Jenkins Security Advisory 2018-09-25

A URL used to allow setting the description of a test object in JUnit Plugin did not require POST requests, resulting in a cross-site request forgery vulnerability.

That URL now requires POST requests be sent.

Jira Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now require POST requests and Overall/Administer (for globally defined sites) or Item/Configure permissions (for sites defined for a folder).

Config File Provider Plugin did not escape configuration file metadata, resulting in a stored cross-site scripting (XSS) vulnerability.

Config File Provider Plugin now escapes configuration file metadata shown on the Jenkins UI.

A URL used to save configuration files based on form submissions did not require POST requests, resulting in a CSRF vulnerability.

This URL now requires POST requests.

Rebuild Plugin did not escape parameter descriptions shown on the rebuild form page, resulting in a stored Cross-Site Scripting (XSS) vulnerability exploitable by users with the permission to configure jobs.

Rebuild Plugin now applies the configured markup formatter to the parameter descriptions it displays.

Job Config History Plugin did not escape some query parameters shown on its pages, resulting in a reflected cross-site scripting (XSS) vulnerability.

Job Config History Plugin now globally applies variable escaping to its pages.

Some URLs implementing form submission handling in Email Extension Template Plugin did not require POST requests, resulting in a CSRF vulnerability that allowed attackers to create or remove templates.

These URLs now require POST requests.

HipChat Plugin did not perform permission checks on a method that sends test notifications. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified HipChat server using attacker-specified connection settings and credentials IDs obtained through another method, capturing credentials stored in Jenkins, and submitting messages to HipChat.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now require POST requests and Overall/Administer permissions.

HipChat Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

Mesos Plugin provides a list of applicable credential IDs to allow administrators configuring the Mesos cloud to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

A missing permission check in a form validation method in Mesos Plugin allowed users with Overall/Read permission to initiate a connection test, connecting to an attacker-specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Crowd 2 Integration Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL with attacker-specified credentials and connection settings.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

Crowd 2 Integration Plugin stored the Crowd password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

Users with Overall/Read permission were able to access MQ Notifier Plugin’s form validation URL, having it connect to an attacker-specified MQ system with attacker-specified credentials.

Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability.

The form validation now performs a permission check and requires POST requests to be sent.

A stored cross-site scripting (XSS) vulnerability in Metadata Plugin allows users with permission to change metadata definitions to insert arbitrary HTML/Javascript into Jenkins pages.

As of publication of this advisory, there is no fix.

Metadata Plugin lacks a permission check that allows users with Overall/Read access to Jenkins to change the plugin’s configuration.

As of publication of this advisory, there is no fix.

Artifactory Plugin 2.4.0 introduced support for securely storing credentials using the Credentials Plugin. Old, insecurely stored credentials however were not removed when switching to this new system.

Artifactory Plugin 2.16.2 and newer remove obsolete credentials stored in plain text when using the Credentials Plugin integration.

The pam4j library bundled in PAM Authentication Plugin had a bug that resulted in it not properly validating user accounts.

The bundled version of the library was updated to include the fix for this.

SonarQube Scanner Plugin stored a server authentication token unencrypted in its global configuration file on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the token encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

Git Changelog Plugin did not escape the Git commit messages it displayed since version 1.48, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with commit access to specific Git repositories.

Git Changelog Plugin 2.7 and newer escape Git commit messages shown on the UI.

Arachni Scanner Plugin stored its password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now integrates with Credentials Plugin. Existing configurations are migrated.

Argus Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now require POST requests and Overall/Administer permission.

Argus Notifier Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Overall/Administer permission.

Chatter Notifier Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now require POST requests and Item/Configure permission on the job being configured.

Chatter Notifier Plugin provides a list of applicable credential IDs to allow users configuring the plugin’s functionality to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires Item/Configure permission for the job being configured.

Dimensions Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system.

The plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

Users with Overall/Read permission were able to access Dimensions Plugin’s form validation URL, having it connect to an attacker-specified Dimensions system with attacker-specified credentials.

Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability.

The form validation now performs a permission check and requires POST requests to be sent.

Publish Over Dropbox Plugin stored authorization code and access code unencrypted in its global configuration file on the Jenkins controller. These secrets could be viewed by users with access to the Jenkins controller file system.

Additionally, the authorization code was not masked from view using a password form field.

The plugin now stores these secrets encrypted in the configuration files on disk and no longer transfers the authorization code to users viewing the configuration form in plain text.

The JavaMelody library bundled in Monitoring Plugin is affected by an XML External Entity (XXE) processing vulnerability.

This allows attacker to send crafted requests to a web application for extraction of secrets from the file system, server-side request forgery, or denial-of-service attacks.

Monitoring plugin 1.74 updates its JavaMelody dependency to fix the issue.

The Jenkins security team and the maintainer of Monitoring Plugin have been unable to reproduce the issue in Jenkins, but we still recommend updating.