This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.
Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart
SECURITY-897
Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. This configuration file contains basic configuration of Jenkins, including the selected security realm and authorization strategy. If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
The fix prevents this behavior.
To mitigate this problem, we strongly advise that administrators of Jenkins instances without this fix, that are reachable by untrusted users, save the global configuration shortly before shutting down Jenkins. Doing so will write the current configuration from memory to the config.xml file, which is only read on startup or when reloading configuration.
If Jenkins has already been shut down after this issue has been exploited, the config.xml file can be found at users/$002e$002e/config.xml in the Jenkins home directory.
This issue was caused by the fix for SECURITY-499 in the 2017-11-08 security advisory.
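A check an administrator can run against a stopped instance before restarting it, added here as an example and not code from the Jenkins project: it classifies a Jenkins home directory by whether config.xml is in place or sits at the displaced path named above. The function names and state labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a Jenkins home directory for the SECURITY-897 condition.
# Function names and state labels are illustrative, not part of Jenkins.

# Path named in the advisory. Single quotes are required: inside double
# quotes the shell would expand "$0" within "$002e".
DISPLACED_REL='users/$002e$002e/config.xml'

# Print one of: intact, moved, stray-copy, missing.
security_897_state() {
    main="$1/config.xml"
    displaced="$1/$DISPLACED_REL"
    if [ -f "$main" ] && [ ! -e "$displaced" ]; then
        echo intact          # config.xml in place, nothing at the displaced path
    elif [ ! -f "$main" ] && [ -f "$displaced" ]; then
        echo moved           # the state the advisory describes
    elif [ -f "$main" ]; then
        echo stray-copy      # config.xml present, but the displaced path exists too
    else
        echo missing         # no config.xml at either location
    fi
}

# Human-readable report; returns 0 only when the home directory is intact.
security_897_report() {
    state=$(security_897_state "$1")
    case $state in
        intact)     printf '%s: config.xml present\n' "$1" ;;
        moved)      printf '%s: config.xml was moved to %s; do not start Jenkins without it\n' "$1" "$DISPLACED_REL" ;;
        stray-copy) printf '%s: config.xml present, but %s also exists; review it\n' "$1" "$DISPLACED_REL" ;;
        missing)    printf '%s: no config.xml found\n' "$1" ;;
    esac
    [ "$state" = intact ]
}

# Run against a directory given on the command line, e.g. sh check.sh "$JENKINS_HOME"
if [ "$#" -gt 0 ]; then
    security_897_report "$1"
fi
```

The non-zero exit status for any state other than intact lets the check gate a service start script.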
Arbitrary file read vulnerability
SECURITY-914
An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master process has access to.
Input validation in Stapler has been improved to prevent this.
Unauthorized users could cancel queued builds
SECURITY-891
The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds.
The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission.
Unauthorized users could initiate and abort agent launches
SECURITY-892
The URL that initiates agent launches on the Jenkins master did not perform a permission check, allowing users with Overall/Read permission to initiate agent launches.
Doing so canceled all ongoing launches for the specified agent, so this allowed attackers to prevent an agent from launching indefinitely.
The URL for agent launches now ensures that the user has the Agent/Connect permission.
Stored XSS vulnerability
SECURITY-944
The build timeline widget shown on URLs like /view/…/builds did not properly escape display names of items. This resulted in a cross-site scripting vulnerability exploitable by users able to control item display names.
Jenkins now escapes job display names shown on the timeline widget.
Unauthorized users are able to determine when a plugin was extracted from its JPI package
SECURITY-925
Files indicating when a plugin JPI file was last extracted into a subdirectory of plugins/ in the Jenkins home directory were accessible via HTTP by users with Overall/Read permission. This allowed unauthorized users to determine the likely install date of a given plugin.
The affected file is no longer available via HTTP.
XSS vulnerability in Stapler debug mode
SECURITY-390
Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information. Those error pages did not escape parts of URLs they displayed, in rare cases resulting in a cross-site scripting vulnerability.
Parts of URLs displayed on these error pages are now properly escaped.
As a workaround, Stapler debug mode should not be enabled on instances accessible to untrusted users.