CloudBees Security Advisory 2019-04-03

Jenkins Security Advisory 2019-04-03

This advisory announces vulnerabilities in Jenkins.

IRC Plugin stores credentials in plain text

SECURITY-829

IRC Plugin stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

AWS Elastic Beanstalk Publisher Plugin stores credentials in plain text

SECURITY-831

AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

HockeyApp Plugin stores credentials in plain text

SECURITY-839

HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

Jira Issue Updater Plugin stores credentials in plain text

SECURITY-837

Jira Issue Updater Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

FTP publisher Plugin stores credentials in plain text

SECURITY-954

FTP publisher Plugin stores credentials unencrypted in its global configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

WebSphere Deployer Plugin stores credentials in plain text

SECURITY-956

WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

Bitbucket Approve Plugin stores credentials in plain text

SECURITY-965

Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

CSRF vulnerability and missing permission check in FTP publisher Plugin allow connecting to arbitrary FTP servers

SECURITY-974

A missing permission check in a form validation method in FTP publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified FTP server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Official OWASP ZAP Plugin stores credentials in plain text

SECURITY-1041

Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

jenkins-cloudformation-plugin Plugin stores credentials in plain text

SECURITY-1042

jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

AWS CloudWatch Logs Publisher Plugin stores credentials in plain text

SECURITY-830

AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Amazon SNS Build Notifier Plugin stores credentials in plain text

SECURITY-832

Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

aws-device-farm Plugin stores credentials in plain text

SECURITY-835

aws-device-farm Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

CloudShare Docker-Machine Plugin stores credentials in plain text

SECURITY-838

CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Bugzilla Plugin stores credentials in plain text

SECURITY-841

Bugzilla Plugin stores credentials unencrypted in its global configuration file hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Trac Publisher Plugin stores credentials in plain text

SECURITY-842

Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

VMware vRealize Automation Plugin stores credentials in plain text

SECURITY-945

VMware vRealize Automation Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

Aqua Security Scanner Plugin stores credentials in plain text

SECURITY-949

Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

veracode-scanner Plugin stores credentials in plain text

SECURITY-952

veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

OctopusDeploy Plugin stores credentials in plain text

SECURITY-957

OctopusDeploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

WildFly Deployer Plugin stores credentials in plain text

SECURITY-961

WildFly Deployer Plugin stores deployment credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

VS Team Services Continuous Deployment Plugin stores credentials in plain text

SECURITY-962

VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

Hyper.sh Commons Plugin stores credentials in plain text

SECURITY-964

Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Audit to Database Plugin stores credentials in plain text

SECURITY-966

Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

CSRF vulnerability and missing permission check in Audit to Database Plugin allow connecting to arbitrary databases

SECURITY-977

A missing permission check in a form validation method in Audit to Database Plugin allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in VMware Lab Manager Slaves Plugin

SECURITY-979

A missing permission check in a form validation method in VMware Lab Manager Slaves Plugin allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in OpenShift Deployer Plugin

SECURITY-981

A missing permission check in a form validation method in OpenShift Deployer Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Gearman Plugin

SECURITY-991

A missing permission check in a form validation method in Gearman Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Zephyr Enterprise Test Management Plugin allow SSRF

SECURITY-993

A missing permission check in a form validation method in Zephyr Enterprise Test Management Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Chef Sinatra Plugin allow SSRF

SECURITY-1037

A missing permission check in a form validation method in Chef Sinatra Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Fabric Beta Publisher Plugin stores credentials in plain text

SECURITY-1043

Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

Upload to pgyer Plugin stores credentials in plain text

SECURITY-1044

Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

CSRF vulnerability and missing permission check in SOASTA CloudTest Plugin allow SSRF

SECURITY-1054

A missing permission check in a form validation method in SOASTA CloudTest Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Nomad Plugin allow SSRF

SECURITY-1058

A missing permission check in a form validation method in Nomad Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Open STF Plugin stores credentials in plain text

SECURITY-1059

Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Perfecto Mobile Plugin stores credentials in plain text

SECURITY-1061

Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

TestFairy Plugin stores credentials in plain text

SECURITY-1062

TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

Crowd Integration Plugin stores credentials in plain text

SECURITY-1069

Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

CSRF vulnerability and missing permission check in openid Plugin allow SSRF

SECURITY-1084

A missing permission check in a form validation method in openid Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

StarTeam Plugin stores credentials in plain text

SECURITY-1085

StarTeam Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

CSRF vulnerability and missing permission check in jenkins-reviewbot Plugin allow SSRF

SECURITY-1091

A missing permission check in a form validation method in jenkins-reviewbot Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Assembla Auth Plugin stores credentials in plain text

SECURITY-1093

Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Relution Enterprise Appstore Publisher Plugin stores credentials in plain text

SECURITY-828

Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Klaros-Testmanagement Plugin stores credentials in plain text

SECURITY-843

Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

mabl Plugin stores credentials in plain text

SECURITY-946

mabl Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

Diawi Upload Plugin stores credentials in plain text

SECURITY-947

Diawi Upload Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

Minio Storage Plugin stores credentials in plain text

SECURITY-955

Minio Storage Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

DeployHub Plugin stores credentials in plain text

SECURITY-959

DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

youtrack-plugin Plugin stored credentials in plain text

SECURITY-963

youtrack-plugin Plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins master. These credentials could be viewed by users with access to the master file system.

youtrack-plugin Plugin now stores credentials encrypted.

Jabber Server Plugin stores credentials in plain text

SECURITY-1031

Jabber Server Plugin stores credentials unencrypted in its global configuration file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

CSRF vulnerability and missing permission check in Netsparker Cloud Scan Plugin allowed SSRF

SECURITY-1032

A missing permission check in a form validation method in Netsparker Cloud Scan Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token.

Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.

The form validation method now performs a permission check for Overall/Administer and requires that requests be sent via POST.

Netsparker Cloud Scan Plugin stored credentials in plain text

SECURITY-1040

Netsparker Cloud Scan Plugin stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins master. These API tokens could be viewed by users with access to the master file system.

Netsparker Cloud Scan Plugin now stores API tokens encrypted.

CSRF vulnerability and missing permission check in Kmap Plugin allow SSRF

SECURITY-1055

A missing permission check in a form validation method in Kmap Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Kmap Plugin stores credentials in plain text

SECURITY-1056

Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

crittercism-dsym Plugin stores API key in plain text

SECURITY-1063

crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.

Serena SRA Deploy Plugin stores credentials in plain text

SECURITY-1066

Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Sametime Plugin stores credentials in plain text

SECURITY-1090

Sametime Plugin stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

Koji Plugin stores credentials in plain text

SECURITY-1092

Koji Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

CloudCoreo DeployTime Plugin stores credentials in plain text

SECURITY-960

CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
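The two defect classes above share two fixes, the ones described for youtrack-plugin (credentials now stored encrypted) and Netsparker Cloud Scan Plugin (form validation now checks Overall/Administer and requires POST). The following is an added illustration of both in a hypothetical plugin's global configuration class; it is not code from any plugin listed in this advisory. `ExampleGlobalConfiguration`, `probe` and the package name are assumptions.

```java
package org.example.jenkins.hypothetical; // hypothetical plugin, not one of the plugins above

import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {

    // "Stores credentials in plain text" pattern: a String field such as
    //     private String password;
    // is written verbatim into this class's XML file under JENKINS_HOME. A Secret field is
    // persisted encrypted with the instance key in JENKINS_HOME/secrets, so it is no longer
    // readable through Extended Read or a casual look at the file; someone with full access
    // to the master file system can still recover it, because the key lives on the same host.
    private String serverUrl;
    private String username;
    private Secret password;

    public ExampleGlobalConfiguration() {
        load(); // restore previously saved values from the XML file
    }

    public String getServerUrl() { return serverUrl; }
    public String getUsername() { return username; }
    public Secret getPassword() { return password; }

    @DataBoundSetter public void setServerUrl(String v) { serverUrl = v; save(); }
    @DataBoundSetter public void setUsername(String v) { username = v; save(); }
    @DataBoundSetter public void setPassword(Secret v) { password = v; save(); }

    // "CSRF vulnerability and missing permission check" pattern: the same method without
    // @RequirePOST and without checkPermission lets any user with Overall/Read, or a page
    // they were lured to, make the Jenkins master connect to a caller-chosen server with
    // caller-chosen credentials. Here only administrators can trigger it, and only via POST.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (serverUrl == null || serverUrl.trim().isEmpty()) {
            return FormValidation.error("Server URL is required");
        }
        try {
            int status = probe(serverUrl, username, password);
            return status < 400 ? FormValidation.ok("Connection successful (HTTP " + status + ")")
                                : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }

    // Hypothetical connection check: one authenticated GET with short timeouts.
    private static int probe(String serverUrl, String username, String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        conn.setRequestMethod("GET");
        String token = Base64.getEncoder().encodeToString(
                (username + ":" + password).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + token);
        return conn.getResponseCode();
    }
}
```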

Severity

Fix

  • Netsparker Cloud Scan Plugin should be updated to version 1.1.6

  • youtrack-plugin Plugin should be updated to version 0.7.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Amazon SNS Build Notifier Plugin

  • Aqua Security Scanner Plugin

  • Assembla Auth Plugin

  • Audit to Database Plugin

  • AWS CloudWatch Logs Publisher Plugin

  • AWS Elastic Beanstalk Publisher Plugin

  • aws-device-farm Plugin

  • Bitbucket Approve Plugin

  • Bugzilla Plugin

  • Chef Sinatra Plugin

  • CloudCoreo DeployTime Plugin

  • CloudShare Docker-Machine Plugin

  • crittercism-dsym Plugin

  • Crowd Integration Plugin

  • DeployHub Plugin

  • Diawi Upload Plugin

  • Fabric Beta Publisher Plugin

  • FTP publisher Plugin

  • Gearman Plugin

  • HockeyApp Plugin

  • Hyper.sh Commons Plugin

  • IRC Plugin

  • Jabber Server Plugin

  • jenkins-cloudformation-plugin Plugin

  • jenkins-reviewbot Plugin

  • Jira Issue Updater Plugin

  • Klaros-Testmanagement Plugin

  • Kmap Plugin

  • Koji Plugin

  • mabl Plugin

  • Minio Storage Plugin

  • Nomad Plugin

  • OctopusDeploy Plugin

  • Official OWASP ZAP Plugin

  • Open STF Plugin

  • openid Plugin

  • OpenShift Deployer Plugin

  • Perfecto Mobile Plugin

  • Relution Enterprise Appstore Publisher Plugin

  • Sametime Plugin

  • Serena SRA Deploy Plugin

  • SOASTA CloudTest Plugin

  • StarTeam Plugin

  • TestFairy Plugin

  • Trac Publisher Plugin

  • Upload to pgyer Plugin

  • veracode-scanner Plugin

  • VMware Lab Manager Slaves Plugin

  • VMware vRealize Automation Plugin

  • VS Team Services Continuous Deployment Plugin

  • WebSphere Deployer Plugin

  • WildFly Deployer Plugin

  • Zephyr Enterprise Test Management Plugin