Jenkins Security Advisory 2020-12-03

This advisory announces vulnerabilities in the following Jenkins plugins and tools: CVS Plugin, Plugin Installation Manager Tool, Shelve Project Plugin and Chaos Monkey Plugin.

XXE vulnerability in CVS Plugin 

SECURITY-2146 / CVE-2020-2324

CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

The changelog is produced on the agent and parsed on the controller, so an attacker able to control an agent process can have the controller parse a crafted changelog file whose external entities extract secrets from the controller's file system or perform server-side request forgery.

CVS Plugin 2.17 disables external entity resolution for its XML parser.
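The following is an added example (not CVS Plugin code) that shows the difference between a default JDK XML parser and a hardened one when fed a changelog an agent could craft. The changelog element names and the secret file are constructed stand-ins. The hardened configuration goes further than the "disables external entity resolution" fix described above: it rejects any DOCTYPE outright, which also removes parameter-entity and entity-expansion tricks, and a changelog never legitimately needs a DTD.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class ChangelogXxeDemo {

    // Default JDK configuration: DOCTYPE accepted, external entities resolved.
    // This is the shape of the problem in CVS Plugin 2.16 and earlier.
    static DocumentBuilder permissiveParser() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: no DOCTYPE, no external general or parameter
    // entities, no external DTD fetch, no XInclude, no entity expansion.
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Pull the first commit message out of a changelog. The element names are a
    // simplified stand-in for the plugin's real changelog format (assumption).
    static String firstMessage(DocumentBuilder parser, String changelogXml) throws Exception {
        Document doc = parser.parse(new InputSource(new StringReader(changelogXml)));
        return doc.getElementsByTagName("msg").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file on the controller that agents must never see.
        File secret = File.createTempFile("controller-secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "credentials-material".getBytes(StandardCharsets.UTF_8));

        // Changelog as a malicious agent would hand it to the controller (constructed).
        String changelog = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE changelog [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>\n"
                + "<changelog><entry><msg>&xxe;</msg></entry></changelog>";

        // The permissive parser hands the file contents back as the commit message.
        System.out.println("permissive parser returned: " + firstMessage(permissiveParser(), changelog));

        // The hardened parser refuses the document at the DOCTYPE, before any entity is touched.
        try {
            firstMessage(hardenedParser(), changelog);
            System.out.println("hardened parser: unexpectedly accepted the document");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain JDK 11 or later; no Jenkins dependencies are needed. The same feature names apply to SAXParserFactory and XMLInputFactory-based parsers, which is where a plugin that streams large changelogs would need to set them.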

Plugin Installation Manager Tool did not verify plugin downloads

SECURITY-1856 / CVE-2020-2320

Plugin Installation Manager Tool is part of the Jenkins project Docker images. As jenkins-plugin-cli it is used to download and install plugins even before Jenkins is running.

Plugin Installation Manager Tool 2.1.3 and earlier does not verify that a downloaded plugin matches the checksum published by the update site. This allows third parties in the download path, such as mirror operators, to serve crafted plugin archives that are then installed.

Plugin Installation Manager Tool 2.2.0 confirms that the actual checksum of each downloaded plugin matches the expected checksum before installing it.

Docker images of Jenkins 2.269 and 2.263.1 contain Plugin Installation Manager Tool 2.2.0. Users of older Docker images can update the tool themselves by extending the Jenkins image with:

ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
RUN curl -fsSL ${PLUGIN_CLI_URL} -o /usr/lib/jenkins-plugin-manager.jar

Jenkinsfile Runner 1.0-beta-22 Docker images also include Plugin Installation Manager Tool 2.2.0.
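The following is an added example (not the tool's own code) of the check that 2.2.0 introduced: compute the SHA-256 of the downloaded archive, compare it in constant time with the value the update site published, and fail closed when no checksum is available at all, since "no checksum" is exactly the state 2.1.3 and earlier silently accepted. The plugin bytes and the "hostile mirror" bytes are constructed; the base64-of-raw-digest encoding mirrors how update-center.json carries SHA-256 values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

public class PluginChecksumDemo {

    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // The form the update site publishes: base64 of the raw SHA-256 digest.
    static String published(byte[] artifact) throws Exception {
        return Base64.getEncoder().encodeToString(sha256(artifact));
    }

    // Fail closed: a download with no published checksum (or a malformed one) is
    // treated like a mismatch, and the comparison is the constant-time
    // MessageDigest.isEqual rather than Arrays.equals or String.equals.
    static boolean verify(byte[] downloaded, Optional<String> expectedB64) throws Exception {
        if (expectedB64.isEmpty()) {
            return false;
        }
        byte[] expected;
        try {
            expected = Base64.getDecoder().decode(expectedB64.get());
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        return MessageDigest.isEqual(sha256(downloaded), expected);
    }

    // Only a verified archive ever reaches the install step.
    static byte[] install(byte[] downloaded, Optional<String> expectedB64) throws Exception {
        if (!verify(downloaded, expectedB64)) {
            throw new SecurityException("checksum mismatch or missing; refusing to install");
        }
        return downloaded;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the genuine .hpi and for what a hostile mirror serves.
        byte[] genuine = "PK\u0003\u0004 constructed plugin archive"
                .getBytes(StandardCharsets.ISO_8859_1);
        byte[] tampered = "PK\u0003\u0004 constructed plugin archive plus an injected class"
                .getBytes(StandardCharsets.ISO_8859_1);
        // What the update site's metadata says the artifact should hash to.
        String fromUpdateSite = published(genuine);

        System.out.println("genuine verifies:     " + verify(genuine, Optional.of(fromUpdateSite)));
        System.out.println("tampered verifies:    " + verify(tampered, Optional.of(fromUpdateSite)));
        System.out.println("no checksum verifies: " + verify(genuine, Optional.empty()));
        try {
            install(tampered, Optional.of(fromUpdateSite));
        } catch (SecurityException refused) {
            System.out.println("install refused: " + refused.getMessage());
        }
    }
}
```

Note that the checksum must come from the update site metadata fetched over a trusted channel, not from the mirror alongside the archive; a mirror that can replace the archive can replace a co-hosted checksum file just as easily.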

CSRF vulnerability in Shelve Project Plugin 

SECURITY-2108 / CVE-2020-2321

Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to shelve, unshelve, or delete a project.

Shelve Project Plugin 3.1 requires POST requests for the affected HTTP endpoints. Jenkins validates CSRF crumbs only on POST requests, so requiring POST is what brings these endpoints under the existing crumb protection.

Missing permission checks in Chaos Monkey Plugin 

SECURITY-2109 (1) / CVE-2020-2322

Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to generate load and to generate memory leaks.

Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and to generate memory leaks.

Missing permission checks in Chaos Monkey Plugin 

SECURITY-2109 (2) / CVE-2020-2323

Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.

Chaos Monkey Plugin 0.4.1 requires Overall/Administer permission to access the Chaos Monkey page and to see the history of actions.
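The following is an added example, not code from Shelve Project Plugin or Chaos Monkey Plugin, that puts both hardening patterns from this advisory into one hypothetical Jenkins root action: the Shelve Project fix (require POST on state-changing endpoints) and the two Chaos Monkey fixes (check Overall/Administer in the web methods that generate load and in the data the page renders). It assumes jenkins-core and Stapler on the classpath, as in any plugin build; the action name, URL, icon and the permission chosen for the shelve-style method are this example's assumptions.

```java
import hudson.Extension;
import hudson.model.Item;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical root action served at /chaos-demo/ (name and URL are this
 * example's). The "before" shapes that the advisory describes are in comments.
 */
@Extension
public class HardenedDemoAction implements RootAction {

    private final List<String> history = Collections.synchronizedList(new ArrayList<>());

    // Hides the sidebar link from users who may not use the page. This is NOT a
    // permission check: the URL still resolves, so every getter the view uses and
    // every web method must check on its own.
    @Override
    public String getIconFileName() {
        return Jenkins.get().hasPermission(Jenkins.ADMINISTER) ? "notepad.png" : null;
    }

    @Override
    public String getDisplayName() { return "Chaos demo"; }

    @Override
    public String getUrlName() { return "chaos-demo"; }

    // Data the index view renders. Before: no check, so anyone with Overall/Read who
    // typed the URL saw the action history (the 0.4 issue). After: checked here, so
    // the view fails for unauthorized users even though the link was already hidden.
    public List<String> getHistory() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return new ArrayList<>(history);
    }

    // Before: "public HttpResponse doGenerateLoad(...)" with no annotation and no
    // check, so any GET ran it, including one triggered from a hostile page.
    // After: @RequirePOST rejects GET before the body runs (and Jenkins validates the
    // CSRF crumb only on POST), and the explicit permission check closes the
    // Overall/Read hole from the 0.3 issue.
    @RequirePOST
    public HttpResponse doGenerateLoad(@QueryParameter int seconds) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        history.add("generated load for " + seconds + "s");
        return HttpResponses.ok();
    }

    // Same pattern for a state-changing action on one job, as with shelving: require
    // POST, then check the permission on the object being changed rather than only a
    // global one. Item.DELETE is this example's choice, not the plugin's.
    @RequirePOST
    public HttpResponse doShelve(@QueryParameter String job) {
        Item item = Jenkins.get().getItemByFullName(job);
        if (item == null) {
            return HttpResponses.errorWithoutStack(404, "no such item: " + job);
        }
        item.checkPermission(Item.DELETE);
        history.add("shelved " + item.getFullName());
        return HttpResponses.redirectToContextRoot();
    }
}
```

Two checks that catch regressions of both kinds: the plugin-pot `@RequirePOST` scan (`mvn verify` fails on unannotated `do*` methods that lack an explicit exemption), and a JenkinsRule test that calls each endpoint as a user with only Overall/Read and asserts a 403, since hiding the link alone leaves the page reachable.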

Fix

  • Chaos Monkey Plugin should be updated to version 0.4

  • Chaos Monkey Plugin should be updated to version 0.4.1

  • CVS Plugin should be updated to version 2.17

  • Shelve Project Plugin should be updated to version 3.1

  • Plugin Installation Manager Tool should be updated to version 2.2.0