XXE vulnerability in CVS Plugin
SECURITY-2146 / CVE-2020-2324
CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVS Plugin 2.17 disables external entity resolution for its XML parser.
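As an added illustration of the fix described above (example code, not the CVS Plugin's own), the following shows a JAXP DocumentBuilderFactory hardened against XXE and applied to a constructed changelog that references an external entity; the class name, the sample changelog and the feature URIs (assumed to be those of the JDK's built-in Xerces parser) are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedChangelogParser {
    // Constructed changelog: its DOCTYPE declares an external entity and the
    // <msg> element references it. With JAXP defaults the parser would try to
    // fetch the URI and splice the result into the message text.
    static final String CHANGELOG =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE changelog [<!ENTITY ext SYSTEM \"file:///nonexistent/example\">]>\n"
      + "<changelog><entry><msg>&ext;</msg></entry></changelog>";

    // Vulnerable shape: a factory left at its defaults, i.e. not configured to prevent XXE.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened shape: reject DOCTYPE declarations outright and, as defence in
    // depth, close every other route by which external content could be loaded.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the first <msg> text, or null if the parser refused the document.
    static String firstMessage(DocumentBuilder db, String xml) throws Exception {
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getElementsByTagName("msg").item(0).getTextContent();
        } catch (SAXParseException e) {
            return null; // hardened parser stops at the DOCTYPE, before any fetch
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened -> " + firstMessage(hardenedParser(), CHANGELOG));
    }
}
```

The hardened parser rejects the document at the DOCTYPE, so the entity target is never contacted; the default-configured parser would attempt to read it.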
Plugin Installation Manager Tool did not verify plugin downloads
SECURITY-1856 / CVE-2020-2320
Plugin Installation Manager Tool is part of the Jenkins project Docker images. As jenkins-plugin-cli it is used to download and install plugins even before Jenkins is running.
Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. This may allow third parties such as mirror operators to provide crafted plugin downloads.
Plugin Installation Manager Tool 2.2.0 confirms that the actual checksums of downloaded plugins match the expected checksums.
Docker images of Jenkins 2.269 and 2.263.1 contain Plugin Installation Manager Tool 2.2.0. Users of older Docker images can change the version they use by extending the Jenkins image and updating the tool themselves with:
ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
RUN curl -fsSL ${PLUGIN_CLI_URL} -o /usr/lib/jenkins-plugin-manager.jar
Jenkinsfile Runner 1.0-beta-22 Docker images also include Plugin Installation Manager Tool 2.2.0.
CSRF vulnerability in Shelve Project Plugin
SECURITY-2108 / CVE-2020-2321
Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to shelve, unshelve, or delete a project.
Shelve Project Plugin 3.1 requires POST requests for the affected HTTP endpoints.
Missing permission checks in Chaos Monkey Plugin
SECURITY-2109 (1) / CVE-2020-2322
Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to generate load and to generate memory leaks.
Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and to generate memory leaks.
Missing permission checks in Chaos Monkey Plugin
SECURITY-2109 (2) / CVE-2020-2323
Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint.
This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.
Chaos Monkey Plugin 0.4.1 requires Overall/Administer permission to access the Chaos Monkey page and to see the history of actions.