This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.
Jenkins allowed deserialization of URL
objects with host components - SECURITY-637
Jenkins allowed deserialization of URL
objects via Remoting (agent communication) and XStream.
This could in rare cases be used by attackers to have Jenkins loop up specified hosts' DNS records.
Jenkins now injects a URLStreamHandler
when deserializing URLs that overrides the affected URL
methods.
This can be disabled if needed by setting the system property hudson.remoting.URLDeserializationHelper.avoidUrlWrapping
to true
.
Ephemeral user record was created on some invalid authentication attempts - SECURITY-672
When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as (legacy) API tokens could exist without a persisted user record.
This behavior could be abused to create a large number of ephemeral user records in memory.
The API token validation on authentication has been improved to no longer create ephemeral user records.
Cron expression form validation could enter infinite loop, potentially resulting in denial of service - SECURITY-790
The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.
"Remember me" cookie was evaluated even if "Remember me" feature is disabled - SECURITY-996
The "Remember me" feature can be disabled in the Jenkins security configuration.
This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in.
"Remember me" cookies are no longer evaluated when the corresponding feature is disabled.
Unauthorized users could access agent logs - SECURITY-1071
Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks.
Access to the affected URL is now limited to users with the correct Agent/Connect permission.
Unauthorized users could cancel scheduled restarts initiated from the update center - SECURITY-1076
Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks.
Access to the affected URL is now limited to users with Overall/Administer permission.