Jenkins Security Advisory 2017-04-03
This advisory announces vulnerabilities in Jenkins.
IRC Plugin stores credentials in plain text
SECURITY-829
IRC Plugin stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
AWS Elastic Beanstalk Publisher Plugin stores credentials in plain text
SECURITY-831
AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
HockeyApp Plugin stores credentials in plain text
SECURITY-839
HockeyApp Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
Jira Issue Updater Plugin stores credentials in plain text
SECURITY-837
Jira Issue Updater Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
FTP publisher Plugin stores credentials in plain text
SECURITY-954
FTP publisher Plugin stores credentials unencrypted in its global configuration file com.zanox.hudson.plugins.FTPPublisher.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
WebSphere Deployer Plugin stores credentials in plain text
SECURITY-956
WebSphere Deployer Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
Bitbucket Approve Plugin stores credentials in plain text
SECURITY-965
Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CSRF vulnerability and missing permission check in FTP publisher Plugin allow connecting to arbitrary FTP servers
SECURITY-974
A missing permission check in a form validation method in FTP publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified FTP server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
Official OWASP ZAP Plugin stores credentials in plain text
SECURITY-1041
Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
jenkins-cloudformation-plugin Plugin stores credentials in plain text
SECURITY-1042
jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
AWS CloudWatch Logs Publisher Plugin stores credentials in plain text
SECURITY-830
AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Amazon SNS Build Notifier Plugin stores credentials in plain text
SECURITY-832
Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
aws-device-farm Plugin stores credentials in plain text
SECURITY-835
aws-device-farm Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CloudShare Docker-Machine Plugin stores credentials in plain text
SECURITY-838
CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Bugzilla Plugin stores credentials in plain text
SECURITY-841
Bugzilla Plugin stores credentials unencrypted in its global configuration file hudson.plugins.bugzilla.BugzillaProjectProperty.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Trac Publisher Plugin stores credentials in plain text
SECURITY-842
Trac Publisher Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
VMware vRealize Automation Plugin stores credentials in plain text
SECURITY-945
VMware vRealize Automation Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
Aqua Security Scanner Plugin stores credentials in plain text
SECURITY-949
Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
veracode-scanner Plugin stores credentials in plain text
SECURITY-952
veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
OctopusDeploy Plugin stores credentials in plain text
SECURITY-957
OctopusDeploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
WildFly Deployer Plugin stores credentials in plain text
SECURITY-961
WildFly Deployer Plugin stores deployment credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
VS Team Services Continuous Deployment Plugin stores credentials in plain text
SECURITY-962
VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
Hyper.sh Commons Plugin stores credentials in plain text
SECURITY-964
Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file sh.hyper.plugins.hypercommons.Tools.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Audit to Database Plugin stores credentials in plain text
SECURITY-966
Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CSRF vulnerability and missing permission check in Audit to Database Plugin allow connecting to arbitrary databases
SECURITY-977
A missing permission check in a form validation method in Audit to Database Plugin allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CSRF vulnerability and missing permission check in VMware Lab Manager Slaves Plugin
SECURITY-979
A missing permission check in a form validation method in VMware Lab Manager Slaves Plugin allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CSRF vulnerability and missing permission check in OpenShift Deployer Plugin
SECURITY-981
A missing permission check in a form validation method in OpenShift Deployer Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CSRF vulnerability and missing permission check in Gearman Plugin
SECURITY-991
A missing permission check in a form validation method in Gearman Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CSRF vulnerability and missing permission check in Zephyr Enterprise Test Management Plugin allow SSRF
SECURITY-993
A missing permission check in a form validation method in Zephyr Enterprise Test Management Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CSRF vulnerability and missing permission check in Chef Sinatra Plugin allow SSRF
SECURITY-1037
A missing permission check in a form validation method in Chef Sinatra Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
Fabric Beta Publisher Plugin stores credentials in plain text
SECURITY-1043
Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
Upload to pgyer Plugin stores credentials in plain text
SECURITY-1044
Upload to pgyer Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CSRF vulnerability and missing permission check in SOASTA CloudTest Plugin allow SSRF
SECURITY-1054
A missing permission check in a form validation method in SOASTA CloudTest Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CSRF vulnerability and missing permission check in Nomad Plugin allow SSRF
SECURITY-1058
A missing permission check in a form validation method in Nomad Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
Open STF Plugin stores credentials in plain text
SECURITY-1059
Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Perfecto Mobile Plugin stores credentials in plain text
SECURITY-1061
Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
TestFairy Plugin stores credentials in plain text
SECURITY-1062
TestFairy Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
Crowd Integration Plugin stores credentials in plain text
SECURITY-1069
Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CSRF vulnerability and missing permission check in openid Plugin allow SSRF
SECURITY-1084
A missing permission check in a form validation method in openid Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
StarTeam Plugin stores credentials in plain text
SECURITY-1085
StarTeam Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CSRF vulnerability and missing permission check in jenkins-reviewbot Plugin allow SSRF
SECURITY-1091
A missing permission check in a form validation method in jenkins-reviewbot Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
Assembla Auth Plugin stores credentials in plain text
SECURITY-1093
Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Relution Enterprise Appstore Publisher Plugin stores credentials in plain text
SECURITY-828
Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Klaros-Testmanagement Plugin stores credentials in plain text
SECURITY-843
Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
mabl Plugin stores credentials in plain text
SECURITY-946
mabl Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
Diawi Upload Plugin stores credentials in plain text
SECURITY-947
Diawi Upload Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
Minio Storage Plugin stores credentials in plain text
SECURITY-955
Minio Storage Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
DeployHub Plugin stores credentials in plain text
SECURITY-959
DeployHub Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
youtrack-plugin Plugin stored credentials in plain text
SECURITY-963
youtrack-plugin Plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml
on the Jenkins master. These credentials could be viewed by users with access to the master file system.
youtrack-plugin Plugin now stores credentials encrypted.
Jabber Server Plugin stores credentials in plain text
SECURITY-1031
Jabber Server Plugin stores credentials unencrypted in its global configuration file de.e_nexus.jabber.JabberBuilder.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CSRF vulnerability and missing permission check in Netsparker Cloud Scan Plugin allowed SSRF
SECURITY-1032
A missing permission check in a form validation method in Netsparker Cloud Scan Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token.
Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.
The form validation method now performs a permission check for Overall/Administer and requires that requests be sent via POST.
Netsparker Cloud Scan Plugin stored credentials in plain text
SECURITY-1040
Netsparker Cloud Scan Plugin stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml
on the Jenkins master. These API tokens could be viewed by users with access to the master file system.
Netsparker Cloud Scan Plugin now stores API tokens encrypted.
CSRF vulnerability and missing permission check in Kmap Plugin allow SSRF
SECURITY-1055
A missing permission check in a form validation method in Kmap Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
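Every "CSRF vulnerability and missing permission check" entry in this advisory has the same shape: a descriptor method named doSomething that Stapler exposes as a URL (for a build step, /descriptorByName/<describable class name>/something), reachable over GET as well as POST, with no permission check before it opens the outbound connection. The following is an added example and is not code from any plugin named in this advisory; the ExampleDeployer class, its serverUrl and apiToken parameters and its display name are hypothetical. It shows the unguarded method, as the affected plugins had it, beside the guarded form (@RequirePOST plus a permission check) that the Jenkins plugin API provides, which is also the fix the Netsparker Cloud Scan entry above describes.

```java
// Added example (hypothetical ExampleDeployer; not from any plugin in this advisory).
package org.example.jenkins;

import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Notifier;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleDeployer extends Notifier {
    private final String serverUrl;
    private final Secret apiToken;

    @DataBoundConstructor
    public ExampleDeployer(String serverUrl, Secret apiToken) {
        this.serverUrl = serverUrl;
        this.apiToken = apiToken;
    }

    public String getServerUrl() { return serverUrl; }
    public Secret getApiToken() { return apiToken; }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        return true; // the deployment itself is out of scope for this example
    }

    @Override
    public BuildStepMonitor getRequiredMonitorService() { return BuildStepMonitor.NONE; }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {

        /* BEFORE (the defect the entries above describe). Stapler maps this method to
         *   /descriptorByName/org.example.jenkins.ExampleDeployer/testConnection?serverUrl=...&apiToken=...
         * and serves it for GET as well as POST, with no permission check:
         *
         *   public FormValidation doTestConnection(@QueryParameter String serverUrl,
         *                                          @QueryParameter String apiToken) {
         *       return probe(serverUrl, apiToken);
         *   }
         *
         * Any user with Overall/Read can call it directly, making the master connect to a
         * host of their choosing and present a token they supply (SSRF). Because GET is
         * accepted, a page visited by a logged-in user can trigger the same request
         * without that user's intent (CSRF). */

        /* AFTER. @RequirePOST makes Stapler reject non-POST requests, which closes the
         * CSRF route. The permission check limits the connection test to users who could
         * already configure what is being tested: Item/Configure when the form belongs to
         * a job, Overall/Administer when there is no ancestor Item (the global
         * configuration page). */
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl,
                                               @QueryParameter Secret apiToken) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER); // Jenkins.getInstance() on cores before 2.98
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(serverUrl, apiToken.getPlainText());
        }

        private static FormValidation probe(String serverUrl, String token) {
            try {
                HttpURLConnection c = (HttpURLConnection) new URL(serverUrl).openConnection();
                c.setConnectTimeout(5000);
                c.setReadTimeout(5000);
                c.setRequestProperty("Authorization", "Bearer " + token);
                int status = c.getResponseCode();
                return status == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + status);
            } catch (IOException e) {
                return FormValidation.error(e, "Connection failed"); // never echo the token back
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

        @Override
        public String getDisplayName() { return "Example deployer (added example)"; }
    }
}
```

The two checks are independent and both are needed: a permission check alone still lets an authenticated administrator be driven by a cross-site GET, and @RequirePOST alone still lets every Overall/Read user make the master connect wherever they like.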
Kmap Plugin stores credentials in plain text
SECURITY-1056
Kmap Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
crittercism-dsym Plugin stores API key in plain text
SECURITY-1063
crittercism-dsym Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
Serena SRA Deploy Plugin stores credentials in plain text
SECURITY-1066
Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Sametime Plugin stores credentials in plain text
SECURITY-1090
Sametime Plugin stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
Koji Plugin stores credentials in plain text
SECURITY-1092
Koji Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CloudCoreo DeployTime Plugin stores credentials in plain text
SECURITY-960
CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml
on the Jenkins master. These credentials can be viewed by users with access to the master file system.
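Every "stores credentials in plain text" entry in this advisory is the same defect: the plugin keeps a password or token in a plain String field, and Jenkins' XStream persistence writes that field verbatim into the job config.xml or into the descriptor's global file, which lives under JENKINS_HOME and is named after the describable class (this is why the files listed above carry plugin class names such as hudson.plugins.ircbot.IrcPublisher.xml). The following is an added example and is not code from any plugin named in this advisory; the ExampleNotifier class, its apiToken and defaultApiToken fields and its display name are hypothetical. It shows the plain-String field beside the hudson.util.Secret field that the Jenkins plugin API provides for exactly this purpose, for both a job-level field and a global-configuration field.

```java
// Added example (hypothetical ExampleNotifier; not from any plugin in this advisory).
package org.example.jenkins;

import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Notifier;
import hudson.tasks.Publisher;
import hudson.util.Secret;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.StaplerRequest;

public class ExampleNotifier extends Notifier {

    /* BEFORE (the defect the entries above describe):
     *
     *     private final String apiToken;
     *
     * XStream serialises the field as-is, so the job's config.xml contains
     *     <apiToken>s3cret-token</apiToken>
     * and anyone who can read that file (Job/ExtendedRead over HTTP, or a shell on
     * the master) has the token. */

    /* AFTER: hudson.util.Secret. XStream goes through Secret's converter, so the file
     * holds a ciphertext of the form
     *     <apiToken>{...base64 ciphertext...}</apiToken>
     * encrypted with a key kept under $JENKINS_HOME/secrets/. Recovering the token needs
     * that key, which an Extended Read user does not have. A config.xml written by the
     * old String field still loads: Secret.fromString() accepts plain text, and the value
     * is written back encrypted the next time the job is saved. */
    private final Secret apiToken;

    @DataBoundConstructor
    public ExampleNotifier(Secret apiToken) {
        this.apiToken = apiToken;
    }

    /** Handed to the config form (Jelly f:password) as ciphertext, never as plain text. */
    public Secret getApiToken() {
        return apiToken;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        // Decrypt only at the point of use, and never write the result to the build log.
        String token = apiToken.getPlainText();
        listener.getLogger().println("Notifying with a token of length " + token.length());
        // ... use 'token' for the outbound request ...
        return true;
    }

    @Override
    public BuildStepMonitor getRequiredMonitorService() {
        return BuildStepMonitor.NONE;
    }

    /* The descriptor's global configuration is persisted to
     * $JENKINS_HOME/org.example.jenkins.ExampleNotifier.xml, the same kind of file the
     * advisory lists for its "global configuration file" entries. A Secret field is
     * protected there in exactly the same way as in a job config.xml. */
    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        private Secret defaultApiToken;

        public DescriptorImpl() {
            load(); // reads the global XML file; the Secret is decrypted in memory only
        }

        @Override
        public boolean configure(StaplerRequest req, JSONObject json) {
            defaultApiToken = Secret.fromString(json.getString("defaultApiToken"));
            save(); // writes the global XML file with the encrypted value
            return true;
        }

        public Secret getDefaultApiToken() {
            return defaultApiToken;
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example notifier (added example)";
        }
    }
}
```

Two practical checks follow from this. For a plugin author, every field that holds a password, token or key should be of type Secret (or use the Credentials plugin) and its Jelly form field should be f:password, so the plain value never appears in the rendered configuration page either. For an administrator, a grep of config.xml files under JENKINS_HOME for password- or token-like element names whose values are not of the braced {...} ciphertext form is a quick way to find plugins that are still storing secrets in plain text.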