CVE-2017-2599: Jenkins Security Advisory 2017-02-01

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don’t have access to (SECURITY-321).


Use of AES ECB block cipher mode without IV for encrypting secrets

SECURITY-304 / CVE-2017-2598

Secrets such as passwords are typically stored on disk and sent to users as part of some pages in encrypted form. These were encrypted using AES-128 ECB without IV, which exposes Jenkins and the stored secrets to unnecessary risks. Jenkins now encrypts secrets using AES-128 CBC with random IV.
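The following is an added example, not code from Jenkins or this advisory, that shows why the mode change matters. To stay self-contained it uses a small Feistel construction over HMAC-SHA256 as a stand-in block cipher instead of AES; the mode-level behaviour is what is being demonstrated, and it is the same with AES-128. The key and secret are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 16  # 16-byte blocks, the same block size as AES-128


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 truncated to the 8-byte half width
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network over 16 bytes: a keyed, invertible permutation used
    # here as a stand-in for AES (all a mode needs is a deterministic block function)
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7 padding
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[: -data[-1]]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is encrypted on its own, so equal plaintext blocks give equal
    # ciphertext blocks, and the same secret always produces the same ciphertext
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(toy_block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    # CBC with a fresh random IV: each plaintext block is XORed with the previous
    # ciphertext block (the IV for the first one), which hides repeats and reuse.
    # The IV is not secret; it is stored in front of the ciphertext.
    prev = iv if iv is not None else os.urandom(BLOCK)
    out = [prev]
    for b in _blocks(_pad(plaintext)):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    prev, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out = []
    for c in _blocks(body):
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return _unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes, skip_iv: bool = False) -> int:
    # Number of ciphertext blocks that duplicate an earlier one: the pattern an
    # observer of stored secrets or page sources can spot without the key
    blocks = _blocks(ciphertext[BLOCK:] if skip_iv else ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed sample: a demo key and a secret made of three identical 16-byte blocks
KEY = hashlib.sha256(b"constructed demo key, not a real Jenkins key").digest()[:16]
SECRET = b"hunter2-hunter2-" * 3

if __name__ == "__main__":
    ecb, cbc = ecb_encrypt(KEY, SECRET), cbc_encrypt(KEY, SECRET)
    print("ECB repeated blocks:", repeated_blocks(ecb))
    print("CBC repeated blocks:", repeated_blocks(cbc, skip_iv=True))
    print("ECB same ciphertext on re-encrypt:", ecb == ecb_encrypt(KEY, SECRET))
    print("CBC same ciphertext on re-encrypt:", cbc == cbc_encrypt(KEY, SECRET))
```

Under ECB the three identical plaintext blocks show up as three identical ciphertext blocks, and the same password stored in two job configurations encrypts to the same bytes, so an attacker with file or page access can see which secrets are equal or repetitive without decrypting anything. Under CBC with a random IV neither property holds. Note that CBC alone does not authenticate the ciphertext; that is a separate concern from the one this advisory addresses.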

Items could be created with same name as existing item

SECURITY-321 / CVE-2017-2599

An insufficient permission check allowed users with the permission to create new items (e.g. jobs) to overwrite existing items they don’t have access to. After a Jenkins restart, children of the original item, such as builds, were then accessible in some circumstances.

Node monitor data could be viewed by low privilege users

SECURITY-343 / CVE-2017-2600

Overall/Read permission was sufficient to access node monitor data via the remote API. These included system configuration and runtime information of these nodes.

Possible cross-site scripting vulnerability in jQuery bundled with timeline widget

SECURITY-349 / CVE-2011-4969

The Simile timeline widget used on build history pages bundles an outdated jQuery vulnerable to CVE-2011-4969. We were unable to confirm that Jenkins is vulnerable, but updated the jQuery version bundled with the Simile timeline widget anyway.

Persisted cross-site scripting vulnerability in parameter names and descriptions

SECURITY-353 / CVE-2017-2601

Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

Outdated jbcrypt version bundled with Jenkins

SECURITY-354 / CVE-2015-0886

Jenkins bundled an outdated version of jbcrypt that was affected by CVE-2015-0886.

Pipeline metadata files not excluded in agent-to-controller security subsystem

SECURITY-358 / CVE-2017-2602

The Pipeline suite of plugins stored build metadata in the file program.dat and the directory workflow/. These were not excluded in the agent-to-controller security subsystem and could therefore be written to by malicious agents.
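As an added illustration (not Jenkins code, and not its actual file-access rules), here is a path-policy check of the kind the fix implies: an agent-supplied relative path is normalised, confined to the build directory, and then refused if it names the Pipeline metadata listed above. The build directory layout and the sample requests are constructed.

```python
import posixpath
from typing import Tuple

# Names taken from the advisory: Pipeline metadata that agents must not be able to write
EXCLUDED_TOP_LEVEL = frozenset({"program.dat", "workflow"})

# Constructed build directory on the controller (hypothetical layout)
BUILD_DIR = "/var/lib/jenkins/jobs/demo/builds/42"


def check_agent_write(build_dir: str, requested: str) -> Tuple[bool, str]:
    # Hypothetical policy modelled on the fix: normalise the agent-supplied path,
    # keep it inside the build directory, then deny the excluded metadata names.
    # Returns (allowed, reason) so rejections can be logged and alerted on.
    if "\x00" in requested or "\\" in requested:
        return False, "rejected: NUL or backslash in agent-supplied path"
    root = posixpath.normpath(build_dir)
    target = posixpath.normpath(posixpath.join(root, requested))
    if target == root or not target.startswith(root + "/"):
        return False, f"rejected: {requested!r} resolves outside the build directory"
    first = posixpath.relpath(target, root).split("/")[0]
    if first in EXCLUDED_TOP_LEVEL:
        return False, f"rejected: {requested!r} targets protected metadata {first!r}"
    return True, "allowed"


def agent_may_write(build_dir: str, requested: str) -> bool:
    return check_agent_write(build_dir, requested)[0]


# Constructed write requests as an agent might send them
SAMPLE_REQUESTS = [
    "archive/report.txt",
    "log",
    "program.dat",
    "workflow/1.xml",
    "archive/../workflow/2.xml",
    "../../../config.xml",
    "/etc/passwd",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        allowed, reason = check_agent_write(BUILD_DIR, req)
        print(f"{req!r:32} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The check is purely lexical: it handles `..` segments and absolute paths but not symbolic links already present under the build directory, so a real implementation must also resolve the target on the filesystem (for example with `os.path.realpath`) before writing. Every rejection carries a reason, which is what you want to surface in controller logs, since an agent repeatedly asking to write `workflow/` or `program.dat` is a strong signal of a compromised agent.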

User data leak in disconnected agents’ config.xml API

SECURITY-362 / CVE-2017-2603

Agents that were disconnected by users contained the disconnecting user’s User object in serialized form in the config.xml remote API output. This could leak sensitive data such as API tokens.

Low privilege users were able to act on administrative monitors

SECURITY-371 / CVE-2017-2604

Administrative monitors are warnings about the system state shown to Jenkins admins. They sometimes provide actions to e.g. automatically address the reported problem, or disable the warning. These actions were not consistently protected by permission checks, thereby allowing low privilege users to act on them.

All administrative monitors now require the user accessing them to be an administrator.

Re-key admin monitor leaves behind unencrypted credentials in upgraded installations

SECURITY-376 / CVE-2017-1000362

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards.

Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

Internal API allowed access to item names that should not be visible

SECURITY-380 / CVE-2017-2606

The method Jenkins#getItems() included a performance optimization that returned all items when the "Logged-in users can do anything" authorization strategy was in use and anonymous users were granted no access (an option added in Jenkins 2.0). This only affects anonymous users (other users legitimately have access) who were able to obtain a list of items via an UnprotectedRootAction.

Persisted cross-site scripting vulnerability in console notes

SECURITY-382 / CVE-2017-2607

Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Popular examples include the highlighting of sections by Ant Plugin, or the timestamp metadata from Timestamper. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

To prevent this, console notes are now signed by Jenkins when created, and Jenkins will only deserialize correctly signed console notes. As a side effect, console notes created before updating to a release containing this fix will no longer be deserialized. To restore the previous (unsafe) behavior, set the system property hudson.console.ConsoleNote.INSECURE to true as described on Features controlled by system properties.
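The signing scheme described above, as an added example that is not Jenkins's own code or encoding: the controller MACs each note with a key that build scripts and agents never see, the viewer deserializes only notes whose MAC verifies, and an `insecure` switch models the `hudson.console.ConsoleNote.INSECURE` escape hatch. The preamble/postamble markers, the JSON envelope, the key and the sample log lines are all constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed key standing in for a per-controller secret: build scripts and
# agents can write anything into the log text, but never see this key
CONTROLLER_KEY = hashlib.sha256(b"constructed console-note signing key").digest()

# Hypothetical inline encoding (not Jenkins's real preamble/postamble bytes)
PREAMBLE, POSTAMBLE = "[NOTE:", "]"


def _canonical(note: dict) -> bytes:
    # One fixed serialization so the MAC covers exactly what will be deserialized
    return json.dumps(note, sort_keys=True, separators=(",", ":")).encode()


def _wrap(env: dict) -> str:
    return PREAMBLE + base64.b64encode(json.dumps(env).encode()).decode() + POSTAMBLE


def _unwrap(encoded: str) -> dict:
    return json.loads(base64.b64decode(encoded[len(PREAMBLE):-len(POSTAMBLE)]))


def sign_note(key: bytes, note: dict) -> str:
    # Controller side: only code holding the key can produce a note that verifies
    mac = hmac.new(key, _canonical(note), hashlib.sha256).hexdigest()
    return _wrap({"note": note, "mac": mac})


def unsigned_note(note: dict) -> str:
    # Pre-fix format: an envelope with no MAC, which any build step could print
    return _wrap({"note": note})


def modify_without_resigning(encoded: str, **changes) -> str:
    # Edit fields of a signed note while keeping its old MAC (used by the tamper test)
    env = _unwrap(encoded)
    env["note"].update(changes)
    return _wrap(env)


def load_note(key: bytes, encoded: str, insecure: bool = False) -> Optional[dict]:
    # Viewer side: return the note only if its MAC verifies, otherwise None.
    # insecure=True models the ConsoleNote.INSECURE property: accept anything parseable.
    try:
        env = _unwrap(encoded)
        note = env["note"]
        given = bytes.fromhex(env.get("mac", ""))
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, _canonical(note), hashlib.sha256).digest()
    if hmac.compare_digest(given, expected) or insecure:
        return note
    return None


def render_log(key: bytes, lines: List[str], insecure: bool = False) -> List[Tuple[str, Optional[dict]]]:
    # Split each log line into its visible text and the annotation to apply
    # (None when the line has no note or its note was rejected). A rejected
    # note is dropped while the surrounding text stays visible.
    out = []
    for line in lines:
        start = line.find(PREAMBLE)
        end = line.find(POSTAMBLE, start) if start >= 0 else -1
        if start < 0 or end < 0:
            out.append((line, None))
            continue
        note = load_note(key, line[start:end + 1], insecure)
        out.append((line[:start] + line[end + 1:], note))
    return out


# Constructed build log: one note emitted by the controller, one printed by a script
GENUINE = {"kind": "timestamp", "value": "00:00:01"}
INJECTED = {"kind": "html", "value": "<script>/* injected */</script>"}
SAMPLE_LOG = [
    sign_note(CONTROLLER_KEY, GENUINE) + "Started by user admin",
    "echo " + unsigned_note(INJECTED) + "build step output",
]

if __name__ == "__main__":
    for text, note in render_log(CONTROLLER_KEY, SAMPLE_LOG):
        print(repr(text), "->", note)
```

The comparison uses `hmac.compare_digest` so verification time does not depend on where the first mismatching byte is, and the MAC is computed over a canonical serialization so that a note cannot be re-encoded into a different form that still verifies. The same side effect the advisory mentions is visible here: a note written before signing existed carries no MAC and is dropped unless `insecure=True`.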

XStream remote code execution vulnerability

SECURITY-383 / CVE-2017-2608

XStream-based APIs in Jenkins (e.g. /createItem URLs, or POST config.xml remote API) were vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio.

Information disclosure vulnerability in search suggestions

SECURITY-385 / CVE-2017-2609

The autocompletion for the search box provided the names of views the current user does not have access to in its suggestions. These suggestions were removed.

Persisted cross-site scripting vulnerability in search suggestions

SECURITY-388 / CVE-2017-2610

Jenkins allows the creation of users with less-than and greater-than characters in their names. These user names were not escaped when displaying search suggestions, resulting in a cross-site scripting vulnerability.

Insufficient permission check for periodic processes

SECURITY-389 / CVE-2017-2611

The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (which are otherwise run daily), possibly causing additional load on the Jenkins controller and agents.

Low privilege users were able to override JDK download credentials

SECURITY-392 / CVE-2017-2612

Jenkins allows administrators to enter their username and password to the Oracle download site which provides JDKs for download. Users with read access to Jenkins were able to override these credentials, resulting in future builds possibly failing to download a JDK. A permission check has been added.
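Several of the fixes in this advisory (SECURITY-321, SECURITY-371, SECURITY-389 and SECURITY-392) share one shape: an action that should have required a permission, or should have looked past the caller's permission-filtered view, did not. The following added example models that shape in Python; it is not Jenkins code, the `Controller`, `User` and permission-name strings are a hypothetical model that only borrows the advisory's vocabulary, and the users and items are constructed. It shows the item-overwrite flaw next to its corrected form, and a permission decorator of the kind that was missing on the other three actions.

```python
from functools import wraps


class PermissionDenied(Exception):
    pass


class User:
    def __init__(self, name: str, permissions: set):
        self.name, self.permissions = name, set(permissions)

    def has(self, permission: str) -> bool:
        # Hypothetical rule: Overall/Administer implies everything
        return "Overall/Administer" in self.permissions or permission in self.permissions


def require(permission: str):
    # Decorator that performs the permission check before the action runs.
    # The administrative-monitor, cleanup-URL and JDK-credential fixes all
    # amount to adding exactly this kind of check to actions that lacked it.
    def decorate(fn):
        @wraps(fn)
        def checked(self, user: User, *args, **kwargs):
            if not user.has(permission):
                raise PermissionDenied(f"{user.name} lacks {permission} for {fn.__name__}")
            return fn(self, user, *args, **kwargs)
        return checked
    return decorate


class Controller:
    def __init__(self):
        self.items = {}  # name -> {"config": ..., "readers": set of user names}
        self.cleanup_runs = 0
        self.jdk_credentials = None
        self.disabled_monitors = set()

    def visible_items(self, user: User) -> dict:
        # Permission-filtered view: hides items the user may not read
        return {n: i for n, i in self.items.items()
                if user.has("Overall/Administer") or user.name in i["readers"]}

    @require("Item/Create")
    def create_item_vulnerable(self, user: User, name: str, config: str) -> None:
        # The flawed pattern (SECURITY-321): the existence check consults the
        # filtered view, so an item the caller cannot see looks like a free name
        if name in self.visible_items(user):
            raise ValueError("an item with this name already exists")
        self.items[name] = {"config": config, "readers": {user.name}}

    @require("Item/Create")
    def create_item(self, user: User, name: str, config: str) -> None:
        # Fixed: existence is checked against all items, not the filtered view
        if name in self.items:
            raise ValueError("an item with this name already exists")
        self.items[name] = {"config": config, "readers": {user.name}}

    @require("Overall/Administer")
    def disable_admin_monitor(self, user: User, monitor: str) -> None:
        self.disabled_monitors.add(monitor)

    @require("Overall/Administer")
    def workspace_cleanup(self, user: User) -> None:
        self.cleanup_runs += 1

    @require("Overall/Administer")
    def set_jdk_credentials(self, user: User, username: str, password: str) -> None:
        self.jdk_credentials = (username, password)


def attempt(action, *args) -> str:
    # Run an action and classify the outcome ("ok", "denied", "refused")
    try:
        action(*args)
        return "ok"
    except PermissionDenied:
        return "denied"
    except ValueError:
        return "refused"


# Constructed users and a pre-existing item that the developer cannot read
ADMIN = User("admin", {"Overall/Administer"})
DEV = User("dev", {"Overall/Read", "Item/Create"})
READER = User("reader", {"Overall/Read"})


def fresh_controller() -> Controller:
    c = Controller()
    c.items["release-job"] = {"config": "original", "readers": {"admin"}}
    return c


if __name__ == "__main__":
    c = fresh_controller()
    print(attempt(c.create_item_vulnerable, DEV, "release-job", "new"), c.items["release-job"]["config"])
    c = fresh_controller()
    print(attempt(c.create_item, DEV, "release-job", "new"), c.items["release-job"]["config"])
    print(attempt(c.workspace_cleanup, READER), attempt(c.workspace_cleanup, ADMIN), c.cleanup_runs)
```

The general lesson is that a lookup which silently filters by the caller's permissions is the wrong primitive for an existence or uniqueness check, and that every URL-reachable action with a side effect needs its own explicit check rather than relying on the page that links to it being hidden. Which permission each real Jenkins endpoint now requires is not something this model asserts.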

User creation CSRF using GET by admins

SECURITY-406 / CVE-2017-2613

When administrators accessed a URL like /user/example via HTTP GET, a user with the ID example was created if it did not exist. While this user record was only retained until restart in most cases, administrators’ web browsers could be manipulated to create a large number of user records.

Accessing these URLs no longer creates a user record; Jenkins responds with 404 Not Found if no such user exists. When using the internal Jenkins user database, new users can be created via Manage Jenkins » Manage Users. To restore the previous (unsafe) behavior, set the system property hudson.model.User.allowUserCreationViaUrl to true as described on Features controlled by system properties.
