CloudBees Security Advisory 2015-12-09

This advisory announces multiple vulnerabilities in Jenkins.

Stored XSS vulnerability through workspace files and archived artifacts

SECURITY-95 / CVE-2015-7536

In certain configurations, low privilege users were able to create e.g. HTML files in workspaces and archived artifacts that could result in XSS when accessed by other users. Jenkins now sends Content-Security-Policy headers that enables sandboxing and prohibits script execution by default. If you rely on the previous behavior, or in case of compatibility problems with certain plugins, you can modify the header sent by Jenkins. Learn more: Configuring Content Security Policy .

CSRFvulnerability in some administrative actions

SECURITY-225 / CVE-2015-7537

Several administration/configuration related URLs could be accessed using GET, which allowed attackers to circumvent CSRF protection.

CSRF protection ineffective

SECURITY-233 / CVE-2015-7538

Malicious users were able to circumvent CSRF protection on any URL by sending specially crafted POST requests.

Jenkins plugin manager vulnerable to MITM attacks

SECURITY-234 / CVE-2015-7539

While the Jenkins update site data is digitally signed, and the signature verified by Jenkins, Jenkins did not verify the provided SHA-1 checksums for the plugin files referenced in the update site data. This enabled MITM attacks on the plugin manager, resulting in installation of attacker-provided plugins.

Severity

  • SECURITY-95 is considered medium as it allows low-privilege users to perform limited XSS in certain configurations.

  • SECURITY-225 is considered high as it allows unprivileged attackers to perform some administrative actions via CSRF.

  • SECURITY-233 is considered high as it allows unprivileged attackers to circumvent CSRF protection.

  • SECURITY-234 is considered high as it allows attackers able to manipulate the network path between Jenkins and the update site to install and run arbitrary code on Jenkins.

Fix

  • CloudBees Jenkins Operations Center 1.625.x.y should be upgraded to 1.625.3.1

  • CloudBees Jenkins Operations Center 1.609.x.y should be upgraded to 1.609.15.1

  • CloudBees Jenkins Enterprise 1.625.x.y should be upgraded to 1.625.3.1

  • CloudBees Jenkins Enterprise 1.609.x.y should be upgraded to 1.609.15.1

  • Jenkins LTS should be upgraded to 1.625.3

  • Jenkins main line should be upgraded to Jenkins 1.641

  • DEV@cloud is already protected

All prior versions are affected by these vulnerabilities.