ESB-2019.1148 - [Win][UNIX/Linux] Jenkins plugins: Multiple vulnerabilities 2019-04-04


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1148
                   Jenkins Security Advisory 2019-04-03
                               4 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote/Unauthenticated
                   Access Confidential Data   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1003099 CVE-2019-1003098 CVE-2019-1003097
                   CVE-2019-1003096 CVE-2019-1003095 CVE-2019-1003094
                   CVE-2019-1003093 CVE-2019-1003092 CVE-2019-1003091
                   CVE-2019-1003090 CVE-2019-1003089 CVE-2019-1003088
                   CVE-2019-1003087 CVE-2019-1003086 CVE-2019-1003085
                   CVE-2019-1003084 CVE-2019-1003083 CVE-2019-1003082
                   CVE-2019-1003081 CVE-2019-1003080 CVE-2019-1003079
                   CVE-2019-1003078 CVE-2019-1003077 CVE-2019-1003076
                   CVE-2019-1003075 CVE-2019-1003074 CVE-2019-1003073
                   CVE-2019-1003072 CVE-2019-1003071 CVE-2019-1003070
                   CVE-2019-1003069 CVE-2019-1003068 CVE-2019-1003067
                   CVE-2019-1003066 CVE-2019-1003065 CVE-2019-1003064
                   CVE-2019-1003063 CVE-2019-1003062 CVE-2019-1003061
                   CVE-2019-1003060 CVE-2019-1003059 CVE-2019-1003058
                   CVE-2019-1003057 CVE-2019-1003056 CVE-2019-1003055
                   CVE-2019-1003054 CVE-2019-1003053 CVE-2019-1003052
                   CVE-2019-1003051 CVE-2019-10299 CVE-2019-10298
                   CVE-2019-10297 CVE-2019-10296 CVE-2019-10295
                   CVE-2019-10294 CVE-2019-10293 CVE-2019-10292
                   CVE-2019-10291 CVE-2019-10290 CVE-2019-10289
                   CVE-2019-10288 CVE-2019-10287 CVE-2019-10286
                   CVE-2019-10285 CVE-2019-10284 CVE-2019-10283
                   CVE-2019-10282 CVE-2019-10281 CVE-2019-10280
                   CVE-2019-10279 CVE-2019-10278 CVE-2019-10277

Original Bulletin:
   https://jenkins.io/security/advisory/2019-04-03/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-04-03

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Amazon SNS Build Notifier Plugin
  o Aqua Security Scanner Plugin
  o Assembla Auth Plugin
  o Audit to Database Plugin
  o AWS CloudWatch Logs Publisher Plugin
  o AWS Elastic Beanstalk Publisher Plugin
  o aws-device-farm Plugin
  o Bitbucket Approve Plugin
  o Bugzilla Plugin
  o Chef Sinatra Plugin
  o CloudCoreo DeployTime Plugin
  o CloudShare Docker-Machine Plugin
  o crittercism-dsym Plugin
  o Crowd Integration Plugin
  o DeployHub Plugin
  o Diawi Upload Plugin
  o Fabric Beta Publisher Plugin
  o FTP publisher Plugin
  o Gearman Plugin
  o HockeyApp Plugin
  o Hyper.sh Commons Plugin
  o IRC Plugin
  o Jabber Server Plugin
  o jenkins-cloudformation-plugin Plugin
  o jenkins-reviewbot Plugin
  o Jira Issue Updater Plugin
  o Klaros-Testmanagement Plugin
  o Kmap Plugin
  o Koji Plugin
  o mabl Plugin
  o Minio Storage Plugin
  o Netsparker Cloud Scan Plugin
  o Nomad Plugin
  o OctopusDeploy Plugin
  o Official OWASP ZAP Plugin
  o Open STF Plugin
  o openid Plugin
  o OpenShift Deployer Plugin
  o Perfecto Mobile Plugin
  o Relution Enterprise Appstore Publisher Plugin
  o Sametime Plugin
  o Serena SRA Deploy Plugin
  o SOASTA CloudTest Plugin
  o StarTeam Plugin
  o TestFairy Plugin
  o Trac Publisher Plugin
  o Upload to pgyer Plugin
  o veracode-scanner Plugin
  o VMware Lab Manager Slaves Plugin
  o VMware vRealize Automation Plugin
  o VS Team Services Continuous Deployment Plugin
  o WebSphere Deployer Plugin
  o WildFly Deployer Plugin
  o youtrack-plugin Plugin
  o Zephyr Enterprise Test Management Plugin

Descriptions

IRC Plugin stores credentials in plain text

SECURITY-829 / CVE-2019-1003051

IRC Plugin stores credentials unencrypted in its global configuration file
hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins master. These credentials
can be viewed by users with access to the master file system.

AWS Elastic Beanstalk Publisher Plugin stores credentials in plain text

SECURITY-831 / CVE-2019-1003052

AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its
global configuration file
org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins
master. These credentials can be viewed by users with access to the master file
system.

HockeyApp Plugin stores credentials in plain text

SECURITY-839 / CVE-2019-1003053

HockeyApp Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

Jira Issue Updater Plugin stores credentials in plain text

SECURITY-837 / CVE-2019-1003054

Jira Issue Updater Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with
Extended Read permission, or access to the master file system.

FTP publisher Plugin stores credentials in plain text

SECURITY-954 / CVE-2019-1003055

FTP publisher Plugin stores credentials unencrypted in its global configuration
file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

WebSphere Deployer Plugin stores credentials in plain text

SECURITY-956 / CVE-2019-1003056

WebSphere Deployer Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with
Extended Read permission, or access to the master file system.

Bitbucket Approve Plugin stores credentials in plain text

SECURITY-965 / CVE-2019-1003057

Bitbucket Approve Plugin stores credentials unencrypted in its global
configuration file
org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml on the Jenkins
master. These credentials can be viewed by users with access to the master file
system.

CSRF vulnerability and missing permission check in FTP publisher Plugin allow
connecting to arbitrary FTP servers

SECURITY-974 / CVE-2019-1003058 (CSRF) and CVE-2019-1003059 (permission check)

A missing permission check in a form validation method in FTP publisher Plugin
allows users with Overall/Read permission to initiate a connection test to an
attacker-specified FTP server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Official OWASP ZAP Plugin stores credentials in plain text

SECURITY-1041 / CVE-2019-1003060

Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global
configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins
master. These credentials can be viewed by users with access to the master file
system.

jenkins-cloudformation-plugin Plugin stores credentials in plain text

SECURITY-1042 / CVE-2019-1003061

jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job
config.xml files on the Jenkins master. These credentials can be viewed by
users with Extended Read permission, or access to the master file system.

AWS CloudWatch Logs Publisher Plugin stores credentials in plain text

SECURITY-830 / CVE-2019-1003062

AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its
global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on
the Jenkins master. These credentials can be viewed by users with access to the
master file system.

Amazon SNS Build Notifier Plugin stores credentials in plain text

SECURITY-832 / CVE-2019-1003063

Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global
configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml on the
Jenkins master. These credentials can be viewed by users with access to the
master file system.

aws-device-farm Plugin stores credentials in plain text

SECURITY-835 / CVE-2019-1003064

aws-device-farm Plugin stores credentials unencrypted in its global
configuration file
org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins
master. These credentials can be viewed by users with access to the master file
system.

CloudShare Docker-Machine Plugin stores credentials in plain text

SECURITY-838 / CVE-2019-1003065

CloudShare Docker-Machine Plugin stores credentials unencrypted in its global
configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the
Jenkins master. These credentials can be viewed by users with access to the
master file system.

Bugzilla Plugin stores credentials in plain text

SECURITY-841 / CVE-2019-1003066

Bugzilla Plugin stores credentials unencrypted in its global configuration file
hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins master.
These credentials can be viewed by users with access to the master file system.

Trac Publisher Plugin stores credentials in plain text

SECURITY-842 / CVE-2019-1003067

Trac Publisher Plugin stores credentials unencrypted in job config.xml files on
the Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

VMware vRealize Automation Plugin stores credentials in plain text

SECURITY-945 / CVE-2019-1003068

VMware vRealize Automation Plugin stores credentials unencrypted in job
config.xml files on the Jenkins master. These credentials can be viewed by
users with Extended Read permission, or access to the master file system.

Aqua Security Scanner Plugin stores credentials in plain text

SECURITY-949 / CVE-2019-1003069

Aqua Security Scanner Plugin stores credentials unencrypted in its global
configuration file
org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml
on the Jenkins master. These credentials can be viewed by users with access to
the master file system.

veracode-scanner Plugin stores credentials in plain text

SECURITY-952 / CVE-2019-1003070

veracode-scanner Plugin stores credentials unencrypted in its global
configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml
on the Jenkins master. These credentials can be viewed by users with access to
the master file system.

OctopusDeploy Plugin stores credentials in plain text

SECURITY-957 / CVE-2019-1003071

OctopusDeploy Plugin stores credentials unencrypted in its global configuration
file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins
master. These credentials can be viewed by users with access to the master file
system.

WildFly Deployer Plugin stores credentials in plain text

SECURITY-961 / CVE-2019-1003072

WildFly Deployer Plugin stores deployment credentials unencrypted in job
config.xml files on the Jenkins master. These credentials can be viewed by
users with Extended Read permission, or access to the master file system.

VS Team Services Continuous Deployment Plugin stores credentials in plain text

SECURITY-962 / CVE-2019-1003073

VS Team Services Continuous Deployment Plugin stores credentials unencrypted in
job config.xml files on the Jenkins master. These credentials can be viewed by
users with Extended Read permission, or access to the master file system.

Hyper.sh Commons Plugin stores credentials in plain text

SECURITY-964 / CVE-2019-1003074

Hyper.sh Commons Plugin stores credentials unencrypted in its global
configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins
master. These credentials can be viewed by users with access to the master file
system.

Audit to Database Plugin stores credentials in plain text

SECURITY-966 / CVE-2019-1003075

Audit to Database Plugin stores database credentials unencrypted in its global
configuration file audit2db.xml on the Jenkins master. These credentials can be
viewed by users with access to the master file system.

CSRF vulnerability and missing permission check in Audit to Database Plugin
allow connecting to arbitrary databases

SECURITY-977 / CVE-2019-1003076 (CSRF) and CVE-2019-1003077 (permission check)

A missing permission check in a form validation method in Audit to Database
Plugin allows users with Overall/Read permission to initiate a JDBC database
connection test to an attacker-specified server with attacker-specified
credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in VMware Lab Manager Slaves
Plugin

SECURITY-979 / CVE-2019-1003078 (CSRF) and CVE-2019-1003079 (permission check)

A missing permission check in a form validation method in VMware Lab Manager
Slaves Plugin allows users with Overall/Read permission to initiate a Lab
Manager connection test to an attacker-specified server with attacker-specified
credentials and settings.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in OpenShift Deployer Plugin

SECURITY-981 / CVE-2019-1003080 (CSRF) and CVE-2019-1003081 (permission check)

A missing permission check in a form validation method in OpenShift Deployer
Plugin allows users with Overall/Read permission to initiate a connection test
to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Gearman Plugin

SECURITY-991 / CVE-2019-1003082 (CSRF) and CVE-2019-1003083 (permission check)

A missing permission check in a form validation method in Gearman Plugin allows
users with Overall/Read permission to initiate a connection test to an
attacker-specified server.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Zephyr Enterprise Test
Management Plugin allow SSRF

SECURITY-993 / CVE-2019-1003084 (CSRF) and CVE-2019-1003085 (permission check)

A missing permission check in a form validation method in Zephyr Enterprise
Test Management Plugin allows users with Overall/Read permission to initiate a
connection test to an attacker-specified server with attacker-specified
credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Chef Sinatra Plugin allow
SSRF

SECURITY-1037 / CVE-2019-1003086 (CSRF) and CVE-2019-1003087 (permission check)

A missing permission check in a form validation method in Chef Sinatra Plugin
allows users with Overall/Read permission to initiate a connection test to an
attacker-specified server.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Fabric Beta Publisher Plugin stores credentials in plain text

SECURITY-1043 / CVE-2019-1003088

Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with
Extended Read permission, or access to the master file system.

Upload to pgyer Plugin stores credentials in plain text

SECURITY-1044 / CVE-2019-1003089

Upload to pgyer Plugin stores credentials unencrypted in job config.xml files
on the Jenkins master. These credentials can be viewed by users with Extended
Read permission, or access to the master file system.

CSRF vulnerability and missing permission check in SOASTA CloudTest Plugin
allow SSRF

SECURITY-1054 / CVE-2019-1003090 (CSRF) and CVE-2019-1003091 (permission check)

A missing permission check in a form validation method in SOASTA CloudTest
Plugin allows users with Overall/Read permission to initiate a connection test
to an attacker-specified URL with attacker-specified credentials and SSH key
store options.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Nomad Plugin allow SSRF

SECURITY-1058 / CVE-2019-1003092 (CSRF) and CVE-2019-1003093 (permission check)

A missing permission check in a form validation method in Nomad Plugin allows
users with Overall/Read permission to initiate a connection test to an
attacker-specified URL.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Open STF Plugin stores credentials in plain text

SECURITY-1059 / CVE-2019-1003094

Open STF Plugin stores credentials unencrypted in its global configuration file
hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

Perfecto Mobile Plugin stores credentials in plain text

SECURITY-1061 / CVE-2019-1003095

Perfecto Mobile Plugin stores credentials unencrypted in its global
configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the
Jenkins master. These credentials can be viewed by users with access to the
master file system.

TestFairy Plugin stores credentials in plain text

SECURITY-1062 / CVE-2019-1003096

TestFairy Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

Crowd Integration Plugin stores credentials in plain text

SECURITY-1069 / CVE-2019-1003097

Crowd Integration Plugin stores credentials unencrypted in the global
configuration file config.xml on the Jenkins master. These credentials can be
viewed by users with access to the master file system.

CSRF vulnerability and missing permission check in openid Plugin allow SSRF

SECURITY-1084 / CVE-2019-1003098 (CSRF) and CVE-2019-1003099 (permission check)

A missing permission check in a form validation method in openid Plugin allows
users with Overall/Read permission to initiate a connection test to an
attacker-specified URL.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

StarTeam Plugin stores credentials in plain text

SECURITY-1085 / CVE-2019-10277

StarTeam Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

CSRF vulnerability and missing permission check in jenkins-reviewbot Plugin
allow SSRF

SECURITY-1091 / CVE-2019-10278 (CSRF) and CVE-2019-10279 (permission check)

A missing permission check in a form validation method in jenkins-reviewbot
Plugin allows users with Overall/Read permission to initiate a connection test
to an attacker-specified URL with attacker-specified credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Assembla Auth Plugin stores credentials in plain text

SECURITY-1093 / CVE-2019-10280

Assembla Auth Plugin stores credentials unencrypted in the global configuration
file config.xml on the Jenkins master. These credentials can be viewed by users
with access to the master file system.

Relution Enterprise Appstore Publisher Plugin stores credentials in plain text

SECURITY-828 / CVE-2019-10281

Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in
its global configuration file
org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml
on the Jenkins master. These credentials can be viewed by users with access to
the master file system.

Klaros-Testmanagement Plugin stores credentials in plain text

SECURITY-843 / CVE-2019-10282

Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with
Extended Read permission, or access to the master file system.

mabl Plugin stores credentials in plain text

SECURITY-946 / CVE-2019-10283

mabl Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

Diawi Upload Plugin stores credentials in plain text

SECURITY-947 / CVE-2019-10284

Diawi Upload Plugin stores credentials unencrypted in job config.xml files on
the Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

Minio Storage Plugin stores credentials in plain text

SECURITY-955 / CVE-2019-10285

Minio Storage Plugin stores credentials unencrypted in its global configuration
file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

DeployHub Plugin stores credentials in plain text

SECURITY-959 / CVE-2019-10286

DeployHub Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

youtrack-plugin Plugin stored credentials in plain text

SECURITY-963 / CVE-2019-10287

youtrack-plugin Plugin stored credentials unencrypted in its global
configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml
on the Jenkins master. These credentials could be viewed by users with access
to the master file system.

youtrack-plugin Plugin now stores credentials encrypted.

Jabber Server Plugin stores credentials in plain text

SECURITY-1031 / CVE-2019-10288

Jabber Server Plugin stores credentials unencrypted in its global configuration
file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

CSRF vulnerability and missing permission check in Netsparker Cloud Scan Plugin
allowed SSRF

SECURITY-1032 / CVE-2019-10289 (CSRF) and CVE-2019-10290 (permission check)

A missing permission check in a form validation method in Netsparker Cloud Scan
Plugin allowed users with Overall/Read permission to initiate a connection test
to an attacker-specified server with attacker-specified API token.

Additionally, the form validation method did not require POST requests,
resulting in a CSRF vulnerability.

The form validation method now performs a permission check for Overall/
Administer and requires that requests be sent via POST.

Netsparker Cloud Scan Plugin stored credentials in plain text

SECURITY-1040 / CVE-2019-10291

Netsparker Cloud Scan Plugin stored API tokens unencrypted in its global
configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins
master. These API tokens could be viewed by users with access to the master
file system.

Netsparker Cloud Scan Plugin now stores API tokens encrypted.
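The two fixes described in this advisory, a permission check plus POST-only form validation (SECURITY-1032) and Secret-backed storage of the API token (SECURITY-1040), shown side by side in a hypothetical build step. This is an added example, not code from any of the plugins listed above; the class and field names are invented and the remote probe is stubbed out.

```java
package example; // hypothetical package, not any real plugin's code

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical build step that talks to a remote service. Written as an
 * added example for this advisory; it is not code from any plugin named above.
 */
public class ExampleServiceBuilder extends Builder {

    private final String serverUrl;

    // Vulnerable pattern (the "stores credentials in plain text" class above):
    // a plain String field is serialised verbatim into the job's config.xml,
    // so anyone with Extended Read on the job, or file system access on the
    // master, can read the token.
    //
    // private final String apiToken;

    // Hardened pattern: hudson.util.Secret is serialised in encrypted form and
    // only decrypted in memory when the build actually needs the value.
    private final Secret apiToken;

    @DataBoundConstructor
    public ExampleServiceBuilder(String serverUrl, Secret apiToken) {
        this.serverUrl = serverUrl;
        this.apiToken = apiToken;
    }

    public String getServerUrl() { return serverUrl; }

    // Returned to the config form as a Secret, so the encrypted form rather
    // than the plain text is what goes back to the browser.
    public Secret getApiToken() { return apiToken; }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Vulnerable pattern (the CSRF / missing permission check class above):
        // reachable by GET and with no permission check, so any user with
        // Overall/Read, or any page a logged-in user visits, can make the
        // master open a connection to a caller-chosen URL with caller-chosen
        // credentials.
        //
        // public FormValidation doTestConnection(@QueryParameter String serverUrl,
        //                                        @QueryParameter String apiToken) {
        //     return probe(serverUrl, apiToken);
        // }

        // Hardened form, matching the fix described for SECURITY-1032:
        // POST only (Jenkins enforces its CSRF crumb on POST requests) and an
        // explicit Overall/Administer check before any network activity.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                               @QueryParameter String apiToken) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            // The form may submit either the encrypted form or freshly typed
            // plain text; Secret.fromString handles both.
            String token = Secret.fromString(apiToken).getPlainText();
            return probe(serverUrl, token);
        }

        private FormValidation probe(String serverUrl, String token) {
            if (serverUrl == null || serverUrl.isEmpty()) {
                return FormValidation.error("Server URL is required");
            }
            if (token.isEmpty()) {
                return FormValidation.error("API token is required");
            }
            // Only here would a real plugin open the connection; the checks
            // above ensure that only an administrator who submitted the form
            // can trigger it.
            return FormValidation.ok("Validation passed; connection test would run here");
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example service (hardened)";
        }
    }
}
```

The same pattern applies to a global configuration descriptor: keep the token in a Secret field so the descriptor's XML on the master is written encrypted, and guard every `do*` validation method the same way.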

CSRF vulnerability and missing permission check in Kmap Plugin allow SSRF

SECURITY-1055 / CVE-2019-10292 (CSRF) and CVE-2019-10293 (permission check)

A missing permission check in a form validation method in Kmap Plugin allows
users with Overall/Read permission to initiate a connection test to an
attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Kmap Plugin stores credentials in plain text

SECURITY-1056 / CVE-2019-10294

Kmap Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

crittercism-dsym Plugin stores API key in plain text

SECURITY-1063 / CVE-2019-10295

crittercism-dsym Plugin stores credentials unencrypted in job config.xml files
on the Jenkins master. These credentials can be viewed by users with Extended
Read permission, or access to the master file system.

Serena SRA Deploy Plugin stores credentials in plain text

SECURITY-1066 / CVE-2019-10296

Serena SRA Deploy Plugin stores credentials unencrypted in its global
configuration file
com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml on
the Jenkins master. These credentials can be viewed by users with access to the
master file system.

Sametime Plugin stores credentials in plain text

SECURITY-1090 / CVE-2019-10297

Sametime Plugin stores credentials unencrypted in its global configuration file
hudson.plugins.sametime.im.transport.SametimePublisher.xml on the Jenkins
master. These credentials can be viewed by users with access to the master file
system.

Koji Plugin stores credentials in plain text

SECURITY-1092 / CVE-2019-10298

Koji Plugin stores credentials unencrypted in its global configuration file
org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

CloudCoreo DeployTime Plugin stores credentials in plain text

SECURITY-960 / CVE-2019-10299

CloudCoreo DeployTime Plugin stores credentials unencrypted in its global
configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on
the Jenkins master. These credentials can be viewed by users with access to the
master file system.

Severity

  o SECURITY-828: Low
  o SECURITY-829: Low
  o SECURITY-830: Low
  o SECURITY-831: Low
  o SECURITY-832: Low
  o SECURITY-835: Low
  o SECURITY-837: Medium
  o SECURITY-838: Low
  o SECURITY-839: Medium
  o SECURITY-841: Medium
  o SECURITY-842: Medium
  o SECURITY-843: Medium
  o SECURITY-945: Medium
  o SECURITY-946: Medium
  o SECURITY-947: Medium
  o SECURITY-949: Low
  o SECURITY-952: Low
  o SECURITY-954: Low
  o SECURITY-955: Low
  o SECURITY-956: Medium
  o SECURITY-957: Low
  o SECURITY-959: Medium
  o SECURITY-960: Low
  o SECURITY-961: Medium
  o SECURITY-962: Medium
  o SECURITY-963: Low
  o SECURITY-964: Low
  o SECURITY-965: Low
  o SECURITY-966: Low
  o SECURITY-974: Medium
  o SECURITY-977: Medium
  o SECURITY-979: Medium
  o SECURITY-981: Medium
  o SECURITY-991: Medium
  o SECURITY-993: Medium
  o SECURITY-1031: Low
  o SECURITY-1032: Medium
  o SECURITY-1037: Medium
  o SECURITY-1040: Low
  o SECURITY-1041: Low
  o SECURITY-1042: Medium
  o SECURITY-1043: Medium
  o SECURITY-1044: Medium
  o SECURITY-1054: Medium
  o SECURITY-1055: Medium
  o SECURITY-1056: Medium
  o SECURITY-1058: Medium
  o SECURITY-1059: Low
  o SECURITY-1061: Low
  o SECURITY-1062: Medium
  o SECURITY-1063: Medium
  o SECURITY-1066: Low
  o SECURITY-1069: Low
  o SECURITY-1084: Medium
  o SECURITY-1085: Medium
  o SECURITY-1090: Low
  o SECURITY-1091: Medium
  o SECURITY-1092: Low
  o SECURITY-1093: Low

Affected Versions

  o Amazon SNS Build Notifier Plugin (all versions)
  o Aqua Security Scanner Plugin (all versions)
  o Assembla Auth Plugin (all versions)
  o Audit to Database Plugin (all versions)
  o AWS CloudWatch Logs Publisher Plugin (all versions)
  o AWS Elastic Beanstalk Publisher Plugin (all versions)
  o aws-device-farm Plugin (all versions)
  o Bitbucket Approve Plugin (all versions)
  o Bugzilla Plugin (all versions)
  o Chef Sinatra Plugin (all versions)
  o CloudCoreo DeployTime Plugin (all versions)
  o CloudShare Docker-Machine Plugin (all versions)
  o crittercism-dsym Plugin (all versions)
  o Crowd Integration Plugin (all versions)
  o DeployHub Plugin (all versions)
  o Diawi Upload Plugin (all versions)
  o Fabric Beta Publisher Plugin (all versions)
  o FTP publisher Plugin (all versions)
  o Gearman Plugin (all versions)
  o HockeyApp Plugin (all versions)
  o Hyper.sh Commons Plugin (all versions)
  o IRC Plugin (all versions)
  o Jabber Server Plugin (all versions)
  o jenkins-cloudformation-plugin Plugin (all versions)
  o jenkins-reviewbot Plugin (all versions)
  o Jira Issue Updater Plugin (all versions)
  o Klaros-Testmanagement Plugin (all versions)
  o Kmap Plugin (all versions)
  o Koji Plugin (all versions)
  o mabl Plugin (all versions)
  o Minio Storage Plugin (all versions)
  o Netsparker Cloud Scan Plugin up to and including 1.1.5
  o Nomad Plugin (all versions)
  o OctopusDeploy Plugin (all versions)
  o Official OWASP ZAP Plugin (all versions)
  o Open STF Plugin (all versions)
  o openid Plugin (all versions)
  o OpenShift Deployer Plugin (all versions)
  o Perfecto Mobile Plugin (all versions)
  o Relution Enterprise Appstore Publisher Plugin (all versions)
  o Sametime Plugin (all versions)
  o Serena SRA Deploy Plugin (all versions)
  o SOASTA CloudTest Plugin (all versions)
  o StarTeam Plugin (all versions)
  o TestFairy Plugin (all versions)
  o Trac Publisher Plugin (all versions)
  o Upload to pgyer Plugin (all versions)
  o veracode-scanner Plugin (all versions)
  o VMware Lab Manager Slaves Plugin (all versions)
  o VMware vRealize Automation Plugin (all versions)
  o VS Team Services Continuous Deployment Plugin (all versions)
  o WebSphere Deployer Plugin (all versions)
  o WildFly Deployer Plugin (all versions)
  o youtrack-plugin Plugin up to and including 0.7.1
  o Zephyr Enterprise Test Management Plugin (all versions)

Fix

  o Netsparker Cloud Scan Plugin should be updated to version 1.1.6
  o youtrack-plugin Plugin should be updated to version 0.7.2

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Amazon SNS Build Notifier Plugin
  o Aqua Security Scanner Plugin
  o Assembla Auth Plugin
  o Audit to Database Plugin
  o AWS CloudWatch Logs Publisher Plugin
  o AWS Elastic Beanstalk Publisher Plugin
  o aws-device-farm Plugin
  o Bitbucket Approve Plugin
  o Bugzilla Plugin
  o Chef Sinatra Plugin
  o CloudCoreo DeployTime Plugin
  o CloudShare Docker-Machine Plugin
  o crittercism-dsym Plugin
  o Crowd Integration Plugin
  o DeployHub Plugin
  o Diawi Upload Plugin
  o Fabric Beta Publisher Plugin
  o FTP publisher Plugin
  o Gearman Plugin
  o HockeyApp Plugin
  o Hyper.sh Commons Plugin
  o IRC Plugin
  o Jabber Server Plugin
  o jenkins-cloudformation-plugin Plugin
  o jenkins-reviewbot Plugin
  o Jira Issue Updater Plugin
  o Klaros-Testmanagement Plugin
  o Kmap Plugin
  o Koji Plugin
  o mabl Plugin
  o Minio Storage Plugin
  o Nomad Plugin
  o OctopusDeploy Plugin
  o Official OWASP ZAP Plugin
  o Open STF Plugin
  o openid Plugin
  o OpenShift Deployer Plugin
  o Perfecto Mobile Plugin
  o Relution Enterprise Appstore Publisher Plugin
  o Sametime Plugin
  o Serena SRA Deploy Plugin
  o SOASTA CloudTest Plugin
  o StarTeam Plugin
  o TestFairy Plugin
  o Trac Publisher Plugin
  o Upload to pgyer Plugin
  o veracode-scanner Plugin
  o VMware Lab Manager Slaves Plugin
  o VMware vRealize Automation Plugin
  o VS Team Services Continuous Deployment Plugin
  o WebSphere Deployer Plugin
  o WildFly Deployer Plugin
  o Zephyr Enterprise Test Management Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Viktor Gazdag for SECURITY-828, SECURITY-829, SECURITY-830, SECURITY-831,
    SECURITY-832, SECURITY-835, SECURITY-837, SECURITY-838, SECURITY-839,
    SECURITY-841, SECURITY-842, SECURITY-843, SECURITY-945, SECURITY-946,
    SECURITY-947, SECURITY-949, SECURITY-952, SECURITY-954, SECURITY-955,
    SECURITY-956, SECURITY-957, SECURITY-959, SECURITY-960, SECURITY-961,
    SECURITY-962, SECURITY-963, SECURITY-964, SECURITY-965, SECURITY-966,
    SECURITY-974, SECURITY-977, SECURITY-979, SECURITY-981, SECURITY-991,
    SECURITY-993, SECURITY-1031, SECURITY-1032, SECURITY-1037, SECURITY-1040,
    SECURITY-1041, SECURITY-1042, SECURITY-1043, SECURITY-1044, SECURITY-1054,
    SECURITY-1055, SECURITY-1056, SECURITY-1058, SECURITY-1059, SECURITY-1061,
    SECURITY-1062, SECURITY-1063, SECURITY-1066, SECURITY-1069, SECURITY-1084,
    SECURITY-1085, SECURITY-1090, SECURITY-1091, SECURITY-1092, SECURITY-1093


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
