CloudBees Security Advisory 2018-06-04

 

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

 

Server-side request forgery vulnerability in Git Plugin - SECURITY-810 / CVE pending

Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and the Overall/Administer permission.

Server-side request forgery vulnerability in GitHub Plugin - SECURITY-799 / CVE pending

A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL.

If that request’s HTTP response code indicates success, the form validation is returning a generic success message, otherwise the HTTP status code is returned.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

The form validation method now requires POST requests and the Overall/Administer permission.

CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials - SECURITY-804 / CVE pending

GitHub Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and appropriate user permissions.

Server-side request forgery vulnerability in GitHub Branch Source Plugin - SECURITY-806 / CVE pending

A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and the Overall/Administer permission.

CSRF vulnerability and missing permission checks in GitHub Pull Request Builder Plugin allowed server-side request forgery, capturing credentials - SECURITY-805 / CVE pending

GitHub Pull Request Builder Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer permissions.

Kubernetes Plugin printed sensitive build variables to logs - SECURITY-883 / CVE pending

Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and master log, when using pipeline steps like withDockerRegistry.

The plugin now applies masking of sensitive build variables to these pipeline steps.

Server-side request forgery vulnerability in CAS Plugin - SECURITY-809 / CVE pending

A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and the Overall/Administer permission.

CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins master - SECURITY-807 / CVE pending

AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins master.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method no longer implements the validation that required a program to be invoked.

CSRF vulnerability and missing permission checks in Black Duck Hub Plugin allowed server-side request forgery, capturing credentials - SECURITY-865 / CVE pending

Black Duck Hub Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials - SECURITY-866 / CVE pending

Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer permissions.

 

Severity: 

 

 

Fix: 

 

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.107.3.4 revision 3
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.107.3.4 revision 3
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.73.32.0.1 revision 2
  • CloudBees Jenkins Team should be upgraded to version 2.107.3.4 revision 3
  • DEV@cloud is already protected