Jenkins Security Advisory 2013-11-20

This advisory announces multiple security vulnerabilities that were found in several Jenkins plugins.

Description

SECURITY-58 / CVE-2013-6372

Subversion plugin was not storing credentials by using the security mechanism Jenkins core provides to plugins. As a result people with local system access on the Jenkins controller can compromise passwords and SSH private key passphrases Jenkins uses to access Subversion repositories. Jenkins project would like to thank Lennart Starr for finding this issue.

SECURITY-53 / CVE-2013-6373

Exclusion-plugin wasn’t protecting itself from unauthorized access to list and release resource locks that on-going builds have held. Jenkins project would like to thank mwebber for finding this issue.

SECURITY-96 / CVE-2013-6374

build failure analyzer plugin had a Cross-site Scripting Vulnerability, where an attacker with certain pre-existing privileges on Jenkins can execute JavaScript in the browser of other users. We thank Sharif Nassar for finding this problem.

Severity

SECURITY-58 is rated low as it requires an attacker to have local access to the Jenkins controller. Subversion itself does not store passwords securely anyway.

SECURITY-53 is rated medium, as it allows anyone with access to Jenkins to mount an attack. However, the impact of the attack is limited, as it can only cause builds to fail and leads to no privilege escalation nor data loss.

SECURITY-96 is rated low. To exploit this vulnerability, an attacker must be granted access to a certain permission explicitly.

Fix

  • Subversion plugin 1.54 contains the fix for SECURITY-58.

  • Exclusion plugin 0.9 contains the fix for SECURITY-53.

  • Build failure analyzer plugin 1.5.1 contains the fix for SECURITY-96.

Please update your plugins to receive fixes. All the prior versions are affected by these vulnerabilities.