===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3486
      Jenkins Plugins Vulnerabilities - Security Advisory 2020-10-08
                              9 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Existing Account
                   Cross-site Scripting       -- Existing Account
                   Unauthorised Access        -- Remote/Unauthenticated
                   Access Confidential Data   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2298 CVE-2020-2297 CVE-2020-2296
                   CVE-2020-2295 CVE-2020-2294 CVE-2020-2293
                   CVE-2020-2292 CVE-2020-2291 CVE-2020-2290
                   CVE-2020-2289 CVE-2020-2288 CVE-2020-2287
                   CVE-2020-2286

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2020-10-08/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-10-08

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Active Choices Plugin
  o Audit Trail Plugin
  o couchdb-statistics Plugin
  o Maven Cascade Release Plugin
  o Nerrvana Plugin
  o Persona Plugin
  o Release Plugin
  o Role-based Authorization Strategy Plugin
  o Shared Objects Plugin
  o SMS Notification Plugin

Descriptions

Improper authorization due to caching in Role-based Authorization Strategy
Plugin

SECURITY-1767 / CVE-2020-2286

Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed
up permission lookups.

In Role-based Authorization Strategy Plugin 3.0 and earlier this cache is not
invalidated properly when an administrator changes the permission
configuration. This can result in permissions being granted long after the
configuration was changed to no longer grant them.

Role-based Authorization Strategy Plugin 3.1 properly invalidates the cache on
configuration changes.

Request logging could be bypassed in Audit Trail Plugin

SECURITY-1815 / CVE-2020-2287

Audit Trail Plugin logs requests whose URL path matches an admin-configured
regular expression.

A discrepancy between the behavior of the plugin and the Stapler web framework
in parsing URL paths allows attackers to craft URLs that would bypass request
logging in Audit Trail Plugin 3.6 and earlier. This only applies to Jenkins
2.227 and earlier, LTS 2.204.5 and earlier, as the fix for SECURITY-1774
prohibits dispatch of affected requests.

Audit Trail Plugin 3.7 processes request URL paths the same way as the Stapler
web framework.

Incorrect default pattern in Audit Trail Plugin

SECURITY-1846 / CVE-2020-2288

Audit Trail Plugin uses regular expressions to match requested URLs whose
dispatch should be logged.

In Audit Trail Plugin 3.6 and earlier, the default regular expression pattern
could be bypassed in many cases by adding a suffix to the URL that would be
ignored during request handling.

Audit Trail Plugin 3.7 changes the default regular expression pattern so that
it allows for arbitrary suffixes. It will automatically replace previous
default patterns with the new, more complete default pattern.

Additionally, an administrative monitor is shown if a user-specified pattern is
found to be bypassable through crafted URLs and form validation was improved to
recognize patterns that would not match requests with arbitrary suffixes.
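
The check below is an added example, not the Audit Trail Plugin's own code: it applies the advisory's criterion that a logging pattern is only sound if it still matches once a suffix that request handling ignores is appended, which is the verdict the improved form validation is described as giving. It assumes the pattern is applied to the whole request path with Java matches() semantics (emulated with re.fullmatch; minor regex dialect differences between Java and Python are ignored), and the paths, patterns and probe suffixes are constructed.

```python
"""Suffix-bypass check for Audit Trail-style URL patterns (SECURITY-1846).

Added example, not the plugin's code. A pattern is flagged "bypassable" when it
matches a request path but stops matching after a suffix is appended, which is
exactly the gap the advisory describes for the old default pattern.
Assumptions: full-path matching (Java matches(), here re.fullmatch); the sample
path, candidate patterns and probe suffixes below are constructed.
"""
import re

# Constructed probe suffixes of the kind the advisory says are ignored during dispatch.
PROBE_SUFFIXES = ("/", "/extra", "/a/b")

def tolerates_suffixes(pattern: str, path: str, suffixes=PROBE_SUFFIXES) -> bool:
    """True if every suffixed variant of a path the pattern matches still matches."""
    rx = re.compile(pattern)
    if rx.fullmatch(path) is None:
        raise ValueError(f"{path!r} does not match {pattern!r}; use a matching sample path")
    return all(rx.fullmatch(path + s) is not None for s in suffixes)

def validate_patterns(patterns, sample_path: str) -> dict:
    """Form-validation style verdict per pattern: 'ok' or 'bypassable'."""
    return {p: ("ok" if tolerates_suffixes(p, sample_path) else "bypassable")
            for p in patterns}

# Constructed sample: a path that should always be logged and two candidate patterns.
SAMPLE_PATH = "/job/demo/configSubmit"
STRICT_PATTERN = r".*/configSubmit"      # matches the path, but not path + suffix
LENIENT_PATTERN = r".*/configSubmit.*"   # also matches any appended suffix

if __name__ == "__main__":
    for pattern, verdict in validate_patterns([STRICT_PATTERN, LENIENT_PATTERN], SAMPLE_PATH).items():
        print(f"{pattern!r:28} -> {verdict}")
```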

Stored XSS vulnerability in Active Choices Plugin

SECURITY-1954 / CVE-2020-2289

Active Choices Plugin 2.4 and earlier does not escape the name and description
of build parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

Active Choices Plugin 2.5 escapes the name of build parameters and applies the
configured markup formatter to the description of build parameters.

Stored XSS vulnerability in Active Choices Plugin

SECURITY-2008 / CVE-2020-2290

Active Choices Plugin 2.4 and earlier does not escape List and Map return
values of sandboxed scripts for Reactive Reference Parameter.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

This issue is caused by an incomplete fix for SECURITY-470.

Active Choices Plugin 2.5 escapes all legal return values of sandboxed scripts.

Password stored in plain text by couchdb-statistics Plugin

SECURITY-2065 / CVE-2020-2291

couchdb-statistics Plugin 0.3 and earlier stores its server password
unencrypted in its global configuration file
org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller
as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file
system.

couchdb-statistics Plugin 0.4 stores its server password encrypted once its
configuration is saved again.

Stored XSS vulnerability in Release Plugin

SECURITY-1928 / CVE-2020-2292

Release Plugin 2.10.2 and earlier does not escape the release version in the
badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Release/Release permission.

As of publication of this advisory, there is no fix.

Arbitrary file read vulnerability in Persona Plugin

SECURITY-2046 / CVE-2020-2293

Persona Plugin 2.4 and earlier allows users with Overall/Read permission to
read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Maven Cascade Release
Plugin

SECURITY-2049 / CVE-2020-2294 (permission check), CVE-2020-2295 (CSRF)

Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to start cascade builds and
layout builds, and reconfigure the plugin.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability in Shared Objects Plugin

SECURITY-2052 / CVE-2020-2296

Shared Objects Plugin 0.44 and earlier does not require POST requests for an
HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to configure shared objects.

As of publication of this advisory, there is no fix.

Access token stored in plain text by SMS Notification Plugin

SECURITY-2054 / CVE-2020-2297

SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in
its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on
the Jenkins controller as part of its configuration.

This access token can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.
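
For the two plaintext-storage findings above (couchdb-statistics, SECURITY-2065, and SMS Notification, SECURITY-2054) the following added example, which is not Jenkins project code, checks the named configuration files for credential-looking elements that are not stored in encrypted form. The element names inside those files are not stated in the advisory, so a name heuristic is assumed; the XML samples are constructed, and the encrypted form assumed is the brace-wrapped base64 written by Jenkins' hudson.util.Secret.

```python
"""Spot plaintext credentials in the two plugin config files named in this advisory.
Added example, not Jenkins project code. Element names inside those files are not
given in the advisory, so a name heuristic (password/token/secret) is used, and the
XML below is constructed. Assumed encrypted form: Jenkins' hudson.util.Secret writes
a base64 blob wrapped in braces, which is what a fixed plugin stores on re-save.
"""
import os
import re
import xml.etree.ElementTree as ET

ADVISORY_FILES = (
    "org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml",  # SECURITY-2065
    "com.hoiio.jenkins.plugin.SMSNotification.xml",           # SECURITY-2054
)
SENSITIVE_TAG = re.compile(r"password|passwd|token|secret|apikey", re.I)
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

def find_plaintext_secrets(xml_text: str) -> list:
    """Return (tag, value) for credential-like elements whose text is not Secret-encrypted."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        value = (el.text or "").strip()
        if SENSITIVE_TAG.search(el.tag) and value and not ENCRYPTED_SECRET.match(value):
            hits.append((el.tag, value))
    return hits

def scan_jenkins_home(jenkins_home: str) -> dict:
    """Check only the advisory's two global config files; missing files are skipped."""
    report = {}
    for name in ADVISORY_FILES:
        path = os.path.join(jenkins_home, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                report[name] = find_plaintext_secrets(fh.read())
    return report

# Constructed samples: the pre-fix plaintext form and the post-fix encrypted form.
BEFORE_FIX = """<org.jenkinsci.plugins.couchstats.CouchStatsConfig>
  <url>http://couchdb.example.internal:5984/</url>
  <username>stats</username>
  <password>hunter2-constructed</password>
</org.jenkinsci.plugins.couchstats.CouchStatsConfig>"""
AFTER_FIX = BEFORE_FIX.replace("hunter2-constructed", "{AQAAABAAAAAQY29uc3RydWN0ZWRibG9i}")
```

A non-empty result for a file means the plugin version that wrote it is still the affected one, or the configuration has not been saved again since updating.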

XXE vulnerability in Nerrvana Plugin

SECURITY-2097 / CVE-2020-2298

Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read permission to have Jenkins parse a
crafted HTTP request with XML data that uses external entities for extraction
of secrets from the Jenkins controller or server-side request forgery.

Additionally, XML parsing is exposed as a form validation endpoint that does
not require POST requests, allowing exploitation by users without Overall/Read
permission via CSRF.

As of publication of this advisory, there is no fix.

Severity

  o SECURITY-1767: High
  o SECURITY-1815: Medium
  o SECURITY-1846: Medium
  o SECURITY-1928: High
  o SECURITY-1954: High
  o SECURITY-2008: High
  o SECURITY-2046: Medium
  o SECURITY-2049: Medium
  o SECURITY-2052: Medium
  o SECURITY-2054: Low
  o SECURITY-2065: Low
  o SECURITY-2097: High

Affected Versions

  o Active Choices Plugin up to and including 2.4
  o Audit Trail Plugin up to and including 3.6
  o couchdb-statistics Plugin up to and including 0.3
  o Maven Cascade Release Plugin up to and including 1.3.2
  o Nerrvana Plugin up to and including 1.02.06
  o Persona Plugin up to and including 2.4
  o Release Plugin up to and including 2.10.2
  o Role-based Authorization Strategy Plugin up to and including 3.0
  o Shared Objects Plugin up to and including 0.44
  o SMS Notification Plugin up to and including 1.2

Fix

  o Active Choices Plugin should be updated to version 2.5
  o Audit Trail Plugin should be updated to version 3.7
  o couchdb-statistics Plugin should be updated to version 0.4
  o Role-based Authorization Strategy Plugin should be updated to version 3.1

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Maven Cascade Release Plugin
  o Nerrvana Plugin
  o Persona Plugin
  o Release Plugin
  o Shared Objects Plugin
  o SMS Notification Plugin
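
The following added example (not Jenkins project code) turns the "Affected Versions" and "Fix" sections into a check over an installed-plugin listing. It assumes one "Display Name:version" line per plugin, which the Jenkins script console can print from Jenkins.instance.pluginManager.plugins using each plugin's displayName and version; the names are the advisory's own display names, and the sample listing is constructed.

```python
"""Flag installed Jenkins plugins affected by Security Advisory 2020-10-08.
Added example, not Jenkins project code; thresholds come from the advisory's
"Affected Versions" and "Fix" sections, keyed by the display names used there.
Input: one "Display Name:version" line per plugin (the listing below is constructed)."""
import re

# display name -> (last affected version, fixed version or None when no fix yet)
ADVISORY_2020_10_08 = {
    "Active Choices Plugin": ("2.4", "2.5"),
    "Audit Trail Plugin": ("3.6", "3.7"),
    "couchdb-statistics Plugin": ("0.3", "0.4"),
    "Maven Cascade Release Plugin": ("1.3.2", None),
    "Nerrvana Plugin": ("1.02.06", None),
    "Persona Plugin": ("2.4", None),
    "Release Plugin": ("2.10.2", None),
    "Role-based Authorization Strategy Plugin": ("3.0", "3.1"),
    "Shared Objects Plugin": ("0.44", None),
    "SMS Notification Plugin": ("1.2", None),
}

def version_key(version: str) -> tuple:
    """'1.02.06' -> (1, 2, 6), so '2.10.2' sorts above '2.5'; a '-beta' tail is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", version)
    if core is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in core.group(0).split("."))

def is_affected(name: str, version: str, advisory=ADVISORY_2020_10_08) -> bool:
    """Affected when listed in the advisory and not newer than its last affected version."""
    entry = advisory.get(name)
    return entry is not None and version_key(version) <= version_key(entry[0])

def assess(listing: str, advisory=ADVISORY_2020_10_08) -> dict:
    """Map each affected plugin to (installed version, remediation advice)."""
    findings = {}
    for line in listing.splitlines():
        if ":" not in line:
            continue  # blank or malformed line
        name, version = (s.strip() for s in line.rsplit(":", 1))
        if is_affected(name, version, advisory):
            fixed = advisory[name][1]
            findings[name] = (version, f"update to {fixed}" if fixed else "no fix available; disable or restrict use")
    return findings

# Constructed listing mixing fixed, affected, unfixable and unrelated plugins.
SAMPLE_LISTING = """\
Role-based Authorization Strategy Plugin:2.15
Audit Trail Plugin:3.7
Active Choices Plugin:2.4
Nerrvana Plugin:1.02.06
Unrelated Plugin:1.0
"""
```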

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-1846, SECURITY-2046,
    SECURITY-2097
  o Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for
    SECURITY-1815
  o Jeff Thompson, CloudBees, Inc. for SECURITY-2052
  o Long Nguyen, Viettel Cyber Security for SECURITY-2054, SECURITY-2065
  o Raihaan Shouhell, Autodesk, Inc for SECURITY-1767
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-1928, SECURITY-1954,
    SECURITY-2008
  o Wadeck Follonier, CloudBees, Inc. and Jeff Thompson, CloudBees, Inc. for
    SECURITY-2049

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================