===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0857
                   Jenkins Security Advisory 2020-03-09
                               10 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote/Unauthenticated      
                   Cross-site Request Forgery      -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Reduced Security                -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2159 CVE-2020-2158 CVE-2020-2157
                   CVE-2020-2156 CVE-2020-2155 CVE-2020-2154
                   CVE-2020-2153 CVE-2020-2152 CVE-2020-2151
                   CVE-2020-2150 CVE-2020-2149 CVE-2020-2148
                   CVE-2020-2147 CVE-2020-2146 CVE-2020-2145
                   CVE-2020-2144 CVE-2020-2143 CVE-2020-2142
                   CVE-2020-2141 CVE-2020-2140 CVE-2020-2139
                   CVE-2020-2138 CVE-2020-2137 CVE-2020-2136
                   CVE-2020-2135 CVE-2020-2134 

Original Bulletin: 
   https://jenkins.io/security/advisory/2020-03-09/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-03-09  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Audit Trail Plugin
  o Backlog Plugin
  o Cobertura Plugin
  o CryptoMove Plugin
  o DeployHub Plugin
  o Git Plugin
  o Literate Plugin
  o Logstash Plugin
  o Mac Plugin
  o OpenShift Deployer Plugin
  o P4 Plugin
  o Quality Gates Plugin
  o Repository Connector Plugin
  o Rundeck Plugin
  o Script Security Plugin
  o Skytap Cloud CI Plugin
  o Sonar Quality Gates Plugin
  o Subversion Release Manager Plugin
  o Timestamper Plugin
  o Zephyr Enterprise Test Management Plugin
  o Zephyr for JIRA Test Management Plugin

Descriptions  

Sandbox bypass vulnerability in Script Security Plugin  

SECURITY-1754 / CVE-2020-2134 (constructors), CVE-2020-2135
(GroovyInterceptable)

Sandbox protection in Script Security Plugin 1.70 and earlier can be
circumvented through:

  o Crafted constructor calls and bodies (due to an incomplete fix of
    SECURITY-582)

  o Crafted method calls on objects that implement GroovyInterceptable

This allows attackers able to specify and run sandboxed scripts to execute
arbitrary code in the context of the Jenkins master JVM.

Script Security Plugin 1.71 has additional restrictions and sanity checks to
ensure that super constructors cannot be invoked without being intercepted by
the sandbox. It also intercepts method calls on objects that implement
GroovyInterceptable as calls to GroovyObject#invokeMethod(String, Object),
which is a blacklisted method.

Stored XSS vulnerability in Git Plugin  

SECURITY-1723 / CVE-2020-2136

Git Plugin 4.2.0 and earlier does not escape the error message for the
repository URL for Microsoft TFS field form validation.

This results in a stored cross-site scripting vulnerability that can be
exploited by users with Job/Configure permission.

Git Plugin 4.2.1 escapes the affected part of the error message.

Stored XSS vulnerability in Timestamper Plugin  

SECURITY-1784 / CVE-2020-2137

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML
formatting used to display the timestamps in console output for builds.

This results in a stored cross-site scripting vulnerability that can be
exploited by users with Overall/Administer permission.

Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only
allows basic, safe HTML formatting.

XXE vulnerability in Cobertura Plugin  

SECURITY-1700 / CVE-2020-2138

Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Cobertura
Coverage Report' post-build step to have Jenkins parse a crafted file that uses
external entities for extraction of secrets from the Jenkins master or
server-side request forgery.

Cobertura Plugin 1.16 disables external entity resolution for its XML parser.

Arbitrary file write vulnerability in Cobertura Plugin  

SECURITY-1668 / CVE-2020-2139

Cobertura Plugin 1.15 and earlier does not validate file paths from the XML
file it parses.

This allows attackers able to control the coverage report content to overwrite
any file on the Jenkins master file system.

Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base
directory.
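Added example, not Cobertura Plugin's own code, of the base-directory containment check that the 1.16 fix describes, run over a constructed set of file names as they might appear in a report; the base path, class name and method names are assumptions:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Cobertura Plugin code): resolve a file name taken
 * from an untrusted XML report against a base directory and refuse
 * anything that would land outside it.
 */
public final class ReportPaths {

    private ReportPaths() {}

    /**
     * Returns the absolute, normalized target for {@code reportedName}
     * underneath {@code baseDir}, or throws if the result escapes baseDir.
     * "../" sequences, absolute paths and mixed forms are all caught by the
     * same component-wise comparison after normalization.
     * Note: normalize() does not follow symlinks; if the target already
     * exists, toRealPath() gives the stronger check.
     */
    public static Path resolveWithin(Path baseDir, String reportedName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(reportedName).normalize();
        // startsWith compares whole path components, so "/base" does not
        // accidentally match "/base2/evil.html".
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException(
                "Report entry escapes base directory: " + reportedName);
        }
        return target;
    }

    /** Same check for callers that want a boolean instead of an exception. */
    public static boolean isContained(Path baseDir, String reportedName) {
        try {
            resolveWithin(baseDir, reportedName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Assumed base directory for the published report.
        Path base = Paths.get("/var/lib/jenkins/jobs/demo/cobertura");
        // Constructed sample entries; only the first one should be written.
        String[] samples = {
            "com/example/Foo.java.html",        // allowed
            "../../../../etc/passwd",           // rejected: climbs out of base
            "/var/lib/jenkins/config.xml",      // rejected: absolute path
            "sub/../../escape.html"             // rejected: normalizes outward
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isContained(base, s) ? "allowed" : "rejected"));
        }
    }
}
```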

XSS vulnerability in Audit Trail Plugin  

SECURITY-1722 / CVE-2020-2140

Audit Trail Plugin 3.2 and earlier does not escape the error message for the
URL Patterns field form validation.

This results in a reflected cross-site scripting vulnerability that can also be
exploited similarly to a stored cross-site scripting vulnerability by users
with Overall/Administer permission.

Audit Trail Plugin 3.3 escapes the affected part of the error message.

CSRF vulnerability and missing permission checks in P4 Plugin  

SECURITY-1765 / CVE-2020-2141 (CSRF), CVE-2020-2142 (missing permission check)

P4 Plugin 1.10.10 and earlier does not perform permission checks in several
HTTP endpoints. This allows users with Overall/Read access to trigger builds or
add labels in the Perforce repository.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

P4 Plugin 1.10.11 requires POST requests and appropriate user permissions for
the affected HTTP endpoints.

Credentials transmitted in plain text by Logstash Plugin  

SECURITY-1516 / CVE-2020-2143

Logstash Plugin stores credentials in its global configuration file
jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins master as
part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in
plain text as part of the configuration form by Logstash Plugin 2.3.1 and
earlier. This can result in exposure of the credential through browser
extensions, cross-site scripting vulnerabilities, and similar situations.

Logstash Plugin 2.3.2 transmits the credentials in its global configuration
encrypted.

XXE vulnerability in Rundeck Plugin  

SECURITY-1702 / CVE-2020-2144

Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows a user with Overall/Read access to have Jenkins parse a crafted
HTTP request with XML data that uses external entities for extraction of
secrets from the Jenkins master or server-side request forgery.

Rundeck Plugin 3.6.7 disables external entity resolution for its XML parser.

Credentials stored in plain text by Zephyr Enterprise Test Management Plugin  

SECURITY-1596 / CVE-2020-2145

Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr
password in plain text in the global configuration file
com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed
by users with access to the Jenkins master file system.

Zephyr Enterprise Test Management Plugin 1.10 integrates with Credentials
Plugin.

Missing SSH host key validation in Mac Plugin  

SECURITY-1692 / CVE-2020-2146

Mac Plugin 1.1.0 and earlier does not use SSH host key validation when
connecting to a Mac Cloud host launched by the plugin. This lack of validation
could be abused using a man-in-the-middle attack to intercept these connections
to build agents.

Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.

CSRF vulnerability and missing permission checks in Mac Plugin  

SECURITY-1761 / CVE-2020-2147 (CSRF), CVE-2020-2148 (missing permission check)

Mac Plugin 1.1.0 and earlier does not perform permission checks on a method
implementing form validation. This allows users with Overall/Read access to
Jenkins to connect to an attacker-specified SSH host using attacker-specified
credential IDs obtained through another method, capturing credentials stored
in Jenkins.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer
permission in Mac Plugin 1.2.0.
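An added example, not Mac or P4 Plugin code, of a Jenkins descriptor whose form-validation endpoint carries the two controls the Mac and P4 fixes describe (POST only, explicit permission check); it also shows the escaped FormValidation message that the Git and Audit Trail entries above are about. ExampleBuilder, doTestConnection and doCheckHost are assumed names:

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Added example (not Mac or P4 Plugin code). Stapler exposes every
 * public do* method of a descriptor as an HTTP endpoint, so each one
 * that has side effects or touches credentials needs its own gate.
 */
public class ExampleBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        /**
         * Reachable as .../descriptorByName/ExampleBuilder/testConnection.
         * Without @RequirePOST a plain GET (for example from an image tag
         * on another site) would trigger it: the CSRF half of the advisory.
         * Without checkPermission any Overall/Read user could drive it with
         * a credentials ID of their choosing: the permission-check half.
         */
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String host,
                                               @QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            if (host == null || host.trim().isEmpty()) {
                return FormValidation.error("Host must not be empty");
            }
            // The real connection attempt would go here; the point is the gate.
            return FormValidation.ok("Connection test permitted for " + host);
        }

        /**
         * Side-effect-free syntax check. FormValidation.error(String)
         * HTML-escapes its message, so echoing the user's value is safe;
         * errorWithMarkup(...) would not escape it, which is the pattern
         * behind the form-validation XSS entries in this advisory.
         */
        public FormValidation doCheckHost(@QueryParameter String value) {
            if (value == null || !value.matches("[A-Za-z0-9.-]+")) {
                return FormValidation.error("Not a valid host name: " + value);
            }
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example builder";
        }
    }
}
```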

Credentials transmitted in plain text by Repository Connector Plugin  

SECURITY-1520 / CVE-2020-2149

Repository Connector Plugin stores credentials in its global configuration file
org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the
Jenkins master as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in
plain text as part of the configuration form by Repository Connector Plugin
1.2.6 and earlier. This can result in exposure of the credential through
browser extensions, cross-site scripting vulnerabilities, and similar
situations.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by Sonar Quality Gates Plugin  

SECURITY-1523 / CVE-2020-2150

Sonar Quality Gates Plugin stores credentials in its global configuration file
org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins master as part
of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in
plain text as part of the configuration form by Sonar Quality Gates Plugin
1.3.1 and earlier. This can result in exposure of the credential through
browser extensions, cross-site scripting vulnerabilities, and similar
situations.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by Quality Gates Plugin  

SECURITY-1519 / CVE-2020-2151

Quality Gates Plugin stores credentials in its global configuration file
quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins master as part of
its configuration.

While the credentials are stored encrypted on disk, they are transmitted in
plain text as part of the configuration form by Quality Gates Plugin 2.5 and
earlier. This can result in exposure of the credential through browser
extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

XSS vulnerability in Subversion Release Manager Plugin  

SECURITY-1727 / CVE-2020-2152

Subversion Release Manager Plugin 1.2 and earlier does not escape the error
message for the Repository URL field form validation.

This results in a reflected cross-site scripting vulnerability that can also be
exploited similarly to a stored cross-site scripting vulnerability by users
with Job/Configure permission.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by Backlog Plugin  

SECURITY-1510 / CVE-2020-2153

Backlog Plugin stores credentials in job config.xml files as part of its
configuration.

While the credentials are stored encrypted on disk, they are transmitted in
plain text as part of the configuration form by Backlog Plugin 2.4 and earlier.
These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

Credentials stored in plain text by Zephyr for JIRA Test Management Plugin  

SECURITY-1550 / CVE-2020-2154

Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials
unencrypted in its global configuration file
com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by OpenShift Deployer Plugin  

SECURITY-1518 / CVE-2020-2155

OpenShift Deployer Plugin stores credentials in its global configuration file
org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins master as
part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in
plain text as part of the configuration form by OpenShift Deployer Plugin 1.2.0
and earlier. This can result in exposure of the credential through browser
extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by DeployHub Plugin  

SECURITY-1511 / CVE-2020-2156

DeployHub Plugin stores credentials in job config.xml files as part of its
configuration.

While the credentials are stored encrypted on disk, they are transmitted in
plain text as part of the configuration form by DeployHub Plugin 8.0.14 and
earlier. These credentials could be viewed by users with Extended Read
permission.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by Skytap Cloud CI Plugin  

SECURITY-1522 / CVE-2020-2157

Skytap Cloud CI Plugin stores credentials in job config.xml files as part of
its configuration.

While the credentials are stored encrypted on disk, they are transmitted in
plain text as part of the configuration form by Skytap Cloud CI Plugin 2.07 and
earlier. These credentials could be viewed by users with Extended Read
permission.

As of publication of this advisory, there is no fix.
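An added example, not the code of any plugin listed, of the Secret-based configuration pattern that closes the plain-text transmission gap described for Logstash Plugin (fixed in 2.3.2) and for the Repository Connector, Sonar Quality Gates, Quality Gates, Backlog, OpenShift Deployer, DeployHub and Skytap Cloud CI entries above; ExampleGlobalConfiguration and apiToken are assumed names:

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

/**
 * Added example (not any listed plugin's code). Keeping the value as
 * hudson.util.Secret gives both halves the advisory distinguishes:
 * it is encrypted in the descriptor's XML on the master, and when the
 * config Jelly binds it with
 *   <f:entry title="API token" field="apiToken"><f:password/></f:entry>
 * the browser receives the encrypted form, not the plaintext.
 * Returning Secret.getPlainText() from the getter, or rendering the
 * field with f:textbox, is what reintroduces the plain-text transmission.
 */
@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {

    // Assumed field; persisted in ExampleGlobalConfiguration.xml on the master.
    private Secret apiToken;

    public ExampleGlobalConfiguration() {
        load();   // reads the XML; the Secret stays encrypted until unwrapped
    }

    /** Hand the Secret itself to the form, never its plaintext. */
    public Secret getApiToken() {
        return apiToken;
    }

    @DataBoundSetter
    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
        req.bindJSON(this, json);   // routes the submitted value through setApiToken
        return true;
    }

    /** Unwrap only at the point of use, e.g. when building an outbound request. */
    public String tokenForOutboundRequest() {
        return apiToken == null ? "" : apiToken.getPlainText();
    }
}
```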

RCE vulnerability in Literate Plugin  

SECURITY-1750 / CVE-2020-2158

Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent
the instantiation of arbitrary types. This results in a remote code execution
vulnerability exploitable by users able to provide YAML input files to Literate
Plugin's build step.

As of publication of this advisory, there is no fix.

OS command injection in CryptoMove Plugin  

SECURITY-1635 / CVE-2020-2159

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command
to execute as part of its build step configuration.

This command will be executed on the Jenkins master as the OS user account
running Jenkins, allowing users with Job/Configure permission to execute an
arbitrary OS command on the Jenkins master.

As of publication of this advisory, there is no fix.

Severity  

  o SECURITY-1510: Low
  o SECURITY-1511: Low
  o SECURITY-1516: Low
  o SECURITY-1518: Low
  o SECURITY-1519: Low
  o SECURITY-1520: Low
  o SECURITY-1522: Low
  o SECURITY-1523: Low
  o SECURITY-1550: Low
  o SECURITY-1596: Low
  o SECURITY-1635: High
  o SECURITY-1668: Medium
  o SECURITY-1692: Medium
  o SECURITY-1700: High
  o SECURITY-1702: High
  o SECURITY-1722: Medium
  o SECURITY-1723: Medium
  o SECURITY-1727: Medium
  o SECURITY-1750: High
  o SECURITY-1754: High
  o SECURITY-1761: Medium
  o SECURITY-1765: Medium
  o SECURITY-1784: Medium

Affected Versions  

  o Audit Trail Plugin up to and including 3.2
  o Backlog Plugin up to and including 2.4
  o Cobertura Plugin up to and including 1.15
  o CryptoMove Plugin up to and including 0.1.33
  o DeployHub Plugin up to and including 8.0.14
  o Git Plugin up to and including 4.2.0
  o Literate Plugin up to and including 1.0
  o Logstash Plugin up to and including 2.3.1
  o Mac Plugin up to and including 1.1.0
  o OpenShift Deployer Plugin up to and including 1.2.0
  o P4 Plugin up to and including 1.10.10
  o Quality Gates Plugin up to and including 2.5
  o Repository Connector Plugin up to and including 1.2.6
  o Rundeck Plugin up to and including 3.6.6
  o Script Security Plugin up to and including 1.70
  o Skytap Cloud CI Plugin up to and including 2.07
  o Sonar Quality Gates Plugin up to and including 1.3.1
  o Subversion Release Manager Plugin up to and including 1.2
  o Timestamper Plugin up to and including 1.11.1
  o Zephyr Enterprise Test Management Plugin up to and including 1.9.1
  o Zephyr for JIRA Test Management Plugin up to and including 1.5

Fix  

  o Audit Trail Plugin should be updated to version 3.3
  o Cobertura Plugin should be updated to version 1.16
  o Git Plugin should be updated to version 4.2.1
  o Logstash Plugin should be updated to version 2.3.2
  o Mac Plugin should be updated to version 1.2.0
  o P4 Plugin should be updated to version 1.10.11
  o Rundeck Plugin should be updated to version 3.6.7
  o Script Security Plugin should be updated to version 1.71
  o Timestamper Plugin should be updated to version 1.11.2
  o Zephyr Enterprise Test Management Plugin should be updated to version 1.10

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Backlog Plugin
  o CryptoMove Plugin
  o DeployHub Plugin
  o Literate Plugin
  o OpenShift Deployer Plugin
  o Quality Gates Plugin
  o Repository Connector Plugin
  o Skytap Cloud CI Plugin
  o Sonar Quality Gates Plugin
  o Subversion Release Manager Plugin
  o Zephyr for JIRA Test Management Plugin

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/
    for SECURITY-1702
  o Federico Pellegrin for SECURITY-1668, SECURITY-1700
  o Ian Williams for SECURITY-1596
  o James Holderness, IB Boost for SECURITY-1510, SECURITY-1511, SECURITY-1516,
    SECURITY-1518, SECURITY-1519, SECURITY-1520, SECURITY-1522, SECURITY-1523,
    SECURITY-1550
  o Nils Emmerich of ERNW Research GmbH for SECURITY-1754
  o Raihaan Shouhell, Autodesk, Inc for SECURITY-1692
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-1722, SECURITY-1723,
    SECURITY-1727, SECURITY-1761, SECURITY-1765, SECURITY-1784
  o Wasin Saengow for SECURITY-1635

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================