-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2572
                   Jenkins Security Advisory 2019-07-11
                               12 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Existing Account            
                   Reduced Security           -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10351 CVE-2019-10350 CVE-2019-10349
                   CVE-2019-10348 CVE-2019-10347 CVE-2019-10346
                   CVE-2019-10342 CVE-2019-10341 CVE-2019-10340

Original Bulletin: 
   https://jenkins.io/security/advisory/2019-07-11/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-07-11  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Caliper CI Plugin
  o Dependency Graph Viewer Plugin
  o Docker Plugin
  o Embeddable Build Status Plugin
  o Gogs Plugin
  o Mashup Portlets Plugin
  o Port Allocator Plugin

Descriptions  

CSRF vulnerability and missing permission check in Docker Plugin allowed
capturing credentials  

SECURITY-1010 / CVE-2019-10340 (CSRF), CVE-2019-10341 (permission check)

Docker Plugin did not perform permission checks on a method implementing form
validation. This allowed users with Overall/Read access to Jenkins to connect
to an attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests,
resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer
or Item/Configure permission, as appropriate.

Users with Overall/Read access could enumerate credential IDs in Docker Plugin

SECURITY-1400 / CVE-2019-10342

Docker Plugin provides a list of applicable credential IDs to allow users
configuring the plugin to select the one to use.

This functionality did not correctly check permissions, allowing any user with
Overall/Read permission to get a list of valid credentials IDs. Those could be
used as part of an attack to capture the credentials using another
vulnerability.

An enumeration of credentials IDs in this plugin now requires the appropriate
permission, typically Overall/Administer or Item/Configure.
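
The two Docker Plugin issues above share one root cause: form-helper endpoints
(a "Test Connection" validator and a credentials dropdown) that Jenkins exposes
over HTTP without the plugin gating who may call them. The following is an added
illustration, not Docker Plugin's own code, of a build step descriptor written
the way the fix describes: the validator accepts POST only and demands
Overall/Administer (global form) or Item/Configure (job form) before touching a
credential, and the dropdown returns only the caller's current value unless the
same permission holds. The package, class, field and method names are
hypothetical; the Jenkins core and Credentials plugin APIs are real.

```java
// Added example (not Docker Plugin's own code): a build step descriptor whose
// form-validation and credentials-dropdown methods apply the checks the advisory
// describes. Package, class and field names are hypothetical.
package example.jenkins;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.util.Collections;

public class ExampleRemoteBuilder extends Builder {

    private final String url;
    private final String credentialsId;

    @DataBoundConstructor
    public ExampleRemoteBuilder(String url, String credentialsId) {
        this.url = url;
        this.credentialsId = credentialsId;
    }

    public String getUrl() { return url; }
    public String getCredentialsId() { return credentialsId; }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // The SECURITY-1010 shape was a doTestConnection reachable by GET with no
        // permission check, so any Overall/Read user (or a CSRF victim) could make
        // Jenkins authenticate with a chosen credential to a chosen URL.
        //
        // Hardened shape: POST only, and the caller must be allowed to configure
        // the item the form belongs to (Overall/Administer for a global form).
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (url == null || url.trim().isEmpty()) {
                return FormValidation.error("URL is required");
            }
            // Resolve the credential only after the permission gate. The actual
            // connection attempt to 'url' would follow here; it is omitted.
            StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(
                            StandardUsernamePasswordCredentials.class,
                            item, ACL.SYSTEM, Collections.emptyList()),
                    CredentialsMatchers.withId(credentialsId));
            if (c == null) {
                return FormValidation.error("No username/password credentials with id " + credentialsId);
            }
            return FormValidation.ok("Credentials resolved for user " + c.getUsername());
        }

        // The SECURITY-1400 shape listed every applicable credential ID to anyone
        // who could reach the form. Gate it the same way: callers who may not
        // configure the item only get their current value echoed back.
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            boolean allowed = item == null
                    ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                    : item.hasPermission(Item.CONFIGURE);
            if (!allowed) {
                return result.includeCurrentValue(credentialsId);
            }
            return result.includeEmptyValue()
                    .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class)
                    .includeCurrentValue(credentialsId);
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example remote step";
        }
    }
}
```

The dropdown method deliberately stays GET-reachable, because Jenkins' form
machinery fetches dropdown contents that way; the protection there is the
permission check, not the HTTP verb. The validator, by contrast, performs an
outbound action on the caller's behalf, which is exactly why it needs both the
verb restriction (CSRF) and the permission check (authorization).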

Reflected XSS vulnerability in Embeddable Build Status Plugin  

SECURITY-1419 / CVE-2019-10346

Embeddable Build Status Plugin did not sanitize arguments provided in the query
string, resulting in a reflected cross-site scripting vulnerability.

Arguments are now sanitized.

Mashup Portlets Plugin stored credentials in plain text  

SECURITY-775 / CVE-2019-10347

Mashup Portlets Plugin stored SonarQube credentials unencrypted on the Jenkins
master. These credentials could be viewed by users with access to the master
file system.

Mashup Portlets Plugin now stores these credentials encrypted.

Gogs Plugin stored credentials in plain text  

SECURITY-1438 / CVE-2019-10348

Gogs Plugin stored credentials unencrypted in job config.xml files on the
Jenkins master. These credentials could be viewed by users with Extended Read
permission, or access to the master file system.

Gogs Plugin now stores credentials encrypted.

Stored XSS vulnerability in Dependency Graph Viewer Plugin  

SECURITY-1177 / CVE-2019-10349

Dependency Graph Viewer Plugin does not correctly escape the Display Name value
for jobs in Jenkins, resulting in a stored cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

Port Allocator Plugin stores credentials in plain text  

SECURITY-1441 / CVE-2019-10350

Port Allocator Plugin stores credentials unencrypted in job config.xml files on
the Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

As of publication of this advisory, there is no fix.

Caliper CI Plugin stores credentials in plain text  

SECURITY-1437 / CVE-2019-10351

Caliper CI Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

As of publication of this advisory, there is no fix.
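
Five of the issues in this advisory (Mashup Portlets, Gogs, Caliper CI, Port
Allocator, and the related Docker Plugin lookup) come down to where a plugin
keeps a password. A `String` field on a Jenkins object is written verbatim into
config.xml by XStream, where Extended Read users and anyone with file-system
access on the master can read it; a `hudson.util.Secret` field is written as a
ciphertext bound to the master's secret key. The following is an added
illustration, not code from any plugin named above, of a job property that
stores its password as `Secret` and migrates a legacy plain-text field on load.
The package, class and field names are hypothetical; the `Secret`, `JobProperty`
and XStream `readResolve` mechanics are Jenkins core behaviour.

```java
// Added example (not from any plugin named in the advisory): a job property that
// keeps its password as hudson.util.Secret so XStream writes it to config.xml
// encrypted, with a readResolve() hook to migrate a legacy plain-text field.
// Package, class and field names are hypothetical.
package example.jenkins;

import hudson.Extension;
import hudson.model.Job;
import hudson.model.JobProperty;
import hudson.model.JobPropertyDescriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class ExampleServiceProperty extends JobProperty<Job<?, ?>> {

    private final String username;

    // Plain-text shape (SECURITY-1437/-1438/-1441): a String field is written
    // verbatim to config.xml. It is kept here, non-transient, only so that old
    // config.xml files still deserialise; readResolve() migrates and clears it.
    @Deprecated
    private String password;

    // Hardened shape: Secret serialises as ciphertext bound to the master's
    // secret key, so config.xml no longer reveals the value.
    private Secret secretPassword;

    @DataBoundConstructor
    public ExampleServiceProperty(String username, Secret secretPassword) {
        this.username = username;
        this.secretPassword = secretPassword;
    }

    public String getUsername() { return username; }

    // Expose the Secret itself: the config form round-trips the encrypted form
    // and the plain text never has to appear in the rendered page.
    public Secret getSecretPassword() { return secretPassword; }

    // Decrypt only at the point of use; never log or persist the result.
    public String plainPassword() { return Secret.toString(secretPassword); }

    // Runs after XStream loads the object: move a legacy plain-text value into
    // the encrypted field, so the next save rewrites config.xml without it.
    private Object readResolve() {
        if (password != null) {
            secretPassword = Secret.fromString(password);
            password = null; // null fields are omitted on the next save
        }
        return this;
    }

    @Extension
    public static final class DescriptorImpl extends JobPropertyDescriptor {
        @Override
        public boolean isApplicable(Class<? extends Job> jobType) { return true; }

        @Override
        public String getDisplayName() { return "Example service credentials"; }
    }
}
```

The constructor takes `Secret` directly and relies on the Stapler converter
Jenkins core registers for that type, so the matching Jelly form would use
`<f:password field="secretPassword"/>` (an assumed view, not shown). Note that
`Secret` protects the value at rest on the master only: an administrator can
still decrypt it, and the Extended Read permission still exposes the ciphertext.
A design that stores only a credentials ID and resolves it through the
Credentials plugin at run time keeps the password out of job config.xml
altogether and is the usual choice for new plugins.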

Severity  

  o SECURITY-775: Medium
  o SECURITY-1010: Medium
  o SECURITY-1177: Medium
  o SECURITY-1400: Medium
  o SECURITY-1419: Medium
  o SECURITY-1437: Medium
  o SECURITY-1438: Medium
  o SECURITY-1441: Medium

Affected Versions  

  o Caliper CI Plugin up to and including 2.3
  o Dependency Graph Viewer Plugin up to and including 0.13
  o Docker Plugin up to and including 1.1.6
  o Embeddable Build Status Plugin up to and including 2.0.1
  o Gogs Plugin up to and including 1.0.14
  o Mashup Portlets Plugin up to and including 1.0.9
  o Port Allocator Plugin up to and including 1.8

Fix  

  o Docker Plugin should be updated to version 1.1.7
  o Embeddable Build Status Plugin should be updated to version 2.0.2
  o Gogs Plugin should be updated to version 1.0.15
  o Mashup Portlets Plugin should be updated to version 1.1.0

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Caliper CI Plugin
  o Dependency Graph Viewer Plugin
  o Port Allocator Plugin

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o David Fiser of Trend Micro Nebula for SECURITY-1437, SECURITY-1438,
    SECURITY-1441
  o Dhiru Pandey for SECURITY-1419
  o Ishaq Mohammed (https://about.me/security-prince) for SECURITY-1177
  o Oleg Nenashev, CloudBees, Inc. for SECURITY-1010

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----