Jenkins Security Advisory 2012-09-17

This advisory announces security vulnerabilities that were found in Jenkins core and several plugins.

The first vulnerability in Jenkins core allows unprivileged users to insert data into Jenkins master, which can lead to remote code execution. For this vulnerability to be exploited, the attacker must have an HTTP access to a Jenkins master, and he must have a read access to Jenkins.

The second vulnerability in Jenkins core is a cross-site scripting vulnerability. This allows an attacker to craft a URL that points to Jenkins, and if a legitimate user clicks this link, the attacker will be able to hijack the user session.

The third vulnerability is a cross-site scripting vulnerability in the Violations plugin.

The fourth vulnerability is a cross-site scripting vulnerability in the CI game plugin.

Several of these vulnerabilies were discovered by Avram Marius Gabriel.

Severity: 

CloudBees rates the first vulnerability in the core as critical, as it allows malicious users to execute arbitrary code on the server. The othe three XSS vulnerabilities are rated as high, as they allow malicious users to escalate privileges.

Fix: 
The following versions incorporate fixes to the vulnerabilities found in the Jenkins core.
  • Main line users should upgrade to Jenkins 1.482
  • LTS users should upgrade to 1.466.2
  • Users of Jenkins Enterprise by CloudBees 1.466.x should upgrade to 1.466.2.1
  • Users of Jenkins Enterprise by CloudBees 1.447.x should upgrade to 1.447.3.1
  • Users of Jenkins Enterprise by CloudBees 1.424.x and earlier should upgrade to 1.424.6.11
  • The fix has already been deployed to DEV@cloud

Users of the CloudBees Custom Update Center plugin needs to update to 3.4 or later in order to work with these newer versions of Jenkins.

To patch vulnerabilities in the plugins, upgrade to the following versions. These plugins should be available in your Jenkins’ plugin update center UI in up to a day.

  • Users of the Violations plugin should upgrade to 0.7.11 or later
  • Users of the CI game plugin should upgrade to 1.19 or later