Jenkins Security Advisory 2017-06-06

This advisory announces multiple vulnerabilities in the Favorite Plugin.

Description

Missing permission check in Favorite Plugin allows anyone to change favorites for any other user

JENKINS-44643 / CVE-2017-1000243

A missing permission check allowed any user to add or remove favorites for any other user.

The API was changed so users cannot change another user’s favorites, only their own.

CSRF vulnerability in Favorite Plugin allows changing another user’s favorites

SECURITY-532 / CVE-2017-1000244

An API used to add and remove a favorite was vulnerable to CSRF, allowing attackers to change the victim’s favorites.

The API now requires requests to be sent via POST, which is subject to the CSRF protection configurable in Jenkins global security configuration.
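Both issues above are shapes that a Jenkins plugin endpoint can take: a Stapler web method that accepts a target user it never compares with the caller (the missing permission check), and a state-changing method reachable over GET (the CSRF issue, since Jenkins crumb protection is only applied to POST). The following is an added illustration, not the Favorite Plugin's own code: a hypothetical endpoint written first in the vulnerable shape the advisory describes and then in a hardened shape. The class, method and parameter names (FavoriteEndpointExample, doToggleFavoriteVulnerable, doToggleFavorite, FavoriteStore, job) are assumptions; the Jenkins and Stapler APIs used (User.current(), User.getId(), @RequirePOST, HttpResponses.ok(), HttpResponses.forbidden()) exist in current Jenkins cores.

```java
// Added illustration (not the Favorite Plugin's own code). Class, method and
// parameter names are hypothetical; the Jenkins/Stapler APIs are real.
package example; // hypothetical package

import hudson.model.User;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class FavoriteEndpointExample {

    // Minimal in-memory favorites store (hypothetical): user id -> favorite job names.
    static final class FavoriteStore {
        private static final Map<String, Set<String>> FAVORITES = new ConcurrentHashMap<>();

        static synchronized void toggle(String userId, String job) {
            Set<String> jobs = FAVORITES.computeIfAbsent(userId, k -> new HashSet<>());
            if (!jobs.remove(job)) {
                jobs.add(job);
            }
        }

        static boolean isFavorite(String userId, String job) {
            Set<String> jobs = FAVORITES.get(userId);
            return jobs != null && jobs.contains(job);
        }
    }

    // Vulnerable shape, as the advisory describes it:
    //  - no @RequirePOST, so the method is reachable via a plain GET; a link or
    //    image loaded in the victim's browser fires it with the victim's session
    //    and bypasses Jenkins crumb (CSRF) protection, which covers POST only
    //  - the target user comes from a request parameter and is never compared
    //    with the authenticated caller, so anyone can edit anyone's favorites
    public HttpResponse doToggleFavoriteVulnerable(@QueryParameter String user,
                                                   @QueryParameter String job) {
        FavoriteStore.toggle(user, job);
        return HttpResponses.ok();
    }

    // Hardened shape:
    //  - @RequirePOST rejects any method other than POST, so the request passes
    //    through the CSRF protection configured in global security
    //  - the favorites that change are always the caller's own: the "user"
    //    parameter is no longer accepted, so there is nothing to spoof
    //  - anonymous callers have no favorites and get 403
    @RequirePOST
    public HttpResponse doToggleFavorite(@QueryParameter String job) {
        User current = User.current(); // null when the request is anonymous
        if (current == null || job == null || job.isEmpty()) {
            return HttpResponses.forbidden();
        }
        FavoriteStore.toggle(current.getId(), job);
        return HttpResponses.ok();
    }
}
```

The hardened method deliberately has no way to name another user: removing the parameter, rather than adding an equality check against it, is what makes the "only their own" guarantee in the fix hold for every future caller of the endpoint.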

Severity

Affected versions

  • JENKINS-44643: Favorite Plugin up to and including 2.1.0.

  • SECURITY-532: Favorite Plugin up to and including 2.2.0.

Fix

  • Users of Favorite Plugin should update it to version 2.3.0 or newer.

Credit

The Jenkins project would like to thank the reporter for discovering and reporting these vulnerabilities:

  • Andres Rodriguez, CloudBees, Inc. for SECURITY-532