-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2435
          Jenkins 2.245 and LTS 2.235.2 receive security updates
                               16 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins
                   Jenkins LTS
                   Jenkins plugins
Publisher:         Jenkins project
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges -- Existing Account
                   Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2228 CVE-2020-2227 CVE-2020-2226
                   CVE-2020-2225 CVE-2020-2224 CVE-2020-2223
                   CVE-2020-2222 CVE-2020-2221 CVE-2020-2220

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2020-07-15/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-07-15

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Jenkins (core)
  * Deployer Framework Plugin
  * Gitlab Authentication Plugin
  * Matrix Authorization Strategy Plugin
  * Matrix Project Plugin

Descriptions

Stored XSS vulnerability in job build time trend

SECURITY-1868 / CVE-2020-2220

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent
name on build time trend pages. This results in a stored cross-site scripting
(XSS) vulnerability exploitable by users with Agent/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the agent name.

Stored XSS vulnerability in upstream cause

SECURITY-1901 / CVE-2020-2221

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream
job's display name shown as part of a build cause. This results in a stored
cross-site scripting (XSS) vulnerability exploitable by users with
Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the job display name.

Stored XSS vulnerability in 'keep forever' badge icons

SECURITY-1902 / CVE-2020-2222

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name
in the 'Keep this build forever' badge tooltip. This results in a stored
cross-site scripting (XSS) vulnerability exploitable by users able to configure
job names.

As job names do not generally support the character set needed for XSS, this is
believed to be difficult to exploit in common configurations.

Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build
forever' badge tooltip.

Stored XSS vulnerability in console links

SECURITY-1945 / CVE-2020-2223

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href
attribute of links to downstream jobs displayed in the build console page. This
results in a stored cross-site scripting (XSS) vulnerability exploitable by
users with Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the href attribute of these links.

Stored XSS vulnerability in single axis builds tooltips in Matrix Project
Plugin

SECURITY-1924 / CVE-2020-2224

Matrix Project Plugin 1.16 and earlier does not escape node names shown in
tooltips on the overview page of builds with a single axis. This results in a
stored cross-site scripting (XSS) vulnerability exploitable by users with
Agent/Configure permission.

Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.

Stored XSS vulnerability in multiple axis builds tooltips in Matrix Project
Plugin

SECURITY-1925 / CVE-2020-2225

Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in
tooltips on the overview page of builds with multiple axes. This results in a
stored cross-site scripting (XSS) vulnerability exploitable by users with
Job/Configure permission.

Matrix Project Plugin 1.17 escapes the axis names shown in these tooltips.

Stored XSS vulnerability in Matrix Authorization Strategy Plugin

SECURITY-1909 / CVE-2020-2226

Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user
names shown in the permission table. This results in a stored cross-site
scripting (XSS) vulnerability. When using project-based matrix authorization,
this vulnerability can be exploited by a user with Job/Configure or
Agent/Configure permission, otherwise by users with Overall/Administer
permission.

Matrix Authorization Strategy Plugin 2.6.2 escapes user names in the permission
table.

Stored XSS vulnerability in Deployer Framework Plugin

SECURITY-1915 / CVE-2020-2227

Deployer Framework Plugin is a framework plugin allowing other plugins to
provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and earlier
does not escape the URL displayed in the build home page. This results in a
stored cross-site scripting (XSS) vulnerability exploitable by users able to
provide the location.

The exploitability of this vulnerability depends on the specific implementation
using Deployer Framework Plugin. The Jenkins security team is not aware of any
exploitable implementation.

Deployer Framework Plugin 1.3 escapes the URL.
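Every entry above is the same defect in a different place: a configuration
value (agent name, job name, job display name, node or axis name, user name,
link target) is written into a page without being escaped for the HTML context
it lands in. The added example below is not Jenkins code and is not taken from
the advisory; it is a small Python model, with constructed sample values, of a
build-page row that interpolates an agent name into text content, a job name
into a tooltip attribute and a link target into an href, first verbatim (the
pattern the advisory describes) and then escaped per context. The scheme
allowlist in render_href is this example's own addition: the advisory only says
the href attribute is escaped, but quoting alone does not stop the browser from
interpreting the URL itself.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs (not from the advisory) standing in for the
# user-controlled fields it names: an agent name, a job name, a link target.
SAMPLE_AGENT_NAME = 'builder-01<script>alert("agent")</script>'
SAMPLE_JOB_NAME = 'deploy" onmouseover="alert(1)'
SAMPLE_BAD_HREF = 'javascript:alert(1)'
SAMPLE_GOOD_HREF = '/job/downstream/'

# Schemes a build-page link may legitimately use; "" is a relative URL.
# This allowlist is an assumption of the example, not part of the advisory.
SAFE_SCHEMES = {"http", "https", ""}


def render_text(value: str) -> str:
    """Escape a value for HTML text content (the build time trend agent name)."""
    return html.escape(value, quote=True)


def render_attr(name: str, value: str) -> str:
    """Escape a value for a double-quoted attribute (the badge tooltip job name)."""
    return f'{name}="{html.escape(value, quote=True)}"'


def render_href(url: str) -> str:
    """Escape a link target for an href attribute.

    Attribute escaping keeps the value inside the attribute, but the browser
    still interprets the URL, so the scheme is restricted as well.
    """
    if urlsplit(url).scheme.lower() not in SAFE_SCHEMES:
        url = "#"
    return f'href="{html.escape(url, quote=True)}"'


def trend_row_unsafe(agent: str, job: str, href: str) -> str:
    """The pattern the advisory describes: values interpolated verbatim."""
    return (
        f'<tr><td>{agent}</td>'
        f'<td><a href="{href}" title="{job}">link</a></td></tr>'
    )


def trend_row_safe(agent: str, job: str, href: str) -> str:
    """Same row with each value escaped for the context it is placed in."""
    return (
        f'<tr><td>{render_text(agent)}</td>'
        f'<td><a {render_href(href)} {render_attr("title", job)}>link</a></td></tr>'
    )


def contains_raw(rendered: str, raw: str) -> bool:
    """Check whether an unescaped fragment of input survives into the output."""
    return raw in rendered


if __name__ == "__main__":
    print(trend_row_unsafe(SAMPLE_AGENT_NAME, SAMPLE_JOB_NAME, SAMPLE_BAD_HREF))
    print(trend_row_safe(SAMPLE_AGENT_NAME, SAMPLE_JOB_NAME, SAMPLE_BAD_HREF))
```

The useful discipline here is that escaping is chosen by output context, not
by input field: the same job name needs text escaping in one place and
attribute escaping in another, and a link target needs a scheme check on top.
A review of a template can therefore be done mechanically by asking, for each
interpolation, which of these three renderers wraps it.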

Improper authorization of users and groups with the same base name in Gitlab
Authentication Plugin

SECURITY-1792 / CVE-2020-2228

Gitlab Authentication Plugin 1.5 and earlier does not differentiate between
user names and hierarchical group names when performing authorization. This
allows an attacker with permissions to create groups in GitLab to gain the
privileges granted to another user or group.

Gitlab Authentication Plugin 1.6 performs user name and group name
authorization checks using the appropriate GitLab APIs.

Severity

  * SECURITY-1792: High
  * SECURITY-1868: High
  * SECURITY-1901: High
  * SECURITY-1902: High
  * SECURITY-1909: High
  * SECURITY-1915: High
  * SECURITY-1924: High
  * SECURITY-1925: High
  * SECURITY-1945: High

Affected Versions

  * Jenkins weekly up to and including 2.244
  * Jenkins LTS up to and including 2.235.1
  * Deployer Framework Plugin up to and including 1.2
  * Gitlab Authentication Plugin up to and including 1.5
  * Matrix Authorization Strategy Plugin up to and including 2.6.1
  * Matrix Project Plugin up to and including 1.16

Fix

  * Jenkins weekly should be updated to version 2.245
  * Jenkins LTS should be updated to version 2.235.2
  * Deployer Framework Plugin should be updated to version 1.3
  * Gitlab Authentication Plugin should be updated to version 1.6
  * Matrix Authorization Strategy Plugin should be updated to version 2.6.2
  * Matrix Project Plugin should be updated to version 1.17

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Oleg Nenashev, CloudBees, Inc. for SECURITY-1945
  * Wadeck Follonier, CloudBees, Inc. for SECURITY-1868, SECURITY-1901,
    SECURITY-1902, SECURITY-1909, SECURITY-1915, SECURITY-1924, SECURITY-1925

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----