CloudBees Security Advisory 2019-03-25
This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.
Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin
Sandbox projection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.
Script Security and Pipeline: Groovy have been hardened to prevent these methods of bypassing sandbox protection.
XSS vulnerability in Lockable Resources Plugin
The plugin now properly escapes resource names in its scripts.
CSRF vulnerability and missing permission checks in Slack Notification Plugin allowed capturing credentials
Notification Plugin Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration).
ECS Publisher Plugin stored and displayed API token in plain text
ECS Publisher Plugin stored the API token unencrypted in jobs’
config.xml files and its global configuration file on the Jenkins master. This token could be viewed by users with Extended Read permission, or access to the master file system.
Additionally, the API token was not masked from view using a password form field.
The plugin now stores the API token encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.
SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin
A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server.
Additionally, the form validation methods did not require POST requests, resulting in a CSRF vulnerability.
The form validation methods now require POST requests and perform a permission check.
PRQA Plugin stored password in plain text
PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system.
The plugin now stores the password encrypted in the configuration files on disk.
Codebeamer Test Results Trend Updater Plugin stored password in plain text
Codebeamer Test Results Trend Updater Plugin stored username and password in its configuration unencrypted in jobs’
config.xml files on the Jenkins master. This password could be viewed by users with Extended Read permission, or access to the master file system.
The plugin now integrates with Credentials Plugin.
Unprivileged users with Overall/Read access were able to enumerate credential IDs in Arxan MAM Publisher Plugin
Arxan MAM Publisher Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.
This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.
- CloudBees Traditional Platforms should be upgraded 18.104.22.168-rev2
- CloudBees Cloud Platforms should be upgraded 22.214.171.124-rev2
- CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 126.96.36.199-rev2
- CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 188.8.131.52-rev2
- CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.138.x.0.z) should be upgraded to version 184.108.40.206.2-rev5
- CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.107.x.0.z) should be upgraded to version 220.127.116.11.2-rev7
- CloudBees Jenkins Distribution should be upgraded to version 18.104.22.168-rev2