CloudBees Security Advisory 2019-10-01

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Sandbox bypass vulnerability in Script Security Plugin 

SECURITY-1579 / CVE-2019-10431

Sandbox protection in Script Security Plugin could be circumvented through default parameter expressions in constructors.

This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins master JVM.

These expressions are now subject to sandbox protection.

Stored XSS vulnerability in HTML Publisher Plugin 

SECURITY-1590 / CVE-2019-10432

HTML Publisher Plugin did not escape the project or build display name shown in the frame HTML page. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the project or build display name, typically users with Job/Configure or Build/Update permission.

HTML Publisher Plugin now escapes the display name displayed in the frame HTML page.

Dingding[钉钉] Plugin stores credentials in plain text 

SECURITY-1423 / CVE-2019-10433

Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.

LDAP Email Plugin shows plain text password in configuration form 

SECURITY-1515 / CVE-2019-10434

LDAP Email Plugin stores an LDAP bind password in its global Jenkins configuration.

While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

SourceGear Vault Plugin shows plain text password in configuration form 

SECURITY-1524 / CVE-2019-10435

SourceGear Vault Plugin stores an SCM password in job configurations.

While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

Severity: 
  • SECURITY-1423: Low
  • SECURITY-1515: Low
  • SECURITY-1524: Low
  • SECURITY-1579: High
  • SECURITY-1590: Medium
Fix: 
  • CloudBees Traditional Platforms should be upgraded 2.176.4.3-rev2
  • CloudBees Cloud Platforms should be upgraded 2.176.4.3-rev2
  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.176.4.3-rev2
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.176.4.3-rev2
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.138.x.0.z) should be upgraded to version 2.138.44.0.1-rev2
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.164.x.0.z) should be upgraded to version 2.164.32.0.1-rev2
  • CloudBees Jenkins Distribution should be upgraded to version 2.176.4.3-rev2