-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2809
       Jenkins 2.235.4 and 2.252, plus plugins, contain security fixes
                               14 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins core
                   Jenkins plugin: Email Extension
                   Jenkins plugin: Flaky Test Handler
                   Jenkins plugin: Pipeline Maven Integration
                   Jenkins plugin: Yet Another Build Visualizer
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Existing Account
                   Cross-site Scripting       -- Existing Account
                   Access Confidential Data   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2237 CVE-2020-2236 CVE-2020-2235
                   CVE-2020-2234 CVE-2020-2233 CVE-2020-2232
                   CVE-2020-2231 CVE-2020-2230 CVE-2020-2229

Original Bulletin:
   https://www.jenkins.io/security/advisory/2020-08-12/

Comment: Fixes are available for all components other than the Flaky Test
         Handler plugin.

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-08-12

This advisory announces vulnerabilities in the following Jenkins deliverables:

  * Jenkins (core)
  * Email Extension Plugin
  * Flaky Test Handler Plugin
  * Pipeline Maven Integration Plugin
  * Yet Another Build Visualizer Plugin

Descriptions

Stored XSS vulnerability in help icons

SECURITY-1955 / CVE-2020-2229

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip
content of help icons. Tooltip values can be contributed by plugins, some of
which use user-specified values.

This results in a stored cross-site scripting (XSS) vulnerability.

Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.
Stored XSS vulnerability in project naming strategy

SECURITY-1957 / CVE-2020-2230

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project
naming strategy description that is displayed on item creation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by users with Overall/Manage permission.

Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

Stored XSS vulnerability in 'Trigger builds remotely'

SECURITY-1960 / CVE-2020-2231

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote
address of the host starting a build via 'Trigger builds remotely'.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by users with Job/Configure permission or knowledge of the Authentication
Token.

Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.

SMTP password transmitted and displayed in plain text by Email Extension Plugin

SECURITY-1975 / CVE-2020-2232

Email Extension Plugin stores an SMTP password in its global configuration
file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins master
as part of its configuration.

While this password is stored encrypted on disk, it is transmitted and
displayed in plain text as part of the configuration form by Email Extension
Plugin 2.72 and 2.73. This can result in exposure of the password.

Email Extension Plugin 2.74 transmits the SMTP password in its global
configuration encrypted and masks it using a password field.

Missing permission check in Pipeline Maven Integration Plugin allows
enumerating credentials IDs

SECURITY-1794 (1) / CVE-2020-2233

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate
credentials IDs of credentials stored in Jenkins. Those can be used as part of
an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in Pipeline Maven Integration Plugin 3.8.3
requires the appropriate permissions.

CSRF vulnerability and missing permission check in Pipeline Maven Integration
Plugin allow capturing credentials

SECURITY-1794 (2) / CVE-2020-2234 (permission check), CVE-2020-2235 (CSRF)

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a
permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an
attacker-specified JDBC URL using attacker-specified credentials IDs obtained
through another method, potentially capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Pipeline Maven Integration Plugin 3.8.3 requires POST requests and
Job/Configure permission for the affected form validation method.

Stored XSS vulnerability in Yet Another Build Visualizer Plugin

SECURITY-1940 / CVE-2020-2236

Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip
content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by users with Run/Update permission.

Yet Another Build Visualizer Plugin 1.12 escapes tooltip content.

CSRF vulnerability in Flaky Test Handler Plugin

SECURITY-1763 / CVE-2020-2237

Flaky Test Handler Plugin 1.0.4 and earlier does not require POST requests for
the "Deflake this build" feature, resulting in a cross-site request forgery
(CSRF) vulnerability.

This vulnerability allows attackers to rebuild a project at a previous git
revision where the tests were failing.

As of publication of this advisory, there is no fix.
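The descriptions above, together with the affected and fixed versions the advisory lists, reduce to a small inventory check: which installed components fall inside an affected range, and whether a fixed version exists for each. The script below is an added example and is not part of the Jenkins advisory or the AusCERT bulletin. It assumes the update-centre short names email-ext, flaky-test-handler, pipeline-maven and yet-another-build-visualizer for the four plugins, that the plugin list comes from the /pluginManager/api/json?depth=1 endpoint, and that the core version can be read from the X-Jenkins response header; the SAMPLE_INVENTORY is constructed for offline use and is not taken from any real instance.

```python
"""Check a Jenkins core/plugin inventory against Jenkins Security Advisory
2020-08-12 (AusCERT ESB-2020.2809). Added example, not advisory text."""
import base64
import json
import sys
import urllib.request

# Plugin short names are assumed update-centre identifiers for the named plugins.
# Value: (last affected version, first fixed version or None when no fix is published)
AFFECTED_PLUGINS = {
    "email-ext": ("2.73", "2.74"),                     # SECURITY-1975 / CVE-2020-2232
    "flaky-test-handler": ("1.0.4", None),             # SECURITY-1763 / CVE-2020-2237
    "pipeline-maven": ("3.8.2", "3.8.3"),              # SECURITY-1794 / CVE-2020-2233..2235
    "yet-another-build-visualizer": ("1.11", "1.12"),  # SECURITY-1940 / CVE-2020-2236
}
CORE_WEEKLY = ("2.251", "2.252")   # SECURITY-1955 / 1957 / 1960
CORE_LTS = ("2.235.3", "2.235.4")


def parse_version(text):
    """'2.235.3' -> (2, 235, 3). A trailing non-numeric suffix in a component
    (e.g. '1.0-beta') is dropped so the numeric part still compares."""
    parts = []
    for component in text.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed, last_affected):
    """Numeric tuple comparison: '1.9' <= '1.11' holds, unlike a string compare."""
    return parse_version(installed) <= parse_version(last_affected)


def check_core(version):
    """Jenkins LTS versions carry three numeric components (2.235.3), weekly two (2.251),
    so the component count selects which affected range applies."""
    line = "LTS" if len(parse_version(version)) == 3 else "weekly"
    last, fixed = CORE_LTS if line == "LTS" else CORE_WEEKLY
    if is_affected(version, last):
        return {"component": "Jenkins core (%s)" % line, "installed": version, "fixed": fixed}
    return None


def check_plugins(plugins):
    """plugins: the 'plugins' array of /pluginManager/api/json?depth=1 (shortName, version)."""
    findings = []
    for plugin in plugins:
        entry = AFFECTED_PLUGINS.get(plugin["shortName"])
        if entry and is_affected(plugin["version"], entry[0]):
            findings.append({"component": plugin["shortName"],
                             "installed": plugin["version"], "fixed": entry[1]})
    return findings


def assess(inventory):
    """inventory: {'core': '<version>', 'plugins': [...]} -> list of findings, core first."""
    findings = []
    core = check_core(inventory["core"])
    if core:
        findings.append(core)
    findings.extend(check_plugins(inventory["plugins"]))
    return findings


def fetch_inventory(base_url, user=None, api_token=None):
    """Assumed data sources: core version from the X-Jenkins response header, plugin
    list from the plugin manager API. Basic auth with an API token is optional."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    if user and api_token:
        token = base64.b64encode(("%s:%s" % (user, api_token)).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        core = resp.headers.get("X-Jenkins", "0")
        plugins = json.load(resp)["plugins"]
    return {"core": core, "plugins": plugins}


# Constructed sample inventory for offline use; not taken from a real instance.
SAMPLE_INVENTORY = {
    "core": "2.235.3",
    "plugins": [
        {"shortName": "email-ext", "version": "2.73"},
        {"shortName": "flaky-test-handler", "version": "1.0.4"},
        {"shortName": "pipeline-maven", "version": "3.8.3"},
        {"shortName": "yet-another-build-visualizer", "version": "1.9"},
        {"shortName": "git", "version": "4.3.0"},
    ],
}

if __name__ == "__main__":
    inventory = fetch_inventory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INVENTORY
    for finding in assess(inventory):
        action = ("upgrade to %s" % finding["fixed"]) if finding["fixed"] \
            else "no fixed version published; see advisory"
        print("%-32s %-8s affected -> %s" % (finding["component"], finding["installed"], action))
```

Run with no arguments to evaluate the constructed sample (core 2.235.3, email-ext and the Flaky Test Handler plugin are reported as affected, pipeline-maven 3.8.3 is not), or pass a Jenkins base URL to query a live instance. The Flaky Test Handler finding carries a fixed version of None, mirroring the advisory's statement that no fix is available at publication, so the output distinguishes "upgrade" from "no fix yet" rather than silently treating the two alike.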
Severity

  * SECURITY-1763: Medium
  * SECURITY-1794 (1): Medium
  * SECURITY-1794 (2): High
  * SECURITY-1940: High
  * SECURITY-1955: High
  * SECURITY-1957: High
  * SECURITY-1960: High
  * SECURITY-1975: Low

Affected Versions

  * Jenkins weekly up to and including 2.251
  * Jenkins LTS up to and including 2.235.3
  * Email Extension Plugin up to and including 2.73
  * Flaky Test Handler Plugin up to and including 1.0.4
  * Pipeline Maven Integration Plugin up to and including 3.8.2
  * Yet Another Build Visualizer Plugin up to and including 1.11

Fix

  * Jenkins weekly should be updated to version 2.252
  * Jenkins LTS should be updated to version 2.235.4
  * Email Extension Plugin should be updated to version 2.74
  * Pipeline Maven Integration Plugin should be updated to version 3.8.3
  * Yet Another Build Visualizer Plugin should be updated to version 1.12

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  * Flaky Test Handler Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  * Bjoern Kasteleiner for SECURITY-1975
  * Pierre Beitz, CloudBees, Inc. for SECURITY-1957
  * Tim Jacomb for SECURITY-1794 (1), SECURITY-1794 (2)
  * Wadeck Follonier, CloudBees, Inc. for SECURITY-1763, SECURITY-1940,
    SECURITY-1955, SECURITY-1960

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXzYPReNLKJtyKPYoAQgFDw//eiVSEQlmMAs+5agmWzRsma76RGg/GJ58
nQkQUkJ1efLlqHt6DOV8VCrsF4cNrPsaQ82pbrtn+V5KBWkH+3Cw+xGUjnJslemG
FJxYGNFPB3yc08Z9qXrt0qrWvdpYZRnasoMpLJLS8DFs4iStSUrTBg5VUUxhvohE
Oi3I2UtbRGKDXxmEHfy50cirsyUBxbcpRjPT7l4VMhj+1+QYX6fYFFUKCK2286tM
Tm8mY5cRdaYm9zGdj4yIJWx3zeKEWROsqTa4IYpaS5bglvtiBd0CuPW/0vpvyXXj
+q5bhQpKZQSkNxtIVTZaldz9rJPVuiuHhc02MaNtbIofwMtuu67gK3gd5cDu55hs
sUMU9YrpoyiCVVqwt/CErDTGKFI/8fNnObvjTUjWTDCKyF60AMOvPTlFwC8j0A30
Q6zzY1HJc1JzuWhZgDfM6P8nld4ufAQbDHS7zKDOejMqogIg5uBaAFQlCHcpyEpM
SqM5rHqmk9bM1FHaX0ADa6CcCErM/TukxvzD+0AvgXrTsRCSqJN2CBYeYrwJvEpl
st7/v8ITd/r+8QJvp1RKgnZLRihIT91x5RrXvubPKtfdg92yA3d2P9pgRNgP5dND
f8+nlaqJ22efOCiU7RWsv3gaoG6OofDJaC1nSJuTHV2A7skvFos5bTTVTB3DuZSd
FY7xQKkVkQQ=
=lu0l
-----END PGP SIGNATURE-----