CloudBees Security Advisory 2018-07-30

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

SSH Agent Plugin could reveal SSH key passphrase when used inside pipeline - SECURITY-704

When using the sshagent step inside a withDockerContainer block in Pipeline, the resulting logging of the ssh-add command included the SSH key passphrase in plain text.

The plugin no longer logs the ssh-add invocation that would reveal the passphrase.

CSRF vulnerability and missing permission checks in Resource Disposer Plugin - SECURITY-997

Resource Disposer Plugin did not perform permission checks on an API endpoint. This allowed users with Overall/Read access to Jenkins to stop tracking a specified resource.

Additionally, this API endpoint did not require POST requests, resulting in a CSRF vulnerability.

This API endpoint now requires POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Publish Over CIFS Plugin - SECURITY-975

Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker specified host.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Confluence Publisher Plugin - SECURITY-982

Confluence Publisher Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit login requests to Confluence using attacker-specified credentials.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Kubernetes Plugin allowed capturing credentials - SECURITY-1016

Kubernetes Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes cluster using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Tinfoil Security Plugin stored API Secret Key in plain text - SECURITY-840

Tinfoil Security Plugin stored the API Secret Key unencrypted in its global configuration file on the Jenkins master. This key could be viewed by users with access to the master file system.

The plugin now integrates with Credentials Plugin. Existing configurations are not migrated and will need to be reconfigured.

TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation - SECURITY-932

TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins master JVM.

TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plugin.

CSRF vulnerability and missing permission checks in TraceTronic ECU-TEST Plugin allowed server-side request forgery - SECURITY-994

TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the suffix /app-version-info appended.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in SaltStack Plugin allowed capturing credentials - SECURITY-1009

SaltStack Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Accurev Plugin allowed capturing credentials - SECURITY-1021

Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin - SECURITY-1001

Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability.

Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI.

CSRF vulnerability and missing permission checks in Maven Artifact ChoiceListProvider (Nexus) Plugin allowed capturing credentials - SECURITY-1022

Maven Artifact ChoiceListProvider (Nexus) Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Nexus or Artifactory server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

meliora-testlab Plugin stored API Key in plain text - SECURITY-847

meliora-testlab Plugin stored the API Key unencrypted in its global configuration file on the Jenkins master. This key could be viewed by users with access to the master file system.

Additionally, the API key was not masked from view using a password form field.

The plugin now stores the API Key encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

CSRF vulnerability and missing permission checks in Agiletestware Pangolin Connector for TestRail Plugin allowed overriding plugin configuration - SECURITY-995

Agiletestware Pangolin Connector for TestRail Plugin did not perform permission checks on an API endpoint used to validate and save the plugin configuration. This allowed users with Overall/Read access to Jenkins to override the plugin configuration.

Additionally, the API endpoint did not require POST requests, resulting in a CSRF vulnerability.

This API endpoint now requires POST requests and Overall/Administer permissions.
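The form validation findings above (SECURITY-975, 982, 1016, 994, 1009, 1021, 1022) and the API endpoint findings (SECURITY-997, 995) all share one pattern and one fix. The following is an added illustration, not code from the advisory or from any of the named plugins; the class, method and package names (example, VulnerableConfig, FixedConfig, doCheckServerUrl) are assumed.

```java
// File 1 of 2: VulnerableConfig.java (class and method names are assumed)
package example;

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.QueryParameter;

// Stapler serves doCheckServerUrl at /descriptorByName/example.VulnerableConfig/checkServerUrl
// for ANY HTTP method. Reaching it needs only Overall/Read, and because GET is accepted a
// page on another site can make a logged-in user's browser call it (CSRF): the Jenkins crumb
// check covers POST only. Jenkins then opens a connection to whatever URL was supplied.
@Extension
public class VulnerableConfig extends GlobalConfiguration {
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        try {
            new java.net.URL(value).openConnection().connect(); // outbound connection from the master
            return FormValidation.ok();
        } catch (Exception e) {
            return FormValidation.error("Cannot connect: " + e.getMessage());
        }
    }
}

// File 2 of 2: FixedConfig.java, the shape of the fix the advisory describes
package example;

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

@Extension
public class FixedConfig extends GlobalConfiguration {
    @POST // Stapler rejects other HTTP methods; a cross-site POST then fails the crumb check
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        // Overall/Administer: throws AccessDeniedException for anyone else, so an
        // Overall/Read user can no longer make the master connect anywhere
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            new java.net.URL(value).openConnection().connect();
            return FormValidation.ok();
        } catch (Exception e) {
            return FormValidation.error("Cannot connect: " + e.getMessage());
        }
    }
}
// Jelly: <f:textbox field="serverUrl" checkMethod="post"/> so the form's own check also uses POST
```

For a plain API endpoint rather than a doCheck method, the equivalent is org.kohsuke.stapler.interceptor.RequirePOST on the do-method plus the same checkPermission call; the credential-capturing variants (Kubernetes, SaltStack, Accurev, Nexus) are closed by the same two requirements, since the credentials ID can then only be resolved by an administrator.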

Anchore Container Image Scanner Plugin stored password in plain text - SECURITY-1039

Anchore Container Image Scanner Plugin stored the password unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.
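The plain-text storage findings above (SECURITY-840, 847, 1039) share a root cause; the meliora-testlab and Anchore fixes store the value as a hudson.util.Secret, while Tinfoil moved to the Credentials Plugin. The following is an added illustration of the Secret-based fix, not code from the advisory or from any of those plugins; the class, field and method names (example, ExampleScannerConfig, apiKey, apiKeyForRequest) are assumed.

```java
package example;

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;

@Extension
public class ExampleScannerConfig extends GlobalConfiguration {

    // BEFORE (the SECURITY-840/847/1039 pattern): a plain String. XStream writes it to
    // $JENKINS_HOME/example.ExampleScannerConfig.xml as <apiKey>the-real-key</apiKey>,
    // readable by anyone with file system access to the master (and present in every
    // backup), and a plain <f:textbox> echoes it back to whoever opens the config page.
    //   private String apiKey;

    // AFTER: Secret. XStream serializes it as an encrypted token (the key material lives
    // in $JENKINS_HOME/secrets), so the on-disk file no longer contains the plain text.
    private Secret apiKey;

    public ExampleScannerConfig() {
        load(); // restore the persisted (encrypted) value on startup
    }

    // Rendered with <f:password field="apiKey"/> in config.jelly: the browser receives
    // Secret.toString() on the instance, i.e. the encrypted token, never the plain text.
    public Secret getApiKey() {
        return apiKey;
    }

    public void setApiKey(Secret apiKey) {
        this.apiKey = apiKey;
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json); // Stapler converts the submitted string into a Secret
        save();
        return true;
    }

    // Decrypt only at the point of use, never into a field, a log line or a form.
    String apiKeyForRequest() {
        return Secret.toString(apiKey); // static helper: plain text, or "" when unset
    }
}
```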

Inedo ProGet Plugin globally and unconditionally disabled SSL/TLS certificate validation - SECURITY-933

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins master JVM.

The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections.

Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation - SECURITY-935

Inedo BuildMaster Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins master JVM.

The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections.
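The three certificate-validation findings (SECURITY-932, 933, 935) stem from the same Java anti-pattern, and the fix in each case is to scope the relaxation to the plugin's own connections. The following is an added illustration, not code from the advisory or from the ECU-TEST, ProGet or BuildMaster plugins; the class and method names (TlsScope, legacyDisableValidation, openScoped, allowInsecure) are assumed.

```java
package example;

import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsScope {

    // Accepts any certificate chain: this is what "disables SSL/TLS certificate validation" means.
    private static SSLSocketFactory trustAllFactory() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx.getSocketFactory();
    }

    // BEFORE (the pattern behind the three findings): the JVM-wide defaults are replaced.
    // From this call on, every HttpsURLConnection opened in the Jenkins master JVM, by this
    // plugin, by any other plugin, or by core (update center, webhooks, ...), accepts forged
    // certificates and any hostname, and nothing else in the process can opt back out.
    static void legacyDisableValidation() throws Exception {
        HttpsURLConnection.setDefaultSSLSocketFactory(trustAllFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // AFTER (the shape the advisory describes): the relaxation is set on one connection
    // object, and only when the administrator has enabled the plugin's own option; the
    // default for everything else, and for this plugin while the option is off, stays secure.
    static HttpsURLConnection openScoped(URL url, boolean allowInsecure) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        if (allowInsecure) {
            conn.setSSLSocketFactory(trustAllFactory());
            conn.setHostnameVerifier((hostname, session) -> true);
        }
        return conn;
    }
}
```

A quick check for the legacy pattern in a plugin under review is a search for setDefaultSSLSocketFactory and setDefaultHostnameVerifier: any hit is process-wide by construction.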


Severity: 
Fix: 
  • CloudBees Traditional Platforms should be upgraded to 2.121.2.1 revision 3
  • CloudBees Cloud Platforms should be upgraded to 2.121.2.1 revision 3
  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.121.2.1 revision 3
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.121.2.1 revision 3
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.73.34.0.1 revision 2
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.107.33.0.1 revision 2
  • CloudBees Jenkins Team should be upgraded to version 2.121.2.1 revision 3
  • DEV@cloud is already protected