This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.
Server-side request forgery vulnerability in Git Plugin - SECURITY-810 / CVE-2018-1000182
Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and the Overall/Administer permission.
Server-side request forgery vulnerability in GitHub Plugin - SECURITY-799 / CVE-2018-1000184
A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL.
If that request’s HTTP response code indicates success, the form validation is returning a generic success message, otherwise the HTTP status code is returned.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
The form validation method now requires POST requests and the Overall/Administer permission.
CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials - SECURITY-804 / CVE-2018-1000183
GitHub Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and appropriate user permissions.
Server-side request forgery vulnerability in GitHub Branch Source Plugin - SECURITY-806 / CVE-2018-1000185
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and the Overall/Administer permission.
CSRF vulnerability and missing permission checks in GitHub Pull Request Builder Plugin allowed server-side request forgery, capturing credentials - SECURITY-805 / CVE-2018-1000186
GitHub Pull Request Builder Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and Overall/Administer permissions.
Kubernetes Plugin printed sensitive build variables to logs - SECURITY-883 / CVE-2018-1000187
Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and master log, when using pipeline steps like withDockerRegistry.
The plugin now applies masking of sensitive build variables to these pipeline steps.
Server-side request forgery vulnerability in CAS Plugin - SECURITY-809 / CVE-2018-1000188
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and the Overall/Administer permission.
CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins master - SECURITY-807 / CVE-2018-1000189
AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins master.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method no longer implements the validation that required a program to be invoked.
CSRF vulnerability and missing permission checks in Black Duck Hub Plugin allowed server-side request forgery, capturing credentials - SECURITY-865 / CVE-2018-1000190
Black Duck Hub Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and Overall/Administer permissions.
CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials - SECURITY-866 / CVE-2018-1000191
Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and Overall/Administer permissions.