===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2809
      Jenkins 2.235.4 and 2.252, plus plugins, contain security fixes
                              14 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins core
                   Jenkins plugin: Email Extension
                   Jenkins plugin: Flaky Test Handler
                   Jenkins plugin: Pipeline Maven Integration
                   Jenkins plugin: Yet Another Build Visualizer
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Existing Account
                   Cross-site Scripting       -- Existing Account
                   Access Confidential Data   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2237 CVE-2020-2236 CVE-2020-2235
                   CVE-2020-2234 CVE-2020-2233 CVE-2020-2232
                   CVE-2020-2231 CVE-2020-2230 CVE-2020-2229

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2020-08-12/

Comment: Fixes are available for all components other than the Flaky Test
         Handler plugin.

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-08-12

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Jenkins (core)
  * Email Extension Plugin
  * Flaky Test Handler Plugin
  * Pipeline Maven Integration Plugin
  * Yet Another Build Visualizer Plugin

Descriptions

Stored XSS vulnerability in help icons

SECURITY-1955 / CVE-2020-2229

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the tooltip
content of help icons. Tooltip values can be contributed by plugins, some of
which use user-specified values.

This results in a stored cross-site scripting (XSS) vulnerability.

Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.

Stored XSS vulnerability in project naming strategy

SECURITY-1957 / CVE-2020-2230

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the project
naming strategy description that is displayed on item creation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by users with Overall/Manage permission.

Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

Stored XSS vulnerability in 'Trigger builds remotely'

SECURITY-1960 / CVE-2020-2231

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the remote
address of the host starting a build via 'Trigger builds remotely'.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by users with Job/Configure permission or knowledge of the Authentication
Token.

Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.

SMTP password transmitted and displayed in plain text by Email Extension Plugin

SECURITY-1975 / CVE-2020-2232

Email Extension Plugin stores an SMTP password in its global configuration file
hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins master as
part of its configuration.

While this password is stored encrypted on disk, it is transmitted and
displayed in plain text as part of the configuration form by Email Extension
Plugin 2.72 and 2.73. This can result in exposure of the password.

Email Extension Plugin 2.74 transmits the SMTP password in its global
configuration encrypted and masks it using a password field.
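The difference between the 2.72/2.73 behaviour and the 2.74 fix comes down to what type the global configuration exposes to the form. The following is an added illustration, not Email Extension Plugin's code: a hypothetical GlobalConfiguration whose password field is a hudson.util.Secret, so the value persisted to disk and the value sent to the browser are both the encrypted form, with the matching Jelly view binding it to a password control.

```java
// Hypothetical plugin global configuration; not Email Extension Plugin's own code.
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

@Extension
public class ExampleSmtpGlobalConfiguration extends GlobalConfiguration {

    // The field is persisted encrypted with the instance's key, which matches the
    // "stored encrypted on disk" part of the advisory. The weak shape described for
    // 2.72/2.73 is not the storage but the transport: a getter such as
    //   public String getSmtpPassword() { return smtpPassword.getPlainText(); }
    // bound to <f:textbox field="smtpPassword"/> sends the clear text to every
    // administrator's browser and renders it visibly in the form.
    private Secret smtpPassword;

    public ExampleSmtpGlobalConfiguration() {
        load(); // reads the persisted XML; the Secret is decrypted transparently
    }

    // Fixed shape: return the Secret itself. The view binds it with
    //   <f:password field="smtpPassword"/>
    // so the browser receives only the encrypted value and shows a masked input.
    public Secret getSmtpPassword() {
        return smtpPassword;
    }

    @DataBoundSetter
    public void setSmtpPassword(Secret smtpPassword) {
        // Secret.fromString(...) is applied by Stapler to the submitted value, which
        // is either an unchanged encrypted string or a newly typed clear-text one.
        this.smtpPassword = smtpPassword;
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json); // invokes setSmtpPassword with the Secret from the form
        return true;
    }

    // Only the code that authenticates to the SMTP server should call this; the
    // result must never be placed in a response, a log line, or a build page.
    public String plainTextForSmtpAuth() {
        return smtpPassword == null ? "" : smtpPassword.getPlainText();
    }
}
```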

Missing permission check in Pipeline Maven Integration Plugin allows
enumerating credentials IDs

SECURITY-1794 (1) / CVE-2020-2233

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate
credentials IDs of credentials stored in Jenkins. Those can be used as part of
an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline Maven Integration Plugin 3.8.3
requires the appropriate permissions.

CSRF vulnerability and missing permission check in Pipeline Maven Integration
Plugin allow capturing credentials

SECURITY-1794 (2) / CVE-2020-2234 (permission check), CVE-2020-2235 (CSRF)

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a
permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an
attacker-specified JDBC URL using attacker-specified credentials IDs obtained
through another method, potentially capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Pipeline Maven Integration Plugin 3.8.3 requires POST requests and Job/Configure
permission for the affected form validation method.
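Both SECURITY-1794 findings are instances of the same descriptor-level mistake: a web-bound method that is reachable by GET and performs no permission check. The following is an added example, not Pipeline Maven Integration Plugin's code; the descriptor, method names and the sample credentials ID are hypothetical. It shows the credentials-ID filler guarded by Job/Configure (the (1) fix) and the connection-testing validation method guarded by both @POST and an explicit permission check (the (2) fix).

```java
// Hypothetical descriptor; not Pipeline Maven Integration Plugin's own code.
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

@Extension
public class JdbcCheckDescriptor extends BuildStepDescriptor<Builder> {

    // SECURITY-1794 (1) pattern: the drop-down filler only lists IDs to callers who
    // can configure the job, so Overall/Read alone cannot enumerate credentials.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item) {
        ListBoxModel model = new ListBoxModel();
        if (item != null && item.hasPermission(Item.CONFIGURE)) {
            model.add("db-credentials (constructed sample)", "db-credentials");
        }
        return model; // empty for callers who cannot configure the job
    }

    // SECURITY-1794 (2) pattern. The pre-fix shape had no annotation and no check, so a
    // GET from any Overall/Read user, or a page that user visits (CSRF), triggered the
    // outbound connection. @POST makes Stapler reject non-POST requests and enforce
    // the CSRF crumb; checkPermission throws for callers without Job/Configure.
    @POST
    public FormValidation doValidateJdbcConnection(@AncestorInPath Item item,
            @QueryParameter String jdbcUrl, @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:")) {
            return FormValidation.error("JDBC URL must start with jdbc:");
        }
        // Placeholder: the real plugin would resolve credentialsId and connect here.
        return FormValidation.ok();
    }

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
}
```

The same @POST requirement is what the Flaky Test Handler finding below lacks for its "Deflake this build" action.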

Stored XSS vulnerability in Yet Another Build Visualizer Plugin

SECURITY-1940 / CVE-2020-2236

Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip
content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by users with Run/Update permission.

Yet Another Build Visualizer Plugin 1.12 escapes tooltip content.

CSRF vulnerability in Flaky Test Handler Plugin

SECURITY-1763 / CVE-2020-2237

Flaky Test Handler Plugin 1.0.4 and earlier does not require POST requests for
the "Deflake this build" feature, resulting in a cross-site request forgery
(CSRF) vulnerability.

This vulnerability allows attackers to rebuild a project at a previous git
revision where the tests were failing.

As of publication of this advisory, there is no fix.

Severity

  * SECURITY-1763: Medium
  * SECURITY-1794 (1): Medium
  * SECURITY-1794 (2): High
  * SECURITY-1940: High
  * SECURITY-1955: High
  * SECURITY-1957: High
  * SECURITY-1960: High
  * SECURITY-1975: Low

Affected Versions

  * Jenkins weekly up to and including 2.251
  * Jenkins LTS up to and including 2.235.3
  * Email Extension Plugin up to and including 2.73
  * Flaky Test Handler Plugin up to and including 1.0.4
  * Pipeline Maven Integration Plugin up to and including 3.8.2
  * Yet Another Build Visualizer Plugin up to and including 1.11

Fix

  * Jenkins weekly should be updated to version 2.252
  * Jenkins LTS should be updated to version 2.235.4
  * Email Extension Plugin should be updated to version 2.74
  * Pipeline Maven Integration Plugin should be updated to version 3.8.3
  * Yet Another Build Visualizer Plugin should be updated to version 1.12

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  * Flaky Test Handler Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Bjoern Kasteleiner for SECURITY-1975
  * Pierre Beitz, CloudBees, Inc. for SECURITY-1957
  * Tim Jacomb for SECURITY-1794 (1), SECURITY-1794 (2)
  * Wadeck Follonier, CloudBees, Inc. for SECURITY-1763, SECURITY-1940,
    SECURITY-1955, SECURITY-1960

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================