-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3694
                   Jenkins Security Advisory 2019-10-01
                              2 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Scripting            -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10435 CVE-2019-10434 CVE-2019-10433
                   CVE-2019-10432 CVE-2019-10431 

Original Bulletin: 
   https://jenkins.io/security/advisory/2019-10-01/

--------------------------BEGIN INCLUDED TEXT--------------------

                      Jenkins Security Advisory 2019-10-01

   This advisory announces vulnerabilities in the following Jenkins
   deliverables:

     * Dingding Plugin https://plugins.jenkins.io/dingding-notifications
     * HTML Publisher Plugin https://plugins.jenkins.io/htmlpublisher
     * LDAP Email Plugin https://plugins.jenkins.io/ldapemail
     * Script Security Plugin https://plugins.jenkins.io/script-security
     * SourceGear Vault Plugin https://plugins.jenkins.io/vault-scm-plugin

Descriptions

  Sandbox bypass vulnerability in Script Security Plugin

   SECURITY-1579 / CVE-2019-10431

   Sandbox protection in Script Security Plugin could be circumvented through
   default parameter expressions in constructors.

   This allowed attackers able to specify and run sandboxed scripts to
   execute arbitrary code in the context of the Jenkins master JVM.

   These expressions are now subject to sandbox protection.

  Stored XSS vulnerability in HTML Publisher Plugin

   SECURITY-1590 / CVE-2019-10432

   HTML Publisher Plugin did not escape the project or build display name
   shown in the frame HTML page. This resulted in a cross-site scripting
   vulnerability exploitable by attackers able to control the project or
   build display name, typically users with Job/Configure or Build/Update
   permission.

   HTML Publisher Plugin now escapes the display name displayed in the frame
   HTML page.

  Dingding Plugin stores credentials in plain text

   SECURITY-1423 / CVE-2019-10433

   Dingding Plugin stores an access token unencrypted in job
   config.xml files on the Jenkins master. This token can be viewed by users
   with Extended Read permission, or access to the master file system.

   As of publication of this advisory, there is no fix.

  LDAP Email Plugin shows plain text password in configuration form

   SECURITY-1515 / CVE-2019-10434

   LDAP Email Plugin stores an LDAP bind password in its global Jenkins
   configuration.

   While the password is stored encrypted on disk, it is transmitted in plain
   text as part of the configuration form. This can result in exposure of the
   password through browser extensions, cross-site scripting vulnerabilities,
   and similar situations.

   As of publication of this advisory, there is no fix.

  SourceGear Vault Plugin shows plain text password in configuration form

   SECURITY-1524 / CVE-2019-10435

   SourceGear Vault Plugin stores an SCM password in job configurations.

   While the password is stored encrypted on disk, it is transmitted in plain
   text as part of the configuration form. This can result in exposure of the
   password through browser extensions, cross-site scripting vulnerabilities,
   and similar situations.

   As of publication of this advisory, there is no fix.

Severity

     * SECURITY-1423: Low
     * SECURITY-1515: Low
     * SECURITY-1524: Low
     * SECURITY-1579: High
     * SECURITY-1590: Medium

Affected Versions

     * Dingding Plugin up to and including 1.9
     * HTML Publisher Plugin up to and including 1.20
     * LDAP Email Plugin up to and including 0.8
     * Script Security Plugin up to and including 1.64
     * SourceGear Vault Plugin up to and including 1.1.1

Fix

     * HTML Publisher Plugin should be updated to version 1.21
     * Script Security Plugin should be updated to version 1.65

   These versions include fixes to the vulnerabilities described above. All
   prior versions are considered to be affected by these vulnerabilities
   unless otherwise indicated.

   As of publication of this advisory, no fixes are available for the
   following plugins:

     * Dingding Plugin
     * LDAP Email Plugin
     * SourceGear Vault Plugin
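   The affected-version and fix tables above can be turned into a mechanical
   audit of a Jenkins instance. The script below is an added example, not part
   of the advisory or the Jenkins project; it assumes the plugin list has the
   shape returned by Jenkins' /pluginManager/api/json?depth=1 endpoint (a
   "plugins" array whose entries carry "shortName" and "version"), that the
   plugin IDs match the plugins.jenkins.io URL slugs quoted above, and uses a
   constructed sample document in place of a live instance.

```python
"""Audit installed Jenkins plugins against Jenkins Security Advisory 2019-10-01."""
import json
import re

# Plugin ID (the plugins.jenkins.io slug from the advisory) -> (last affected version,
# fixed version or None where the advisory says no fix is available).
ADVISORY_2019_10_01 = {
    "dingding-notifications": ("1.9", None),
    "htmlpublisher": ("1.20", "1.21"),
    "ldapemail": ("0.8", None),
    "script-security": ("1.64", "1.65"),
    "vault-scm-plugin": ("1.1.1", None),
}


def version_key(version):
    """Parse the leading dotted-numeric part of a version ("1.1.1" -> (1, 1, 1)).
    A trailing qualifier such as "-SNAPSHOT" is ignored for the comparison."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_at_most(installed, last_affected):
    """True when `installed` <= `last_affected`; shorter tuples are zero-padded so 1.1 < 1.1.1."""
    a, b = version_key(installed), version_key(last_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def audit(plugins_json):
    """Return (plugin, installed version, action) for each installed plugin still in the affected range."""
    findings = []
    for plugin in json.loads(plugins_json)["plugins"]:
        name, installed = plugin["shortName"], str(plugin["version"])
        if name in ADVISORY_2019_10_01 and is_at_most(installed, ADVISORY_2019_10_01[name][0]):
            fixed = ADVISORY_2019_10_01[name][1]
            action = f"update to {fixed}" if fixed else "no fix available as of the advisory"
            findings.append((name, installed, action))
    return findings


# Constructed sample standing in for a live /pluginManager/api/json?depth=1 response.
SAMPLE_PLUGIN_LIST = json.dumps({"plugins": [
    {"shortName": "script-security", "version": "1.64"},
    {"shortName": "htmlpublisher", "version": "1.21"},
    {"shortName": "vault-scm-plugin", "version": "1.1"},
    {"shortName": "git", "version": "3.12.1"},
]})

if __name__ == "__main__":
    for name, installed, action in audit(SAMPLE_PLUGIN_LIST):
        print(f"{name} {installed}: {action}")
```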

Credit

   The Jenkins project would like to thank the reporters for discovering and
   reporting these vulnerabilities:

     * David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day
       Initiative for SECURITY-1423
     * James Holderness, IB Boost for SECURITY-1515, SECURITY-1524
     * Nils Emmerich of ERNW Research GmbH for SECURITY-1579
     * Viktor Gazdag NCC Group for SECURITY-1590

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================