oy for
  * Steve Marlowe of Cisco ASIG for SECURITY-263
  * Sureshbabu Narvaneni for SECURITY-786
  * Thomas de Grenier de Latour for SECURITY-794

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

