CloudBees Security Advisory 2020-03-09

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Distribution, CloudBees Jenkins Platform and CloudBees Core.

Sandbox bypass vulnerability in Script Security Plugin 

SECURITY-1754 / CVE-2020-2134 (constructors), CVE-2020-2135 (GroovyInterceptable)

Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:

  • Crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582)

  • Crafted method calls on objects that implement GroovyInterceptable

This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins master JVM.

Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement GroovyInterceptable as calls to GroovyObject#invokeMethod(String, Object), which is a blacklisted method.

Stored XSS vulnerability in Git Plugin 

SECURITY-1723 / CVE-2020-2136

Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

Git Plugin 4.2.1 escapes the affected part of the error message.

Stored XSS vulnerability in Timestamper Plugin 

SECURITY-1784 / CVE-2020-2137

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission.

Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

XXE vulnerability in Cobertura Plugin 

SECURITY-1700 / CVE-2020-2138

Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the ‘Publish Cobertura Coverage Report’ post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master or server-side request forgery.

Cobertura Plugin 1.16 disables external entity resolution for its XML parser.

Arbitrary file write vulnerability in Cobertura Plugin 

SECURITY-1668 / CVE-2020-2139

Cobertura Plugin 1.15 and earlier does not validate file paths from the XML file it parses.

This allows attackers able to control the coverage report content to overwrite any file on the Jenkins master file system.

Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory.

XSS vulnerability in Audit Trail Plugin 

SECURITY-1722 / CVE-2020-2140

Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Overall/Administer permission.

Audit Trail Plugin 3.3 escapes the affected part of the error message.

CSRF vulnerability and missing permission checks in P4 Plugin 

SECURITY-1765 / CVE-2020-2141 (CSRF), CVE-2020-2142 (missing permission check)

P4 Plugin 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger builds or add labels in the Perforce repository.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

P4 Plugin 1.10.11 requires POST requests and appropriate user permissions for the affected HTTP endpoints.

Credentials transmitted in plain text by Logstash Plugin 

SECURITY-1516 / CVE-2020-2143

Logstash Plugin stores credentials in its global configuration file jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins master as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Logstash Plugin 2.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Logstash Plugin 2.3.2 transmits the credentials in its global configuration encrypted.

XXE vulnerability in Rundeck Plugin 

SECURITY-1702 / CVE-2020-2144

Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins master or server-side request forgery.

Rundeck Plugin 3.6.7 disables external entity resolution for its XML parser.

Credentials stored in plain text by Zephyr Enterprise Test Management Plugin 

SECURITY-1596 / CVE-2020-2145

Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins master file system.

Zephyr Enterprise Test Management Plugin 1.10 integrates with Credentials Plugin.

Missing SSH host key validation in Mac Plugin 

SECURITY-1692 / CVE-2020-2146

Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.

CSRF vulnerability and missing permission checks in Mac Plugin 

SECURITY-1761 / CVE-2020-2147 (CSRF), CVE-2020-2148 (missing permission check)

Mac Plugin 1.1.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH host using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer permission in Mac Plugin 1.2.0.

Credentials transmitted in plain text by Repository Connector Plugin 

SECURITY-1520 / CVE-2020-2149

Repository Connector Plugin stores credentials in its global configuration file org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the Jenkins master as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Repository Connector Plugin 1.2.6 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by Sonar Quality Gates Plugin 

SECURITY-1523 / CVE-2020-2150

Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins master as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Sonar Quality Gates Plugin 1.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by Quality Gates Plugin 

SECURITY-1519 / CVE-2020-2151

Quality Gates Plugin stores credentials in its global configuration file quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins master as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Quality Gates Plugin 2.5 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

XSS vulnerability in Subversion Release Manager Plugin 

SECURITY-1727 / CVE-2020-2152

Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configure permission.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by Backlog Plugin 

SECURITY-1510 / CVE-2020-2153

Backlog Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Backlog Plugin 2.4 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

Credentials stored in plain text by Zephyr for JIRA Test Management Plugin 

SECURITY-1550 / CVE-2020-2154

Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by OpenShift Deployer Plugin 

SECURITY-1518 / CVE-2020-2155

OpenShift Deployer Plugin stores credentials in its global configuration file org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins master as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by OpenShift Deployer Plugin 1.2.0 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by DeployHub Plugin 

SECURITY-1511 / CVE-2020-2156

DeployHub Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by DeployHub Plugin 8.0.14 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

Credentials transmitted in plain text by Skytap Cloud CI Plugin 

SECURITY-1522 / CVE-2020-2157

Skytap Cloud CI Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Skytap Cloud CI Plugin 2.07 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

RCE vulnerability in Literate Plugin 

SECURITY-1750 / CVE-2020-2158

Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Literate Plugin’s build step.

As of publication of this advisory, there is no fix.

OS command injection in CryptoMove Plugin 

SECURITY-1635 / CVE-2020-2159

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration.

This command will be executed on the Jenkins master as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins master.

As of publication of this advisory, there is no fix.

CSRF Allowing Restart of a Connected Master

CTR-1037​​​

Operations Center Server Cluster Operations build requests accepted HTTP GET calls, which made it vulnerable to cross-site request forgery (CSRF) attacks. With this fix, the Operations Center Server Cluster Operations build requests endpoint is now only accepting HTTP POST requests, removing the vulnerability. This only affects installations that use the link: Operations Center Cluster Operations Plugin 

CSRF in Authentication Mechanism in SSO

CTR-1098

Single sign-on (SSO) authentication to CloudBees Jenkins Masters was vulnerable to cross-site request forgery (CSRF) attacks. This vulnerability meant a malicious user could have forged an authentication URL to be sent to another user (potentially with more permissions, ie. an Administrator).  Then, if the target victim clicked on the URL and logged into the system, the attacker would be able to retrieve an authentication code to use to log in as the victim user.

Since the attack is based on forging the “from” parameter of the authentication call, to fix this vulnerability an additional check has been added to ensure the “from” parameter is the expected one and return HTTP 400 (Bad Request) otherwise.

This only affects installations that use the link: Operations Center Single Sign-On Plugin

 

Severity: 
Fix: 
  • CloudBees Traditional Platforms should be upgraded 2.204.2.2 rev2
  • CloudBees Cloud Platforms should be upgraded 2.204.3.7 rev2
  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.204.3.7 rev2
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.204.3.7 rev2
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.190.x.0.z) should be upgraded to version 2.190.30.0.2 rev2
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.164.x.0.z) should be upgraded to version 2.164.33.0.1 rev4
  • CloudBees Jenkins Distribution should be upgraded to version 2.204.3.7 rev​​​​​2