This advisory announces vulnerabilities inJenkins.

SECURITY-1010 / CVE-2019-10340 (CSRF), CVE-2019-10341 (permission check)

Docker Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer or Item/Configure permission, as appropriate.

SECURITY-1400 / CVE-2019-10342

Docker Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires the appropriate permission, typically Overall/Administer or Item/Configure.

SECURITY-1419 / CVE-2019-10346

Embeddable Build Status Plugin did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability.

Arguments are now sanitized.

SECURITY-775 / CVE-2019-10347

Mashup Portlets Plugin stored SonarQube credentials unencrypted on the Jenkins master. These credentials could be viewed by users with access to the master file system.

Mashup Portlets Plugin now stores these credentials encrypted.

SECURITY-1438 / CVE-2019-10348

Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master. These credentials could be viewed by users with Extended Read permission, or access to the master file system.

Gogs Plugin now stores credentials encrypted.

SECURITY-1177 / CVE-2019-10349

Dependency Graph Viewer Plugin does not correctly escape the Display Name value for jobs in Jenkins, resulting in a stored cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-1441 / CVE-2019-10350

Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.

SECURITY-1437 / CVE-2019-10351

Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.