This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Sandbox bypass via default method parameter expression in Pipeline: Groovy Plugin 

SECURITY-1710 / CVE-2020-2109

Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins master JVM.

These expressions are subject to sandbox protection in Pipeline: Groovy Plugin 2.79.

Sandbox bypass vulnerability in Script Security Plugin 

SECURITY-1713 / CVE-2020-2110

Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations. This affects both script execution (typically invoked from other plugins like Pipeline) as well as HTTP endpoints providing sandboxed script validation.

Users with Overall/Read permission can exploit this to bypass sandbox protection and execute arbitrary code on the Jenkins master.

This issue is due to an incomplete fix of SECURITY-1266.

Script Security Plugin 1.70 disallows all known unsafe AST transformations on imports or when used inside of other annotations.

Stored XSS vulnerability in Subversion Plugin 

SECURITY-1725 / CVE-2020-2111

Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines.

Subversion Plugin 2.13.1 escapes the affected part of the error message.

Multiple stored XSS vulnerabilities in Git Parameter Plugin 

SECURITY-1709 / CVE-2020-2112 (parameter name), CVE-2020-2113 (default value)

Git Parameter Plugin 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

Git Parameter Plugin 0.9.12 escapes the parameter name and default value shown on the UI.

Credential transmitted in plain text by S3 publisher Plugin 

SECURITY-1684 / CVE-2020-2114

S3 publisher Plugin stores a secret key in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 publisher Plugin 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

S3 publisher Plugin 0.11.5 transmits the secret key in its global configuration encrypted.

XXE vulnerability in NUnit Plugin 

SECURITY-1752 / CVE-2020-2115

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML parser.

CSRF vulnerability and missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials 

SECURITY-812 (1) / CVE-2020-2116 (CSRF), CVE-2020-2117 (missing permission check)

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

This form validation method requires POST requests and Item/Configure permission in Pipeline GitHub Notify Step Plugin 1.0.5.

Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin 

SECURITY-812 (2) / CVE-2020-2118

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline GitHub Notify Step Plugin 1.0.5 requires the permission to configure a project.

Client secret transmitted in plain text by Azure AD Plugin 

SECURITY-1717 / CVE-2020-2119

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

XXE vulnerability in FitNesse Plugin 

SECURITY-1751 / CVE-2020-2120

FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

FitNesse Plugin 1.31 disables external entity processing for its XML parser.

RCE vulnerability in Google Kubernetes Engine Plugin 

SECURITY-1731 / CVE-2020-2121

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

Stored XSS vulnerability in Brakeman Plugin 

SECURITY-1644 / CVE-2020-2122

Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability.

This vulnerability can be exploited by users able to control the Brakeman post-build step input data.

Brakeman Plugin 0.13 escape affected values from the parsed file as they are recorded.

NOTE

This fix is only applied to newly recorded data after a fixed version of the plugin is installed; historical data may still contain unsafe values.

RCE vulnerability in RadarGun Plugin 

SECURITY-1733 / CVE-2020-2123

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

Password stored in plain text by Dynamic Extended Choice Parameter Plugin 

SECURITY-1560 / CVE-2020-2124

Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Credentials stored in plain text by Debian Package Builder Plugin 

SECURITY-1558 / CVE-2020-2125

Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins master. This credential can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Token stored in plain text by DigitalOcean Plugin 

SECURITY-1559 / CVE-2020-2126

DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration. This credential can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Credential stored in plain text by BMC Release Package and Deployment Plugin 

SECURITY-1547 / CVE-2020-2127

BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins master. This credential can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by ECX Copy Data Management Plugin 

SECURITY-1549 / CVE-2020-2128

ECX Copy Data Management Plugin 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by Eagle Tester Plugin 

SECURITY-1552 / CVE-2020-2129

Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins master. This credential can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Passwords stored in plain text by Harvest SCM Plugin 

SECURITY-1553 / CVE-2020-2130 (global configuration), CVE-2020-2131 (job configuration)

Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the master file system (both).

As of publication of this advisory, there is no fix.

Password stored in plain text by Parasoft Environment Manager Plugin 

SECURITY-1562 / CVE-2020-2132

Parasoft Environment Manager Plugin 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by Applatix Plugin 

SECURITY-1540 / CVE-2020-2133

Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Severity: 
Fix: 
  • CloudBees Traditional Platforms should be upgraded 2.204.2.2 rev2
  • CloudBees Cloud Platforms should be upgraded 2.204.2.2 rev2
  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.204.2.2 rev2
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.204.2.2 rev2
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.164.x.0.z) should be upgraded to version 2.164.33.0.1 rev2
  • CloudBees Jenkins Distribution should be upgraded to version 2.204.2.2 rev​​​​​2