Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Email Extension Plugin
*   Flaky Test Handler Plugin
*   Pipeline Maven Integration Plugin
*   Yet Another Build Visualizer Plugin

**Descriptions****Stored XSS vulnerability in help icons**

**SECURITY-1955 / CVE-2020-2229**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values.

This results in a stored cross-site scripting (XSS) vulnerability.

Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.

**Stored XSS vulnerability in project naming strategy**

**SECURITY-1957 / CVE-2020-2230**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.

Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

**Stored XSS vulnerability in 'Trigger builds remotely'**

**SECURITY-1960 / CVE-2020-2231**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.

**SMTP password transmitted and displayed in plain text by Email Extension Plugin**

**SECURITY-1975 / CVE-2020-2232**  
**Severity (CVSS):** Low  
**Affected plugin: email-ext**  
**Description:**

Email Extension Plugin stores an SMTP password in its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller as part of its configuration.

While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration form by Email Extension Plugin 2.72 and 2.73. This can result in exposure of the password.

Email Extension Plugin 2.74 transmits the SMTP password in its global configuration encrypted and masks it using a password field.

**Missing permission check in Pipeline Maven Integration Plugin allows enumerating credentials IDs**

**SECURITY-1794 (1) / CVE-2020-2233**  
**Severity (CVSS):** Medium  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline Maven Integration Plugin 3.8.3 requires the appropriate permissions.

**CSRF vulnerability and missing permission check in Pipeline Maven Integration Plugin allow capturing credentials**

**SECURITY-1794 (2) / CVE-2020-2234 (permission check), CVE-2020-2235 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Pipeline Maven Integration Plugin 3.8.3 requires POST requests and Job/Configure permission for the affected form validation method.

**Stored XSS vulnerability in Yet Another Build Visualizer Plugin**

**SECURITY-1940 / CVE-2020-2236**  
**Severity (CVSS):** High  
**Affected plugin: yet-another-build-visualizer**  
**Description:**

Yet Another Build Visualizer Plugin 1.11 and earlier does not escape tooltip content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.

Yet Another Build Visualizer Plugin 1.12 escapes tooltip content.

**CSRF vulnerability in Flaky Test Handler Plugin**

**SECURITY-1763 / CVE-2020-2237**  
**Severity (CVSS):** Medium  
**Affected plugin: flaky-test-handler**  
**Description:**

Flaky Test Handler Plugin 1.0.4 and earlier does not require POST requests for the "Deflake this build" feature, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild a project at a previous git revision where the tests were failing.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1763: Medium
*   SECURITY-1794 (1): Medium
*   SECURITY-1794 (2): High
*   SECURITY-1940: High
*   SECURITY-1955: High
*   SECURITY-1957: High
*   SECURITY-1960: High
*   SECURITY-1975: Low

**Affected Versions**

*   Jenkins weekly up to and including 2.251
*   Jenkins LTS up to and including 2.235.3
*   **Email Extension Plugin** up to and including 2.73
*   **Flaky Test Handler Plugin** up to and including 1.0.4
*   **Pipeline Maven Integration Plugin** up to and including 3.8.2
*   **Yet Another Build Visualizer Plugin** up to and including 1.11

**Fix**

*   Jenkins weekly should be updated to version 2.252
*   Jenkins LTS should be updated to version 2.235.4
*   **Email Extension Plugin** should be updated to version 2.74
*   **Pipeline Maven Integration Plugin** should be updated to version 3.8.3
*   **Yet Another Build Visualizer Plugin** should be updated to version 1.12

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Flaky Test Handler Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Bjoern Kasteleiner** for SECURITY-1975
*   **Pierre Beitz, CloudBees, Inc.** for SECURITY-1957
*   **Tim Jacomb** for SECURITY-1794 (1), SECURITY-1794 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1763, SECURITY-1940, SECURITY-1955, SECURITY-1960

CVE-2020-2231: Jenkins Security Advisory 2020-08-12

Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202004008

CVE ID

CVE-2020-12781

CVSS

5.7 (Medium)  
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

影響產品

Combodo iTop 2.7.0-beta2之前的版本

問題描述

Combodo iTop含有跨站請求攻擊之漏洞，攻擊者可以藉由惡意網頁來偽造請求，並執行特定指令。

解決方法

更新至Combodo iTop 2.7.1

漏洞通報者

黃榆翔、蔡仲南、Tseng, Yung-Hao

公開日期

2020-08-10

CVE-2020-12781: Combodo iTop - CSRF

Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.

CVE-2020-11110: grafana/CHANGELOG.md at main · grafana/grafana

OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp.

CVE-2020-15074: Access Server Release Notes | OpenVPN

An issue was discovered in Navigate CMS 2.8 and 2.9 r1433. The query parameter fid on the resource navigate.php does not perform sufficient data validation and/or encoding, making it vulnerable to reflected XSS.

I recently took part in a live bug hunting event:

> — OnSecurity - We're Hiring! (@HackersOnDemand) June 9, 2020

As part of these event, we reviewed the product Navigate CMS. In order to perform this review I setup a local instance of this tool, using version v2.9 r1433 (2020/06).

While taking part of this event, I managed to help identify several findings:

*   User enumeration
*   Session information leakage
*   User password reset vulnerability
*   Store Cross-Site Scripting (XSS)
*   Reflected Cross-Site Scripting (XSS)

**User Enumeration - CVE-2020-14016**

Navigate CMS has a _Forgot password?_ feature, which allows a user to reset their password if they forgot what their current password is.

Navigate CMS login page with _Forgot password?_ link.

In order to use this feature the user supplies either their username associated with their account, or the email address which is associate with their account.

Forgot password feature.

When entering the username or email address of a non-existent user, it produces and error stating that the user couldn't be found:

Result of providing details of non-existent user.

When reviewing the HTTP response it can clearly be seen that the HTTP response responds with the message _not\_found_ in the response body:

**HTTP request:**

    POST /navigate/login.php HTTP/1.1
    Host: 192.168.0.130
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: */*
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    X-Requested-With: XMLHttpRequest
    Content-Length: 36
    Origin: http://192.168.0.130
    Connection: close
    Referer: http://192.168.0.130/navigate/login.php
    Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; navigate-tinymce-scroll=%7B%7D; NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t
    
    action=forgot-password&value=invalid
    

**HTTP Response**

    HTTP/1.1 200 OK
    Date: Wed, 10 Jun 2020 16:55:33 GMT
    Server: Apache/2.4.41 (Ubuntu)
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Set-Cookie: NVSID_ff0d48a629500e15=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    Set-Cookie: PHPSESSID=6ls0ko8kgh9fikeqt0a78cmp0t; expires=Wed, 10-Jun-2020 17:55:33 GMT; Max-Age=3600; path=/; domain=192.168.0.130; HttpOnly; SameSite=Lax
    X-Csrf-Token: 236c7e771d9d104865dd84a095910bdeef4434443f7c55be1cdff82bb6037b7f
    Vary: Accept-Encoding
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 9
    
    not_found
    

Using this one can either use something such as a wordlist to try enumeration which users exist on the system:

User enumeration of the _Forgot password?_ feature.

**Session Information Leakage - CVE-2020-14017**

Navigate CMS stores session information in plaintext files on the server in the webroot. These files are then publicly available to un-authenticated users. As part of the setup, there is an option to copy/install the appropriate _.htaccess_ files used to prevent access to this directory and files. However it appears that this doesn't prevent access with later versions of Apache HTTPD.

Depending how the server has been configured, it could be possible to view the contents of the directory:

Directory list of the directory private/sessions which contains all session files.

Upon navigating to one of the session files (most preferably the most recent), one is able to view details and sensitive information (such as CSRF tokens) which are associated with the session:

Details of session file.

If directory listing has been disabled on the webserver (such as via Apache configuration), an attacker is still able to access these files without authentication, however they would need to bruteforce the session IDs to find existing sessions and thus the existing session files:

Bruteforcing of session files.

**User Password Reset Vulnerability - CVE-2020-14015**

The _Forgot password?_ feature allows a user to reset their password. When a user successfully enters their username or email address in the forgot password feature, an email is sent the user which contains a password reset link. This link contains an _activation code_, which allows the user to then reset the password associated with their account.

When providing an invalid code, the user is presented with the login screen:

Login screen with invalid password activation code.

However a flaw exists when no code is presented, the user is prompted for a new password:

Password reset for now password activation code.

And setting the password results in success:

Password reset successful.

Upon further investigation, the reason is that when a user is created, their account is created without an activation code:

Database after user created.

When no code is supplied in the password reset process flow, the first user without an activation key will be matched and thus have their password reset.

**Stored Cross-Site Scripting - CVE-2020-14018**

While there is HTML encoding on _User_ field in the Users / Edit page, there is not sufficient encoding on the _E-Mail_ field, these leaves it vulnerable to a store XSS vulnerability:

Stored XSS from E-Mail field on the Users / Edit page.

As stated the _User_ field is appropriate HTML encoded, preventing any XSS vulnerability from this field on this page:

HTML encoding of the _User_ field.

However the E-Mail field is does not have sufficient HTML encoding, resulting in a stored XSS vulnerability:

XSS vulnerability in the _E-Mail_ field.

This stored XSS vulnerability is persisted and present from both the _User_ as well as the _E-Mail_ fields when viewing users on the _Users_ page:

Stored XSS from the _User_ field.

Stored XSS from the _E-Mail_ field.

**Reflected Cross-Site Scripting - CVE-2020-14014**

On the landing page once the user authenticates, there is a resource _/nagivate.php_ which can take the query parameter _fid_. The value from this parameter is reflected back on the page, without having appropriate validation or HTML encoding. This makes the page vulnerable to reflected XSS:

Reflected XSS from the vulnerable _fid_ query parameter.

This is since the value is reflected to a link in the top right corner of the page:

Reflected link contain the reflected XSS.

**Resolution**

Fixed as of version v2.9.1 r1487 (2020/06).

**Vendor Notification**

*   10 June 2020 - Initial contact with the vendor, indicating wish to share findings with vendor before disclosing publicly.
*   11 June 2020 - Received response from vendor expressing wish to obtain information about findings.
*   11 June 2020 - Forwarded findings to vendor.
*   17 June 2020 - Vendor shared fixes with myself and asked me to review the fixes.
*   21 June 2020 - Reviewed fixes and confirmed with vendor.
*   22 June 2020 - Vendor confirmed new version and approved public disclosure of findings.

CVE-2020-14014: Navigate CMS

A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.

CVE-2020-8167: HackerOne

Bolt CMS before version 3.7.1 lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview. This has been fixed in Bolt 3.7.1

**Impact**

Bolt CMS lacked CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview.

**Patches**

This has been fixed in Bolt 3.7.1

**References**

Related issue: #7853

CVE-2020-4040: CSRF issue on preview pages

D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Information.

DIR-865L :: Rev. Ax :: End of Support / End of Life Product :: Reporting Multiple Vulnerabilities

**Overview**

  
On February 28, 2020, a report from a security researcher at Palo Alto Networks  identified the DIR-865L hardware Ax with 1.20B01 Beta released on August 9, 2018, as potentially having multiple security vulnerabilities.

DIR-865L reached its End of Support (“EOS”) / End of Life (“EOL”) Date on 02/01/2016. As a  general policy, when the product reaches EOS/EOL, it  can no longer be supported, and all firmware development for the product ceases, except in certain unique situations.  In this particular case for DIR-865, D-Link was able to provide a Beta Patch Release after the EOS/EOL Date.  **Please see information and recommendations** below. 

As a part of our standard process, we accept reports from 3rd parties and then confirm the report across the family of products that could be affected by software or hardware design similarities that are or were shipped under the D-Link brand globally.  

**Third-Party Report**

      Gregory Basior:: Palo Alto Networks:: Gasior \_at\_ Palo alto networks \_dot\_ com 

      Davila Loranca:: Palo Alto Networks:: adavilaloran \_at\_ Palo alto networks \_dot\_ com  

      Jun Du:: Palo Alto Networks:: judu \_at\_ Palo alto networks \_dot\_ com   

     CVE-ID::

            CVE-2020-13785  D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.

            CVE-2020-13782  D-Link DIR-865L Ax 1.20B01 Beta devices allow Command Injection.

            CVE-2020-13784  D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number

            CVE-2020-13783  D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.

            CVE-2020-13786  D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.

            CVE-2020-13787  D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Transmission of Sensitive Informatio…  
  

     CWE-IDs::

           1. CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)             

           2. CWE-352: Cross-Site Request Forgery (CSRF)                        

           3. CWE-326: Inadequate Encryption Strength       

           4. CWE-337: Predictable seed in Pseudo-Random Number Generator      

           5. CWE-312: Cleartext Storage of Sensitive Information                 

           6. CWE-319: Cleartext Transmission of Sensitive Information  

**Exceptional Beta Patch Release**   

Released: v1.20B01Beta01 05-26-2020 :: LINK

D-Link continues to recommend that for the End Of Support (“EOS”) / End of Life (“EOL”) products , a product owner should retire the EOS/EOL product and replace the EOS/EOL product for an actively supported product.

Owners of the DIR-865L who use this product beyond EOS/EOL, at their own risk, should manually update to the latest firmware. This beta release is a result of investigation based on the understanding of the report and is released after a complete investigation of the entire family of products that may be affected. Releasing firmware after EOS/EOL is not a standard operating procedure.

**CWE-ID Fixes Offered In Exceptional Beta Release  
**

2\. CWE-352: Cross-Site Request Forgery (CSRF)   

3\. CWE-326: Inadequate Encryption Strength   

5\. CWE-312: Cleartext Storage of Sensitive Information 

**Recommendation for End of Support Life Products**

From time to time, D-Link will decide that some of its products have reached End of Support ("EOS") / End of Life (“EOL”). D-Link may choose to EOS/EOL a product due to evolution of technology, market demands,  new innovations, product efficiencies based on new technologies, or the product matures over time and should be replaced by functionally superior technology.

**For US Consumer**

If a product has reached End of Support ("EOS") / End of Life ("EOL"), there is normally no further extended support or development for it. Once a product reaches its EOL/EOS date, it is transferred to  https://legacy.us.dlink.com/

Typically for these products, D-Link will be unable to resolve device or firmware issues since all development and customer support has ceased. 

This DIR-856L is an exceptional circumstance in which D-Link is able to provide a Beta Patch Release. However, D-Link strongly recommends that this product be retired and cautions that any further use of this product may be a risk to devices connected to it. If US consumers continue to use the DIR-856L against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/ installed, make sure you frequently update the device's unique password to access its web-configuration, and always have WIFI encryption enabled with a unique password.

CVE-2020-13787: D-Link Technical Support

Jenkins Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints, allowing attackers to perform all administrative actions provided by the plugin.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Compact Columns Plugin
*   ECharts API Plugin
*   Play Framework Plugin
*   Project Inheritance Plugin
*   Script Security Plugin
*   Selenium Plugin
*   Subversion Partial Release Manager Plugin
*   Swarm Plugin

**Descriptions****Stored XSS vulnerability in Script Security Plugin**

**SECURITY-1866 / CVE-2020-2190**

Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure sandboxed scripts.

Script Security Plugin 1.73 escapes pending and approved classpath entries before rendering them in the Jenkins UI.

**CSRF vulnerability and improper permission checks in Swarm Plugin**

**SECURITY-1200 / CVE-2020-2191 (permission checks), CVE-2020-2192 (CSRF)**

Swarm Plugin adds API endpoints to add or remove agent labels. In Swarm Plugin 3.20 and earlier these only require a global Swarm secret to use, and no regular permission check is performed. This allows users with Agent/Create permission to add or remove labels of any agent.

Additionally, these API endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Swarm Plugin 3.21 requires POST requests and Agent/Configure permission for the affected agent to these endpoints. It no longer uses the global Swarm secret for these API endpoints.

**Stored XSS vulnerability in ECharts API Plugin**

**SECURITY-1841 / CVE-2020-2193**

ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier when rendering charts.

This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Job/Configure permission.

ECharts API Plugin 4.7.0-4 escapes the parser identifier.

**Stored XSS vulnerability in ECharts API Plugin**

**SECURITY-1842 / CVE-2020-2194**

ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart.

This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Run/Update permission.

ECharts API Plugin 4.7.0-4 escapes the display name.

**Stored XSS vulnerability in Compact Columns Plugin**

**SECURITY-1837 / CVE-2020-2195**

Compact Columns Plugin 1.11 and earlier displays the unprocessed job description in tooltips.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

Compact Columns Plugin 1.12 applies the configured markup formatter to the job description shown in tooltips.

**Complete lack of CSRF protection in Selenium Plugin can lead to OS command injection**

**SECURITY-1766 / CVE-2020-2196**

Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints.

This allows attackers to perform the following actions:

*   Restart the Selenium Grid hub.
    
*   Delete or replace the plugin configuration.
    
*   Start, stop, or restart Selenium configurations on specific nodes.
    

Through carefully chosen configuration parameters, these actions can result in OS command injection on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Missing permission check in Project Inheritance Plugin**

**SECURITY-1582 / CVE-2020-2197 (permission check), CVE-2020-2198 (unredacted encrypted secrets)**

Jenkins limits access to job configuration XML data (config.xml) to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL /job/…​/getConfigAsXML for its Inheritance Project job type that does something similar.

Project Inheritance Plugin 19.08.02 and earlier does not check permissions for this new endpoint, granting access to job configuration XML data to every user with Job/Read permission.

Additionally, the encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Job/Configure permission.

As of publication of this advisory, there is no fix.

**XSS vulnerability in Subversion Partial Release Manager Plugin**

**SECURITY-1726 / CVE-2020-2199**

Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation.

This results in a reflected cross-site scripting (XSS) vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configure permission.

As of publication of this advisory, there is no fix.

**OS command injection vulnerability in Play Framework Plugin**

**SECURITY-1879 / CVE-2020-2200**

A form validation endpoint in Play Framework Plugin executes the play command to validate a given input file.

Play Framework Plugin 1.0.2 and earlier lets users specify the path to the play command on the Jenkins controller. This results in an OS command injection vulnerability exploitable by users able to store such a file on the Jenkins controller (e.g. through archiving artifacts).

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1200: Medium
*   SECURITY-1582: Medium
*   SECURITY-1726: Medium
*   SECURITY-1766: High
*   SECURITY-1837: Medium
*   SECURITY-1841: Medium
*   SECURITY-1842: Medium
*   SECURITY-1866: Medium
*   SECURITY-1879: High

**Affected Versions**

*   **Compact Columns Plugin** up to and including 1.11
*   **ECharts API Plugin** up to and including 4.7.0-3
*   **Play Framework Plugin** up to and including 1.0.2
*   **Project Inheritance Plugin** up to and including 19.08.02
*   **Script Security Plugin** up to and including 1.72
*   **Selenium Plugin** up to and including 3.141.59
*   **Subversion Partial Release Manager Plugin** up to and including 1.0.1
*   **Swarm Plugin** up to and including 3.20

**Fix**

*   **Compact Columns Plugin** should be updated to version 1.12
*   **ECharts API Plugin** should be updated to version 4.7.0-4
*   **Script Security Plugin** should be updated to version 1.73
*   **Swarm Plugin** should be updated to version 3.21

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Play Framework Plugin
*   Project Inheritance Plugin
*   Selenium Plugin
*   Subversion Partial Release Manager Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1879
*   **Daniel Beck, CloudBees, Inc. and, independently, Markus Winter, SAP SE** for SECURITY-1582
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1200
*   **Tobias Gruetzmacher** for SECURITY-1837
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1726, SECURITY-1841, SECURITY-1842, SECURITY-1866
*   **Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc.** for SECURITY-1766

CVE-2020-2196: Jenkins Security Advisory 2020-06-03

An issue was discovered in Aviatrix Controller before 5.4.1204. It contains credentials unused by the software.

Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket at Aviatrix Support Portal at https://support.aviatrix.com. Any such findings are fed back to Aviatrix’s development teams and serious issues are described along with protective solutions in the advisories below.

Please note the below Aviatrix Security recommendations and communication plans: - Aviatrix strongly recommend customers to stay on the latest release to resolve features and bug issues. All fixes are in the new release; we do not patch older release versions. - Customers are strongly recommended to perform image migration 2x a year. The migration process provides the latest system level security patch - All known software vulerabilities are submitted to Mitre for CVE-ID references by Aviatrix Systems - Avitrix publish Field Notices and send alerts to Controller Admin in the Controller console when security related issues are published

**Most Recent IR¶**

**18\. Aviatrix Controller - Remote file execution¶**

**Date** 10/04/2021

**Risk Rating** Critical

**Description** The Aviatrix Controller legacy API had a vulnerability allowing an unauthenticated attacker to upload arbitrary files, including .php scripts, to the filesystem. These uploaded scripts will be processed by the web frontend, allowing an attacker to run code of their choosing.

**Impact** Remote file execution

**Affected Product** Aviatrix Controller prior to the fixed versions.

**Solution** The vulnerability has been fixed in:

> *   UserConnect-6.2-1804.2043 or later
> *   UserConnect-6.3-1804.2490 or later
> *   UserConnect-6.4-1804.2838 or later
> *   UserConnect-6.5-1804.1922 or later

**CVE-ID** CVE-2021-40870

**Acknowledgement** Aviatrix would like to thank the team at Tradecraft (https://www.wearetradecraft.com/) for the responsible disclosure of these issues.

**17\. OpenVPN - Abitrary File Write¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** The VPN service write logs to a location that is writable

**Impact** Unauthorized file permission

**Affected Product** Aviatrix OpenVPN R2.8.2 or earlier

**Solution** Aviatrix OpenVPN OpenVPN 2.10.8 - May 14 2020 or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**16\. Bypass htaccess security control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to a cert directory can be bypassed to download files.

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**15\. Insecure File Permissions¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** Several world writable files and directories were found

**Impact** Excessive Permission

**Affected Product** Controller 5.3.1516

**Solution** Controller R5.4.1290 (8/5/2020) or later

**CVE-ID** TBD

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**14\. Bypass Htaccess Security Control¶**

**Date** 8/10/2020

**Risk Rating** Low

**Description** The htaccess control to prevent requests to directories can be bypassed for file downloading.

**Impact** Unauthorized file download

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26549

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**13\. Insecure sudo rule¶**

**Date** 8/10/2020

**Risk Rating** Medium

**Description** A user account has permission to execute all commands access as any user on the system.

**Impact** Excessive permission

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26548

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**12\. Cleartext Ecryption Key Storage¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Encrypted key values are stored in cleartext in a readable file

**Impact** Access to read key in encrypted format

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later Migration required to the latest AMI Software Version 050120 (Aug 13, 2020)

**CVE-ID** CVE-2020-26551

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**11\. Pre-Auth Account Takeover¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session and allows for updates of account email addresses.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.4.1290 (8/5/2020) or later

**CVE-ID** CVE-2020-26552

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**10\. Post-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** High

**Description** Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**9\. Pre-Auth Remote Code Execution¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An API file does not require a valid session ID and allows arbitrary files to be uploaded to the web tree.

**Impact** Access to unauthorized files

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R6.0.2483 (8/4/2020) or later

**CVE-ID** CVE-2020-26553

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**8\. Insufficiently Protected Credentials¶**

**Date** 8/10/2020

**Risk Rating** Critical

**Description** An encrypted file containing credentials to unrelated systems is protected by a weak key.

**Impact** Encryption key may not meet the latest security standard

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade R5.3.1151 (6/4/2020) or later

**CVE-ID** CVE-2020-26550

**Acknowledgement** Aviatrix would like to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**7\. Observable Response Discrepancy from API¶**

**Date** 5/19/2020

**Risk Rating** Medium

**Description** The Aviatrix Cloud Controller appliance is vulnerable to a user enumeration vulnerability.

**Impact** A valid username could be used for brute force attack.

**Affected Product** Aviatrix Controller 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13413

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**6\. OpenVPN Client - Elevation of Privilege¶**

**Date** 5/19/2020

**Risk Rating** High

**Description** The Aviatrix VPN client on Linux, macOS, and Windows is vulnerable to an Elevation of Privilege vulnerability. This vulnerability was previously reported (CVE-2020-7224), and a patch was released however the fix is incomplete.

**Impact** This would impact dangerous OpenSSL parameters code execution that are not authorized. Impacts macOS, Linux and Windows clients.

**Affected Product** Client VPN 2.8.2 or earlier Controller & Gateway 5.2 or earlier

**Solution** Client VPN upgrade to 2.10.7 Controller & Gateway upgrade to 5.3 or later In Controller, customer must configure OpenVPN minimum client version to 2.10.7

**CVE-ID** CVE-2020-13417

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**5\. Cross Site Request Forgery (CSRF)¶**

**Date** 5/12/2020

**Risk Rating** Critical

**Description** An API call on Aviatrix Controller web interface was found missing session token check to control access.

**Impact** Application may be vulnerable to Cross Site Request Forgery (CSRF)

**Affected Product** Aviatrix Controller with software release 5.3 or earlier

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later

**CVE-ID** CVE-2020-13412

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**4\. Hard Coded Credentials¶**

**Date** 1/16/2020

**Risk Rating** Low

**Description** The Aviatrix Cloud Controller contains credentials unused by the software. This is a clean-up effort implemented to improve on operational and security maintenance.

**Impact** This would impact operation and maintenance complexity.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Controller & Gateway upgrade 5.4.1204 (5/8/2020) or later Recommended: AWS Security Group settings grants only authorized Controller Access in your environment

**CVE-ID** CVE-2020-13414

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

**3\. CSRF on Password Reset¶**

**Date** 1/16/2020

**Risk Rating** Medium

**Description** Controller Web Interface session token parameter is not required on an API call, which opens the application up to a Cross Site Request Forgery (CSRF) vulnerability.

**Impact** Vulnerability could lead to the unintended reset of a user’s password.

**Affected Product** Aviatrix Controller 5.3 or lower

**Solution** Upgrade 5.4.1066 (must be on version is 5.0 or above) Make sure your AWS Security Group settings limit authorized Controller Access only

**CVE-ID** CVE-2020-13416

**2\. XML Signature Wrapping in SAML¶**

**Date** 2/26/2020

**Risk Rating** High

**Description** An attacker with any signed SAML assertion from the Identity Provider can establish a connection (even if that SAML assertion has expired or is from a user who is not authorized to access Aviatrix).

**Impact** Aviatrix customer using SAML

**Affected Product** Aviatrix Controller 5.1 or lower

**Solution** Aviatrix Controller 5.2 or later Plus Security Patch “SAML XML signature wrapping vulnerability”

**CVE-ID** CVE-2020-13415

**Acknowledgement** Aviatrix is pleased to thank Ioannis Kakavas from Elastic for reporting this vulnerability under responsible disclosure.

**1\. OpenVPN Client Arbitrary File Write¶**

**Date** 1/16/2020

**Risk Rating** High

**Description** Aviatrix OpenVPN client through 2.5.7 or older on Linux, MacOS, and Windows is vulnerable when OpenSSL parameters are altered from the issued value set; the parameters could allow unauthorized third-party libraries to load.

**Impact** OpenVPN client on Linux, MacOS, and Windows

**Affected Product** OpenVPN Client 2.5.7

**Solution** Upgrade to VPN client v2.6 or later

**CVE-ID** CVE-2020-7224

**Acknowledgement** Aviatrix is pleased to thank Rich Mirch, Senior Adversarial Engineer - TeamARES from Critical Start, Inc. for reporting this vulnerability under responsible disclosure.

Tag

#csrf