Adobe Flash Player version 32.0.0.192 and earlier versions have a Same Origin Policy Bypass vulnerability. Successful exploitation could lead to Information Disclosure in the context of the current user.

Security Bulletin for Adobe Flash Player | APSB19-30

Bulletin ID

Date Published

Priority

APSB19-30

June 11, 2019

 2

Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical and an important vulnerability in Adobe Flash Player. Successful exploitation could lead to arbitrary code execution  and information disclosure respectively in the context of the current user. 

Product

Version

Platform

Adobe Flash Player Desktop Runtime

32.0.0.192 and earlier 

Windows, macOS and Linux

Adobe Flash Player for Google Chrome

32.0.0.192 and earlier

Windows, macOS, Linux and Chrome OS 

Adobe Flash Player for Microsoft Edge and Internet Explorer 11

32.0.0.192  and earlier

Windows 10 and 8.1

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right- click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the latest version:

Note:

*   Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, macOS and Linux update to Adobe Flash Player 32.0.0.207 via the update mechanism within the product \[1\] or by visiting the Adobe Flash Player Download Center.
*   Adobe Flash Player installed with Google Chrome will be automatically updated to the latest Google Chrome version, which will include Adobe Flash Player 32.0.0.207  for Windows, macOS, Linux and Chrome OS.
*   Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1 will be automatically updated to the latest version, which will include Adobe Flash Player 32.0.0.207.
*   Please visit the Flash Player Help page for assistance in installing Flash Player.

\[1\] Users who have selected the option to 'Allow Adobe to install updates' will receive the update automatically. Users who do not have the 'Allow Adobe to install updates' option enabled can install the update via the update mechanism within the product when prompted.

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Number**

Use After Free

Arbitrary Code Execution

Critical

CVE-2019-7845

Same Origin Policy Bypass

Information Disclosure 

Important

CVE-2019-8075

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Anonymously reported via Trend Micro’s Zero Day Initiative (CVE-2019-7845)
*   Mala (CVE-2019-8075)

September 20, 2019: Reference to CVE-2019-8075 has been added.

CVE-2019-8075: Adobe Security Bulletin

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue items is blcoked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executors.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 25 Sep 2019 16:42:06 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

\* Jenkins weekly 2.197
\* Jenkins LTS 2.176.4 and 2.190.1
\* Aqua MicroScanner Plugin 1.0.8
\* Aqua Security Scanner Plugin 3.0.18
\* Data Theorem: CI/CD Plugin 1.4.0
\* Git Changelog Plugin 2.18
\* GitLab Logo Plugin 1.0.4
\* Inedo BuildMaster Plugin Plugin 2.5.0
\* Inedo ProGet Plugin Plugin 1.3
\* Log Parser Plugin 2.1
\* NeuVector Vulnerability Scanner Plugin version 1.6
\* Project Inheritance Plugin 19.08.02
\* Violation Comments to GitLab Plugin 2.29

Additionally, we announce unresolved security issues in the following
plugins:

\* Assembla Plugin
\* Azure Event Grid Build Notifier Plugin
\* Call Remote Job Plugin
\* CodeScan Plugin
\* elOyente Plugin
\* Gem Publisher Plugin
\* Google Calendar Plugin
\* Kubernetes :: Pipeline :: Arquillian Steps Plugin
\* Kubernetes :: Pipeline :: Kubernetes Steps Plugin
\* vFabric Application Director Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-09-25/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1498 / CVE-2019-10401
Jenkins form controls include an expandable textbox that can transform
from a single-line text box to a multi-line text area.

The implementation of this transformation interpreted the text content of
the form field as HTML. This resulted in a cross-site scripting
vulnerability exploitable by attackers able to control the contents of
such f:expandableTextbox form controls.


SECURITY-1525 / CVE-2019-10402
Jenkins interpreted items added to f:combobox form controls as HTML. This
resulted in a cross-site scripting vulnerability exploitable by attackers
able to control the contents of f:combobox form controls.


SECURITY-1537 (1) / CVE-2019-10403
Jenkins did not escape the tag name on the tooltip for tag actions shown
in the build history. This resulted in a cross-site scripting
vulnerability exploitable by attackers able to control the SCM tag name
for these actions.


SECURITY-1537 (2) / CVE-2019-10404
Jenkins did not escape the reason a queue item is blocked in tooltips.
This resulted in a cross-site scripting vulnerability exploitable by
attackers able to control the reason a queue item is blocked, for example
a label expression that does not match idle executors.


SECURITY-1505 / CVE-2019-10405
Jenkins shows various technical information about the current user on the
/whoAmI URL. The information shown includes HTTP request headers.

This allowed attackers able to exploit another cross-site scripting
vulnerability to obtain the Cookie header’s value even if the HttpOnly
flag would prevent direct access via JavaScript.


SECURITY-1471 / CVE-2019-10406
Jenkins did not validate or otherwise limit the possible values
administrators could specify as Jenkins root URL.

This resulted in a cross-site scripting vulnerability exploitable by users
with Overall/Administer permission.


SECURITY-351 / CVE-2019-10407
Mask Passwords Plugin allows users to define secret environment variables
(typically passwords) to be passed to builds, both globally, and for
specific jobs. These environment variables are expected to not be shown.

Project Inheritance Plugin showed the variable values on its Full Build
Flow view and included them in the metadata download without masking.


SECURITY-401 / CVE-2019-10408 (CSRF), CVE-2019-10409 (permission check)
Project Inheritance Plugin allows the creation of projects based on
templates defined in the plugin configuration.

A missing permission check in the HTTP endpoint triggering project
creation allowed users with Overall/Read permission to create these
projects. Additionally, the HTTP endpoint did not require POST requests,
resulting in a CSRF vulnerability.


SECURITY-732 / CVE-2019-10410
Log Parser Plugin did not escape an error message shown when log parsing
patterns are invalid. This resulted in a persisted cross-site scripting
vulnerability exploitable by attackers able to control the log parsing
rules configuration, typically users with Job/Configure permission.

Jenkins applies the missing escaping by default since 2.146 and LTS
2.138.2, so newer Jenkins releases are not affected by this vulnerability.


SECURITY-1504 / CVE-2019-10430
NeuVector Vulnerability Scanner Plugin stored registry credentials
unencrypted in its global configuration file on the Jenkins master. These
credentials could be viewed by users with access to the master file system.


SECURITY-1507 / CVE-2019-10427
Aqua MicroScanner Plugin stores a token credential in its global Jenkins
configuration.

While the token is stored encrypted on disk, it was transmitted in plain
text as part of the configuration form. This could result in exposure of the
token through browser extensions, cross-site scripting vulnerabilities, and
similar situations.


SECURITY-1508 / CVE-2019-10428
Aqua Security Scanner Plugin stores a password in its global Jenkins
configuration.

While the password is stored encrypted on disk, it was transmitted in plain
text as part of the configuration form. This could result in exposure of the
password through browser extensions, cross-site scripting vulnerabilities,
and similar situations.


SECURITY-1513 / CVE-2019-10411
Inedo BuildMaster Plugin Plugin stores a service password in its global
Jenkins configuration.

While the password is stored encrypted on disk, it was transmitted in plain
text as part of the configuration form. This could result in exposure of the
password through browser extensions, cross-site scripting vulnerabilities,
and similar situations.


SECURITY-1514 / CVE-2019-10412
Inedo ProGet Plugin Plugin stores a service password in its global Jenkins
configuration.

While the password is stored encrypted on disk, it was transmitted in plain
text as part of the configuration form. This could result in exposure of the
password through browser extensions, cross-site scripting vulnerabilities,
and similar situations.


SECURITY-1557 / CVE-2019-10413
Data Theorem: CI/CD Plugin stored a proxy password unencrypted in job
config.xml files on the Jenkins master. This password could be viewed by
users with Extended Read permission, or access to the master file system.


SECURITY-1574 / CVE-2019-10414
Git Changelog Plugin stored MediaWiki and Jira passwords unencrypted in job
config.xml files on the Jenkins master. These passwords could be viewed by
users with Extended Read permission, or access to the master file system.


SECURITY-1575 / CVE-2019-10429
GitLab Logo Plugin stored a private token unencrypted in its global
configuration file on the Jenkins master. This token could be viewed by
users with access to the master file system.


SECURITY-1577 / CVE-2019-10415 (global password), CVE-2019-10416 (job password)
Violation Comments to GitLab Plugin stored API tokens unencrypted in job
config.xml files and its global configuration file on the Jenkins master.
These credentials could be viewed by users with Extended Read permission, or
access to the master file system.


SECURITY-920 (1) / CVE-2019-10417
Kubernetes :: Pipeline :: Kubernetes Steps Plugin defines a custom whitelist
for all scripts protected by the Script Security sandbox.

This custom whitelist allows the use of methods that can be used to bypass
Script Security sandbox protection. This results in arbitrary code execution
on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.


SECURITY-920 (2) / CVE-2019-10418
Kubernetes :: Pipeline :: Arquillian Steps Plugin defines a custom whitelist
for all scripts protected by the Script Security sandbox.

This custom whitelist allows the use of methods that can be used to bypass
Script Security sandbox protection. This results in arbitrary code execution
on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.


SECURITY-1541 / CVE-2019-10419
vFabric Application Director Plugin stores the Application Director password
unencrypted in its global configuration file on the Jenkins master. This
password can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1543 / CVE-2019-10420
Assembla Plugin stores the Assembla password unencrypted in its global
configuration file on the Jenkins master. This password can be viewed by
users with access to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1544 / CVE-2019-10421
Azure Event Grid Build Notifier Plugin stores the Azure Event Grid secret
key unencrypted in job config.xml files on the Jenkins master. This key can
be viewed by users with Extended Read permission, or access to the master
file system.

As of publication of this advisory, there is no fix.


SECURITY-1548 / CVE-2019-10422
Call Remote Job Plugin stores a password unencrypted in job config.xml files
on the Jenkins master. This password can be viewed by users with Extended
Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1551 / CVE-2019-10423
CodeScan Plugin stores an API key unencrypted in its global configuration
file on the Jenkins master. This API key can be viewed by users with access
to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1561 / CVE-2019-10424
elOyente Plugin stores a password unencrypted in its global configuration
file on the Jenkins master. This password can be viewed by users with access
to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1572 / CVE-2019-10425
Google Calendar Plugin stores a calendar password unencrypted in job
config.xml files on the Jenkins master. This password can be viewed by users
with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.


SECURITY-1573 / CVE-2019-10426
Gem Publisher Plugin stores an API key unencrypted in its global
configuration file on the Jenkins master. This API key can be viewed by
users with access to the master file system.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2019-10404: security - Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or filter values set as Jenkins URL in the global configuration, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

CVE-2019-10406: Jenkins Security Advisory 2019-09-25

Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

CVE-2019-10428: Jenkins Security Advisory 2019-09-25

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

CVE-2019-10405: Jenkins Security Advisory 2019-09-25

Jenkins Google Calendar Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10425: Jenkins Security Advisory 2019-09-25

Jenkins Assembla Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

CVE-2019-10420: Jenkins Security Advisory 2019-09-25

Jenkins Call Remote Job Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

CVE-2019-10422: Jenkins Security Advisory 2019-09-25

Jenkins CodeScan Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

CVE-2019-10423: Jenkins Security Advisory 2019-09-25

Jenkins vFabric Application Director Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Tag

#google