This advisory announces vulnerabilities in Jenkins.

IRC Plugin stores credentials in plain text

SECURITY-829

IRC Plugin stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-831

AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-839

HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-837

Jira Issue Updater Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-954

FTP publisher Plugin stores credentials unencrypted in its global configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-956

WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-965

Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-974

A missing permission check in a form validation method in FTP publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified FTP server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-1041

Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-1042

jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-830

AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-832

Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-835

aws-device-farm Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-838

CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-841

Bugzilla Plugin stores credentials unencrypted in its global configuration file hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-842

Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-945

VMware vRealize Automation Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-949

Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-952

veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-957

OctopusDeploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-961

WildFly Deployer Plugin stores deployment credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-962

VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-964

Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-966

Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-977

A missing permission check in a form validation method in Audit to Database Plugin allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-979

A missing permission check in a form validation method in VMware Lab Manager Slaves Plugin allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-981

A missing permission check in a form validation method in OpenShift Deployer Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-991

A missing permission check in a form validation method in Gearman Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-993

A missing permission check in a form validation method in Zephyr Enterprise Test Management Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-1037

A missing permission check in a form validation method in Chef Sinatra Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-1043

Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-1044

Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-1054

A missing permission check in a form validation method in SOASTA CloudTest Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-1058

A missing permission check in a form validation method in Nomad Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-1059

Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-1061

Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-1062

TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-1069

Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-1084

A missing permission check in a form validation method in openid Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-1085

StarTeam Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-1091

A missing permission check in a form validation method in jenkins-reviewbot Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-1093

Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-828

Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-843

Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-946

mabl Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-947

Diawi Upload Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-955

Minio Storage Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-959

DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-963

youtrack-plugin Plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins master. These credentials could be viewed by users with access to the master file system.

youtrack-plugin Plugin now stores credentials encrypted.

SECURITY-1031

Jabber Server Plugin stores credentials unencrypted in its global configuration file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-1032

A missing permission check in a form validation method in Netsparker Cloud Scan Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token.

Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.

The form validation method now performs a permission check for Overall/Administer and requires that requests be sent via POST.

SECURITY-1040

Netsparker Cloud Scan Plugin stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins master. These API tokens could be viewed by users with access to the master file system.

Netsparker Cloud Scan Plugin now stores API tokens encrypted.

SECURITY-1055

A missing permission check in a form validation method in Kmap Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

SECURITY-1056

Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-1063

crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

SECURITY-1066

Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-1090

Sametime Plugin stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-1092

Koji Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

SECURITY-960

CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

• SECURITY-828:Low

• SECURITY-829:Low

• SECURITY-830:Low

• SECURITY-831:Low

• SECURITY-832:Low

• SECURITY-835:Low

• SECURITY-837:Medium

• SECURITY-838:Low

• SECURITY-839:Medium

• SECURITY-841:Medium

• SECURITY-842:Medium

• SECURITY-843:Medium

• SECURITY-945:Medium

• SECURITY-946:Medium

• SECURITY-947:Medium

• SECURITY-949:Low

• SECURITY-952:Low

• SECURITY-954:Low

• SECURITY-955:Low

• SECURITY-956:Medium

• SECURITY-957:Low

• SECURITY-959:Medium

• SECURITY-960:Low

• SECURITY-961:Medium

• SECURITY-962:Medium

• SECURITY-963:Low

• SECURITY-964:Low

• SECURITY-965:Low

• SECURITY-966:Low

• SECURITY-974:Medium

• SECURITY-977:Medium

• SECURITY-979:Medium

• SECURITY-981:Medium

• SECURITY-991:Medium

• SECURITY-993:Medium

• SECURITY-1031:Low

• SECURITY-1032:Medium

• SECURITY-1037:Medium

• SECURITY-1040:Low

• SECURITY-1041:Low

• SECURITY-1042:Medium

• SECURITY-1043:Medium

• SECURITY-1044:Medium

• SECURITY-1054:Medium

• SECURITY-1055:Medium

• SECURITY-1056:Medium

• SECURITY-1058:Medium

• SECURITY-1059:Low

• SECURITY-1061:Low

• SECURITY-1062:Medium

• SECURITY-1063:Medium

• SECURITY-1066:Low

• SECURITY-1069:Low

• SECURITY-1084:Medium

• SECURITY-1085:Medium

• SECURITY-1090:Low

• SECURITY-1091:Medium

• SECURITY-1092:Low

• SECURITY-1093:Low

• Netsparker Cloud Scan Plugin should be updated to version 1.1.6

• youtrack-plugin Plugin should be updated to version 0.7.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

• Amazon SNS Build NotifierPlugin

• Aqua Security ScannerPlugin

• Assembla AuthPlugin

• Audit to DatabasePlugin

• AWS CloudWatch Logs PublisherPlugin

• AWS Elastic Beanstalk PublisherPlugin

• aws-device-farmPlugin

• Bitbucket ApprovePlugin

• BugzillaPlugin

• Chef SinatraPlugin

• CloudCoreo DeployTimePlugin

• CloudShare Docker-MachinePlugin

• crittercism-dsymPlugin

• Crowd IntegrationPlugin

• DeployHubPlugin

• Diawi UploadPlugin

• Fabric Beta PublisherPlugin

• FTP publisherPlugin

• GearmanPlugin

• HockeyAppPlugin

• Hyper.sh CommonsPlugin

• IRCPlugin

• Jabber ServerPlugin

• jenkins-cloudformation-pluginPlugin

• jenkins-reviewbotPlugin

• Jira Issue UpdaterPlugin

• Klaros-TestmanagementPlugin

• KmapPlugin

• KojiPlugin

• mablPlugin

• Minio StoragePlugin

• NomadPlugin

• OctopusDeployPlugin

• Official OWASP ZAPPlugin

• Open STFPlugin

• openidPlugin

• OpenShift DeployerPlugin

• Perfecto MobilePlugin

• Relution Enterprise Appstore PublisherPlugin

• SametimePlugin

• Serena SRA DeployPlugin

• SOASTA CloudTestPlugin

• StarTeamPlugin

• TestFairyPlugin

• Trac PublisherPlugin

• Upload to pgyerPlugin

• veracode-scannerPlugin

• VMware Lab Manager SlavesPlugin

• VMware vRealize AutomationPlugin

• VS Team Services Continuous DeploymentPlugin

• WebSphere DeployerPlugin

• WildFly DeployerPlugin

• Zephyr Enterprise Test ManagementPlugin