This advisory announces vulnerabilities in the following Jenkins deliverables:
ghprb
GitHub Pull Request Builder Plugin stored serialized objects in build.xml files that contained the credential used to poll Jenkins.
This can be used by users with Jenkins controller file system access to obtain GitHub credentials.
Since 1.40.0, the plugin no longer stores serialized objects containing the credential on disk.
Builds started before the plugin was updated to 1.40.0 will retain the encoded credentials on disk. We strongly recommend revoking old GitHub credentials used in Jenkins. We’re providing a script for use in the Script Console that will attempt to remove old stored credentials from build.xml files.
GitHub Pull Request Builder Plugin stored the webhook secret shared between Jenkins and GitHub in plain text.
This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-site scripting vulnerabilities, and similar situations.
GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook secret encrypted on disk.
cucumber-living-documentation
Jenkins 1.641 and 1.625.3 introduced Content-Security-Policy HTTP headers as protection against Cross-Site Scripting attacks using workspace files and archived artifacts served using DirectoryBrowserSupport (SECURITY-95).
Whenever any user viewed a Cucumber Report, Cucumber Living Documentation Plugin disabled this XSS protection until Jenkins was restarted, in order to work around the Content-Security-Policy restrictions.
While disabling this protection mechanism temporarily may be necessary to make plugins work that haven’t been adapted to work with the Content-Security-Policy restriction, this should only be done by administrators, as doing so may result in a security issue (see Configuring Content Security Policy).
This has been addressed in version 1.1.0 of the plugin, and it will now request that users change the Content-Security-Policy option in Jenkins.
perforce
Perforce Plugin encrypts its credentials using DES and an encryption key stored in its public source code, so it only serves as basic obfuscation. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-site scripting vulnerabilities, and similar situations.
As of publication of this advisory, there is no fix. The plugin has been removed from publication at the request of its former maintainers. We recommend that users of Perforce Plugin use the P4 Plugin instead.
vsphere-cloud
vSphere Plugin disabled SSL/TLS certificate validation unconditionally, allowing potential man-in-the-middle attacks.
vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by default.
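The following is an added example, not code from vSphere Plugin, showing what "certificate validation disabled unconditionally" looks like in a code review and the two shapes a plugin should use instead: the JVM's default validation, or an explicitly trusted private CA for a vCenter that does not use a public certificate. The class name and the trust store parameters are assumed for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (not vSphere Plugin code); class name assumed for illustration.
public class VSphereTls {

    // WEAK: the pattern the advisory describes. A trust manager that accepts
    // every certificate chain plus a hostname verifier that accepts every host
    // means anyone on the network path can present their own certificate and
    // read or alter the traffic, credentials included. Flag this in review.
    static SSLContext trustEverything() throws GeneralSecurityException {
        TrustManager[] acceptAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, new SecureRandom());
        // Disables hostname checking process-wide, not just for this connection.
        HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);
        return ctx;
    }

    // CORRECT default: let the JVM validate the chain and hostname against its
    // own trust store. This is what "validation enabled by default" means.
    static SSLContext platformDefault() throws GeneralSecurityException {
        return SSLContext.getDefault();
    }

    // CORRECT for a private CA: trust that CA explicitly rather than trusting
    // everything. trustStorePath and password are administrator-supplied input
    // (assumed parameters for this example).
    static SSLContext trustPrivateCa(String trustStorePath, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }
}
```

If a plugin must offer an opt-out for lab environments, the opt-out should be an explicit, per-server administrator setting that defaults to off; the process-wide `setDefaultHostnameVerifier` call above is the kind of side effect that silently weakens every other HTTPS connection made from the same JVM.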
vsphere-cloud
vSphere Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to perform various actions such as:
Connect to an attacker-specified vSphere server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins
Connect to configured vSphere servers and look up information, potentially resulting in denial of service
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and appropriate user permissions.
liquibase-runner
Liquibase Runner Plugin allows users with Job/Configure permission to configure its build step in a way that loads arbitrary class files into the Jenkins controller JVM, resulting in arbitrary code execution.
As of publication of this advisory, there is no fix.
perforce
Jenkins prevents users with Extended Read permission from obtaining secrets such as credentials stored in job configurations.
Perforce Plugin implements its own credential encryption using DES and an encryption key stored in its public source code. This is not considered a secret by Jenkins, resulting in potential exposure of Perforce credentials stored in job configurations to users with Extended Read permission. While these are encrypted, this can only be considered basic obfuscation due to the hard-coded public encryption key used.
As of publication of this advisory, there is no fix. The plugin has been removed from publication at the request of its maintainers. We recommend that users of Perforce Plugin use the P4 Plugin instead.
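The following is an added example, not code from GitHub Pull Request Builder Plugin or Perforce Plugin, contrasting the two weak ways of persisting a secret described in this advisory (a plain String field, as with the ghprb webhook secret before 1.32.1, and a home-grown cipher with a key in public source, as in Perforce Plugin) with the `hudson.util.Secret` type that Jenkins provides for plugin configuration. The class name `WebhookConfig` and its fields are assumed for illustration.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// Added example (not plugin code); class name and fields assumed for illustration.
public class WebhookConfig extends AbstractDescribableImpl<WebhookConfig> {

    // Weak form 1: a plain String field is written to the plugin's XML
    // configuration verbatim, so anyone who can read the controller file system
    // (or view the configuration) sees the value.
    //
    //   private final String secret;
    //
    // Weak form 2: encrypting the field with a key that ships in the plugin's
    // public source. Whoever has the source has the key, so this is obfuscation
    // only, and because Jenkins does not recognize the field as a secret it is
    // not withheld from users with Extended Read permission either.
    //
    //   private static final byte[] DES_KEY = { /* public in the repository */ };
    //   private final String encryptedSecret;

    // Corrected form: hudson.util.Secret. Its persisted form is encrypted with an
    // instance-specific key kept under $JENKINS_HOME/secrets, and Jenkins knows to
    // treat Secret fields as secrets when showing configuration to Extended Read users.
    private final Secret secret;

    @DataBoundConstructor
    public WebhookConfig(Secret secret) {
        this.secret = secret;
    }

    // Hand the Secret wrapper back to the form; bind it with <f:password> in the
    // Jelly view so the page carries the encrypted form, not the plain text.
    public Secret getSecret() {
        return secret;
    }

    // Decrypt only at the point of use (for example when verifying a webhook
    // signature) and never write the result to logs.
    String plainSecretForVerification() {
        return Secret.toString(secret);
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<WebhookConfig> {
        @Override
        public String getDisplayName() {
            return "Webhook configuration (example)";
        }
    }
}
```

When migrating an existing plugin, change the field type rather than adding a parallel field: Jenkins can deserialize an old plain-text `String` value into a `Secret` field on load, and the value is re-saved encrypted the next time the configuration is written, which is how a fix like the one in 1.32.1 takes effect on existing configurations.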
copy-to-slave
Copy To Slave Plugin allows users with Job/Configure permissions to configure it in such a way that it allows obtaining arbitrary files accessible to the Jenkins controller process from the Jenkins controller file system.
As of publication of this advisory, there is no fix.
ansible
Ansible Plugin disabled host key verification by default, offering it only as an opt-in option.
Ansible Plugin 1.0 now enables host key verification by default, adding options allowing users to opt out.
Existing configurations that previously did not opt into host key verification will have host key verification enabled after update, possibly resulting in failures.
reverse-proxy-auth-plugin
Reverse Proxy Auth Plugin persisted a cache of granted authorities (group memberships) on disk.
This could allow users with local Jenkins controller file system access to obtain group membership information of Jenkins users.
Reverse Proxy Auth Plugin 1.6.0 and newer no longer store the cache of granted authorities on disk.
mailer
A missing permission check in Mailer Plugin allowed users with Overall/Read access to Jenkins to have it connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could result in DoS if, for example, a valid mail server but invalid credentials were specified.
As the same URL did not require POST to be used, it was also vulnerable to cross-site request forgery.
The URL handling test emails now requires POST to protect from CSRF, and performs an Overall/Administer permission check.
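The vSphere Plugin and Mailer Plugin issues above share one root cause: a form validation method reachable by any Overall/Read user over GET that connects to a user-chosen server with user-chosen credentials. The following is an added example, not code from either plugin, of a Descriptor's connection-test method in the unsafe shape the advisory describes (left as a comment) and in the hardened shape with `@RequirePOST` and permission checks. The class and method names, and the `connect` helper, are assumed for illustration; the Stapler, Jenkins core and Credentials Plugin APIs used are real.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Added example (not vSphere Plugin or Mailer Plugin code); names assumed.
public class ServerConfig extends AbstractDescribableImpl<ServerConfig> {

    @Extension
    public static class DescriptorImpl extends Descriptor<ServerConfig> {

        // UNSAFE shape (what the advisory describes): answers GET, performs no
        // permission check, and resolves whatever credentials ID the caller names.
        // Any Overall/Read user, or a page they were lured to, can drive it.
        //
        //   public FormValidation doTestConnection(@QueryParameter String serverUrl,
        //                                          @QueryParameter String credentialsId) {
        //       return connect(serverUrl, lookup(credentialsId));
        //   }

        // HARDENED shape.
        @RequirePOST   // GET is rejected, so a link or <img> cannot trigger it (CSRF)
        public FormValidation doTestConnection(
                @AncestorInPath Item item,
                @QueryParameter String serverUrl,
                @QueryParameter String credentialsId) {

            // Permission check: the caller must be allowed to configure the item
            // this form belongs to; for global configuration, Overall/Administer.
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }

            // Resolve credentials in the scope of this item only, so a caller
            // cannot point the test at credentials that are not visible here.
            StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(
                            StandardUsernamePasswordCredentials.class, item, ACL.SYSTEM,
                            Collections.emptyList()),
                    CredentialsMatchers.withId(credentialsId));
            if (creds == null) {
                return FormValidation.error("No credentials with that ID are available here");
            }
            return connect(serverUrl, creds);
        }

        // Hypothetical connection test; a real plugin calls its client library here
        // and should bound the attempt with a timeout so a slow or bogus server
        // cannot tie up a request thread (the DoS case in the advisory).
        private FormValidation connect(String serverUrl,
                                       StandardUsernamePasswordCredentials creds) {
            if (serverUrl == null || serverUrl.isEmpty()) {
                return FormValidation.error("Server URL is required");
            }
            return FormValidation.ok("Would connect to " + serverUrl
                    + " as " + creds.getUsername());
        }

        @Override
        public String getDisplayName() {
            return "Server (example)";
        }
    }
}
```

The validate button in Jenkins form views submits via POST, so `@RequirePOST` does not break the UI; it only closes the GET path. The same two checks (POST required, caller permission verified against the object the form belongs to) apply to any `do*` method that causes the controller to make an outbound connection, which is the pattern behind both fixes in this advisory.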
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: