A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   Configuration as Code Plugin
*   Google Kubernetes Engine Plugin
*   Maven Integration Plugin
*   Maven Release Plug-in Plugin
*   Pipeline: Deprecated Groovy Libraries Plugin
*   Script Security Plugin
*   Skytap Cloud CI Plugin

**Descriptions****Sandbox bypass through type casts in Script Security Plugin**

**SECURITY-1465 (1) / CVE-2019-10355**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin could be circumvented by casting crafted objects to other types. This allowed attackers able to specify sandboxed scripts to invoke constructors that weren’t approved.

Additionally, this could be used to read arbitrary files on the Jenkins controller.

Casting collections to other types as an alternative syntax for constructor invocation is now only allowed when the collection type is defined in java.util, and prohibited otherwise. Casting files and enums to arrays is now intercepted by the sandbox and treated as the invocation of an equivalent method.

**Sandbox bypass through method pointer expressions in Script Security Plugin**

**SECURITY-1465 (2) / CVE-2019-10356**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin could be circumvented through crafted subexpressions used as arguments to method pointer expressions. This allowed attackers able to specify sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Method pointer subexpressions are now subject to sandbox protection.

**Missing permission check in Pipeline: Deprecated Groovy Libraries Plugin**

**SECURITY-1422 / CVE-2019-10357**  
**Severity (CVSS):** Medium  
**Affected plugin: workflow-cps-global-lib**  
**Description:**

Pipeline: Deprecated Groovy Libraries Plugin provides form validation to determine whether the revision (e.g. commit, tag, or branch name) specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an attacker-specified revision exists in an SCM repository configured for use in an existing shared library.

Pipeline: Deprecated Groovy Libraries Plugin now performs the appropriate permission check.

**Maven Integration Plugin did not mask sensitive values in module build logs**

**SECURITY-713 / CVE-2019-10358**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-plugin**  
**Description:**

Maven Integration Plugin did not apply build log decorators from the Build Environment configuration to module builds. This could prevent sensitive content in module build logs from being masked.

Maven Integration Plugin now applies build log decorators from the Build Environment configuration to module builds.

**CSRF vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1098 / CVE-2019-10359**  
**Severity (CVSS):** Medium  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin did not require that requests sent to the endpoint used to initiate the release process use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to perform releases.

Maven Release Plug-in Plugin now requires that these requests be sent via POST.

**Stored XSS vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1184 / CVE-2019-10360**  
**Severity (CVSS):** Medium  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin did not properly escape variables in multiple views, resulting in a stored cross-site scripting vulnerability.

Variables on affected views are now escaped.

**Maven Release Plug-in Plugin stored credentials in plain text**

**SECURITY-1435 / CVE-2019-10361**  
**Severity (CVSS):** Low  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin stored credentials unencrypted in its global configuration file org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Maven Release Plug-in Plugin now stores credentials encrypted.

**Configuration as Code Plugin failed to mask secrets in system log messages**

**SECURITY-1279 / CVE-2019-10343**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure.

Between Configuration as Code Plugin 0.8-alpha and 1.0, log messages contained values if the values were specified using properties in the YAML file (SECURITY-929).

Since Configuration as Code Plugin 1.1, log messages in Configuration as Code Plugin instead mask values of type Secret, which is used in Jenkins to store the values encrypted on disk. This did not work in many instances, as plugins could use the Secret type to store credentials encrypted on disk while not having the Secret type appear in their Java API.

Configuration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.Attribute to a level that does not include INFO messages. See the logging documentation for details.

**Configuration as Code Plugin allowed users without Overall/Administer permission to access documentation**

**SECURITY-1290 / CVE-2019-10344**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin provides a generated schema and reference documentation for the configuration options supported on the current Jenkins instance. These URLs did not perform additional permission checks, resulting in their content being available to users with Overall/Read access. This included detailed information about installed plugins that may not be available otherwise.

Access to these URLs is now restricted to users with Overall/Administer permission.

**Configuration as Code Plugin did not mask proxy credentials**

**SECURITY-1303 / CVE-2019-10345**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin provides a custom configurator for the Jenkins proxy configuration.

This feature did not mask the password for logging or encrypt it in the export.

Configuration as Code Plugin 1.20 and newer mask the Jenkins proxy password when logged and only store it encrypted in the export.

**Configuration as Code Plugin evaluated variable references when importing a previously exported configuration**

**SECURITY-1446 / CVE-2019-10362**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin allows exporting the live Jenkins configuration, as well as importing and applying a configuration provided in the same format. One of the features of the import is that it allows specifying variable references (e.g. ${VARIABLE_NAME}) in the configuration YAML file. These will be replaced by the value of the corresponding environment variable (or other source of secrets) during import (interpolation). If such a value should not be interpolated, the escape character ^ can be used before (e.g. ^${VARIABLE_NAME}).

Exporting did not add ^ escape characters to exported strings, such as various entity descriptions. This allowed attackers with permission to configure certain entities, such as credentials or agents, to specify crafted descriptions containing variable references. These would be replaced by the corresponding environment variable’s value during a subsequent import.

The export now adds ^ escape characters to exported strings as needed to prevent them from being interpolated during import. Previously exported configurations may require manual cleanup by Jenkins admins before being imported.

**Configuration as Code Plugin exported secret values in plain text**

**SECURITY-1458 / CVE-2019-10363**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin allows to export the current Jenkins configuration as a YAML file. Secrets such as passwords should be exported in their encrypted form to prevent accidental disclosure.

Configuration as Code Plugin did not reliably detect which values in the exported YAML file need to be considered sensitive (e.g. credentials and other secrets), as plugins could use the Secret type to store credentials encrypted on disk while not having the Secret type appear in their Java API. This resulted in credentials being exported in plain text in some cases.

Configuration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of exporting encrypted secrets.

**Amazon EC2 Plugin leaked beginning of private key in system log**

**SECURITY-673 / CVE-2019-10364**  
**Severity (CVSS):** Medium  
**Affected plugin: ec2**  
**Description:**

Amazon EC2 Plugin printed a log message that contained the beginning of the private key to the Jenkins system log.

The log message no longer includes the beginning of the private key.

**Google Kubernetes Engine Plugin stored temporary secret in a user accessible location**

**SECURITY-1345 / CVE-2019-10365**  
**Severity (CVSS):** Medium  
**Affected plugin: google-kubernetes-engine**  
**Description:**

Google Kubernetes Engine Plugin created a temporary file named .kube…config containing a temporary access token in the project workspace. This allowed the file to be accessed via workspace browsers, or accidentally archived, disclosing the token.

This temporary file is now created outside the regular project workspace.

**Skytap Cloud CI Plugin stored credentials in plain text**

**SECURITY-1429 / CVE-2019-10366**  
**Severity (CVSS):** Medium  
**Affected plugin: skytap**  
**Description:**

Skytap Cloud CI Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Skytap Cloud CI Plugin now stores credentials encrypted.

**Severity**

*   SECURITY-673: Medium
*   SECURITY-713: Medium
*   SECURITY-1098: Medium
*   SECURITY-1184: Medium
*   SECURITY-1279: Medium
*   SECURITY-1290: Medium
*   SECURITY-1303: Low
*   SECURITY-1345: Medium
*   SECURITY-1422: Medium
*   SECURITY-1429: Medium
*   SECURITY-1435: Low
*   SECURITY-1446: Medium
*   SECURITY-1458: Medium
*   SECURITY-1465 (1): High
*   SECURITY-1465 (2): High

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.43
*   **Configuration as Code Plugin** up to and including 1.24
*   **Google Kubernetes Engine Plugin** up to and including 0.6.2
*   **Maven Integration Plugin** up to and including 3.3
*   **Maven Release Plug-in Plugin** up to and including 0.14.0
*   **Pipeline: Deprecated Groovy Libraries Plugin** up to and including 2.14
*   **Script Security Plugin** up to and including 1.61
*   **Skytap Cloud CI Plugin** up to and including 2.06

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.44
*   **Configuration as Code Plugin** should be updated to version 1.25
*   **Google Kubernetes Engine Plugin** should be updated to version 0.6.3
*   **Maven Integration Plugin** should be updated to version 3.4
*   **Maven Release Plug-in Plugin** should be updated to version 0.15.0
*   **Pipeline: Deprecated Groovy Libraries Plugin** should be updated to version 2.15
*   **Script Security Plugin** should be updated to version 1.62
*   **Skytap Cloud CI Plugin** should be updated to version 2.07

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alex Earl (@alexcearl), Marvell Semiconductor, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-1422
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1184
*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1429, SECURITY-1435
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-713, SECURITY-1345
*   **Mikaël Barbero (Eclipse Foundation)** for SECURITY-1290
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1098
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1446

CVE-2019-10360: Jenkins Security Advisory 2019-07-31

Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read permission.

CVE-2019-10365: Jenkins Security Advisory 2019-07-31

Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised. This vulnerability affects Firefox < 68.

**Mozilla Foundation Security Advisory 2019-21**

Announced

July 9, 2019

Impact

critical

Products

Firefox

Fixed in

*   Firefox 68

**#CVE-2019-9811: Sandbox escape via installation of malicious language pack**

Reporter

Niklas Baumstark

Impact

high

**Description**

As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation.

**References**

*   Bug 1538007
*   Bug 1539598
*   Bug 1539759
*   Bug 1523741
*   Bug 1563327

**#CVE-2019-11711: Script injection within domain through inner window reuse**

Reporter

Boris Zbarsky

Impact

high

**Description**

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security.

**References**

*   Bug 1552541

**#CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects**

Reporter

Gregory Smiley of Security Compass

Impact

high

**Description**

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.

**References**

*   Bug 1543804

**#CVE-2019-11713: Use-after-free with HTTP/2 cached stream**

Reporter

Hanno Böck

Impact

high

**Description**

A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash.

**References**

*   Bug 1528481

**#CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread**

Reporter

Hanno Böck

Impact

moderate

**Description**

Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances.

**References**

*   Bug 1542593

**#CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault**

Reporter

Jonas Allmann

Impact

moderate

**Description**

Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used.

**References**

*   Bug 1515342

**#CVE-2019-11715: HTML parsing error can contribute to content XSS**

Reporter

Linus Särud

Impact

moderate

**Description**

Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances.

**References**

*   Bug 1555523

**#CVE-2019-11716: globalThis not enumerable until accessed**

Reporter

Chris Hacking

Impact

moderate

**Description**

Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed.

**References**

*   Bug 1552632

**#CVE-2019-11717: Caret character improperly escaped in origins**

Reporter

Tyson Smith

Impact

moderate

**Description**

A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes.

**References**

*   Bug 1548306

**#CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML**

Reporter

Mark Banner

Impact

moderate

**Description**

Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised.

**References**

*   Bug 1408349

**#CVE-2019-11719: Out-of-bounds read when importing curve25519 private key**

Reporter

Henry Corrigan-Gibbs

Impact

moderate

**Description**

When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure.

**References**

*   Bug 1540541

**#CVE-2019-11720: Character encoding XSS vulnerability**

Reporter

Rakesh Mane

Impact

moderate

**Description**

Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering.

**References**

*   Bug 1556230

**#CVE-2019-11721: Domain spoofing through unicode latin 'kra' character**

Reporter

Anonymous

Impact

moderate

**Description**

The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion.

**References**

*   Bug 1256009

**#CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin**

Reporter

Luigi Gubello

Impact

moderate

**Description**

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. Luigi Gubello demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents.

**References**

*   Bug 1558299

**#CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries**

Reporter

Andreas Wagner

Impact

low

**Description**

A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different "containers" for people who use the Firefox Multi-Account Containers Web Extension.

**References**

*   Bug 1528335

**#CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions**

Reporter

Frederik Braun

Impact

low

**Description**

Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks.

**References**

*   Bug 1512511

**#CVE-2019-11725: Websocket resources bypass safebrowsing protections**

Reporter

Andrey

Impact

low

**Description**

When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections.

**References**

*   Bug 1483510

**#CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3**

Reporter

Hubert Kario

Impact

low

**Description**

A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages.

**References**

*   Bug 1552208

**#CVE-2019-11728: Port scanning through Alt-Svc header**

Reporter

Trishita Tiwari, Ari Trachtenberg

Impact

low

**Description**

The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded.

**References**

*   Bug 1552993

**#CVE-2019-11710: Memory safety bugs fixed in Firefox 68**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members André Bargull, Christian Holler, Natalia Csoregi, Raul Gurzau, Daniel Varga, Jon Coppeard, Marcia Knous, Gary Kwong, Randell Jesup, David Bolter, Jeff Gilbert, and Deian Stefan reported memory safety bugs present in Firefox 67. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 68

**#CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8**

Reporter

Mozilla developers and community

Impact

critical

**Description**

Mozilla developers and community members Andreea Pavel, Christian Holler, Honza Bambas, Jason Kratzer, and Jeff Gilbert reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

**References**

*   Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

CVE-2019-11718: Security vulnerabilities fixed in Firefox 68

A reflected cross site scripting vulnerability in Jenkins Embeddable Build Status Plugin 2.0.1 and earlier allowed attackers inject arbitrary HTML and JavaScript into the response of this plugin.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Caliper CI Plugin
*   Dependency Graph Viewer Plugin
*   Docker Plugin
*   Embeddable Build Status Plugin
*   Gogs Plugin
*   Mashup Portlets Plugin
*   Port Allocator Plugin

**Descriptions****CSRF vulnerability and missing permission check in Docker Plugin allowed capturing credentials**

**SECURITY-1010 / CVE-2019-10340 (CSRF), CVE-2019-10341 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: docker-plugin**  
**Description:**

Docker Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer or Item/Configure permission, as appropriate.

**Users with Overall/Read access could enumerate credential IDs in Docker Plugin**

**SECURITY-1400 / CVE-2019-10342**  
**Severity (CVSS):** Medium  
**Affected plugin: docker-plugin**  
**Description:**

Docker Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in this plugin now requires the appropriate permission, typically Overall/Administer or Item/Configure.

**Reflected XSS vulnerability in Embeddable Build Status Plugin**

**SECURITY-1419 / CVE-2019-10346**  
**Severity (CVSS):** Medium  
**Affected plugin: embeddable-build-status**  
**Description:**

Embeddable Build Status Plugin did not sanitize arguments provided in the query string, resulting in a reflected cross-site scripting vulnerability.

Arguments are now sanitized.

**Mashup Portlets Plugin stored credentials in plain text**

**SECURITY-775 / CVE-2019-10347**  
**Severity (CVSS):** Medium  
**Affected plugin: mashup-portlets-plugin**  
**Description:**

Mashup Portlets Plugin stored SonarQube credentials unencrypted on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Mashup Portlets Plugin now stores these credentials encrypted.

**Gogs Plugin stored credentials in plain text**

**SECURITY-1438 / CVE-2019-10348**  
**Severity (CVSS):** Medium  
**Affected plugin: gogs-webhook**  
**Description:**

Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Gogs Plugin now stores credentials encrypted.

**Stored XSS vulnerability in Dependency Graph Viewer Plugin**

**SECURITY-1177 / CVE-2019-10349**  
**Severity (CVSS):** Medium  
**Affected plugin: depgraph-view**  
**Description:**

Dependency Graph Viewer Plugin does not correctly escape the Display Name value for jobs in Jenkins, resulting in a stored cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**Port Allocator Plugin stores credentials in plain text**

**SECURITY-1441 / CVE-2019-10350**  
**Severity (CVSS):** Medium  
**Affected plugin: port-allocator**  
**Description:**

Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Caliper CI Plugin stores credentials in plain text**

**SECURITY-1437 / CVE-2019-10351**  
**Severity (CVSS):** Medium  
**Affected plugin: caliper-ci**  
**Description:**

Caliper CI Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-775: Medium
*   SECURITY-1010: Medium
*   SECURITY-1177: Medium
*   SECURITY-1400: Medium
*   SECURITY-1419: Medium
*   SECURITY-1437: Medium
*   SECURITY-1438: Medium
*   SECURITY-1441: Medium

**Affected Versions**

*   **Caliper CI Plugin** up to and including 2.3
*   **Dependency Graph Viewer Plugin** up to and including 0.13
*   **Docker Plugin** up to and including 1.1.6
*   **Embeddable Build Status Plugin** up to and including 2.0.1
*   **Gogs Plugin** up to and including 1.0.14
*   **Mashup Portlets Plugin** up to and including 1.0.9
*   **Port Allocator Plugin** up to and including 1.8

**Fix**

*   **Docker Plugin** should be updated to version 1.1.7
*   **Embeddable Build Status Plugin** should be updated to version 2.0.2
*   **Gogs Plugin** should be updated to version 1.0.15
*   **Mashup Portlets Plugin** should be updated to version 1.1.0

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Caliper CI Plugin
*   Dependency Graph Viewer Plugin
*   Port Allocator Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1437, SECURITY-1438, SECURITY-1441
*   **Dhiru Pandey** for SECURITY-1419
*   **Ishaq Mohammed (https://about.me/security-prince)** for SECURITY-1177
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1010

CVE-2019-10346: Jenkins Security Advisory 2019-07-11

A stored cross site scripting vulnerability in Jenkins Dependency Graph Viewer Plugin 0.13 and earlier allowed attackers able to configure jobs in Jenkins to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

CVE-2019-10349: Jenkins Security Advisory 2019-07-11

A cross-site request forgery vulnerability in Jenkins Docker Plugin 1.1.6 and earlier in DockerAPI.DescriptorImpl#doTestConnection allowed users with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2019-10340: Jenkins Security Advisory 2019-07-11

Cross-site request forgery (CSRF) vulnerability in Personalized WooCommerce Cart Page 2.4 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

WOOHero is just a great WooCommerce extension to customize any store. Like change button text/labels, add contents and much more. WOOHero is compatible with all WooCommerce themes.  
No coding experience requires to change button text/label, add new contents inside WooCommerce core pages. WOOHero nice and simple  
settings will handle all for you. Following details and screenshots explaining all powerful feature of WOOHero.

**Getting Started Video**

**Customize/Change Text**

1.  Add to cart (Single product)
2.  Add to cart (Shop/Loop)
3.  Out of stock (Single product)
4.  View product (Grouped product – Shop/Loop)
5.  Select options (Variable products – Shop/Loop)
6.  Buy product (External product – Shop/Loop)
7.  Place order (Checkout page)

**Customize WooCommerce Core Pages**

1.  Before cart table
2.  Before cart contents
3.  Cart contents
4.  After cart contents
5.  After cart table
6.  After cart
7.  Proceed to checkout
8.  Cart coupon
9.  After cart totals
10.  Before cart totals
11.  Cart is empty
12.  Before mini cart (cart in widget)
13.  Widget shopping cart before buttons
14.  After mini cart
15.  Cart totals before shipping
16.  Cart totals after shipping
17.  Cart totals before order total
18.  Cart totals after order total
19.  Before shipping calculator
20.  After shipping calculator

**WooCommerce Actions/Hooks**

WOOHero using Woocommerce core hooks/actions to customize, zero coding requires. Just install and use.  
Details Here

**WOOHero PRO Features**

WOOHero PRO has more powerful feature and control to customize your store like:

*   **Customize Shop/Store page**
*   **Customize Product page**
*   **Customize My account page**
*   **Customize Checkout page**
*   **Customize Thanks page**
*   **Customize Change button titles (add to cart etc)**
*   **Customize Product Page**
*   **Disable Related Products**
*   **Customize Related Products**
*   **Add Unlimited Product Tabs**
*   **Enquiry/Get a Quote Form for Product**
*   **Front-end editor to add/edit contents**

**Change Any Text**

Another a cool feature of WOOHero PRO version is that you can change Any text from entire site. Like if you want to change ‘Billing Address’ text on checkout  
page, you can do this with WOOHero PRO.

Get Pro Version

1.  Upload plugin directory to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  After activation, you can set options from WooCommerce -> WooHero menu

**DO I need to make changes in file?**

No

**How to access settings**

In Dashboard, you will menu title WooCommerce -> WooHero

**Will this work with my Theme?**

Yes, it is compatible with all themes.

I used it just now and it’s great! In fact, it’s super powerful for being free.

Plugin functionality and working is awesome. The only suggestion is you just need to improve its backend style and usage directions. It shouldn't have a separate menu it should be somewhere in woo-commerce settings.

Great. I can change text almost anywhere in WooCommerce 🙂 Good for non technical users.

Read all 10 reviews

“WooHero WooCommerce Store Customizer” is open source software. The following people have contributed to this plugin.

Contributors

*    N-Media

**3.4 January 19, 2022**

*   Tweaks: WC latest version check

**3.3 September 19, 2021**

*   WC latest version updated
*   Bug fixed: Product tabs HTML issue fixed

**3.2 June 19, 2020**

*   Feature: It will display a Button on Cart page to remove all Cart Items.
*   Feature: It will hide content on the product page and add to cart button. Just show the login form

**3.1 Jan 11, 2020**

*   Bug fixed: Change Any Text

**3.0 Nov 17, 2019**

*   Feature: Re-arranged settings tabs
*   Feature: Front-end editor to add/edit contents
*   Feature: Disable/Enable related products, set column size
*   Feature: Products limit and columns size in Shop page.
*   Feature: More actions added to on checkout page.
*   Feature: Compatibility check with latest WooCommerce, PHP and WordPress

**2.5 June 3, 2019**

*   Bug fixed: Some security related issue fixed

**2.4 October 23, 2018**

*   Bug fixed: Settings saving issue in php version 7+ fixed.

**2.3 July 28, 2018**

*   Bug fixed: Menu moved under WooCommerce Manin Menu

**2.2 July 21, 2018**

*   Bug fixed: Menu not shown due to some other plugin conflict, it’s fixed now

**2.1 July 14, 2018**

*   Bug fixed: Warnings removed
*   Compatibility check with WooCommerce

**2.0**

*   WooCommerce 3.0 compatible issue fixed.

**1.2**

*   Some minor changes made in options page.

**1.1****Following button title/labels can be change**

*   Add to cart (Single product)
*   Add to cart (Shop/Loop)
*   Out of stock (Single product)
*   View product (Grouped product – Shop/Loop)
*   Select options (Variable products – Shop/Loop)
*   Buy product (External product – Shop/Loop)
*   Place order (Checkout page)

**1.0**

*   It is first version, and working perfectly

CVE-2019-5979: WooHero WooCommerce Store Customizer

Cross-site request forgery (CSRF) vulnerability in Custom CSS Pro 1.0.3 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Professional real-time CSS editor for those who want to code CSS.

**Key Features**

*   professional CSS Editor.
*   Real-time live preview.
*   Simple UI.

*   Live Custom CSS Editor
    

Install Custom CSS Pro just as you would any other WP Plugin:

*   Download Custom CSS Pro from WordPress.org.
*   Unzip the .zip file.
*   Upload the Plugin folder (custom-css-pro/) to the wp-content/plugins folder.
*   Go to Plugins Admin Panel and find the newly uploaded Plugin, “Custom CSS Pro” in the list.
*   Click Activate Plugin to activate it.
*   Begin using the plugin by going to Settings > Custom CSS in the Admin Menu.

I searched a long time and this plugin is the best! It has a nice user interface and most important it shows CSS mistakes! I found with this Plugin why my CSS before was not working.

Поменять стили настолько просто, что особо и добавить больше нечего. Особо полезен этот плагин для начинающих разработчиков.

Absolutely love this; one note; sometimes after saving the changes and go back to change say one character or a line, it doesn't popular "save changes". Maybe a small bug? In either case, I use the plug-in for every WP site I run and can't live without it. No more going through different theme menu's just to edit the CSS!

This is the kind of plugin you'd easily donate $10 for because it's so useful. Much thanks to WASP Themes (creators of the Yellow Pencil plugin) for offering such a lightweight and useful tool for nothing. If you use custom css to regularly style elements like I do, there's nothing quite like being able to preview those live changes in the window while you code. I've been using this for about 16 months, I use it on over 10 different wordpress installs to cleanly and effectively make simple color changes, add padding, etc.

Can see CSS changes live!

Read all 14 reviews

“Custom CSS Pro” is open source software. The following people have contributed to this plugin.

Contributors

*    YellowPencil

**1.0.7**

*   fixed a minor javascript bug.

**1.0.6**

*   Editor loading bug fixed.
*   Bug fixes on surfing on the website while CSS editor active.

**1.0.5**

*   Any more you can coding while surfing on your website.
*   CSS Editor’s core functions updated.

**1.0.4**

*   Added nonce to saving action
*   Sanitizing CSS data

**1.0.3**

*   A minor bug fixed

**1.0.2**

*   CSS @import bug fixed.

**1.0.1**

*   A minor bug fixed

**1.0**

*   Initial Release

CVE-2019-5984: Custom CSS Pro

Cross-site request forgery (CSRF) vulnerability in HTML5 Maps 1.6.5.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Published:2019/06/24  Last Updated:2019/06/24

**Overview**

WordPress Plugin ”HTML5 Maps” contains a cross-site request forgery vulnerability.

**Products Affected**

*   HTML5 Maps 1.6.5.6 and earlier

**Description**

WordPress Plugin ”HTML5 Maps” provided by Fla-Shop.com contains a cross-site request forgery vulnerability (CWE-352).

**Impact**

If a user views a malicious page while logged in, unintended operations may be performed.

**Solution**

**Update the plugin**  
Update the plugin according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Daisuke Shimizu of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University directly reported this vulnerability to the developer and coordinated on his own.  
After coordination was completed, this case was reported to IPA, and JPCERT/CC coordinated with the developer for the publication under Information Security Early Warning Partnership.

**Other Information**

CVE-2019-5983: WordPress Plugin ”HTML5 Maps” vulnerable to cross-site request forgery

JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

FYI Security

**JetBrains Security Bulletin Q1 2019**

![Robert Demmer](https://blog.jetbrains.com/wp-content/uploads/2021/03/robert-200x200.png)

This bulletin summarizes the security vulnerabilities detected in JetBrains products and remediated in the first quarter of 2019.

These include issues reported by Jonathan Leitschuh potentially exposing a product user or a project’s infrastructure to man-in-the-middle attacks, namely

*   resolving Gradle, Maven, and sbt project artifacts over an unencrypted connection in various projects; and
*   generating project templates in an IDE causing the above-mentioned issue in a user’s project.

We’ve also run extended verification of the secret storage mechanism in our IDEs’ settings, and identified and fixed several cases of cleartext secret storage.

Here’s a summary report that comprises the affected product, the description of each issue, its severity, and the product version containing the fix.

**Product**

**Description**

**Severity**

**Resolved in**

**CVE/CWE**

CLion

The suggested WSL configuration exposed a local SSH server to the internal network (CPP-15063)

Moderate

No fix versions

CWE-276

Documentation

JetBrains GitHub repositories had a world-editable wiki.(DOC-6532) Reported by Bogdan Gagea

Moderate

No fix versions

CWE-732

Hub

A user password could appear in the audit events for certain server settings (JPS-7895)

High

2018.4.11298

CVE-2019-12847

IntelliJ IDEA

The default configuration for Spring Boot apps was not secure (IDEA-204439)

High

2018.3.4, 2019.1

CVE-2019-9186

IntelliJ IDEA

The application server configuration allowed cleartext storage of secrets (IDEA-201519, IDEA-202483, IDEA-203271)

High

2018.1.8, 2018.2.8, 2018.3.5, 2019.1

CVE-2019-9872

IntelliJ IDEA

The implementation of storage in the KeePass database was not secure (IDEA-200066)

Low

2018.3, 2019.1

CWE-922

IntelliJ IDEA

A certain application server configuration allowed cleartext storage of secrets (IDEA-199911)

Low

2018.3

CWE-317

IntelliJ IDEA

A certain application server configuration allowed cleartext storage of secrets (IDEA-203613)

Moderate

2018.1.8, 2018.2.8, 2018.3.5

CVE-2019-9823

IntelliJ IDEA

A certain remote server configurations allowed cleartext storage of secrets (IDEA-203272, IDEA-203260, IDEA-206556, IDEA-206557)

High

2019.1

CVE-2019-9873

IntelliJ IDEA

The run configuration of certain application servers allowed remote code execution while running the server with the default settings (IDEA-204570)

High

2018.3.7, 2018.1.8, 2018.2.8, 2018.3.4

CVE-2019-10103, CVE-2019-10104

JetBrains Account

An open redirect vulnerability via the backUrl parameter was detected (JPF-8899)

Moderate

No fix version

CWE-601

JetBrains Account

An open redirect vulnerability via the backUrl parameter was detected (JPF-8899)

Moderate

No fix version

CWE-444

Kotlin

The JetBrains Kotlin project was resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.

Moderate

1.3.30

CVE-2019-10101

Kotlin Plugin

IntelliJ IDEA projects created using the Kotlin IDE template were resolving artifacts using an http connection, potentially allowing an MITM attack.

Moderate

1.3.30

CVE-2019-10102

Plugin Marketplace

Some HTTP Security Headers were missing (MP-2004)

Moderate

No fix version

CWE-693

Plugin Marketplace

A reflected XSS was detected (MP-2001)

Moderate

No fix version

CWE-79

Plugin Marketplace

A CSRF vulnerability was detected (MP-2002)

Moderate

No fix version

CWE-352

PyCharm

A certain remote server configuration allowed cleartext storage of secrets (PY-32885)

Moderate

2018.3.2

CWE-209

TeamCity

A possible stored JavaScript injection was detected (TW-59419)

Moderate

2018.2.3

CVE-2019-12844

TeamCity

The generated Kotlin DSL settings allowed usage of an unencrypted connection for resolving artifacts (TW-59379)

Moderate

2018.2.3

CVE-2019-12845

TeamCity

A possible stored JavaScript injection requiring a deliberate server administrator action was detected (TW-55640)

Moderate

2018.2.3

CVE-2019-12843

TeamCity

Incorrect handling of user input in ZIP extraction (TW-57143)

Moderate

2018.2.2

CVE-2019-12841

TeamCity

A reflected XSS on a user page was detected (TW-58661)

Moderate

2018.2.2

CVE-2019-12842

TeamCity

A user without the required permissions could gain access to some settings (TW-58571)

Moderate

2018.2.2

CVE-2019-12846

YouTrack

An SSRF attack was possible on a YouTrack server (JT-51121)

High

2018.4.49168

CVE-2019-12852

YouTrack

An Insecure Direct Object Reference was possible (JT-51103)

Low

2018.4.49168

CVE-2019-12866

YouTrack

Certain actions could cause privilege escalation for issue attachments (JT-51080)

Moderate

2018.4.49168

CVE-2019-12867

YouTrack

A query injection was possible (JT-51105)

Low

2018.4.49168

CVE-2019-12850

YouTrack Licensing

An unauthorized disclosure of license details to an attacker #2 was possible (JT-51117)

Low

No fix version

CWE-284

YouTrack Licensing

A reflected XSS was detected (JT-51074)

Low

No fix version

CWE-79

YouTrack

A CSRF vulnerability was detected in one of admin endpoints (JT-51110)

Moderate

2018.4.49852

CVE-2019-12851

YouTrack Confluence Integration Plugin

The YouTrack Confluence plugin allowed the SSTI vulnerability (JT-51594)

Moderate

1.8.1.3

CVE-2019-10100

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

_Your JetBrains Team  
The Drive to Develop_

Tag

#csrf