Jenkins Security Advisory 2020-07-02

This advisory announces vulnerabilities in Jenkins

Stored XSS vulnerability in Sonargraph Integration Plugin 

SECURITY-1775 / CVE-2020-2201

Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Job/Configure permission.

Sonargraph Integration Plugin 3.0.1 escapes the affected part of the error message.

Users with Overall/Read access could enumerate credentials IDs in Fortify on Demand Plugin 

SECURITY-1690 / CVE-2020-2202

Fortify on Demand Plugin provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions in Fortify on Demand Plugin 6.0.0 and earlier, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

Enumeration of credentials IDs in Fortify on Demand Plugin 6.0.1 requires the appropriate permissions.

CSRF vulnerability and missing permission checks in Fortify on Demand Plugin 

SECURITY-1691 / CVE-2020-2203 (CSRF), CVE-2020-2204 (missing permission check)

Fortify on Demand Plugin 5.0.1 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs obtained through another method.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires appropriate permission in Fortify on Demand Plugin 6.0.0.

Stored XSS vulnerability in VncRecorder Plugin 

SECURITY-1728 (1) / CVE-2020-2205

VncRecorder Plugin 1.25 and earlier does not escape a tool path in the checkVncServ form validation endpoint accessed e.g. via job configuration forms.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators.

VncRecorder Plugin 1.35 escapes the tool path.

Reflected XSS vulnerability in VncRecorder Plugin 

SECURITY-1728 (2) / CVE-2020-2206

VncRecorder Plugin 1.25 and earlier does not escape a parameter value in the checkVncServ form validation endpoint output.

This results in a reflected cross-site scripting (XSS) vulnerability.

VncRecorder Plugin 1.35 escapes the parameter value in the output.

Reflected XSS vulnerability in VncViewer Plugin 

SECURITY-1776 / CVE-2020-2207

VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint output.

This results in a reflected cross-site scripting (XSS) vulnerability.

VncViewer Plugin 1.8 escapes the parameter value in the output.
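The Sonargraph Integration, VncRecorder and VncViewer entries above share one root cause: a submitted value is placed into form validation output without HTML escaping (the Compatibility Action Storage Plugin entry further down is the same defect with data read from MongoDB). The Java below is an added example, not code from any of those plugins or from Jenkins: a hypothetical descriptor (ExampleLogFileStepDescriptor, with a made-up "Log file" field) showing the unsafe message construction next to the escaped one.

```java
import hudson.Extension;
import hudson.Util;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;
import org.kohsuke.stapler.QueryParameter;

/** Descriptor for a hypothetical step with a "Log file" path field. */
@Extension
public class ExampleLogFileStepDescriptor extends BuildStepDescriptor<Builder> {

    @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
    @Override public String getDisplayName() { return "Example log file step"; }

    /**
     * Vulnerable pattern, shown for comparison and deliberately not web-bound (private):
     * errorWithMarkup renders its argument as HTML, so any tags inside the submitted value
     * execute in the browser of whoever opens the configuration form.
     */
    private static FormValidation unsafeError(String value, String problem) {
        return FormValidation.errorWithMarkup("<b>" + value + "</b>: " + problem);
    }

    /**
     * Hardened check bound to .../checkLogFile. If markup is wanted, escape the untrusted
     * part with Util.escape before concatenating; if not, FormValidation.error(String)
     * escapes the whole message itself (ok(String) and warning(String) behave the same way).
     */
    public FormValidation doCheckLogFile(@QueryParameter String value) {
        String problem = validatePath(value);
        if (problem == null) {
            return FormValidation.ok();
        }
        return FormValidation.errorWithMarkup("<b>" + Util.escape(value) + "</b>: " + problem);
        // Equivalent without markup: return FormValidation.error(value + ": " + problem);
    }

    /** Syntactic check only; it intentionally never touches the controller's file system. */
    private static String validatePath(String value) {
        if (value == null || value.trim().isEmpty()) {
            return "a path is required";
        }
        try {
            if (!Paths.get(value).isAbsolute()) {
                return "must be an absolute path";
            }
        } catch (InvalidPathException e) {
            return "is not a valid path";
        }
        return null;
    }
}
```

The difference between the two message builders is the entire fix: the value still appears in the message, but as text rather than as markup.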

Secret stored in plain text by Slack Upload Plugin 

SECURITY-1627 / CVE-2020-2208

Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files as part of its configuration. This secret can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by TestComplete support Plugin 

SECURITY-1686 / CVE-2020-2209

TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files as part of its configuration. This password can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Passwords transmitted in plain text by Stash Branch Parameter Plugin 

SECURITY-1656 / CVE-2020-2210

Stash Branch Parameter Plugin stores Stash API passwords in its global configuration file org.jenkinsci.plugins.StashBranchParameter.StashBranchParameterDefinition.xml on the Jenkins master as part of its configuration.

While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Stash Branch Parameter Plugin 0.3.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

This only affects Jenkins before 2.236, including 2.235.x LTS, as Jenkins 2.236 introduces a security hardening that transparently encrypts and decrypts data used for a Jenkins password form field.

As of publication of this advisory, there is no fix.
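The Slack Upload, TestComplete support and Stash Branch Parameter entries above describe two related defects: a secret persisted as a plain String in config.xml, and a secret sent to the browser in clear text by the configuration form (the GitHub Coverage Reporter, White Source and HP ALM Quality Center entries below are the same storage defect). The Java below is an added example, not code from any of those plugins or from Jenkins: a hypothetical build step (ExampleUploadStep, with made-up channel and apiToken fields and a placeholder SERVICE_URL) that keeps the token in a hudson.util.Secret, migrates older plain-text configurations, and returns the Secret to the form so an f:password control receives the encrypted form.

```java
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Hypothetical build step that posts a message to a chat service with an API token.
 * XStream writes every non-transient field to the job's config.xml, so the field's
 * type decides whether the token lands there in plain text or in encrypted form.
 */
public class ExampleUploadStep extends Builder {

    // Placeholder endpoint, not a real service.
    private static final String SERVICE_URL = "https://chat.example.invalid/api/upload";

    private final String channel;

    /** Legacy plain-text field (the vulnerable layout); kept non-transient so old config.xml still loads. */
    @Deprecated
    private String token;

    /** Secret is serialized as its encrypted value and decrypted only on demand. */
    private Secret apiToken;

    @DataBoundConstructor
    public ExampleUploadStep(String channel, Secret apiToken) {
        this.channel = channel;
        this.apiToken = apiToken;
    }

    /** Migrates configurations saved before the field became a Secret; the next save drops the plain copy. */
    private Object readResolve() {
        if (token != null) {
            apiToken = Secret.fromString(token);
            token = null;
        }
        return this;
    }

    public String getChannel() { return channel; }

    // Return the Secret itself, not getPlainText(): config.jelly binds the field with
    //   <f:entry title="API token" field="apiToken"><f:password/></f:entry>
    // so the browser receives the encrypted form, never the clear text.
    public Secret getApiToken() { return apiToken; }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        String plain = Secret.toString(apiToken);   // decrypt at the point of use only
        if (plain.isEmpty()) {
            listener.error("No API token configured");
            return false;
        }
        String safeChannel = channel.replace("\\", "\\\\").replace("\"", "\\\"");
        byte[] body = ("{\"channel\":\"" + safeChannel + "\",\"text\":\"Build "
                + build.getFullDisplayName() + "\"}").getBytes(StandardCharsets.UTF_8);
        try {
            int status = post(SERVICE_URL, "Bearer " + plain, body);
            listener.getLogger().println("Upload to " + channel + " returned HTTP " + status); // never log the token
            return status < 400;
        } catch (IOException e) {
            listener.error("Upload failed: " + e.getMessage());
            return false;
        }
    }

    private static int post(String url, String authorization, byte[] body) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("POST");
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        conn.setRequestProperty("Authorization", authorization);
        conn.setRequestProperty("Content-Type", "application/json");
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        return conn.getResponseCode();
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
        @Override public String getDisplayName() { return "Example upload"; }
    }
}
```

With the field typed as Secret, config.xml contains only the encrypted value (readable by Extended Read users or on the controller's file system, but not usable without the instance's master key), and the form round-trips the encrypted value even on Jenkins releases before 2.236, which only added that transparency for String-typed password fields.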

RCE vulnerability in ElasticBox Jenkins Kubernetes CI/CD Plugin 

SECURITY-1738 / CVE-2020-2211

ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to ElasticBox Jenkins Kubernetes CI/CD Plugin’s build step.

As of publication of this advisory, there is no fix.
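The advisory's phrase "does not configure its YAML parser to prevent the instantiation of arbitrary types" refers to SnakeYAML's default Constructor, which instantiates whatever Java class a type tag in the document names. The Java below is an added example, not code from ElasticBox Jenkins Kubernetes CI/CD Plugin: a hypothetical ManifestLoader that shows the default parser next to one built with SafeConstructor (which only produces maps, lists and scalars) and adds a top-level key whitelist for the manifest shape the step expects. It uses the no-argument SafeConstructor of the SnakeYAML 1.x line; SnakeYAML 2.x requires a LoaderOptions argument.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Loads Kubernetes-style manifests supplied by build users. */
public final class ManifestLoader {

    private static final Set<String> EXPECTED_KEYS =
            new HashSet<>(Arrays.asList("apiVersion", "kind", "metadata", "spec"));

    /** Before: new Yaml() uses the default Constructor, which honours arbitrary !!class tags. Do not use for untrusted input. */
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    /** After: SafeConstructor builds only standard YAML types and rejects any other tag. */
    static Map<?, ?> loadSafe(String doc) {
        Object parsed = new Yaml(new SafeConstructor()).load(doc);
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException("Manifest must be a YAML mapping");
        }
        Map<?, ?> manifest = (Map<?, ?>) parsed;
        // Schema check on top of the safe parse: only the keys a manifest is supposed to have.
        for (Object key : manifest.keySet()) {
            if (!(key instanceof String) || !EXPECTED_KEYS.contains(key)) {
                throw new IllegalArgumentException("Unexpected top-level key: " + key);
            }
        }
        return manifest;
    }

    public static void main(String[] args) {
        // Constructed samples: an ordinary manifest parses; a document carrying a class tag is rejected.
        String plain = "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: demo\n";
        System.out.println("kind = " + loadSafe(plain).get("kind"));

        String tagged = "!!some.arbitrary.ClassName {}\n";   // placeholder tag, not a real class
        try {
            loadSafe(tagged);
            System.out.println("unexpectedly accepted");
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

SafeConstructor fails the second document with a "could not determine a constructor for the tag" error before any class is looked up, which is the behaviour a parser fed with user-supplied input files needs.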

Secret stored in plain text by GitHub Coverage Reporter Plugin 

SECURITY-1632 / CVE-2020-2212

GitHub Coverage Reporter Plugin 1.8 and earlier stores a GitHub access token in plain text in its global configuration file io.jenkins.plugins.gcr.PluginConfiguration.xml. This can be viewed by users with access to the Jenkins master file system. It is also transmitted in plain text as part of the configuration form where it can be viewed by those who can read the system configuration.

As of publication of this advisory, there is no fix.

Credentials stored in plain text by White Source Plugin 

SECURITY-1630 / CVE-2020-2213

White Source Plugin 19.1.1 and earlier stores credentials in plain text as part of its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml and job config.xml files on the Jenkins master. These credentials could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the master file system.

As of publication of this advisory, there is no fix.

Content-Security-Policy protection for user content disabled by ZAP Pipeline Plugin 

SECURITY-1811 / CVE-2020-2214

Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts.

ZAP Pipeline Plugin 1.9 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.

Jenkins instances with Resource Root URL configured are largely unaffected. A possible exception is file parameter downloads. The behavior of those depends on the specific version of Jenkins:

  • Jenkins 2.231 and newer, including 2.235.x LTS, is unaffected, as all resource files from user content are generally served safely from a different domain, without restrictions from Content-Security-Policy header.

  • Jenkins between 2.228 (inclusive) and 2.230 (inclusive), as well as all releases of Jenkins 2.222.x LTS and the 2.204.6 LTS release, are affected by this vulnerability, as file parameters are not served via the Resource Root URL.

  • Jenkins 2.227 and older, as well as 2.204.5 and older, don’t have XSS protection for file parameter values, see SECURITY-1793.

As of publication of this advisory, there is no fix.
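Because there is no fix, the practical question for an administrator is whether the header is still present on their instance. The Java 11 program below is an added example, not code from ZAP Pipeline Plugin or Jenkins: it fetches /userContent/readme.txt (created by default in $JENKINS_HOME/userContent) from a base URL given as a placeholder, optionally with user:api-token Basic authentication, and reports whether the Content-Security-Policy header still carries the sandboxing directives. The DEFAULT_CSP string is the value DirectoryBrowserSupport applies unless the hudson.model.DirectoryBrowserSupport.CSP system property overrides it.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.Optional;

/** Reports whether a Jenkins instance still sends the DirectoryBrowserSupport CSP header for user content. */
public final class CspAudit {

    // Default applied to files served by DirectoryBrowserSupport; the
    // hudson.model.DirectoryBrowserSupport.CSP system property overrides it, and an empty value disables it.
    static final String DEFAULT_CSP = "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";

    /** Protective only if the script-blocking directives survived whatever overrode the default. */
    static boolean isProtective(Optional<String> header) {
        if (!header.isPresent()) {
            return false;
        }
        String v = header.get().toLowerCase(Locale.ROOT);
        return v.contains("sandbox") && v.contains("default-src 'none'");
    }

    public static void main(String[] args) throws Exception {
        // args[0]: Jenkins base URL (placeholder default); args[1], optional: "user:api-token"
        String base = args.length > 0 ? args[0] : "https://jenkins.example.invalid";
        HttpRequest.Builder request =
                HttpRequest.newBuilder(URI.create(base + "/userContent/readme.txt")).GET();
        if (args.length > 1) {
            request.header("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(args[1].getBytes(StandardCharsets.UTF_8)));
        }
        // Redirects are not followed on purpose: a 30x to the Resource Root URL means the file
        // is served from a separate origin, the "largely unaffected" case in the advisory.
        HttpResponse<Void> response = HttpClient.newHttpClient()
                .send(request.build(), HttpResponse.BodyHandlers.discarding());
        System.out.println("HTTP " + response.statusCode());
        response.headers().firstValue("Location").ifPresent(l -> System.out.println("Location: " + l));

        Optional<String> csp = response.headers().firstValue("Content-Security-Policy");
        System.out.println("Content-Security-Policy: " + csp.orElse("<absent>"));
        int status = response.statusCode();
        if (status >= 300 && status < 400) {
            System.out.println("Served off-origin; the CSP on this response is not decisive");
        } else if (isProtective(csp)) {
            System.out.println("OK: user content is sandboxed");
        } else {
            System.out.println("WARNING: CSP for user content is missing or weakened; expected " + DEFAULT_CSP);
        }
    }
}
```

A WARNING result on an instance with the plugin installed matches the advisory's description; removing the plugin, or configuring a Resource Root URL so that user content is served from another origin, is the available mitigation until a fixed release exists.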

CSRF vulnerability and missing permission checks in Zephyr for JIRA Test Management Plugin 

SECURITY-1762 / CVE-2020-2215 (CSRF), CVE-2020-2216 (missing permission check)

Zephyr for JIRA Test Management Plugin 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified host using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Reflected XSS in Compatibility Action Storage Plugin 

SECURITY-1771 / CVE-2020-2217

Compatibility Action Storage Plugin 1.0 and earlier does not escape content retrieved from MongoDB in the output of the testConnection form validation endpoint. This allows attackers able to update the configured document in MongoDB to inject the payload.

This results in a reflected cross-site scripting (XSS) vulnerability.

As of publication of this advisory, there is no fix.

Password stored in plain text by HP ALM Quality Center Plugin 

SECURITY-1576 / CVE-2020-2218

HP ALM Quality Center Plugin 1.6 and earlier stores a password in plain text in its global configuration file org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml. This password can be viewed by users with access to the Jenkins master file system.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Link Column Plugin

SECURITY-1803 / CVE-2020-2219

Link Column Plugin allows users with View/Configure permission to add a new column to list views that contains a user-configurable link.

Link Column Plugin 1.0 and earlier does not filter the URL for these links, allowing the javascript: scheme. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure list views.

As of publication of this advisory, there is no fix.
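The missing filter is a check on the URL's scheme before the value reaches an href attribute. The Java below is an added example, not code from Link Column Plugin or Jenkins: a hypothetical SafeLinkUrl utility that accepts relative references and absolute http(s) URLs and turns anything else into an inert "#". It normalises away tab, CR and LF first, because browsers ignore those characters inside a scheme and a plain string comparison would not.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Validates a user-configured link target before it is written into an href attribute. */
public final class SafeLinkUrl {

    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");

    /** Removes characters browsers ignore inside a scheme, then trims surrounding whitespace. */
    static String normalize(String url) {
        return url.replaceAll("[\\t\\r\\n]", "").trim();
    }

    /** True for relative references and absolute http(s) URLs; false for everything else. */
    public static boolean isAllowed(String url) {
        if (url == null) {
            return false;
        }
        String cleaned = normalize(url);
        if (cleaned.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(cleaned);
        } catch (URISyntaxException e) {
            return false;   // unparseable input is rejected rather than handed to the browser
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return true;    // relative reference such as "job/demo/" or "/view/all/"
        }
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    /** Value to place in the column's href: the normalised URL, or "#" so the link does nothing. */
    public static String forHref(String url) {
        return isAllowed(url) ? normalize(url) : "#";
    }

    public static void main(String[] args) {
        // Constructed samples covering the cases a list-view column must handle.
        String[] samples = {
            "https://ci.example.invalid/job/demo/",
            "/view/all/",
            "job/demo/lastBuild/console",
            "javascript:void(0)",
            "JavaScript:void(0)",
            "data:text/html,hello",
            " java\tscript:void(0)",
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", s.replace("\t", "\\t"), forHref(s));
        }
    }
}
```

Two points for anyone wiring this into a column: the returned value must still be attribute-escaped by the view (Jelly's ${} expressions do this by default), since scheme filtering and output escaping address different problems; and a scheme-less "//host/path" reference passes this check, so a column that should only link within the instance would additionally require uri.getAuthority() to be null.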

Severity

Fix

  • Fortify on Demand Plugin should be updated to version 6.0.1

  • Fortify on Demand Plugin should be updated to version 6.0.0

  • Sonargraph Integration Plugin should be updated to version 3.0.1

  • VncRecorder Plugin should be updated to version 1.35

  • VncViewer Plugin should be updated to version 1.8