CVE-2019-10340: Jenkins Security Advisory 2019-07-11
A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Caliper CI Plugin
- Dependency Graph Viewer Plugin
- Docker Plugin
- Embeddable Build Status Plugin
- Gogs Plugin
- Mashup Portlets Plugin
- Port Allocator Plugin
Descriptions
CSRF vulnerability and missing permission check in Docker Plugin allowed capturing credentials
SECURITY-1010 / CVE-2019-10340 (CSRF), CVE-2019-10341 (permission check)
Severity (CVSS): Medium
Affected plugin: docker-plugin
Description:
Docker Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
This form validation method now requires POST requests and Overall/Administer or Item/Configure permission, as appropriate.
Users with Overall/Read access could enumerate credential IDs in Docker Plugin
SECURITY-1400 / CVE-2019-10342
Severity (CVSS): Medium
Affected plugin: docker-plugin
Description:
Docker Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.
This functionality did not correctly check permissions, allowing any user with Overall/Read permission to obtain a list of valid credential IDs. Those IDs could then be used as part of an attack that captures the credentials through another vulnerability.
Enumerating credential IDs in this plugin now requires the appropriate permission, typically Overall/Administer or Item/Configure.
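The hardened shape of both form-validation methods described above (the connection test and the credentials dropdown), as an added example written for this advisory rather than Docker Plugin's actual code. ExampleConnection and its descriptor are hypothetical; the example assumes the Credentials Plugin's StandardListBoxModel API and a Jenkins core that provides Jenkins.get().

```java
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical describable that only exists to host the descriptor below.
public class ExampleConnection extends AbstractDescribableImpl<ExampleConnection> {
    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleConnection> {
        // Global configuration (no Item in the request path) needs Overall/Administer;
        // job configuration needs Item/Configure on that job.
        private static boolean canConfigure(Item context) {
            return context == null ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                                   : context.hasPermission(Item.CONFIGURE);
        }

        // Credentials dropdown: callers without the permission only get back the
        // value already configured, so valid credential IDs cannot be enumerated.
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item context,
                                                     @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            if (!canConfigure(context)) return result.includeCurrentValue(credentialsId);
            return result.includeEmptyValue()
                    .includeAs(ACL.SYSTEM, context, StandardUsernamePasswordCredentials.class)
                    .includeCurrentValue(credentialsId);
        }

        // Connection test: @RequirePOST closes the CSRF vector (GET is rejected), and
        // the permission check runs before credentialsId is resolved or anything is sent.
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item context,
                @QueryParameter String url, @QueryParameter String credentialsId) {
            if (context == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            else context.checkPermission(Item.CONFIGURE);
            // ... look up credentialsId as ACL.SYSTEM and attempt the connection to url ...
            return FormValidation.ok("Access checks passed; connection test would run here");
        }

        @Override public String getDisplayName() { return "Example connection"; }
    }
}
```

Both checks must precede any use of the user-supplied url or credentialsId; a check placed after the lookup still leaks the credential to the caller-chosen endpoint.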
Reflected XSS vulnerability in Embeddable Build Status Plugin
SECURITY-1419 / CVE-2019-10346
Severity (CVSS): Medium
Affected plugin: embeddable-build-status
Description:
Embeddable Build Status Plugin did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability.
Arguments are now sanitized.
Mashup Portlets Plugin stored credentials in plain text
SECURITY-775 / CVE-2019-10347
Severity (CVSS): Medium
Affected plugin: mashup-portlets-plugin
Description:
Mashup Portlets Plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.
Mashup Portlets Plugin now stores these credentials encrypted.
Gogs Plugin stored credentials in plain text
SECURITY-1438 / CVE-2019-10348
Severity (CVSS): Medium
Affected plugin: gogs-webhook
Description:
Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Gogs Plugin now stores credentials encrypted.
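What "now stores credentials encrypted" means in Jenkins plugin terms, as an added example that is not code from the Gogs or Mashup Portlets plugins: the field holding the credential is typed hudson.util.Secret, which Jenkins serializes to config.xml as an encrypted value instead of the cleartext. ExampleServerConfig and its field names are hypothetical; the readResolve() migration is only needed when the field is renamed, since keeping the name and changing its type from String to Secret already lets Secret's XStream converter accept a legacy plaintext value.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// Hypothetical describable standing in for a plugin's per-job server settings.
public class ExampleServerConfig extends AbstractDescribableImpl<ExampleServerConfig> {
    private final String username;

    // Serialized to config.xml as an encrypted blob keyed to this controller's
    // secret key; decrypted in memory only where the plugin needs the raw value.
    private Secret password;

    // Pre-fix field, kept transient so Jenkins' XStream still reads it from old
    // config.xml files but never writes it back; readResolve() migrates it.
    @Deprecated
    private transient String plainPassword;

    @DataBoundConstructor
    public ExampleServerConfig(String username, Secret password) {
        this.username = username;
        this.password = password;
    }

    // Called by XStream after an object has been loaded from XML.
    protected Object readResolve() {
        if (password == null && plainPassword != null) {
            password = Secret.fromString(plainPassword); // written encrypted on next save
            plainPassword = null;                         // cleartext no longer persisted
        }
        return this;
    }

    public String getUsername() { return username; }

    // Form binding round-trips the Secret; the HTML carries the encrypted form.
    public Secret getPassword() { return password; }

    // Only call where the credential is actually used, e.g. when building a request.
    public String getPasswordPlainText() { return Secret.toString(password); }

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleServerConfig> {
        @Override public String getDisplayName() { return "Example server"; }
    }
}
```

Existing jobs are re-encrypted only when their configuration is next saved, so after upgrading a plugin with such a fix, job config.xml files on the controller may still contain the cleartext until then.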
Stored XSS vulnerability in Dependency Graph Viewer Plugin
SECURITY-1177 / CVE-2019-10349
Severity (CVSS): Medium
Affected plugin: depgraph-view
Description:
Dependency Graph Viewer Plugin does not correctly escape the Display Name value for jobs in Jenkins, resulting in a stored cross-site scripting vulnerability.
As of publication of this advisory, there is no fix.
Port Allocator Plugin stores credentials in plain text
SECURITY-1441 / CVE-2019-10350
Severity (CVSS): Medium
Affected plugin: port-allocator
Description:
Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Caliper CI Plugin stores credentials in plain text
SECURITY-1437 / CVE-2019-10351
Severity (CVSS): Medium
Affected plugin: caliper-ci
Description:
Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Severity
- SECURITY-775: Medium
- SECURITY-1010: Medium
- SECURITY-1177: Medium
- SECURITY-1400: Medium
- SECURITY-1419: Medium
- SECURITY-1437: Medium
- SECURITY-1438: Medium
- SECURITY-1441: Medium
Affected Versions
- Caliper CI Plugin up to and including 2.3
- Dependency Graph Viewer Plugin up to and including 0.13
- Docker Plugin up to and including 1.1.6
- Embeddable Build Status Plugin up to and including 2.0.1
- Gogs Plugin up to and including 1.0.14
- Mashup Portlets Plugin up to and including 1.0.9
- Port Allocator Plugin up to and including 1.8
Fix
- Docker Plugin should be updated to version 1.1.7
- Embeddable Build Status Plugin should be updated to version 2.0.2
- Gogs Plugin should be updated to version 1.0.15
- Mashup Portlets Plugin should be updated to version 1.1.0
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
- Caliper CI Plugin
- Dependency Graph Viewer Plugin
- Port Allocator Plugin
Learn why we announce these issues.
Credit
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
- David Fiser of Trend Micro Nebula working with Trend Micro’s Zero Day Initiative for SECURITY-1437, SECURITY-1438, SECURITY-1441
- Dhiru Pandey for SECURITY-1419
- Ishaq Mohammed (https://about.me/security-prince) for SECURITY-1177
- Oleg Nenashev, CloudBees, Inc. for SECURITY-1010
Related news
A reflected cross-site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers to inject arbitrary HTML and JavaScript into the response of this plugin.
A stored cross-site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript into the plugin-provided web pages in Jenkins.