This advisory announces multiple vulnerabilities in Jenkins.
Project name disclosure via fingerprints
SECURITY-153 / CVE-2015-5317
The Jenkins UI allowed users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages if those shared file fingerprints with fingerprinted files in accessible jobs.
Public value used for CSRF protection salt
SECURITY-169 / CVE-2015-5318
The salt used to generate the CSRF protection tokens was a publicly accessible value, allowing malicious users to circumvent CSRF protection by generating the correct token.
XXE injection into job configurations via CLI
SECURITY-173 / CVE-2015-5319
When creating a job using the create-job CLI command, external entities are not discarded (nor processed). If these job configurations are processed by another user with an XML-aware tool (e.g. using get-job/update-job), information from that user's computer may be disclosed to Jenkins and the attacker.
Secret key not verified when connecting a slave
SECURITY-184 / CVE-2015-5320
JNLP slave connections did not verify that the correct secret was supplied, which allowed malicious users to connect their own machines as slaves to Jenkins knowing only the name of the slave. This enables attackers to take over Jenkins (unless the slave-to-master security subsystem is enabled) or gain access to private data like keys and source code.
Queue API did show items not visible to the current user
SECURITY-186 / CVE-2015-5324
The /queue/api URL could return information about items not accessible to the current user (such as parameter names and values, build names, project descriptions, …).
Information disclosure via sidepanel
SECURITY-192 / CVE-2015-5321
The CLI command overview and help pages in Jenkins were accessible without Overall/Read permission, resulting in disclosure of the names of configured slaves (and contents of other sidepanel widgets, if present) to unauthorized users.
Local file inclusion vulnerability
SECURITY-195 / CVE-2015-5322
Access to the /jnlpJars/ URL was not limited to the specific JAR files users needed to access, allowing browsing directories and downloading other files in the Jenkins servlet resources, such as web.xml.
API tokens of other users available to admins
SECURITY-200 / CVE-2015-5323
API tokens of other users were exposed to admins by default. On instances that don't implicitly grant RunScripts permission to admins, this allowed admins to run scripts with another user's credentials.
JNLP slaves not subject to slave-to-master access control
SECURITY-206 / CVE-2015-5325
Slaves connecting via JNLP were not subject to the optional slave-to-master access control documented at http://jenkins-ci.org/security-144 (CVE-2014-3665).
Stored XSS vulnerability in slave offline status message
SECURITY-214 / CVE-2015-5326
Users with the permission to take slave nodes offline can enter arbitrary HTML that gets shown unescaped to users visiting the slave overview page.
Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting
SECURITY-218 / CVE-2015-8103
Unsafe deserialization allows unauthenticated remote attackers to run arbitrary code on the Jenkins master.
SECURITY-153 is considered low as users have no control over which information they see, and the kind of information revealed is very limited.
SECURITY-169 is considered critical as it allows attackers to circumvent CSRF protection.
SECURITY-173 is considered low due to the high degree of specific user interaction required, and the limited information that can be gained this way.
SECURITY-184 is considered critical: It enables several different attacks, compromising integrity, stability and confidentiality.
SECURITY-186 is considered medium: Low privileged users can gain some limited information about items they should not have access to.
SECURITY-192 is considered medium: While the amount of information disclosed is very limited, it is trivial to exploit.
SECURITY-195 is considered low: The information gained is very limited, and it requires a specific setup to gain any non-public information this way.
SECURITY-200 is considered medium: In very specific circumstances, it allows admins to gain permissions they would not otherwise have.
SECURITY-206 is considered high as it allows to circumvent the major protection against less trusted node admins.
SECURITY-214 is considered medium as allows admins and users with significant privileges to circumvent XSS protection.
SECURITY-218 is considered critical as it allows unauthenticated remote attackers to run arbitrary code on Jenkins.
The following versions incorporate fixes to these vulnerabilities:
CloudBees Jenkins Operations Center 1.609.14.1
CloudBees Jenkins Operations Center 1.580.14.1
CloudBees Jenkins Enterprise 1.609.14.1
CloudBees Jenkins Enterprise 1.580.14.1
Jenkins LTS 1.625.2
Jenkins mainline 1.638
DEV@cloud is already protected
These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.