CloudBees Security Advisory 2020-03-25

This advisory announces vulnerabilities inJenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

CSRF protection for any URL could be bypassed

SECURITY-1774 / CVE-2020-2160

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL.

Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses.

NOTE	In case of problems, administrators can disable this security fix by setting the system property `hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO` to `true` .

NOTE	As an additional safeguard, semicolon (`;` ) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property `jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath` to `true` .

Stored XSS vulnerability in label expression validation

SECURITY-1781 / CVE-2020-2161

Users with Agent/Configure permissions can define labels for nodes. These labels can be referenced in job configurations to restrict where a job can be run.

In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation for label expressions in job configuration forms did not properly escape label names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to define node labels.

Jenkins now correctly escapes node labels that are shown in form validation on job configuration pages.

Stored XSS vulnerability in file parameters

SECURITY-1793 / CVE-2020-2162

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate Content-Security-Policy HTTP headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.

Jenkins now sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.

The system property hudson.model.DirectoryBrowserSupport.CSP can be set to override the value of Content-Security-Policy headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the Resource Root URL and works the same way for file parameters. See Configuring Content Security Policy to learn more.

NOTE	Even when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to `Content-Security-Policy` restrictions.

Stored XSS vulnerability in list view column headers

SECURITY-1796 / CVE-2020-2163

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded in list view column headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the content of column headers.

The following plugins are known to allow users to define column headers:

Further plugins may also allow users to define column headers.

Jenkins no longer processes HTML embedded in list view column headers.

Passwords stored in plain text by Artifactory Plugin

SECURITY-1542 (1) / CVE-2020-2164

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml . This password can be viewed by users with access to the Jenkins master file system.

Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.

Passwords transmitted in plain text by Artifactory Plugin

SECURITY-1542 (2) / CVE-2020-2165

Artifactory Plugin stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins master as part of its configuration.

While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.

RCE vulnerability in Pipeline: AWS Steps Plugin

SECURITY-1741 / CVE-2020-2166

Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipeline: AWS Steps Plugin’s build steps.

Pipeline: AWS Steps Plugin 1.41 configures its YAML parser to only instantiate safe types.

RCE vulnerability in OpenShift Pipeline Plugin

SECURITY-1739 / CVE-2020-2167

OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to OpenShift Pipeline Plugin’s build step.

OpenShift Pipeline Plugin 1.0.57 configures its YAML parser to only instantiate safe types.

RCE vulnerability in Azure Container Service Plugin

SECURITY-1732 / CVE-2020-2168

Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Azure Container Service Plugin’s build step.

Azure Container Service Plugin 1.0.2 configures its YAML parser to only instantiate safe types.

Reflected XSS vulnerability in Queue cleanup Plugin

SECURITY-1724 / CVE-2020-2169

A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting vulnerability (XSS).

Queue cleanup Plugin 1.4 correctly escapes the query parameter.

Stored XSS vulnerability in RapidDeploy Plugin

SECURITY-1676 / CVE-2020-2170

RapidDeploy Plugin 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure jobs.

RapidDeploy Plugin 4.2.1 escapes package names.

XXE vulnerability in RapidDeploy Plugin

SECURITY-1677 / CVE-2020-2171

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'RapidDeploy deployment package build' build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

RapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.

XSS in Plugin Catalogs

CTR-1309

A cross-site scripting (XSS) attack was possible during Plugin Catalog validation from the user interface (UI) using a malicious Plugin Catalog file.

With this fix, HTML entered into validation messages is now escaped.

RBAC Issue When Deleting/Recreating Internal Groups That Are Members In Other Internal Groups

CTR-472

When using role-based access control (RBAC), deleting/recreating groups that included members included in another internal group did not work as expected. With this fix, the group members cache is properly invalidated when a group is deleted/created, so that deleting/recreating groups works as expected.

This only affects installations that use the CloudBees Role Based Access Control plugin.

XSS in Operations Center Cluster Operations Plugin

CTR-1036

Fix persistent XSS vulnerability in the List View and Operations Center Cluster Operations Plugin did not escape the click event on the Cluster Operation checkbox. This lapse resulted in a stored cross-site scripting vulnerability, exploitable by users with Overall/Administer permissions in Operations Center. With this fix, the JavaScript code was changed to prevent this vulnerability.

Stored Cross-Site Script on CloudBees Template Plugin in Display Name Field

CPLT2-6219

HTML placed in the Display Name area of a job or folder template would be rendered raw in the New Item dialog, posing a stored-XSS vulnerability. This HTML is now escaped.

Severity

SECURITY-1542 (1): Low
SECURITY-1542 (2): Low
SECURITY-1676: Medium
SECURITY-1677: High
SECURITY-1724: Medium
SECURITY-1732: High
SECURITY-1739: High
SECURITY-1741: High
SECURITY-1774: High
SECURITY-1781: Medium
SECURITY-1793: Medium
SECURITY-1796: Medium
CTR-1309: Medium
CTR-472: Low
CTR-1036: Medium
CPLT2-6219: Medium

Fix

CloudBees Traditional Platforms should be upgraded 2.222.1.1
CloudBees Cloud Platforms should be upgraded 2.222.1.1
CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.222.1.1
CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.222.1.1
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.190.x.0.z) should be upgraded to version 2.190.31.0.1
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.164.x.0.z) should be upgraded to version 2.164.34.0.1
CloudBees Jenkins Distribution should be upgraded to version 2.222.1.1

More Security Advisories