CVE-2018-1000193: Jenkins Security Advisory 2018-05-09

An improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Jenkins (core)
  • Black Duck Hub Plugin
  • Black Duck Hub Plugin
  • gitlab-hook Plugin
  • Groovy Postbuild Plugin

Descriptions

CLI and UI allow non-admin users to enumerate installed plugins

SECURITY-771 / CVE-2018-1000192

Users with Overall/Read permission were able to use the list-plugins CLI command and view the About Jenkins page to list all installed plugins.

Use of the list-plugins CLI command and access to the About Jenkins page now require Overall/Administer permission.

Users were able to register user names containing control characters

SECURITY-786 / CVE-2018-1000193

The built-in Jenkins user database optionally allows user registration. This feature did not properly sanitize user names, allowing registration of user names containing control characters.

This could be used to confuse administrators (appearing to be a different user) while preventing deletion of such users through the UI.

User registration in the built-in Jenkins user database now limits user names to those containing alphanumeric, dash, and underscore characters. Administrators can customize this restriction by setting the hudson.security.HudsonPrivateSecurityRealm.ID_REGEX system property to a regular expression that will be used instead to determine whether a given user name is valid.
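The two halves of this issue, a sign-up check that rejects control characters and an audit of names that already collapse to the same visible string, as an added example in Python (not Jenkins code; the `id_regex` parameter only echoes the idea of a configurable pattern like the ID_REGEX property, and the sample user list is constructed):

```python
import re
from typing import Dict, List

# Default pattern mirrors the rule the advisory describes for fixed Jenkins
# releases: alphanumeric, dash and underscore only. Everything in this block
# is this page's own illustration, not Jenkins code.
DEFAULT_ID_REGEX = r"^[A-Za-z0-9_-]+$"


def naive_is_valid(name: str, id_regex: str = DEFAULT_ID_REGEX) -> bool:
    """Pitfall: with re.match, '$' also matches just before a trailing
    newline, so 'admin\\n' (newline is a control character) slips through
    an anchored pattern."""
    return re.match(id_regex, name) is not None


def is_valid_user_name(name: str, id_regex: str = DEFAULT_ID_REGEX) -> bool:
    """Hardened: fullmatch requires the pattern to cover the whole string."""
    return re.fullmatch(id_regex, name) is not None


def visible_form(name: str) -> str:
    """What an administrator sees: the name with C0/C1 controls removed."""
    return "".join(
        ch for ch in name
        if not (ord(ch) < 0x20 or 0x7F <= ord(ch) <= 0x9F)
    )


def find_lookalike_names(existing: List[str]) -> Dict[str, List[str]]:
    """Audit an older user database: group registered names that render
    identically once control characters are stripped."""
    groups: Dict[str, List[str]] = {}
    for n in existing:
        groups.setdefault(visible_form(n), []).append(n)
    return {shown: names for shown, names in groups.items() if len(names) > 1}


# Constructed sample user database for the audit (not real data).
SAMPLE_USERS = ["admin", "admin\x08", "alice", "bob", "bob\x7f"]
```

Run `find_lookalike_names(SAMPLE_USERS)` against an export of an older database to find accounts that cannot be told apart on screen.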

Path traversal vulnerability in agent to controller security subsystem

SECURITY-788 / CVE-2018-1000194

The agent to controller security subsystem ensures that the Jenkins controller is protected from maliciously configured agents.

A path traversal vulnerability allowed agents to escape whitelisted directories to read and write to files they should not be able to access.

Paths are now normalized before performing the access check to ensure they don’t escape allowed directories.
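A flawed prefix check beside a check that normalizes the path first, as an added example in Python (this page's illustration, not the code of Jenkins' agent-to-controller subsystem; the allowed roots are constructed):

```python
import posixpath
from typing import Iterable

# Constructed allowlist for the illustration; a real deployment derives its
# allowed roots from its own configuration.
ALLOWED_ROOTS = ("/var/jenkins_home/workspace", "/var/jenkins_home/tools")


def naive_is_allowed(path: str, roots: Iterable[str] = ALLOWED_ROOTS) -> bool:
    """Flawed check: a plain prefix test on the raw path. It accepts '..'
    segments and also sibling directories that merely share the prefix."""
    return any(path.startswith(root) for root in roots)


def normalized_is_allowed(path: str, roots: Iterable[str] = ALLOWED_ROOTS) -> bool:
    """Hardened check: normalize first (collapse '.', '..' and repeated
    slashes), then require the result to lie within an allowed root.
    commonpath is used instead of startswith so '.../workspace2' is not
    taken for a child of '.../workspace'. On a live filesystem, resolve
    symbolic links as well (os.path.realpath) before comparing."""
    if not posixpath.isabs(path):
        return False  # a relative path has no fixed meaning here; refuse it
    norm = posixpath.normpath(path)
    for root in roots:
        root_norm = posixpath.normpath(root)
        if posixpath.commonpath([norm, root_norm]) == root_norm:
            return True
    return False
```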

Users with Overall/Read permission were able to send GET requests to any URL

SECURITY-794 / CVE-2018-1000195

The form validation code for a tool installer improperly checked permissions, allowing any user with Overall/Read permission to submit an HTTP GET request to any user-specified URL, and learn whether the response was successful (HTTP 200) or not.

Additionally, this functionality did not require that POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.

The affected form validation code now properly checks permissions, and requires that POST requests be sent to prevent CSRF attacks.

Gitlab Hook Plugin stores and displays GitLab API token in plain text

SECURITY-263 / CVE-2018-1000196

Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab. This can be used by users with Jenkins controller file system access to obtain GitHub credentials.

Additionally, the Gitlab API token round-trips in its plaintext form, and is displayed in a regular text field to users with Overall/Administer permission. This exposes the API token to people viewing a Jenkins administrator’s screen, browser extensions, cross-site scripting vulnerabilities, etc.

As of publication of this advisory, there is no fix.

Black Duck Hub Plugin allowed any user with Overall/Read to read and write its configuration

SECURITY-670 / CVE-2018-1000197

Black Duck Hub Plugin did not perform permission checks for its /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint.

This allowed any user with Overall/Read permission to both read and write the plugin configuration XML.

Black Duck Hub Plugin 3.1.0 and newer requires Overall/Administer permission to access this API.

XML External Entity processing vulnerability in Black Duck Hub Plugin

SECURITY-671 / CVE-2018-1000198

Black Duck Hub Plugin’s /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint was affected by an XML External Entity (XXE) processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Black Duck Hub Plugin 4.0.0 and newer no longer processes XML External Entities in XML documents submitted to this endpoint.

Persisted cross-site scripting vulnerability in Groovy Postbuild Plugin

SECURITY-821 / CVE-2018-1000202

Groovy Postbuild Plugin did not properly escape badge content from user input, resulting in a stored cross-site scripting vulnerability.

Groovy Postbuild Plugin 2.4 now properly escapes badge content from user input.

Severity

  • SECURITY-263: low
  • SECURITY-670: medium
  • SECURITY-671: high
  • SECURITY-771: medium
  • SECURITY-786: low
  • SECURITY-788: high
  • SECURITY-794: low
  • SECURITY-821: medium

Affected Versions

  • Jenkins weekly up to and including 2.120
  • Jenkins LTS up to and including 2.107.2
  • Black Duck Hub Plugin up to and including 3.0.3
  • Black Duck Hub Plugin up to and including 3.1.0
  • gitlab-hook Plugin up to and including 1.4.2
  • Groovy Postbuild Plugin up to and including 2.3.1

Fix

  • Jenkins weekly should be updated to version 2.121
  • Jenkins LTS should be updated to version 2.107.3
  • Black Duck Hub Plugin should be updated to version 3.1.0
  • Black Duck Hub Plugin should be updated to version 4.0.0
  • Groovy Postbuild Plugin should be updated to version 2.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • gitlab-hook Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-670
  • Devin Nusbaum, CloudBees, Inc. for SECURITY-771
  • James Nord, CloudBees, Inc. for SECURITY-671
  • Jesse Glick, CloudBees, Inc. and Kalle Niemitalo, Procomp Solutions Oy for SECURITY-788
  • Steve Marlowe of Cisco ASIG for SECURITY-263
  • Sureshbabu Narvaneni for SECURITY-786
  • Thomas de Grenier de Latour for SECURITY-794

Related news

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2018-1000192: Jenkins Security Advisory 2018-05-09

An information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

CVE-2018-1000194: Jenkins Security Advisory 2018-05-09

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

CVE-2018-1000195: Jenkins Security Advisory 2018-05-09

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit an HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.
