-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3694
                     Jenkins Security Advisory 2019-10-01
                               2 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Scripting            -- Existing Account
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10435 CVE-2019-10434 CVE-2019-10433 CVE-2019-10432
                   CVE-2019-10431

Original Bulletin:
   https://jenkins.io/security/advisory/2019-10-01/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-10-01

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Dingding Plugin
    https://plugins.jenkins.io/dingding-notifications
  * HTML Publisher Plugin
    https://plugins.jenkins.io/htmlpublisher
  * LDAP Email Plugin
    https://plugins.jenkins.io/ldapemail
  * Script Security Plugin
    https://plugins.jenkins.io/script-security
  * SourceGear Vault Plugin
    https://plugins.jenkins.io/vault-scm-plugin

Descriptions

Sandbox bypass vulnerability in Script Security Plugin

SECURITY-1579 / CVE-2019-10431

Sandbox protection in Script Security Plugin could be circumvented through
default parameter expressions in constructors. This allowed attackers able to
specify and run sandboxed scripts to execute arbitrary code in the context of
the Jenkins master JVM.

These expressions are now subject to sandbox protection.

Stored XSS vulnerability in HTML Publisher Plugin

SECURITY-1590 / CVE-2019-10432

HTML Publisher Plugin did not escape the project or build display name shown
in the frame HTML page.
This resulted in a cross-site scripting vulnerability exploitable by attackers
able to control the project or build display name, typically users with
Job/Configure or Build/Update permission.

HTML Publisher Plugin now escapes the display name displayed in the frame HTML
page.

Dingding Plugin stores credentials in plain text

SECURITY-1423 / CVE-2019-10433

Dingding Plugin stores an access token unencrypted in job config.xml files on
the Jenkins master. This token can be viewed by users with Extended Read
permission, or access to the master file system.

As of publication of this advisory, there is no fix.

LDAP Email Plugin shows plain text password in configuration form

SECURITY-1515 / CVE-2019-10434

LDAP Email Plugin stores an LDAP bind password in its global Jenkins
configuration. While the password is stored encrypted on disk, it is
transmitted in plain text as part of the configuration form. This can result
in exposure of the password through browser extensions, cross-site scripting
vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

SourceGear Vault Plugin shows plain text password in configuration form

SECURITY-1524 / CVE-2019-10435

SourceGear Vault Plugin stores an SCM password in job configurations. While
the password is stored encrypted on disk, it is transmitted in plain text as
part of the configuration form. This can result in exposure of the password
through browser extensions, cross-site scripting vulnerabilities, and similar
situations.

As of publication of this advisory, there is no fix.
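A quick way to check an installed plugin set against the Affected Versions and Fix sections that follow. This is an added example, not part of the Jenkins advisory or of AusCERT's bulletin; it assumes the inventory is the JSON that Jenkins serves at /pluginManager/api/json?depth=1 (a constructed sample is embedded, so nothing is fetched), and that plugin short names are the slugs of the plugins.jenkins.io URLs listed above.

```python
"""Compare a Jenkins plugin inventory with the versions named in this advisory.
Added example; assumes pluginManager/api/json?depth=1 output as input."""
import json

# "Up to and including" versions and fixed versions, as listed in the advisory.
ADVISORY = {
    "dingding-notifications": ("1.9", None, "SECURITY-1423 / CVE-2019-10433"),
    "htmlpublisher": ("1.20", "1.21", "SECURITY-1590 / CVE-2019-10432"),
    "ldapemail": ("0.8", None, "SECURITY-1515 / CVE-2019-10434"),
    "script-security": ("1.64", "1.65", "SECURITY-1579 / CVE-2019-10431"),
    "vault-scm-plugin": ("1.1.1", None, "SECURITY-1524 / CVE-2019-10435"),
}

# Constructed sample inventory (not taken from a real instance).
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "script-security", "version": "1.64"},
    {"shortName": "htmlpublisher", "version": "1.21"},
    {"shortName": "dingding-notifications", "version": "1.9"},
    {"shortName": "git", "version": "3.12.1"},
]})


def version_key(v):
    """Numeric tuple for a dotted version; a '-qualifier' suffix is ignored.
    Compares numerically, so 1.20 > 1.9 and 1.1.1 > 1.1 (string order would not)."""
    return tuple(int(p) for p in v.split("-", 1)[0].split(".") if p.isdigit())


def is_affected(installed, affected_max):
    return version_key(installed) <= version_key(affected_max)


def check_inventory(inventory_json):
    """Return {shortName: (installed_version, advice)} for affected plugins only."""
    findings = {}
    for plugin in json.loads(inventory_json).get("plugins", []):
        name, installed = plugin.get("shortName"), plugin.get("version", "")
        if name not in ADVISORY or not is_affected(installed, ADVISORY[name][0]):
            continue
        _, fixed, ident = ADVISORY[name]
        advice = (f"{ident}: update to {fixed} or later" if fixed
                  else f"{ident}: affected, no fix available at publication")
        findings[name] = (installed, advice)
    return findings


if __name__ == "__main__":
    for name, (installed, advice) in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{name} {installed}: {advice}")
```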
Severity

  * SECURITY-1423: Low
  * SECURITY-1515: Low
  * SECURITY-1524: Low
  * SECURITY-1579: High
  * SECURITY-1590: Medium

Affected Versions

  * Dingding Plugin up to and including 1.9
  * HTML Publisher Plugin up to and including 1.20
  * LDAP Email Plugin up to and including 0.8
  * Script Security Plugin up to and including 1.64
  * SourceGear Vault Plugin up to and including 1.1.1

Fix

  * HTML Publisher Plugin should be updated to version 1.21
  * Script Security Plugin should be updated to version 1.65

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  * Dingding Plugin
  * LDAP Email Plugin
  * SourceGear Vault Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day
    Initiative for SECURITY-1423
  * James Holderness, IB Boost for SECURITY-1515, SECURITY-1524
  * Nils Emmerich of ERNW Research GmbH for SECURITY-1579
  * Viktor Gazdag NCC Group for SECURITY-1590

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----