CloudBees Security Advisory 2020-08-12
This advisory announces vulnerabilities in CloudBees Jenkins Platform, CloudBees CI and Jenkins.
Concurrency Issue in "CloudBees Groovy View Plugin" Leading to RCE
Users with View/Create and View/Configure permissions were able to execute any Groovy code on the Jenkins instance, leveraging a concurrency issue in Groovy Views.
The concurrency issue is fixed, removing the RCE vulnerability.
Lack of Access Control in "CloudBees Git Validated Merge Plugin" => Credentials ID Listing
Git Validated Merge Plugin was not checking any permission when populating the Credentials field in the job configuration.
Git Validated Merge Plugin now checks the required permission.
Backup jobs can be executed by any user
With this fix, only admin users can execute a backup of the instance configuration.
Plain Text Storage / Display of Secret in "External Notification Plugin"
External Notification plugin was storing some secrets in plain text.
The DockerHub and BitBucket Cloud secret parameters are now stored encrypted instead of using plain text.
XXE Vulnerability in Oc-Context Move/Copy/Promote
Move/Copy/Promote operations were vulnerable to XML External Entity (XXE) attack if any of the XML files involved contained malicious content.
With this fix, malicious files are rejected by the XML parser and the Move/Copy/Promote operation is stopped.
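As an added illustration (not CloudBees code) of the kind of fix described above, a JAXP DocumentBuilderFactory configured so that any document carrying a DOCTYPE, and with it any external entity declaration, is rejected before a Move/Copy/Promote operation would proceed; the class name and the sample documents are constructed for this example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical helper (not CloudBees code) showing an XXE-hardened JAXP parser.
public final class HardenedXmlParser {

    // Builds a DocumentBuilder that refuses DOCTYPEs and never resolves external entities
    // or external DTDs, so an XML External Entity payload is rejected instead of processed.
    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright is the strongest setting: no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still tolerate a DOCTYPE: no external entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses an item's config XML with the hardened builder; any parser error means the
    // file is rejected and the caller must stop the operation.
    public static boolean isAccepted(String xml) {
        try {
            newBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample documents: a plain job config and one that declares an entity.
        String plain = "<project><description>nightly build</description></project>";
        String withDoctype = "<!DOCTYPE project [<!ENTITY e \"x\">]><project>&e;</project>";
        System.out.println("plain accepted:   " + isAccepted(plain));
        System.out.println("doctype accepted: " + isAccepted(withDoctype));
    }
}
```

The second document is rejected with a SAXParseException as soon as the DOCTYPE is seen, before any entity is resolved.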
Groovy remote code execution (RCE) vulnerability in CloudBees Groovy View Plugin
The CloudBees Groovy View sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements.
This affected an HTTP endpoint used to validate a user-submitted Groovy script and allowed users to bypass the sandbox protection and execute arbitrary code on the Jenkins master.
The affected HTTP endpoint now applies a safe Groovy compiler configuration prohibiting unsafe AST transforming annotations.
Privilege escalation with CloudBees Backup plugin
With this fix, backup jobs with a restore build step can be built only if created and saved by administrators.
Stored XSS vulnerability in help icons
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values.
This results in a stored cross-site scripting (XSS) vulnerability.
Jenkins LTS 2.235.4 escapes the tooltip content of help icons.
Stored XSS vulnerability in project naming strategy
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the project naming strategy description that is displayed on item creation.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.
Stored XSS vulnerability in 'Trigger builds remotely'
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the remote address of the host starting a build via 'Trigger builds remotely'.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.
Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.
SMTP password transmitted and displayed in plain text by email-ext
email-ext stores an SMTP password in its global configuration file `hudson.plugins.emailext.ExtendedEmailPublisher.xml` on the Jenkins master as part of its configuration.
While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration form by email-ext 2.72 and 2.73.
This can result in exposure of the password.
email-ext 2.74 transmits the SMTP password in its global configuration encrypted and masks it using a password field.
This vulnerability does not affect CloudBees products using the version of Email Extension Plugin offered by CAP.
Missing permission check in pipeline-maven allows enumerating credentials IDs
pipeline-maven 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
Enumerating credentials IDs in pipeline-maven 3.8.3 requires the appropriate permissions.
CSRF vulnerability and missing permission check in pipeline-maven allow capturing credentials
pipeline-maven 3.8.2 and earlier does not perform a permission check in a method implementing form validation.
This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
pipeline-maven 3.8.3 requires POST requests and Job/Configure permission for the affected form validation method.
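The two pipeline-maven items above and the Git Validated Merge item share one root cause: Stapler-bound form helpers that ran without a permission check (and, for the validation method, without requiring POST). As an added example, not code from either plugin, a hypothetical Jenkins descriptor whose credentials dropdown and JDBC validation method apply the checks the fixes describe; the class and method names are assumptions, while the Jenkins, Stapler and Credentials Plugin APIs used are the standard ones.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor (not pipeline-maven's or Git Validated Merge's own code). Stapler
// exposes doFill*Items and doCheck*/doValidate* methods as HTTP endpoints behind the config form.
public class JdbcConnectionDescriptor {
  // Fills the Credentials dropdown. Without the permission gate any Overall/Read user could
  // enumerate every credentials ID, which is the listing problem described above.
  public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                               @QueryParameter String credentialsId) {
    StandardListBoxModel result = new StandardListBoxModel();
    boolean allowed = item == null
        ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
        : item.hasPermission(Item.EXTENDED_READ) || item.hasPermission(CredentialsProvider.USE_ITEM);
    if (!allowed) {
      // Keep the form rendering, but reveal nothing beyond the value already saved.
      return result.includeCurrentValue(credentialsId);
    }
    return result.includeEmptyValue()
        .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class)
        .includeCurrentValue(credentialsId);
  }

  // Validates a JDBC URL with a credentials ID. @RequirePOST closes the CSRF vector; the
  // permission check stops a read-only user from making Jenkins connect out with stored credentials.
  @RequirePOST
  public FormValidation doValidateJdbcConnection(@AncestorInPath Item item,
                                                 @QueryParameter String jdbcUrl,
                                                 @QueryParameter String credentialsId) {
    if (item == null) {
      Jenkins.get().checkPermission(Jenkins.ADMINISTER);
    } else {
      item.checkPermission(Item.CONFIGURE);
    }
    if (jdbcUrl == null || !jdbcUrl.startsWith("jdbc:")) {
      return FormValidation.error("JDBC URL must start with jdbc:");
    }
    // Only after both checks would a real implementation resolve credentialsId and connect.
    return FormValidation.ok();
  }
}
```

A GET to the validation endpoint is refused by @RequirePOST before the method body runs, and a caller without Job/Configure receives an access-denied response instead of triggering an outbound connection.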
Stored XSS vulnerability in yet-another-build-visualizer
yet-another-build-visualizer 1.11 and earlier does not escape tooltip content.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.
yet-another-build-visualizer 1.12 escapes tooltip content.
CSRF vulnerability in flaky-test-handler
flaky-test-handler 1.0.4 and earlier does not require POST requests for the "Deflake this build" feature, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to rebuild a project at a previous git revision where the tests were failing.
As of publication of this advisory, there is no fix.