CloudBees Security Advisory 2020-07-15

This advisory announces vulnerabilities in CloudBees Jenkins Platform and CloudBees CI.

Stored XSS in "Configure Global Security" Due to Operations Center Connection

CTR-2018

Fix stored XSS in "Configure Global Security" due to Operations Center Connection. A cross-site scripting (XSS) attack was possible in connected masters by saving a malicious Operations Center URL in the global security configuration of connected masters.

With this fix, the parameters causing the vulnerability are escaped.

Stored XSS vulnerability in Cloudbees External Notification Plugin

CTR-2099

Fix stored XSS vulnerability in Cloudbees External Notification Plugin. The Manage Notification Webhook HTTP Endpoint page was not escaping the content of the tooltip of the "Last Status" column. This vulnerability was exploitable by an attacker (no permissions required) making a request to a webhook URL; such URLs are usually stored unencrypted in third-party applications.

With this fix, the tooltip content is escaped.

SSRF in Docker Agent Template Configuration

CPLT2-6565

Fixed SSRF vulnerability in the "Docker Agent Template" Configuration

SSRF in CloudBees Jenkins Enterprise Agents Configuration

CPLT2-6564

Fixed SSRF vulnerability in "CloudBees Jenkins Enterprise Agents" Configuration

Stored XSS vulnerability in CloudBees Role-Based Access Control

CTR-1980

Fix stored XSS vulnerability in CloudBees Role-Based Access Control plugin. The text in Group descriptions and Role IDs could be used to store malicious code. This malicious code would then be run if users moused over icons to display tooltips that included the Group description or the Role ID.

With this fix, the text in both Group descriptions and Role IDs is escaped by using the configured markup formatter.

Persistent XSS vulnerability in Shortcut Master and Connected Master

CTR-1646

Fix persistent XSS vulnerability in Connected Masters. A cross-site scripting (XSS) attack was possible in connected masters by saving a malicious connected master display name in Operations Center.

With this fix, the JavaScript code was changed to prevent this vulnerability.

Reflected XSS in "Join Operations Center Cluster" Page

CTR-1983

Fix reflected XSS vulnerability in the "Join Operations Center Cluster" Page. The "Join Operations Center Cluster" page in connected masters was not escaping some parameters received by URL. This vulnerability was exploitable by an attacker (no permissions required) sharing a malicious URL with an Administer user.

With this fix, the parameters causing the vulnerability are escaped.

XSS in "Folder Plus" Leading to RCE: Remaining Tooltips

FNDJEN-2744

Folder Plus Plugin versions before 3.10 do not escape the tooltip attribute, which may allow attackers to inject malicious code.
Folder Plus Plugin 3.10 escapes the tooltip attributes to avoid this security vulnerability.

Stored XSS vulnerability in job build time trend

SECURITY-1868 / CVE-2020-2220

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name on build time trend pages. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the agent name.

Stored XSS vulnerability in upstream cause

SECURITY-1901 / CVE-2020-2221

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job’s display name shown as part of a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the job display name.

Stored XSS vulnerability in 'keep forever' badge icons

SECURITY-1902 / CVE-2020-2222

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names.

As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations.

Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.

Stored XSS vulnerability in downstream job links in the build console page

SECURITY-1945 / CVE-2020-2223

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the href attribute of these links.

Stored XSS vulnerability in single axis builds tooltips in Matrix Project Plugin

SECURITY-1924 / CVE-2020-2224

Matrix Project Plugin 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.

Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.

Stored XSS vulnerability in multiple axis builds tooltips in Matrix Project Plugin

SECURITY-1925 / CVE-2020-2225

Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Matrix Project Plugin 1.17 escapes the axis names shown in these tooltips.

Stored XSS vulnerability in Matrix Authorization Strategy Plugin

SECURITY-1909 / CVE-2020-2226

Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting (XSS) vulnerability. When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission, otherwise by users with Overall/Administer permission.

Matrix Authorization Strategy Plugin 2.6.2 escapes user names in the permission table.

Stored XSS vulnerability in Deployer Framework Plugin

SECURITY-1915 / CVE-2020-2227

Deployer Framework Plugin is a framework plugin allowing other plugins to provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to provide the location.

The exploitability of this vulnerability depends on the specific implementation using Deployer Framework Plugin. The Jenkins security team is not aware of any exploitable implementation.

CloudBees Amazon Web Services Deploy Engine Plugin is unaffected by this vulnerability.

Deployer Framework Plugin 1.3 escapes the URL.
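The stored XSS entries above share one pattern: a name that a user with some configure permission controls (agent name, job name, axis name, role ID, group description, upstream display name, user name, deploy URL) is interpolated into a tooltip, badge title, link or table cell without escaping. The following Python example is added here for illustration and is not code from Jenkins, CloudBees or any of the plugins named; the agent name, the table-cell markup and the function names are constructed. It renders a tooltip attribute the pre-fix way and the escaped way, uses Python's own HTML parser to show which attributes a browser would actually see in each case, and includes a small audit helper a defender can run over existing agent, job, axis or role names on an instance that has not been upgraded yet.

```python
import html
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Optional

# Constructed sample only: an agent name of the shape a user with
# Agent/Configure permission could set; not taken from any real instance.
UNTRUSTED_AGENT_NAME = 'build-7" onmouseover="alert(1)'

# Characters that let a value break out of an HTML attribute or text node.
RISKY_CHARS = set('<>"\'&')


def render_tooltip_vulnerable(agent_name: str) -> str:
    """Pre-fix pattern (hypothetical markup): the raw value is interpolated
    into a title attribute and into the cell text without escaping."""
    return f'<td class="agent" title="{agent_name}">{agent_name}</td>'


def render_tooltip_escaped(agent_name: str) -> str:
    """Post-fix pattern: HTML-escape the value, quotes included, so it can
    only ever be attribute content or text, never new markup."""
    safe = html.escape(agent_name, quote=True)
    return f'<td class="agent" title="{safe}">{safe}</td>'


class _TdAttributes(HTMLParser):
    """Collects the attributes of the first <td> tag, decoding entity
    references the way a browser would, so the result reflects what the
    browser's DOM would contain."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Optional[Dict[str, Optional[str]]] = None

    def handle_starttag(self, tag, attrs):
        if tag == "td" and self.attrs is None:
            self.attrs = dict(attrs)


def parsed_attributes(fragment: str) -> Dict[str, Optional[str]]:
    """Return {attribute_name: value} as parsed from the rendered fragment."""
    parser = _TdAttributes()
    parser.feed(fragment)
    parser.close()
    return parser.attrs or {}


def find_risky_names(names: Iterable[str]) -> List[str]:
    """Audit helper: return names containing characters that only matter if
    a view forgets to escape them. Review these before relying on a not yet
    upgraded instance, and expect the escaped rendering to neutralise them."""
    return [n for n in names if RISKY_CHARS & set(n)]


if __name__ == "__main__":
    for label, render in (("vulnerable", render_tooltip_vulnerable),
                          ("escaped", render_tooltip_escaped)):
        fragment = render(UNTRUSTED_AGENT_NAME)
        print(f"{label}: {fragment}")
        print(f"  attributes the parser sees: {parsed_attributes(fragment)}")
    print("risky names:", find_risky_names(["linux-1", UNTRUSTED_AGENT_NAME]))
```

In the vulnerable rendering the parser reports an extra onmouseover attribute, which is the injected event handler; in the escaped rendering the same characters survive only as the value of title, which is exactly what the fixes described above achieve by escaping the interpolated text or attribute.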

Improper authorization of users and groups with the same base name in Gitlab Authentication Plugin

SECURITY-1792 / CVE-2020-2228

Gitlab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group.

Gitlab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.
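The authorization flaw described above comes down to matching grants by bare string instead of by typed principal. The following Python sketch is added for illustration and is not the plugin's code; the ACL, the names 'alice', 'mallory' and 'platform/ci', and the function names are constructed. It contrasts a lookup that treats every name the identity provider reports (user name or group path) the same way with one that keeps the principal type in the key, so that a grant to a user can only be matched by that user.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Principal:
    """A typed security identifier: kind says whether name refers to a user
    account or a (possibly hierarchical) group path."""
    kind: str   # "user" or "group"
    name: str


# Constructed grants: the user 'alice' administers; members of the GitLab
# group path 'platform/ci' may build jobs. None of these are real accounts.
ACL_BY_BARE_NAME: Dict[str, Set[str]] = {
    "alice": {"Overall/Administer"},
    "platform/ci": {"Job/Build"},
}
ACL_TYPED: Dict[Principal, Set[str]] = {
    Principal("user", "alice"): {"Overall/Administer"},
    Principal("group", "platform/ci"): {"Job/Build"},
}


def permissions_by_bare_name(user: str, groups: Iterable[str]) -> Set[str]:
    """Pre-fix style lookup: every name the identity provider reports, user
    name and group path alike, is matched against grants by string only."""
    perms: Set[str] = set()
    for name in [user, *groups]:
        perms |= ACL_BY_BARE_NAME.get(name, set())
    return perms


def permissions_typed(user: str, groups: Iterable[str]) -> Set[str]:
    """Hardened lookup: a grant to a user is matched only by the user of that
    name, and a grant to a group only by membership in that group."""
    perms: Set[str] = set(ACL_TYPED.get(Principal("user", user), set()))
    for group in groups:
        perms |= ACL_TYPED.get(Principal("group", group), set())
    return perms


if __name__ == "__main__":
    # The situation the advisory describes: a group whose path equals another
    # user's name exists, and a different user is a member of it.
    print("bare-name lookup:", permissions_by_bare_name("mallory", ["alice"]))
    print("typed lookup:    ", permissions_typed("mallory", ["alice"]))
    print("legitimate admin:", permissions_typed("alice", ["platform/ci"]))
```

With the bare-name lookup the group named 'alice' inherits the user 'alice''s Overall/Administer grant; with the typed lookup it inherits nothing, while the real 'alice' still receives both her own grant and the one for the group she belongs to. Checking user names and group names through their own APIs, as the 1.6 fix does, is what makes that typed distinction possible.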

Severity


Fix

  • CloudBees Traditional Platforms should be upgraded to 2.235.2.3

  • CloudBees Cloud Platforms should be upgraded to 2.235.2.3

  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.235.2.3

  • CloudBees Jenkins Platform (rolling train; CJP Operations Center and CJP Client Master, 2.x.y.z) should be upgraded to version 2.235.2.3

  • CloudBees Jenkins Platform (fixed train; CJP Operations Center and CJP Client Master, 2.190.x.0.z) should be upgraded to version 2.222.40.0.2 or 2.190.32.0.1