CVE-2020-2094: Jenkins Security Advisory 2020-01-15
A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Amazon EC2 Plugin
- gitlab-hook Plugin
- Health Advisor by CloudBees Plugin
- Redgate SQL Change Automation Plugin
- Robot Framework Plugin
- Sounds Plugin
Descriptions
CSRF vulnerability and missing permission checks in Amazon EC2 Plugin
SECURITY-1004 / CVE-2020-2090 (CSRF), CVE-2020-2091 (missing permission check)
Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.
This vulnerability might also allow attackers to capture credentials stored in Jenkins. We have not been able to confirm that this is possible.
Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.
Amazon EC2 Plugin 1.48 requires POST requests and Overall/Administer permission for the affected form validation methods.
XXE vulnerability in Robot Framework Plugin
SECURITY-1698 / CVE-2020-2092
Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the ‘Publish Robot Framework’ post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.
Robot Framework Plugin 2.0.1 disables external entity resolution for its XML parser.
CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin
SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)
Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.
Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.
Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.
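The pattern behind both SECURITY-1004 (Amazon EC2 Plugin, above) and SECURITY-1708 (Health Advisor by CloudBees Plugin), as an added example that is code from neither plugin: a Stapler form-validation method in its unguarded shape beside one carrying the two-part fix the advisory describes, a POST requirement and an Overall/Administer check. Stapler exposes every public `doXxx` method on a descriptor as a web endpoint whether or not the configuration page ever calls it. The class names and the `Probe` stand-in for the side effect are assumptions.

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Added example (not plugin code) contrasting an unguarded form-validation method
 * with the hardened form. Names below are illustrative.
 */
public final class FormValidationHardening {

    /** Stand-in (assumed) for the side effect a real validation method performs. */
    public interface Probe {
        void connect(String url, String credentialsId);
        void sendTestEmail(String recipient);
    }

    /** BEFORE: the outline of the affected releases. */
    public static class UnguardedDescriptor {
        private final Probe probe;
        public UnguardedDescriptor(Probe probe) { this.probe = probe; }

        // Reachable by GET, so any page the victim visits can trigger it (CSRF),
        // and Overall/Read is sufficient to call it directly with chosen parameters.
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            probe.connect(url, credentialsId);
            return FormValidation.ok("Connected");
        }

        public FormValidation doSendTestEmail(@QueryParameter String recipient) {
            probe.sendTestEmail(recipient);
            return FormValidation.ok("Sent");
        }
    }

    /** AFTER: the shape of the fix shipped in Amazon EC2 1.48 and Health Advisor 3.0.1. */
    public static class GuardedDescriptor {
        private final Probe probe;
        public GuardedDescriptor(Probe probe) { this.probe = probe; }

        // @RequirePOST rejects GET, and Jenkins' crumb filter validates the CSRF
        // token on the POST. The permission check then stops an Overall/Read user
        // who submits a well-formed POST by hand: it throws AccessDeniedException
        // before the side effect runs.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String url,
                                               @QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            probe.connect(url, credentialsId);
            return FormValidation.ok("Connected");
        }

        @RequirePOST
        public FormValidation doSendTestEmail(@QueryParameter String recipient) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            probe.sendTestEmail(recipient);
            return FormValidation.ok("Sent");
        }
    }
}
```

Neither half is sufficient alone: the permission check without `@RequirePOST` still lets a logged-in administrator be made to fire the request from another site, and `@RequirePOST` without the check still lets any Overall/Read user fire it deliberately. When the method is wired to a text field rather than a validate button, the Jelly field needs `checkMethod="post"` so the browser-side check matches. `Jenkins.get()` requires Jenkins 2.98 or later; older plugin code uses `Jenkins.getInstance()`.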
Redgate SQL Change Automation Plugin stored credentials in plain text
SECURITY-1696 / CVE-2020-2095
Redgate SQL Change Automation Plugin 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Redgate SQL Change Automation Plugin 2.0.5 now stores the API key encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.
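The storage change described for SECURITY-1696, as an added example that is not the Redgate plugin's own code: a job configuration object whose API key field moves from `String` to `hudson.util.Secret`, with a `readResolve()` migration that explains why existing jobs must be re-saved before the plain-text value disappears from `config.xml`. The class and field names, and the two `config.xml` fragments in the comments, are constructed for the example.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Added example (not plugin code). Field and class names are assumptions.
 *
 * Before: a plain String field. XStream writes it into the job's config.xml verbatim,
 * so anyone with Extended Read on the job, or with file-system access to the
 * controller's JENKINS_HOME, can read the key:
 *
 *     <nugetApiKey>oy2-example-plaintext-key</nugetApiKey>       (constructed sample)
 *
 * After: a hudson.util.Secret. XStream serializes it encrypted with the key material
 * kept under JENKINS_HOME/secrets, so the same field reads as
 *
 *     <nugetApiKey>{AQAAABAAAAAgExampleCiphertext==}</nugetApiKey>   (constructed sample)
 */
public class SqlChangeAutomationConfig {

    /** Legacy field, kept only so config.xml files written by old versions still load. */
    @Deprecated
    private String apiKey;

    private Secret nugetApiKey;

    @DataBoundConstructor
    public SqlChangeAutomationConfig(Secret nugetApiKey) {
        this.nugetApiKey = nugetApiKey;
    }

    /**
     * XStream calls readResolve() after populating fields from config.xml. A job saved
     * by the old version has apiKey set and nugetApiKey unset; wrap the plain-text value
     * and drop the old field. Nothing is written to disk at this point: the encrypted
     * form only replaces the plain text when the job configuration is saved again,
     * which is why the advisory tells administrators to re-save existing jobs.
     */
    protected Object readResolve() {
        if (nugetApiKey == null && apiKey != null) {
            nugetApiKey = Secret.fromString(apiKey);
            apiKey = null;  // null fields are omitted when XStream writes the object back
        }
        return this;
    }

    /** Jelly f:password fields bind to a Secret-typed getter directly. */
    public Secret getNugetApiKey() {
        return nugetApiKey;
    }

    /** Decrypt only at the point of use, e.g. when building the NuGet client request. */
    public String apiKeyForNugetClient() {
        return nugetApiKey == null ? null : nugetApiKey.getPlainText();
    }
}
```

After upgrading, a quick check that the migration has taken effect on a given job is to confirm its `config.xml` no longer contains the raw key; any job whose file still does has not been re-saved since the upgrade.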
Reflected XSS vulnerability in gitlab-hook Plugin
SECURITY-1683 / CVE-2020-2096
gitlab-hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint. This results in a reflected cross-site scripting vulnerability.
As of publication of this advisory, there is no fix.
CSRF vulnerability and missing permission checks in Sounds Plugin allow OS command execution
SECURITY-814 / CVE-2020-2097 (permission check), CVE-2020-2098 (CSRF)
Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation. This allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.
Additionally, these form validation URLs do not require POST requests, resulting in a CSRF vulnerability.
As of publication of this advisory, there is no fix.
Severity
- SECURITY-814: High
- SECURITY-1004: Low
- SECURITY-1683: Medium
- SECURITY-1696: Medium
- SECURITY-1698: High
- SECURITY-1708: Medium
Affected Versions
- Amazon EC2 Plugin up to and including 1.47
- gitlab-hook Plugin up to and including 1.4.2
- Health Advisor by CloudBees Plugin up to and including 3.0
- Redgate SQL Change Automation Plugin up to and including 2.0.4
- Robot Framework Plugin up to and including 2.0.0
- Sounds Plugin up to and including 0.5
Fix
- Amazon EC2 Plugin should be updated to version 1.48
- Health Advisor by CloudBees Plugin should be updated to version 3.0.1
- Redgate SQL Change Automation Plugin should be updated to version 2.0.5
- Robot Framework Plugin should be updated to version 2.0.1
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
- gitlab-hook Plugin
- Sounds Plugin
Credit
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
- Ai Ho (@j3ssiejjj) for SECURITY-1683
- Federico Pellegrin for SECURITY-1698
- Oleg Nenashev, CloudBees, Inc. for SECURITY-1004
- Thomas de Grenier de Latour for SECURITY-814
- Wadeck Follonier, CloudBees, Inc. for SECURITY-1696
Related news
A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.
Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.