-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3904
                 Jenkins plugins multiple vulnerabilities
                              6 November 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Increased Privileges       -- Remote/Unauthenticated
                   Cross-site Request Forgery -- Existing Account      
                   Cross-site Scripting       -- Existing Account      
                   Unauthorised Access        -- Remote/Unauthenticated
                   Access Confidential Data   -- Existing Account      
                   Reduced Security           -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2319 CVE-2020-2318 CVE-2020-2317
                   CVE-2020-2316 CVE-2020-2315 CVE-2020-2314
                   CVE-2020-2313 CVE-2020-2312 CVE-2020-2311
                   CVE-2020-2310 CVE-2020-2309 CVE-2020-2308
                   CVE-2020-2307 CVE-2020-2306 CVE-2020-2305
                   CVE-2020-2304 CVE-2020-2303 CVE-2020-2302
                   CVE-2020-2301 CVE-2020-2300 CVE-2020-2299

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2020-11-04/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2020-11-04

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Active Directory Plugin
  o Ansible Plugin
  o AppSpider Plugin
  o AWS Global Configuration Plugin
  o Azure Key Vault Plugin
  o FindBugs Plugin
  o Kubernetes Plugin
  o Mail Commander Plugin for Jenkins-ci Plugin
  o Mercurial Plugin
  o SQLPlus Script Runner Plugin
  o Static Analysis Utilities Plugin
  o Subversion Plugin
  o Visualworks Store Plugin
  o VMware Lab Manager Slaves Plugin

Descriptions

Login allowed with hardcoded password by Active Directory Plugin

SECURITY-2117 / CVE-2020-2299

Active Directory Plugin implements two separate modes: Integration with ADSI on
Windows, and an OS agnostic LDAP-based mode.

The LDAP-based mode in Active Directory Plugin 2.19 and earlier shares code
between user lookup and user authentication and distinguishes these behaviors
through the use of a magic constant used in place of a real password. This
allows attackers to log in as any user if the magic constant is used as the
password in Active Directory Plugin 2.19 and earlier.

Active Directory Plugin 2.20 no longer uses a magic constant to distinguish
between user lookup and user authentication.

Login allowed with empty password by Active Directory Plugin

SECURITY-2099 / CVE-2020-2300

Active Directory Plugin implements two separate modes: Integration with ADSI on
Windows, and an OS agnostic LDAP-based mode.

The Windows/ADSI mode does not specifically prohibit use of empty passwords in
Active Directory Plugin 2.19 and earlier. If the Active Directory server allows
the unauthenticated bind operation, this allows attackers to log in to Jenkins
as any user by providing an empty password.

Active Directory Plugin 2.20 prohibits the use of an empty password to log in.

Authentication cache in Active Directory Plugin allows logging in with any
password

SECURITY-2123 / CVE-2020-2301

Active Directory Plugin implements two separate modes: Integration with ADSI on
Windows, and an OS agnostic LDAP-based mode. Optionally, to reduce lookup time,
a cache can be configured to remember user lookups and user authentications.

In Active Directory Plugin 2.19 and earlier, when run in Windows/ADSI mode, the
provided password was not used when looking up an applicable cache entry. This
allows attackers to log in as any user using any password while a successful
authentication of that user is still in the cache.

As a workaround for this issue, the cache can be disabled.

Active Directory Plugin 2.20 includes the provided password in cache entry
lookup.

Additionally, the Java system property
hudson.plugins.active_directory.CacheUtil.noCacheAuth can be set to true to no
longer cache user authentications.
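The three Active Directory Plugin issues above (SECURITY-2117, SECURITY-2099 and SECURITY-2123) share a shape: a user lookup and a user authentication that share code, an empty password reaching the server, and a cache keyed on the user name alone. The following is an added illustration, not Active Directory Plugin code, of an authenticator that avoids all three: lookup and authentication are separate methods (no magic constant), empty passwords are refused before any bind, and a cache entry holds a salted PBKDF2 verifier so a hit only counts when the supplied password matches. The `Directory` interface and the in-memory account table are hypothetical stand-ins for an LDAP or ADSI backend.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example (not Active Directory Plugin code) of a password-aware authentication cache. */
public class AuthenticationCacheExample {

    /** Hypothetical directory backend standing in for an LDAP or ADSI connection. */
    public interface Directory {
        /** True if the directory accepted these credentials in a real bind. */
        boolean bind(String user, String password);
        /** The user's record (display name here), or null if unknown; needs no password. */
        String lookup(String user);
    }

    /** Cache entry: a salted verifier of the password, never the password itself. */
    private static final class Entry {
        final byte[] salt;
        final byte[] verifier;
        final long expiresAtMillis;

        Entry(byte[] salt, byte[] verifier, long expiresAtMillis) {
            this.salt = salt;
            this.verifier = verifier;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final Directory directory;
    private final long ttlMillis;
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    public AuthenticationCacheExample(Directory directory, long ttlMillis) {
        this.directory = directory;
        this.ttlMillis = ttlMillis;
    }

    /** Lookup is its own entry point, so no sentinel password value is needed to select it. */
    public String lookupUser(String user) {
        return directory.lookup(user);
    }

    public boolean authenticate(String user, String password) throws Exception {
        // Refuse empty credentials before contacting the server: some directories treat
        // an empty password as an unauthenticated bind and report success.
        if (user == null || user.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        long now = System.currentTimeMillis();
        Entry entry = cache.get(user);
        if (entry != null && now < entry.expiresAtMillis) {
            // The password takes part in the cache check; a hit on user name alone is not enough.
            byte[] candidate = derive(password, entry.salt);
            if (MessageDigest.isEqual(candidate, entry.verifier)) {
                return true;
            }
            // Cached user but different password: fall through to a real bind, which also
            // picks up a legitimate password change.
        }
        if (!directory.bind(user, password)) {
            return false;
        }
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        cache.put(user, new Entry(salt, derive(password, salt), now + ttlMillis));
        return true;
    }

    private static byte[] derive(String password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 10_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory directory with a single account.
        Map<String, String> accounts = new HashMap<>();
        accounts.put("alice", "correct horse");
        Directory fake = new Directory() {
            @Override public boolean bind(String u, String p) { return p.equals(accounts.get(u)); }
            @Override public String lookup(String u) { return accounts.containsKey(u) ? "User " + u : null; }
        };
        AuthenticationCacheExample auth = new AuthenticationCacheExample(fake, 60_000L);
        System.out.println("correct password:        " + auth.authenticate("alice", "correct horse"));
        System.out.println("cached user, wrong pw:   " + auth.authenticate("alice", "anything"));
        System.out.println("empty password:          " + auth.authenticate("alice", ""));
        System.out.println("lookup without password: " + auth.lookupUser("alice"));
    }
}
```

The second `authenticate` call is the SECURITY-2123 case: the user is in the cache from the first call, but the wrong password fails the verifier comparison and the request goes to the directory, which rejects it. Storing a verifier rather than the password means a memory dump of the cache does not yield credentials, and `MessageDigest.isEqual` keeps the comparison constant-time.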

Missing permission check in Active Directory Plugin allows accessing domain
health check page

SECURITY-1999 / CVE-2020-2302

Active Directory Plugin 2.19 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to access the domain health
check diagnostic page.

Active Directory Plugin 2.20 requires Overall/Administer permission to access
the domain health check diagnostic page.

CSRF vulnerability in Active Directory Plugin

SECURITY-2126 / CVE-2020-2303

Active Directory Plugin 2.19 and earlier does not require POST requests for
multiple HTTP endpoints implementing connection and authentication tests,
resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to perform connection tests, connecting to
attacker-specified or previously configured Active Directory servers using
attacker-specified credentials.

Active Directory Plugin 2.20 requires POST requests for the affected HTTP
endpoints.

XXE vulnerability in Subversion Plugin

SECURITY-2145 / CVE-2020-2304

Subversion Plugin 2.13.1 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a
crafted changelog file that uses external entities for extraction of secrets
from the Jenkins controller or server-side request forgery.

Subversion Plugin 2.13.2 disables external entity resolution for its XML
parser.

XXE vulnerability in Mercurial Plugin

SECURITY-2115 / CVE-2020-2305

Mercurial Plugin 2.11 and earlier does not configure its XML changelog parser
to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a
crafted changelog file that uses external entities for extraction of secrets
from the Jenkins controller or server-side request forgery.

Mercurial Plugin 2.12 disables external entity resolution for its XML parser.

Missing permission check in Mercurial Plugin

SECURITY-2104 / CVE-2020-2306

Mercurial Plugin 2.11 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to obtain a list of names of
configured Mercurial installations.

Mercurial Plugin 2.12 performs permission checks when listing configured
Mercurial installations.

Jenkins controller environment variables accessible in Kubernetes Plugin

SECURITY-1646 / CVE-2020-2307

Kubernetes Plugin 1.27.3 and earlier includes a feature to replace placeholders
in pod template and container template fields with environment variable values.

This feature allows low-privilege users to access possibly sensitive Jenkins
controller environment variables.

Kubernetes Plugin 1.27.4 disables this feature.

Note: The Java system property
org.csanchez.jenkins.plugins.kubernetes.PodTemplateUtils.SUBSTITUTE_ENV can be
set to true to restore this feature. Administrators are advised that future
releases of Kubernetes Plugin will remove this feature entirely.

Missing permission check in Kubernetes Plugin allows listing pod templates

SECURITY-2102 / CVE-2020-2308

Kubernetes Plugin 1.27.3 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to list global pod template
names.

Kubernetes Plugin 1.27.4 requires Overall/Administer permission to list global
pod template names.

Missing permission check in Kubernetes Plugin allows enumerating credentials
IDs

SECURITY-2103 / CVE-2020-2309

Kubernetes Plugin 1.27.3 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

An enumeration of credentials IDs in Kubernetes Plugin 1.27.4 requires the
appropriate permissions.

Missing permission checks in Ansible Plugin allow enumerating credentials IDs

SECURITY-1943 / CVE-2020-2310

Ansible Plugin 1.0 and earlier does not perform permission checks in methods
implementing form validation.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

An enumeration of credentials IDs in Ansible Plugin 1.1 requires the
appropriate permissions.

Missing permission check in AWS Global Configuration Plugin allows replacing
plugin configuration

SECURITY-2101 / CVE-2020-2311

AWS Global Configuration Plugin 1.5 and earlier does not perform a permission
check in an HTTP endpoint processing form submissions.

This allows attackers with Overall/Read permission to replace the global AWS
configuration.

AWS Global Configuration Plugin 1.6 properly performs permission checks when
processing configuration form submissions.

Password written to the build log by SQLPlus Script Runner Plugin

SECURITY-2129 / CVE-2020-2312

SQLPlus Script Runner Plugin 2.0.12 and earlier prints the sqlplus command
invocation to the build log.

This log message does not redact a password provided as part of a command line
argument. This password can be viewed by users with Item/Read permission.

SQLPlus Script Runner Plugin 2.0.13 no longer prints the password in the build
log.

Missing permission checks in Azure Key Vault Plugin allow enumerating
credentials IDs

SECURITY-2110 / CVE-2020-2313

Azure Key Vault Plugin 2.0 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

An enumeration of credentials IDs in Azure Key Vault Plugin 2.1 requires the
appropriate permissions.
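The advisory entries for SECURITY-2126 (endpoints reachable by GET, hence CSRF), SECURITY-1999, SECURITY-2104, SECURITY-2102 and SECURITY-2101 (endpoints without a permission check) and SECURITY-2103, SECURITY-1943 and SECURITY-2110 (form-validation methods that enumerate credentials IDs) all describe Stapler web methods that are missing the same guards. The following added example shows the standard Jenkins pattern for each; it is not code from any of the affected plugins. The class, its endpoint names and the credentials type are hypothetical; `@RequirePOST`, `checkPermission`, `StandardListBoxModel` and the `includeAs` / `includeCurrentValue` calls are the Jenkins core and Credentials Plugin APIs as of the advisory's time frame.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical global configuration, added as an example; not any listed plugin's code. */
@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {

    /**
     * Connection test that contacts a server with caller-supplied credentials.
     * @RequirePOST makes Stapler reject GET requests, so the CSRF crumb is enforced,
     * and the explicit permission check limits the endpoint to administrators.
     */
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String server,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (server == null || server.trim().isEmpty()) {
            return FormValidation.error("Server must not be empty");
        }
        // Hypothetical: the real connection attempt would go here.
        return FormValidation.ok("Connection parameters accepted");
    }

    /** Read-only diagnostic page that exposes internals, so it is restricted to administrators. */
    public String getHealthReport() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return "ok"; // hypothetical report content
    }

    /**
     * Credentials drop-down for a form. A caller without the relevant permission
     * receives only the value already configured, so credentials IDs are not
     * enumerable by everyone holding Overall/Read.
     */
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            // Global configuration context: administrators only.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            // Job context: the caller must be allowed to see or use the job's credentials.
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
    }
}
```

Two points a reviewer looks for: `doFill...Items` and `doCheck...` methods are reachable by any authenticated user unless the method itself checks, so the guard belongs inside the method, not in the Jelly view; and a test or diagnostic endpoint that takes a server address and credentials should never be reachable by GET, since a GET can be triggered from another site in a victim's browser.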

Password stored in plain text by AppSpider Plugin

SECURITY-2058 / CVE-2020-2314

AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global
configuration file com.rapid7.jenkinspider.PostBuildScan.xml on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file
system.

AppSpider Plugin 1.0.13 stores a password encrypted once its configuration is
saved again.

XXE vulnerability in Visualworks Store Plugin

SECURITY-1900 / CVE-2020-2315

Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the output of a script that
runs Visualworks with StoreCI, or able to control an agent process, to have
Jenkins parse a crafted file that uses external entities for extraction of
secrets from the Jenkins controller or server-side request forgery.

Visualworks Store Plugin 1.1.4 disables external entity resolution for its XML
parser.
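The three XXE entries above (SECURITY-2145 in Subversion Plugin, SECURITY-2115 in Mercurial Plugin and SECURITY-1900 in Visualworks Store Plugin) have the same fix: the XML parser must be configured so that a changelog or report file cannot declare or resolve external entities. The following added example, which is not code from any of these plugins, shows a JAXP `DocumentBuilderFactory` configured that way and feeds it a constructed document carrying an external entity declaration so that the rejection can be observed. The feature URIs are the standard Xerces/JAXP ones; the sample file path in the entity is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added example (not plugin code): a DocumentBuilder that cannot resolve external entities. */
public final class HardenedXmlParser {

    private HardenedXmlParser() {}

    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: a changelog never needs one, and without a DTD
        // no entity, internal or external, can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static Document parse(InputStream in) throws Exception {
        return newDocumentBuilder().parse(in);
    }

    private static InputStream bytes(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a changelog-like document that declares an external entity.
        // A default DocumentBuilderFactory would try to read the referenced path when the
        // entity is expanded; the hardened builder stops at the DOCTYPE declaration.
        String crafted = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE changelog [<!ENTITY ext SYSTEM \"file:///placeholder/path/on/controller\">]>\n"
                + "<changelog><entry><msg>&ext;</msg></entry></changelog>";
        try {
            parse(bytes(crafted));
            System.out.println("unexpected: crafted document was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A normal changelog without a DOCTYPE parses as before.
        String clean = "<changelog><entry><msg>Fix build</msg></entry></changelog>";
        Document doc = parse(bytes(clean));
        System.out.println("parsed root element: " + doc.getDocumentElement().getTagName());
    }
}
```

The `disallow-doctype-decl` feature is the one that matters for files whose format never uses a DTD; the remaining settings cover parsers that do not honour it and cases where a DOCTYPE has to be tolerated. The same settings apply to `SAXParserFactory` and, via `XMLInputFactory.SUPPORT_DTD`, to StAX.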

Stored XSS vulnerability in Static Analysis Utilities Plugin

SECURITY-1907 / CVE-2020-2316

Static Analysis Utilities Plugin 1.96 and earlier does not escape the
annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in FindBugs Plugin

SECURITY-1918 / CVE-2020-2317

FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in
tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to provide report files to FindBugs Plugin's post build step.

As of publication of this advisory, there is no fix.
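SECURITY-1907 and SECURITY-1918 both come down to an annotation message from a report file being placed into tooltip markup without escaping. The following added example, not code from Static Analysis Utilities Plugin or FindBugs Plugin, shows the unescaped and the escaped construction side by side with a constructed message of the kind a hostile report could carry. The escaper is written out here so the example is self-contained; Jenkins core's `hudson.Util.escape` serves the same purpose in real plugin code.

```java
/** Added example (not plugin code): escaping untrusted text before it lands in tooltip HTML. */
public final class TooltipEscapingExample {

    private TooltipEscapingExample() {}

    /** Escape the five characters that change meaning in HTML text and attribute values. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable form: the report-supplied message is spliced into the markup verbatim. */
    static String tooltipUnsafe(String message) {
        return "<span class=\"annotation\" title=\"" + message + "\">!</span>";
    }

    /** Fixed form: the message is escaped before it reaches the attribute value. */
    static String tooltipSafe(String message) {
        return "<span class=\"annotation\" title=\"" + escape(message) + "\">!</span>";
    }

    public static void main(String[] args) {
        // Constructed sample annotation message: a double quote closes the title attribute
        // early, so the rest of the text is parsed as markup in the unsafe form.
        String message = "Possible null dereference\" onmouseover=\"alert(1)";
        System.out.println("unsafe: " + tooltipUnsafe(message));
        System.out.println("safe:   " + tooltipSafe(message));
    }
}
```

In the escaped form the quote becomes `&quot;`, so the browser keeps the whole message inside the `title` attribute and no new attribute or element is created. Escaping has to happen at the point where the string enters HTML, not when the report is read, since the same message may also be shown in a plain-text context.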

Passwords stored in plain text by Mail Commander Plugin for Jenkins-ci Plugin

SECURITY-2085 / CVE-2020-2318

Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords
unencrypted in job config.xml files on the Jenkins controller as part of its
configuration.

These passwords can be viewed by users with Item/Extended Read permission or
access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by VMware Lab Manager Slaves Plugin

SECURITY-2084 / CVE-2020-2319

VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password
unencrypted in the global config.xml file on the Jenkins controller as part of
its configuration.

This password can be viewed by users with access to the Jenkins controller file
system.
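Four entries above concern secrets that reach places they should not: SECURITY-2129 (a password echoed into the build log as part of the command line) and SECURITY-2058, SECURITY-2085 and SECURITY-2084 (passwords persisted as plain `String` fields in config.xml). The following added example, not code from any of those plugins, shows a hypothetical build step that stores its password as `hudson.util.Secret` (XStream then writes it encrypted), migrates a plain-text field left by an older version on load, and passes the password to the launcher as a masked argument so the command echoed into the build log shows it as `******`. The class and tool name are made up; `Secret`, `ArgumentListBuilder.addMasked` and `Launcher.ProcStarter.cmds` are Jenkins core APIs.

```java
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.ArgumentListBuilder;
import hudson.util.Secret;
import java.io.IOException;
import org.kohsuke.stapler.DataBoundConstructor;

/** Hypothetical build step, added as an example; not any listed plugin's code. */
public class SecretAwareBuilder extends Builder {

    private String username;
    /** Persisted as hudson.util.Secret, so config.xml holds the encrypted form. */
    private Secret password;
    /** Plain-text field that an older version of this hypothetical plugin used to write. */
    @Deprecated
    private String legacyPassword;

    @DataBoundConstructor
    public SecretAwareBuilder(String username, Secret password) {
        this.username = username;
        this.password = password;
    }

    public String getUsername() { return username; }
    public Secret getPassword() { return password; }

    /**
     * Called by XStream after a job's config.xml is loaded. A value left in the old
     * plain-text field is moved into the Secret field, so the next save of the job
     * writes it encrypted; this is why a fix of this kind takes effect once the
     * configuration is saved again.
     */
    protected Object readResolve() {
        if (password == null && legacyPassword != null) {
            password = Secret.fromString(legacyPassword);
            legacyPassword = null;
        }
        return this;
    }

    /** Build the command line; the password is added masked, never as a plain argument. */
    ArgumentListBuilder commandLine() {
        ArgumentListBuilder args = new ArgumentListBuilder("example-sql-tool", "-u", username);
        args.add("-p").addMasked(Secret.toString(password));
        return args;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener)
            throws InterruptedException, IOException {
        ArgumentListBuilder args = commandLine();
        // Do not print args or the plain-text password here. When the launcher echoes the
        // command into the build log it substitutes '******' for every masked argument.
        listener.getLogger().println("Running example-sql-tool as " + username);
        return launcher.launch().cmds(args).stdout(listener).join() == 0;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Secret-aware example step";
        }
    }
}
```

The matching Jelly form has to use `<f:password>` for the field, so the encrypted value rather than the plain text round-trips through the browser. Note that `Secret` protects the value at rest on the controller only; anyone who can execute code on the controller, or who holds Item/Extended Read on a job and can read the encrypted form together with the controller's key, is outside the threat this mitigates.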

As of publication of this advisory, there is no fix.

Severity

  o SECURITY-1646: Medium
  o SECURITY-1900: High
  o SECURITY-1907: High
  o SECURITY-1918: High
  o SECURITY-1943: Medium
  o SECURITY-1999: Medium
  o SECURITY-2058: Low
  o SECURITY-2084: Low
  o SECURITY-2085: Medium
  o SECURITY-2099: High
  o SECURITY-2101: Medium
  o SECURITY-2102: Medium
  o SECURITY-2103: Medium
  o SECURITY-2104: Medium
  o SECURITY-2110: Medium
  o SECURITY-2115: High
  o SECURITY-2117: Critical
  o SECURITY-2123: High
  o SECURITY-2126: Medium
  o SECURITY-2129: Medium
  o SECURITY-2145: High

Affected Versions

  o Active Directory Plugin up to and including 2.19
  o Ansible Plugin up to and including 1.0
  o AppSpider Plugin up to and including 1.0.12
  o AWS Global Configuration Plugin up to and including 1.5
  o Azure Key Vault Plugin up to and including 2.0
  o FindBugs Plugin up to and including 5.0.0
  o Kubernetes Plugin up to and including 1.27.3
  o Mail Commander Plugin for Jenkins-ci Plugin up to and including 1.0.0
  o Mercurial Plugin up to and including 2.11
  o SQLPlus Script Runner Plugin up to and including 2.0.12
  o Static Analysis Utilities Plugin up to and including 1.96
  o Subversion Plugin up to and including 2.13.1
  o Visualworks Store Plugin up to and including 1.1.3
  o VMware Lab Manager Slaves Plugin up to and including 0.2.8

Fix

  o Active Directory Plugin should be updated to version 2.20
  o Ansible Plugin should be updated to version 1.1
  o AppSpider Plugin should be updated to version 1.0.13
  o AWS Global Configuration Plugin should be updated to version 1.6
  o Azure Key Vault Plugin should be updated to version 2.1
  o Kubernetes Plugin should be updated to version 1.27.4
  o Mercurial Plugin should be updated to version 2.12
  o SQLPlus Script Runner Plugin should be updated to version 2.0.13
  o Subversion Plugin should be updated to version 2.13.2
  o Visualworks Store Plugin should be updated to version 1.1.4

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o FindBugs Plugin
  o Mail Commander Plugin for Jenkins-ci Plugin
  o Static Analysis Utilities Plugin
  o VMware Lab Manager Slaves Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Chris Maggiulli, Build and Integrations Engineer, Excelsior College for
    SECURITY-2129
  o Daniel Beck, CloudBees, Inc. for SECURITY-2117, SECURITY-2145
  o Jeff Thompson, CloudBees, Inc. for SECURITY-1900
  o Long Nguyen, Viettel Cyber Security for SECURITY-2058, SECURITY-2084,
    SECURITY-2085
  o Matt Sicker, CloudBees, Inc. for SECURITY-1999
  o Vic Chappill, Lee Jones, and Matthew Maylin, Siemens for SECURITY-2099
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-1907, SECURITY-1918,
    SECURITY-1943

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----