-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1973
                   Jenkins Security Advisory 2020-06-03
                                5 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Existing Account            
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Existing Account            
                   Reduced Security           -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2200 CVE-2020-2199 CVE-2020-2198
                   CVE-2020-2197 CVE-2020-2196 CVE-2020-2195
                   CVE-2020-2194 CVE-2020-2193 CVE-2020-2192
                   CVE-2020-2191 CVE-2020-2190 

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2020-06-03/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-06-03

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Compact Columns Plugin
  * ECharts API Plugin
  * Play Framework Plugin
  * Project Inheritance Plugin
  * Script Security Plugin
  * Selenium Plugin
  * Self-Organizing Swarm Plug-in Modules Plugin
  * Subversion Partial Release Manager Plugin

Descriptions

Stored XSS vulnerability in Script Security Plugin

SECURITY-1866 / CVE-2020-2190

Script Security Plugin 1.72 and earlier does not correctly escape pending or
approved classpath entries on the In-process Script Approval page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by users able to configure sandboxed scripts.

Script Security Plugin 1.73 escapes pending and approved classpath entries
before rendering them in the Jenkins UI.

CSRF vulnerability and improper permission checks in Self-Organizing Swarm
Plug-in Modules Plugin

SECURITY-1200 / CVE-2020-2191 (permission checks), CVE-2020-2192 (CSRF)

Self-Organizing Swarm Plug-in Modules Plugin adds API endpoints to add or
remove agent labels. In Self-Organizing Swarm Plug-in Modules Plugin 3.20 and
earlier these only require a global Swarm secret to use, and no regular
permission check is performed. This allows users with Agent/Create permission
to add or remove labels of any agent.

Additionally, these API endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

Self-Organizing Swarm Plug-in Modules Plugin 3.21 requires POST requests to these
endpoints and Agent/Configure permission on the affected agent. It no longer
uses the global Swarm secret for these API endpoints.

Stored XSS vulnerability in ECharts API Plugin

SECURITY-1841 / CVE-2020-2193

ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier
when rendering charts.

This results in a stored cross-site scripting (XSS) vulnerability that can be
exploited by users with Job/Configure permission.

ECharts API Plugin 4.7.0-4 escapes the parser identifier.

Stored XSS vulnerability in ECharts API Plugin

SECURITY-1842 / CVE-2020-2194

ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the
builds in the trend chart.

This results in a stored cross-site scripting (XSS) vulnerability that can be
exploited by users with Run/Update permission.

ECharts API Plugin 4.7.0-4 escapes the display name.

Stored XSS vulnerability in Compact Columns Plugin

SECURITY-1837 / CVE-2020-2195

Compact Columns Plugin 1.11 and earlier displays the unprocessed job
description in tooltips.

This results in a stored cross-site scripting vulnerability that can be
exploited by users with Job/Configure permission.

Compact Columns Plugin 1.12 applies the configured markup formatter to the job
description shown in tooltips.

Complete lack of CSRF protection in Selenium Plugin can lead to OS command
injection

SECURITY-1766 / CVE-2020-2196

Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP
endpoints.

This allows attackers to perform the following actions:

  * Restart the Selenium Grid hub.

  * Delete or replace the plugin configuration.

  * Start, stop, or restart Selenium configurations on specific nodes.

Through carefully chosen configuration parameters, these actions can result in
OS command injection on the Jenkins master.

As of publication of this advisory, there is no fix.

Missing permission check in Project Inheritance Plugin

SECURITY-1582 / CVE-2020-2197 (permission check), CVE-2020-2198 (unredacted
encrypted secrets)

Jenkins limits access to job configuration XML data (config.xml) to users with
Job/ExtendedRead permission, typically implied by Job/Configure permission.
Project Inheritance Plugin has several job inspection features, including the
API URL /job/…/getConfigAsXML for its Inheritance Project job type that does
something similar.

Project Inheritance Plugin 19.08.02 and earlier does not check permissions for
this endpoint, granting access to job configuration XML data to every user
with Job/Read permission.

Additionally, the encrypted values of secrets stored in the job configuration
are not redacted, as they would be by the config.xml API for users without Job/
Configure permission.

As of publication of this advisory, there is no fix.
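As an added example (not part of the Jenkins advisory, the AusCERT bulletin, or the plugin), the following Python script scans job configuration XML for values shaped like encrypted Jenkins Secrets, so that the output of an endpoint like the one described above can be checked for unredacted secrets when fetched as a user holding only Job/Read. It assumes that an encrypted Secret is serialised as base64 wrapped in braces and that redacted values are shown as eight asterisks; nothing is decrypted, and the sample config.xml is constructed.

```python
"""Spot encrypted secrets left in job configuration XML returned to a reader.

Jenkins' config.xml API redacts encrypted Secret values for users who lack
Job/Configure; the plugin endpoint described in the advisory did not. Running
this over the XML such a user receives shows whether anything leaked.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: an encrypted Jenkins Secret is serialised as base64 wrapped in
# braces, e.g. {AQAAABAAAAAg...=}. Anything of that shape is treated as a
# secret; this is a shape check only, nothing is decrypted.
ENCRYPTED_VALUE = re.compile(r"\{[A-Za-z0-9+/]+={0,2}\}")
REDACTED = "********"


def find_encrypted_values(config_xml: str) -> list:
    """Return (element path, value) for every text node that looks encrypted."""
    hits = []

    def walk(elem, path):
        text = (elem.text or "").strip()
        if ENCRYPTED_VALUE.fullmatch(text):
            hits.append((path, text))
        for child in elem:
            walk(child, path + "/" + child.tag)

    root = ET.fromstring(config_xml)
    walk(root, root.tag)
    return hits


def redact(config_xml: str) -> str:
    """Replace encrypted-looking element text with the placeholder (assumed to
    match what the core config.xml API emits for non-Configure users)."""
    return re.sub(r">(\{[A-Za-z0-9+/]+={0,2}\})<", ">" + REDACTED + "<", config_xml)


# Constructed sample config.xml; the blob is filler, not a real ciphertext.
SAMPLE_CONFIG_XML = """<project>
  <description>Nightly build</description>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <hudson.model.PasswordParameterDefinition>
          <name>DEPLOY_TOKEN</name>
          <defaultValue>{AQAAABAAAAAQc2FtcGxlLWZpbGxlci1ub3QtYS1yZWFsLXNlY3JldA==}</defaultValue>
        </hudson.model.PasswordParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>
"""

if __name__ == "__main__":
    for path, value in find_encrypted_values(SAMPLE_CONFIG_XML):
        print("unredacted secret at", path, "->", value[:16] + "...")
    print(redact(SAMPLE_CONFIG_XML))
```

To audit an instance, save what the plugin endpoint returns to a Job/Read-only test account and pass that text to find_encrypted_values: any hit is a value the core config.xml API would have masked for that user.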

XSS vulnerability in Subversion Partial Release Manager Plugin

SECURITY-1726 / CVE-2020-2199

Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the
error message for the repository URL field form validation.

This results in a reflected cross-site scripting (XSS) vulnerability that can
also be exploited in the manner of a stored cross-site scripting vulnerability
by users with Job/Configure permission.

As of publication of this advisory, there is no fix.

OS command injection vulnerability in Play Framework Plugin

SECURITY-1879 / CVE-2020-2200

A form validation endpoint in Play Framework Plugin executes the play command
to validate a given input file.

Play Framework Plugin 1.0.2 and earlier lets users specify the path to the play
command on the Jenkins master, so the validation endpoint executes whatever file
that path points to. This results in an OS command injection vulnerability
exploitable by users able to store a file on the Jenkins master (e.g. through
archiving artifacts) and point the configured path at it.

As of publication of this advisory, there is no fix.

Severity

  * SECURITY-1200: Medium
  * SECURITY-1582: Medium
  * SECURITY-1726: Medium
  * SECURITY-1766: High
  * SECURITY-1837: Medium
  * SECURITY-1841: Medium
  * SECURITY-1842: Medium
  * SECURITY-1866: Medium
  * SECURITY-1879: High

Affected Versions

  * Compact Columns Plugin up to and including 1.11
  * ECharts API Plugin up to and including 4.7.0-3
  * Play Framework Plugin up to and including 1.0.2
  * Project Inheritance Plugin up to and including 19.08.02
  * Script Security Plugin up to and including 1.72
  * Selenium Plugin up to and including 3.141.59
  * Self-Organizing Swarm Plug-in Modules Plugin up to and including 3.20
  * Subversion Partial Release Manager Plugin up to and including 1.0.1

Fix

  * Compact Columns Plugin should be updated to version 1.12
  * ECharts API Plugin should be updated to version 4.7.0-4
  * Script Security Plugin should be updated to version 1.73
  * Self-Organizing Swarm Plug-in Modules Plugin should be updated to version
    3.21

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  * Play Framework Plugin
  * Project Inheritance Plugin
  * Selenium Plugin
  * Subversion Partial Release Manager Plugin
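As an added example (not part of the Jenkins advisory or the AusCERT bulletin), the following Python script compares the plugin versions installed on a Jenkins instance, as returned by the plugin manager JSON API, with the affected ranges and fixes listed above. The shortName keys are an assumption, because the advisory names plugins by display name only; the sample API output is constructed.

```python
"""Flag installed Jenkins plugins that fall in this advisory's affected ranges.

Input is the JSON from Jenkins' plugin manager API
(GET /pluginManager/api/json?depth=1), which lists shortName, longName and
version for every installed plugin. The sample below is constructed.
"""
import json
import re

# (last affected version, first fixed version or None) per plugin, from the
# advisory's "Affected Versions" and "Fix" sections. The shortName keys are an
# assumption (the advisory gives display names only); confirm each against the
# plugin's own page before relying on this table.
ADVISORY_2020_06_03 = {
    "compact-columns": ("1.11", "1.12"),
    "echarts-api": ("4.7.0-3", "4.7.0-4"),
    "play-autotest-plugin": ("1.0.2", None),
    "project-inheritance": ("19.08.02", None),
    "script-security": ("1.72", "1.73"),
    "selenium": ("3.141.59", None),
    "swarm": ("3.20", "3.21"),
    "svn-partial-release-mgr": ("1.0.1", None),
}


def version_key(version: str) -> list:
    """Split a plugin version into comparable components.

    Numeric components compare numerically, so 4.7.0-3 < 4.7.0-4, 19.08.02
    equals 19.8.2 and 1.9 < 1.11 (plain string comparison gets these wrong).
    Non-numeric components such as 'beta' sort after any number; pre-release
    ordering is deliberately not modelled.
    """
    key = []
    for token in re.split(r"[.\-]", version.strip()):
        if token.isdigit():
            key.append((0, int(token), ""))
        elif token:
            key.append((1, 0, token))
    return key


def is_affected(installed: str, last_affected: str) -> bool:
    """True if the installed version is at or below the last affected version."""
    return version_key(installed) <= version_key(last_affected)


def find_affected(plugin_manager_json: str, advisory=ADVISORY_2020_06_03) -> list:
    """Return one record per installed plugin that is inside an affected range."""
    hits = []
    for plugin in json.loads(plugin_manager_json)["plugins"]:
        name = plugin.get("shortName")
        if name not in advisory:
            continue
        last_affected, fixed = advisory[name]
        if is_affected(plugin["version"], last_affected):
            hits.append({
                "plugin": name,
                "installed": plugin["version"],
                "last_affected": last_affected,
                "action": f"update to {fixed}" if fixed else "no fix at advisory publication",
            })
    return hits


# Constructed sample of the plugin manager API output, not from a real instance.
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "script-security", "longName": "Script Security", "version": "1.72"},
    {"shortName": "echarts-api", "longName": "ECharts API", "version": "4.7.0-4"},
    {"shortName": "swarm", "longName": "Self-Organizing Swarm Plug-in Modules", "version": "3.21"},
    {"shortName": "project-inheritance", "longName": "Project Inheritance", "version": "19.08.02"},
    {"shortName": "git", "longName": "Git", "version": "4.2.2"},
]})

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_PLUGIN_JSON):
        print(f"{hit['plugin']} {hit['installed']} (<= {hit['last_affected']}): {hit['action']}")
```

Fetch the real input with an API token, for example curl -u USER:TOKEN 'https://JENKINS/pluginManager/api/json?depth=1', and pass the response body to find_affected. Plugins reported with "no fix at advisory publication" have no safe version to move to; the usual options are uninstalling the plugin or restricting the permissions the advisory names (Job/Configure, Job/Read, the ability to archive artifacts) until a fixed release appears.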

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Daniel Beck, CloudBees, Inc. for SECURITY-1879
  * Daniel Beck, CloudBees, Inc. and, independently, Markus Winter, SAP SE for
    SECURITY-1582
  * Oleg Nenashev, CloudBees, Inc. for SECURITY-1200
  * Tobias Gruetzmacher for SECURITY-1837
  * Wadeck Follonier, CloudBees, Inc. for SECURITY-1726, SECURITY-1841,
    SECURITY-1842, SECURITY-1866
  * Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for
    SECURITY-1766

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----