-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3178
                   Jenkins Security Advisory 2020-09-16
                             17 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Overwrite Arbitrary Files       -- Existing Account      
                   Cross-site Request Forgery      -- Existing Account      
                   Cross-site Scripting            -- Existing Account      
                   Reduced Security                -- Remote/Unauthenticated
                   Access Confidential Data        -- Existing Account      
                   Unauthorised Access             -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2278 CVE-2020-2277 CVE-2020-2276
                   CVE-2020-2275 CVE-2020-2274 CVE-2020-2273
                   CVE-2020-2272 CVE-2020-2271 CVE-2020-2270
                   CVE-2020-2269 CVE-2020-2268 CVE-2020-2267
                   CVE-2020-2266 CVE-2020-2265 CVE-2020-2264
                   CVE-2020-2263 CVE-2020-2262 CVE-2020-2261
                   CVE-2020-2260 CVE-2020-2259 CVE-2020-2258
                   CVE-2020-2257 CVE-2020-2256 CVE-2020-2255
                   CVE-2020-2254 CVE-2020-2253 CVE-2020-2252

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2020-09-16/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-09-16  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Android Lint Plugin
  o Blue Ocean Plugin
  o chosen-views-tabbar Plugin
  o ClearCase Release Plugin
  o computer-queue-plugin Plugin
  o Copy data to workspace Plugin
  o Coverage/Complexity Scatter Plot Plugin
  o Custom Job Icon Plugin
  o Description Column Plugin
  o ElasTest Plugin
  o Email Extension Plugin
  o Health Advisor by CloudBees Plugin
  o Locked Files Report Plugin
  o Mailer Plugin
  o MongoDB Plugin
  o Perfecto Plugin
  o Pipeline Maven Integration Plugin
  o Radiator View Plugin
  o Selection tasks Plugin
  o Storable Configs Plugin
  o Validating String Parameter Plugin

Descriptions  

Missing hostname validation in Mailer Plugin  

SECURITY-1813 / CVE-2020-2252

Mailer Plugin 1.32 and earlier does not perform hostname validation when
connecting to the configured SMTP server over TLS: the server certificate's
chain is checked, but not whether the certificate was issued for the configured
host name. An attacker positioned between Jenkins and the SMTP server can
therefore present a certificate for a different host, issued by any CA the
Jenkins JVM trusts, and intercept these connections (a man-in-the-middle
attack).

Mailer Plugin 1.32.1 validates the SMTP hostname when connecting via TLS by
default. In Mailer Plugin 1.32 and earlier, administrators can set the Java
system property mail.smtp.ssl.checkserveridentity to true on startup (for
example by adding -Dmail.smtp.ssl.checkserveridentity=true to the JVM arguments
that launch Jenkins) to enable this protection.

In case of problems, this protection can be disabled again by setting the Java
system property mail.smtp.ssl.checkserveridentity to false on startup. Doing so
reopens the exposure described above, so it should only be a temporary measure
while the SMTP server's certificate is corrected.

Missing hostname validation in Email Extension Plugin  

SECURITY-1851 / CVE-2020-2253

Email Extension Plugin 2.75 and earlier does not perform hostname validation
when connecting to the configured SMTP server. This lack of validation could be
abused using a man-in-the-middle attack to intercept these connections.

Email Extension Plugin 2.76 validates the SMTP hostname when connecting via TLS
by default. In Email Extension Plugin 2.75 and earlier, administrators can set
the Java system property mail.smtp.ssl.checkserveridentity to true on startup
to enable this protection. Alternatively, this protection can be enabled (or
disabled in the new version) via the 'Advanced Email Properties' field in the
plugin's configuration in Configure System.

In case of problems, this protection can be disabled again by setting
mail.smtp.ssl.checkserveridentity to false using either method.
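
The following Python example is added here; it is not code from Jenkins, the
Mailer Plugin or the Email Extension Plugin. It shows what the hostname check
described in the two entries above actually decides, using two constructed
peer certificates (a legitimate one for smtp.corp.example and a CA-issued one
for an attacker's host): with the check off, the attacker's certificate is
accepted for the configured SMTP host, which is exactly the man-in-the-middle
condition. The host names and certificate contents are made up for the
example; JavaMail's mail.smtp.ssl.checkserveridentity property and Python's
ssl check_hostname flag make the same decision.

```python
# Added example (not Jenkins, Mailer or Email Extension code): what SMTP
# hostname validation does, and why skipping it enables a man-in-the-middle.
import smtplib
import ssl
from email.message import EmailMessage


def smtp_tls_context(verify_hostname: bool = True) -> ssl.SSLContext:
    """TLS client context for SMTP.

    verify_hostname=True is what the fixed plugin versions (and
    mail.smtp.ssl.checkserveridentity=true) do. False reproduces the
    vulnerable behaviour: the certificate chain is still verified, but any
    certificate from a trusted CA is accepted, whichever host it names.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if not verify_hostname:
        ctx.check_hostname = False
    return ctx


def dns_id_matches(pattern: str, host: str) -> bool:
    """Match one DNS subjectAltName entry against the configured host name
    (RFC 6125 style): case-insensitive, exact, or a single '*' that is the
    whole left-most label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # partial wildcards and '*.tld' are refused
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, host: str) -> bool:
    """Would this peer certificate, in the dict form SSLSocket.getpeercert()
    returns, be accepted for `host` with hostname validation on? Only DNS
    SANs count; the Common Name is deliberately ignored."""
    dns_ids = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_id_matches(p, host) for p in dns_ids)


def accepted(cert: dict, host: str, verify_hostname: bool) -> bool:
    """Outcome for a certificate whose chain already verified: with the check
    off it is accepted regardless of which host it names."""
    return True if not verify_hostname else hostname_matches(cert, host)


# Constructed certificates, shaped like getpeercert() output.
LEGIT_CERT = {
    "subject": ((("commonName", "smtp.corp.example"),),),
    "subjectAltName": (("DNS", "smtp.corp.example"), ("DNS", "mail.corp.example")),
}
MITM_CERT = {  # a valid, CA-issued certificate for a host the attacker controls
    "subject": ((("commonName", "mitm.example"),),),
    "subjectAltName": (("DNS", "mitm.example"),),
}


def send_over_starttls(host: str, port: int, msg: EmailMessage,
                       verify_hostname: bool = True) -> None:
    """Send with STARTTLS (network call; not exercised by the demo). The
    context passed to starttls() decides whether a MITM certificate is
    rejected before any mail content is sent."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=smtp_tls_context(verify_hostname))
        smtp.send_message(msg)


if __name__ == "__main__":
    for verify in (False, True):
        print(f"check_hostname={verify}: MITM cert accepted for smtp.corp.example ->",
              accepted(MITM_CERT, "smtp.corp.example", verify))
```

Run the file directly to print the outcome with the check off and on.
send_over_starttls is the client-side shape of the fix: the context is created
once with the check enabled and handed to starttls(); it needs a real SMTP
server, so the demo does not call it.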

Path traversal vulnerability in Blue Ocean Plugin  

SECURITY-1956 / CVE-2020-2254

Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag,
blueocean.features.GIT_READ_SAVE_TYPE, that when set to the value clone allows
an attacker with Item/Configure or Item/Create permission to read arbitrary
files on the Jenkins controller file system.

Blue Ocean Plugin 1.23.3 no longer includes this feature and redirects existing
usage to a safer alternative.

Missing permission check in Blue Ocean Plugin  

SECURITY-1961 / CVE-2020-2255

Updated 2020-09-16: This entry previously misidentified the problematic
behavior. The HTTP request itself is legitimate, but only authorized users
should be able to perform it.

Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in
several HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Blue Ocean Plugin 1.23.3 requires Item/Create permission to perform these
connection tests.

Stored XSS vulnerability in upstream cause in Pipeline Maven Integration Plugin  

SECURITY-1976 / CVE-2020-2256

Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the
upstream job's display name shown as part of a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build
causes.

Stored XSS vulnerability in Validating String Parameter Plugin  

SECURITY-1935 / CVE-2020-2257

Validating String Parameter Plugin 2.4 and earlier does not escape regular
expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4
does not escape parameter names and parameter descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips
and parameter names. Parameter descriptions are rendered using the configured
markup formatter.

Incorrect permission check in Health Advisor by CloudBees Plugin  

SECURITY-1998 / CVE-2020-2258

Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform
a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view an administrative
configuration page.

Health Advisor by CloudBees Plugin 3.2.1 requires Overall/Administer to view
its administrative configuration page.

Stored XSS vulnerability in computer-queue-plugin Plugin  

SECURITY-1912 / CVE-2020-2259

computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in
tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Agent/Configure permission.

computer-queue-plugin Plugin 1.6 escapes the agent name in tooltips.

Missing permission check in Perfecto Plugin  

SECURITY-1979 / CVE-2020-2260

Perfecto Plugin 1.17 and earlier does not perform a permission check in a
method implementing a connection test.

This allows attackers with Overall/Read permission to connect to an
attacker-specified HTTP URL using attacker-specified username and password.

Perfecto Plugin 1.18 requires Overall/Administer permission to perform a
connection test.

OS command execution vulnerability in Perfecto Plugin  

SECURITY-1980 / CVE-2020-2261

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect
File Name in job configurations; together they form the command the plugin
runs.

In Perfecto Plugin 1.17 and earlier, this command is executed on the Jenkins
controller, allowing attackers with Job/Configure permission to run arbitrary
commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is
running on.

Stored XSS vulnerability in Android Lint Plugin  

SECURITY-1908 / CVE-2020-2262

Android Lint Plugin 2.6 and earlier does not escape the annotation message in
tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to provide report files to the 'Publish Android Lint results'
post-build step.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Radiator View Plugin  

SECURITY-1927 / CVE-2020-2263

Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs
in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Custom Job Icon Plugin  

SECURITY-1914 / CVE-2020-2264

Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in
tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Coverage/Complexity Scatter Plot Plugin  

SECURITY-1913 / CVE-2020-2265

Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the
method information in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to provide report files to the 'Publish Coverage / Complexity
Scatter Plot' post-build step.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Description Column Plugin  

SECURITY-1916 / CVE-2020-2266

Description Column Plugin 1.3 and earlier does not escape the job description
in the column tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in MongoDB Plugin  

SECURITY-1904 / CVE-2020-2267 (missing permission check), CVE-2020-2268 (CSRF)

MongoDB Plugin 1.3 and earlier does not perform permission checks in methods
implementing form validation.

This allows attackers with Overall/Read permission to gain access to some
metadata of any arbitrary files on the Jenkins controller.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in chosen-views-tabbar Plugin  

SECURITY-1869 / CVE-2020-2269

chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the
dropdown to select views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with the ability to configure views.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in ClearCase Release Plugin  

SECURITY-1911 / CVE-2020-2270

ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline
in badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Locked Files Report Plugin  

SECURITY-1921 / CVE-2020-2271

Locked Files Report Plugin 1.6 and earlier does not escape locked files' names
in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in ElasTest Plugin  

SECURITY-1903 / CVE-2020-2272 (missing permission check), CVE-2020-2273 (CSRF)

ElasTest Plugin 1.2.1 and earlier does not perform a permission check in a
method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Passwords stored in plain text by ElasTest Plugin  

SECURITY-2014 / CVE-2020-2274

ElasTest Plugin 1.2.1 and earlier stores its server password in plain text in
the global configuration file
jenkins.plugins.elastest.ElasTestInstallation.xml. This password can be viewed
by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Arbitrary file read vulnerability in Copy data to workspace Plugin  

SECURITY-1966 / CVE-2020-2275

Copy data to workspace Plugin allows users to copy files from the Jenkins
controller to job workspaces.

Copy data to workspace Plugin 1.0 and earlier does not limit which directories
can be copied. This allows attackers with Job/Configure permission to read
arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

System command execution vulnerability in Selection tasks Plugin  

SECURITY-1967 / CVE-2020-2276

Selection tasks Plugin implements a job parameter that dynamically generates
possible values from the output of a program. The path to that program is
specified as part of the parameter configuration.

Selection tasks Plugin 1.0 and earlier executes this user-specified program on
the Jenkins controller. This allows attackers with Job/Configure permission to
execute an arbitrary system command on the Jenkins controller as the OS user
that the Jenkins process is running as.

As of publication of this advisory, there is no fix.

Arbitrary file read vulnerability in Storable Configs Plugin  

SECURITY-1968 (1) / CVE-2020-2277

Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission
to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

Arbitrary file write vulnerability in Storable Configs Plugin  

SECURITY-1968 (2) / CVE-2020-2278

Storable Configs Plugin allows storing copies of a job's config.xml file on the
Jenkins controller with a user-specified file name.

Storable Configs Plugin 1.0 and earlier does not restrict the user-specified
file name, except that a .xml suffix is added if it's not already present. This
allows attackers with Job/Configure permission to replace any other .xml file
on the Jenkins controller with the job's config.xml file's content.

As of publication of this advisory, there is no fix.
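
Both Storable Configs Plugin entries and the Copy data to workspace Plugin
entry above come down to the same missing check: a user-supplied file name is
joined to a directory on the controller without confirming that the result
stays inside that directory. The Python example below is added here and is not
code from any of these plugins. It shows the check, including why appending a
.xml suffix does not help, against a throw-away directory tree whose layout
(jobs/<job>/config.xml, a per-job storable-configs directory, and a userContent
tree that copies are allowed from) is assumed for the example.

```python
# Added example (not the plugins' code): confining user-supplied file names to
# a directory, the check the unfixed plugins above lack.
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """A user-supplied path would leave the directory it is confined to."""


def confine(base, user_path: str, suffix: str = "") -> Path:
    """Resolve user_path inside base and refuse anything that escapes it.

    The suffix is appended before the check, exactly as Storable Configs adds
    '.xml': a suffix changes nothing about '../../other-job/config'.
    """
    base_dir = Path(base).resolve()
    if suffix and not user_path.endswith(suffix):
        user_path += suffix
    # Joining an absolute path yields that absolute path, and resolve()
    # collapses '..' and follows symlinks, so both tricks surface here.
    candidate = (base_dir / user_path).resolve()
    try:
        rel = candidate.relative_to(base_dir)
    except ValueError:
        raise UnsafePathError(f"{user_path!r} escapes {base_dir}") from None
    if rel == Path("."):
        raise UnsafePathError("empty path")
    return candidate


def demo() -> dict:
    """Recreate both scenarios in a throw-away JENKINS_HOME (assumed layout:
    jobs/<job>/config.xml, a per-job storable-configs/ directory, and a
    userContent/ tree that copies are allowed from)."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp).resolve()
        jobs = home / "jobs"
        victim = jobs / "victim" / "config.xml"
        victim.parent.mkdir(parents=True)
        victim.write_text("<project><description>victim</description></project>")
        store = jobs / "attacker" / "storable-configs"
        store.mkdir(parents=True)

        # Arbitrary file write: a normal name stays inside the job's directory ...
        p = confine(store, "backup", ".xml")
        p.write_text("<project/>")
        out["stored_as"] = p.relative_to(jobs).as_posix()
        # ... while the traversal the advisory describes is refused outright.
        try:
            confine(store, "../../victim/config", ".xml").write_text("<project/>")
            out["write_rejected"] = False
        except UnsafePathError:
            out["write_rejected"] = True
        out["victim_intact"] = "victim" in victim.read_text()

        # Arbitrary file read: only files below the allowed root may be copied.
        allowed = home / "userContent"
        allowed.mkdir()
        (allowed / "data.txt").write_text("ok")
        out["read"] = confine(allowed, "data.txt").read_text()
        for bad in ("../secrets/master.key", "/etc/passwd"):
            try:
                confine(allowed, bad)
                out[bad] = "allowed"
            except UnsafePathError:
                out[bad] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check resolves the candidate path first and compares afterwards, so a
symlink planted inside the allowed directory is caught as well; it does not
remove the race between checking and using the path, which is why the
confined Path is returned and used immediately rather than re-joined later.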

Severity  

  o SECURITY-1813: Medium
  o SECURITY-1851: Medium
  o SECURITY-1869: High
  o SECURITY-1903: Medium
  o SECURITY-1904: Medium
  o SECURITY-1908: High
  o SECURITY-1911: High
  o SECURITY-1912: High
  o SECURITY-1913: High
  o SECURITY-1914: High
  o SECURITY-1916: High
  o SECURITY-1921: High
  o SECURITY-1927: High
  o SECURITY-1935: High
  o SECURITY-1956: Medium
  o SECURITY-1961: Medium
  o SECURITY-1966: Medium
  o SECURITY-1967: High
  o SECURITY-1968 (1): Medium
  o SECURITY-1968 (2): Medium
  o SECURITY-1976: High
  o SECURITY-1979: Medium
  o SECURITY-1980: High
  o SECURITY-1998: Medium
  o SECURITY-2014: Low

Affected Versions  

  o Android Lint Plugin up to and including 2.6
  o Blue Ocean Plugin up to and including 1.23.2
  o chosen-views-tabbar Plugin up to and including 1.2
  o ClearCase Release Plugin up to and including 0.3
  o computer-queue-plugin Plugin up to and including 1.5
  o Copy data to workspace Plugin up to and including 1.0
  o Coverage/Complexity Scatter Plot Plugin up to and including 1.1.1
  o Custom Job Icon Plugin up to and including 0.2
  o Description Column Plugin up to and including 1.3
  o ElasTest Plugin up to and including 1.2.1
  o Email Extension Plugin up to and including 2.75
  o Health Advisor by CloudBees Plugin up to and including 3.2.0
  o Locked Files Report Plugin up to and including 1.6
  o Mailer Plugin up to and including 1.32
  o MongoDB Plugin up to and including 1.3
  o Perfecto Plugin up to and including 1.17
  o Pipeline Maven Integration Plugin up to and including 3.9.2
  o Radiator View Plugin up to and including 1.29
  o Selection tasks Plugin up to and including 1.0
  o Storable Configs Plugin up to and including 1.0
  o Validating String Parameter Plugin up to and including 2.4

Fix  

  o Blue Ocean Plugin should be updated to version 1.23.3
  o computer-queue-plugin Plugin should be updated to version 1.6
  o Email Extension Plugin should be updated to version 2.76
  o Health Advisor by CloudBees Plugin should be updated to version 3.2.1
  o Mailer Plugin should be updated to version 1.32.1
  o Perfecto Plugin should be updated to version 1.18
  o Pipeline Maven Integration Plugin should be updated to version 3.9.3
  o Validating String Parameter Plugin should be updated to version 2.5

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Android Lint Plugin
  o chosen-views-tabbar Plugin
  o ClearCase Release Plugin
  o Copy data to workspace Plugin
  o Coverage/Complexity Scatter Plot Plugin
  o Custom Job Icon Plugin
  o Description Column Plugin
  o ElasTest Plugin
  o Locked Files Report Plugin
  o MongoDB Plugin
  o Radiator View Plugin
  o Selection tasks Plugin
  o Storable Configs Plugin

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-1966, SECURITY-1967,
    SECURITY-1968 (1), SECURITY-1968 (2), SECURITY-1976
  o Jinchen Sheng, Ant Security FG Lab for SECURITY-1956, SECURITY-1961
  o Matt Sicker, CloudBees, Inc. for SECURITY-1998
  o Peter Stockli (via GitHub Security Lab) for SECURITY-1813
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-1869, SECURITY-1903,
    SECURITY-1904, SECURITY-1908, SECURITY-1911, SECURITY-1912, SECURITY-1913,
    SECURITY-1914, SECURITY-1916, SECURITY-1921, SECURITY-1927, SECURITY-2014
  o Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for
    SECURITY-1935

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX2Kdz+NLKJtyKPYoAQgl0hAApatEJHxwbfesI+K0YYqUIff+1cn3rcl1
cUuDuM33bXryd4iaFSikMtxM/NyZmsAwydmYZhXPcesLoEhIDtVhPwvIRc3OCPn/
MnE6dgm5msj/ggKJn/YESRE4V+Xzw6gt3vIdBwUp+6ZERTye+9l8VgO/VK++9HK4
BSiSFItTZsVC9VnDoYUjTsZa2q/TsxhpptV8yz54Wsbn9ElxrZcgZAWWDhNL6iJP
gGuXKByXCJZZR7D0hLxbs3wQZQMcvH4yZk/WrbugfVZ11IyUnhv25BxF3EGH2L4z
RDzCpvzmtwmIs00uJD9uArKbiLxegaP9ITJNFxgrk8psDP5eKjhTNcC2lCbKEN6g
hCfsvBWW7Bn+Cc7JbepiYQtil2tXgBb/lVi2hlqpkDzoBcEDw8ylcBqhA7M8y7g/
GDWk73ME5XjqFN+IdwHNpfYMkPnAifAGumPcNMoX2dvQNqSUKjjDuAqjnGqQipyM
fWxq7Rm0usPZBZDzwlnhRWBEKoQVUxe6sOwhAt+c4xUyrQBKc2dIM58h3t2Q7N18
KRljxA7L4R0mq/eCipb4Z3aCa+p4B3e8ASAc8FuQ3P/0rxH4keJrfwxiQq8TvXUq
rBqojIbQXMyOZiDasoRC5GoA0dIqjxipdIyXOqaf/a6MF3vR4QxFd/iQXWe+vJs7
FKTeUM5ZKyg=
=yuc3
-----END PGP SIGNATURE-----