CloudBees Security Advisory 2019-03-25

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin

SECURITY-1353

Sandbox protection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.

Script Security and Pipeline: Groovy have been hardened to prevent these methods of bypassing sandbox protection.

XSS vulnerability in Lockable Resources Plugin

SECURITY-1361

Lockable Resources Plugin did not properly escape resource names in generated JavaScript code, thus leading to a cross-site scripting (XSS) vulnerability.

The plugin now properly escapes resource names in its scripts.

CSRF vulnerability and missing permission checks in Slack Notification Plugin allowed capturing credentials

SECURITY-976

Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration).

ECS Publisher Plugin stored and displayed API token in plain text

SECURITY-846

ECS Publisher Plugin stored the API token unencrypted in jobs’ config.xml files and its global configuration file on the Jenkins master. This token could be viewed by users with Extended Read permission, or access to the master file system.

Additionally, the API token was not masked from view using a password form field.

The plugin now stores the API token encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin

SECURITY-992

A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation methods did not require POST requests, resulting in a CSRF vulnerability.

The form validation methods now require POST requests and perform a permission check.

PRQA Plugin stored password in plain text

SECURITY-1089

PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system.

The plugin now stores the password encrypted in the configuration files on disk.

Codebeamer Test Results Trend Updater Plugin stored password in plain text

SECURITY-1086

Codebeamer Test Results Trend Updater Plugin stored username and password in its configuration unencrypted in jobs’ config.xml files on the Jenkins master. This password could be viewed by users with Extended Read permission, or access to the master file system.

The plugin now integrates with Credentials Plugin.

Unprivileged users with Overall/Read access were able to enumerate credential IDs in Arxan MAM Publisher Plugin

SECURITY-1328

Arxan MAM Publisher Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to obtain a list of valid credential IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

Enumerating credential IDs in this plugin now requires Overall/Administer permission.


Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.164.1.2-rev2
  • CloudBees Cloud Platforms should be upgraded to 2.164.1.2-rev2
  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.164.1.2-rev2
  • CloudBees Jenkins Platform (rolling train: CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.164.1.2-rev2
  • CloudBees Jenkins Platform (fixed train: CJP Operations Center and CJP Client Master 2.138.x.0.z) should be upgraded to version 2.138.40.0.2-rev5
  • CloudBees Jenkins Platform (fixed train: CJP Operations Center and CJP Client Master 2.107.x.0.z) should be upgraded to version 2.107.37.0.2-rev7
  • CloudBees Jenkins Distribution should be upgraded to version 2.164.1.2-rev2