A reflected cross-site scripting vulnerability in Jenkins build-metrics Plugin allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Bitbucket OAuth Plugin
*   build-metrics Plugin
*   Deploy WebLogic Plugin
*   Dynatrace Application Monitoring Plugin
*   Dynatrace Application Monitoring Plugin
*   fireline Plugin
*   Global Post Script Plugin
*   kubernetes-ci Plugin
*   Libvirt Agents Plugin
*   Mattermost Notification Plugin
*   Sonar Gerrit Plugin
*   Zulip Plugin

**Descriptions****Mattermost Notification Plugin stored webhook endpoint token in plain text**

**SECURITY-1628 / CVE-2019-10459**  
**Severity (CVSS):** Medium  
**Affected plugin: mattermost**  
**Description:**

Mattermost allows the definition of incoming (from the perspective of the service) webhook URLs. These contain what is effectively a secret token as part of the URL.

Mattermost Notification Plugin stored these webhook URLs as part of its global configuration file jenkins.plugins.mattermost.MattermostNotifier.xml and job config.xml files on the Jenkins controller. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system.

Mattermost Notification Plugin now stores these URLs encrypted. As they combine configuration and secret token, they are still shown on the UI.

**Bitbucket OAuth Plugin stored credentials in plain text**

**SECURITY-1546 / CVE-2019-10460**  
**Severity (CVSS):** Low  
**Affected plugin: bitbucket-oauth**  
**Description:**

Bitbucket OAuth Plugin stored a credential unencrypted in the global config.xml configuration file on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system.

Bitbucket OAuth Plugin now stores this credential encrypted.

**Zulip Plugin stored credentials in plain text**

**SECURITY-1621 / CVE-2019-10476**  
**Severity (CVSS):** Low  
**Affected plugin: zulip**  
**Description:**

Zulip Plugin stored a credential unencrypted in its global configuration file jenkins.plugins.zulip.ZulipNotifier.xml, as well as in the legacy configuration file hudson.plugins.humbug.HumbugNotifier.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system.

Zulip Plugin now stores this credential encrypted in its global configuration file. The legacy configuration file is deleted when saving the plugin configuration.

**Dynatrace Application Monitoring Plugin stored credentials in plain text**

**SECURITY-1477 / CVE-2019-10461**  
**Severity (CVSS):** Low  
**Affected plugin: dynatrace-dashboard**  
**Description:**

Dynatrace Application Monitoring Plugin stored a credential unencrypted in its global configuration file com.dynatrace.jenkins.dashboard.TAGlobalConfiguration.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system.

Dynatrace Application Monitoring Plugin now stores this credential encrypted.

**CSRF vulnerability in Dynatrace Application Monitoring Plugin**

**SECURITY-1483 (1) / CVE-2019-10462**  
**Severity (CVSS):** Medium  
**Affected plugin: dynatrace-dashboard**  
**Description:**

Dynatrace Application Monitoring Plugin did not require POST requests on a method implementing form validation. This CSRF vulnerability allowed attackers to initiate a connection test to an attacker-specified server with attacker-specified username and password.

Dynatrace Application Monitoring Plugin now requires POST requests for this form validation method.

**Missing permission check in Dynatrace Application Monitoring Plugin**

**SECURITY-1483 (2) / CVE-2019-10463**  
**Severity (CVSS):** Medium  
**Affected plugin: dynatrace-dashboard**  
**Description:**

Dynatrace Application Monitoring Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified username and password.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in Deploy WebLogic Plugin**

**SECURITY-820 / CVE-2019-10464 (CSRF), CVE-2019-10465 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: weblogic-deployer-plugin**  
**Description:**

Deploy WebLogic Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to send an HTTP HEAD request to a user-specified URL, or confirm the existence of any file or directory on the Jenkins controller.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**XXE vulnerability in fireline Plugin**

**SECURITY-822 / CVE-2019-10466**  
**Severity (CVSS):** High  
**Affected plugin: fireline**  
**Description:**

fireline Plugin accepts XML for part of its configuration. It does not configure the XML parser to prevent XML external entity (XXE) attacks.

A form validation method that accepts XML does not perform permission checks. This allows users with Overall/Read permission to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks.

As of publication of this advisory, there is no fix.

**Sonar Gerrit Plugin stored credentials in plain text**

**SECURITY-1003 / CVE-2019-10467**  
**Severity (CVSS):** Medium  
**Affected plugin: sonar-gerrit**  
**Description:**

Sonar Gerrit Plugin stores a credential unencrypted in job config.xml files on the Jenkins controller if the 'Override Credentials' option is used. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in kubernetes-ci Plugin allowed capturing credentials**

**SECURITY-1005 (1) / CVE-2019-10468 (CSRF), CVE-2019-10469 (permission check)**  
**Severity (CVSS):** High  
**Affected plugin: kubernetes-ci**  
**Description:**

kubernetes-ci Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Users with Overall/Read access could enumerate credential IDs in kubernetes-ci Plugin**

**SECURITY-1005 (2) / CVE-2019-10470**  
**Severity (CVSS):** Medium  
**Affected plugin: kubernetes-ci**  
**Description:**

kubernetes-ci Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Libvirt Agents Plugin allowed capturing credentials**

**SECURITY-1014 (1) / CVE-2019-10471 (CSRF), CVE-2019-10472 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: libvirt-slave**  
**Description:**

Libvirt Agents Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Users with Overall/Read access could enumerate credential IDs in Libvirt Agents Plugin**

**SECURITY-1014 (2) / CVE-2019-10473**  
**Severity (CVSS):** Medium  
**Affected plugin: libvirt-slave**  
**Description:**

Libvirt Agents Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**Missing permission check in Global Post Script Plugin allowed obtaining configuration data**

**SECURITY-1073 / CVE-2019-10474**  
**Severity (CVSS):** Medium  
**Affected plugin: global-post-script**  
**Description:**

Global Post Script Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read permission to list the files contained in $JENKINS_HOME/global-post-script that can be used by the plugin.

As of publication of this advisory, there is no fix.

**Reflected XSS vulnerability in build-metrics Plugin**

**SECURITY-1490 / CVE-2019-10475**  
**Severity (CVSS):** Medium  
**Affected plugin: build-metrics**  
**Description:**

build-metrics Plugin does not properly escape the label query parameter, resulting in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-820: Medium
*   SECURITY-822: High
*   SECURITY-1003: Medium
*   SECURITY-1005 (1): High
*   SECURITY-1005 (2): Medium
*   SECURITY-1014 (1): Medium
*   SECURITY-1014 (2): Medium
*   SECURITY-1073: Medium
*   SECURITY-1477: Low
*   SECURITY-1483 (1): Medium
*   SECURITY-1483 (2): Medium
*   SECURITY-1490: Medium
*   SECURITY-1546: Low
*   SECURITY-1621: Low
*   SECURITY-1628: Medium

**Affected Versions**

*   **Bitbucket OAuth Plugin** up to and including 0.9
*   **build-metrics Plugin** up to and including 1.3
*   **Deploy WebLogic Plugin** up to and including 4.1
*   **Dynatrace Application Monitoring Plugin** up to and including 2.1.3
*   **Dynatrace Application Monitoring Plugin** up to and including 2.1.4
*   **fireline Plugin** up to and including 1.7.2
*   **Global Post Script Plugin** up to and including 1.1.4
*   **kubernetes-ci Plugin** up to and including 1.3
*   **Libvirt Agents Plugin** up to and including 1.8.5
*   **Mattermost Notification Plugin** up to and including 2.7.0
*   **Sonar Gerrit Plugin** up to and including 2.3
*   **Zulip Plugin** up to and including 1.1.0

**Fix**

*   **Bitbucket OAuth Plugin** should be updated to version 0.10
*   **Dynatrace Application Monitoring Plugin** should be updated to version 2.1.4
*   **Mattermost Notification Plugin** should be updated to version 2.7.1
*   **Zulip Plugin** should be updated to version 1.1.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   build-metrics Plugin
*   Deploy WebLogic Plugin
*   Dynatrace Application Monitoring Plugin
*   fireline Plugin
*   Global Post Script Plugin
*   kubernetes-ci Plugin
*   Libvirt Agents Plugin
*   Sonar Gerrit Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **James Holderness, IB Boost** for SECURITY-1546
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1003, SECURITY-1005 (1), SECURITY-1005 (2), SECURITY-1014 (1), SECURITY-1014 (2), SECURITY-1073
*   **Thomas de Grenier de Latour** for SECURITY-820, SECURITY-822
*   **Viktor Gazdag NCC Group** for SECURITY-1477, SECURITY-1483 (1), SECURITY-1483 (2), SECURITY-1490
*   **Wasin Saengow** for SECURITY-1621, SECURITY-1628

CVE-2019-10475: Jenkins Security Advisory 2019-10-23

WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs.

CVE-2019-17670

A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.

**Advisory Information**

*   **Advisory ID:** BOSCH-SA-562575
*   **CVE Numbers and Scores:**
    
    *   CVE-2019-11601
        
        *   Base Score: 9.1 (Critical)
        
    *   CVE-2019-11897
        
        *   Base Score: 8.6 (High)
        
    *   CVE-2019-11602
        
        *   Base Score: 5.3 (Medium)
        
    *   CVE-2019-11603
        
        *   Base Score: 7.5 (High)
        
    
*   **Published:** 19 Aug 2019
*   **Last Updated:** 16 Mar 2020

**Summary**

Recently discovered security vulnerabilities affect the ProSyst mBS SDK and Bosch IoT Gateway Software. They potentially allow to access sensitive information, write and delete data on the host system and forge HTTP GET request on behalf of the server via the network interface. Bosch rates these vulnerabilities with CVSSv3 base scores from 9.1 (Critical) to 5.3 (Medium), where the actual rating depends on the individual vulnerability and the final rating on the customer’s environment. Customers are recommended to upgrade to the fixed versions.

As of August 19th, 2019, updated releases are available and offered to all customers via customer support or sales. Depending on the major version in use, a previous update has already fixed some of the vulnerabilities.

As of August 19th, 2019, there is currently no indication that exploitation code is either publicly known or utilized.

The vulnerabilities were discovered and disclosed to Bosch in a coordinated manner by the external researcher Philip Kazmeier.

**Affected Products**

*   ProSyst mBS SDK < 8.2.6
    
    *   CVE-2019-11601
    *   CVE-2019-11897
    *   CVE-2019-11602
    *   CVE-2019-11603
    
*   Bosch IoT Gateway Software < 9.0.2
    
    *   CVE-2019-11603
    
*   Bosch IoT Gateway Software < 9.2.0
    
    *   CVE-2019-11601
    *   CVE-2019-11602
    
*   Bosch IoT Gateway Software < 9.3.0
    
    *   CVE-2019-11897
    

**Solution****Software Update**

The recommended approach is to update ProSyst mBS SDK and/or Bosch IoT Gateway Software to a fixed version, that is, 8.2.6 and 9.3.0 respectively.

**Mitigations and Workarounds**

In cases where an update is not possible, the following mitigations and workarounds are recommended.

**Disable backup and restore functionality**

CVE-2019-11601, CVE-2019-11602, CVE-2019-11897 can be mitigated by disabling the remote backup and restore functionality.

**Adapt mbs.http.pid configuration to effectively disable the corresponding functionality**

CVE-2019-11603 can be mitigated by setting the values of the properties “rootdiralias” and “rootdirresource” to an empty string in the “mbs.http.pid” configuration. Then the vulnerability would not be reachable, since the related component would not be activated. The only side effect would be a warning log entry about the failure.

**Firewalling**

It is advised that devices running the ProSyst mBS SDK and Bosch IoT Gateway Software should not be exposed directly to the internet or other insecure networks. This includes port-forwarding, which would not protect the device adequately.

**Vulnerability Details****CVE-2019-11601 (Backup/Restore)**

A directory traversal vulnerability in remote access to backup & restore in earlier version than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.

*   CWE-22 : Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
    
    *   CVSS 3.0 Base Score: 9.1 (Critical), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:H/RL:O/RC:C
    *   CVSS 3.0 Temporal Score: 8.7 (High)
    

**CVE-2019-11897 (Backup/Restore)**

A Server-Side Request Forgery (SSRF) vulnerability in the backup & restore functionality in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.3.0 allows a remote attacker to forge GET requests to arbitrary URLs. In addition, this could potentially allow an attacker to read sensitive zip files from the local server.

*   CWE-918 : Server-Side Request Forgery (SSRF)
    
    *   CVSS 3.0 Base Score: 8.6 (High), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:H/RL:O/RC:C
    *   CVSS 3.0 Temporal Score: 8.2 (High)
    

**CVE-2019-11602 (Backup/Restore)**

Leakage of stack traces in remote access to backup & restore in earlier version than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.

*   CWE-209 : Information Exposure Through an Error Message
    
    *   CVSS 3.0 Base Score: 5.3 (Medium), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
    *   CVSS 3.0 Temporal Score: 5.1 (Medium)
    

**CVE-2019-11603 (Backup/Restore)**

A HTTP Traversal Attack in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.0.2 allows remote attackers to read files outside the http root.

*   CWE-22 : Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
    
    *   CVSS 3.0 Base Score: 7.5 (High), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C
    *   CVSS 3.0 Temporal Score: 7.2 (High)
    

**Remark**

Vulnerability classification has been performed using the CVSSv3 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

**Additional Resources**

\[1\] Bosch IoT Gateway Software Release Notes  
\[2\] ProSyst mBS SDK Release Notes  
\[3\] Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

**Revision History**

16 Mar 2020: Remove environmental metrics, update advisory description for CVE-2019-11603 to include mBS SDK.  
19 Aug 2019: Initial Publication

CVE-2019-11601: Multiple Vulnerabilities in ProSyst mBS SDK and Bosch IoT Gateway Software

A session fixation vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows unauthorized attackers to impersonate another user if they can control the pre-authentication session.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   Configuration as Code Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   JClouds Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

**Descriptions****Configuration as Code Plugin failed to mask secrets in system log messages**

**SECURITY-1497 / CVE-2019-10367**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the fix for SECURITY-1279 in the 2019-07-31 security advisory.

That fix was incomplete and did not cover a log message written to the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.

Configuration as Code Plugin now uses the same secret detection for these log messages.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the INFO level, Configuration as Code Plugin 1.26 logs them at FINE. See the logging documentation for details.

**CSRF vulnerability and missing permission check in JClouds Plugin allowed capturing credentials**

**SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: jclouds-jenkins**  
**Description:**

JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permission.

**Mask Passwords Plugin shows plain text passwords in global configuration form fields**

**SECURITY-157 / CVE-2019-10370**  
**Severity (CVSS):** Low  
**Affected plugin: mask-passwords**  
**Description:**

Mask Passwords Plugin allows specifying passwords to be provided to builds in the global Jenkins configuration.

While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**HTTP session fixation vulnerability in GitLab Authentication Plugin**

**SECURITY-795 / CVE-2019-10371**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin does not invalidate the previous session and create a new one upon successful login. This allows attackers able to control or obtain another user’s pre-login session ID to impersonate them.

As of publication of this advisory, there is no fix.

**Open redirect vulnerability in GitLab Authentication Plugin**

**SECURITY-796 / CVE-2019-10372**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin records the HTTP Referer header when the authentication process starts and redirects users to that URL when the user has finished logging in.

This implements an open redirect, allowing malicious sites to implement a phishing attack, with users expecting they have just logged in to Jenkins.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Build Pipeline Plugin**

**SECURITY-879 / CVE-2019-10373**  
**Severity (CVSS):** Medium  
**Affected plugin: build-pipeline-plugin**  
**Description:**

Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in PegDown Formatter Plugin**

**SECURITY-142 / CVE-2019-10374**  
**Severity (CVSS):** Medium  
**Affected plugin: pegdown-formatter**  
**Description:**

PegDown Formatter Plugin uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting (XSS) as a feature.

PegDown Formatter Plugin does not prevent the use of javascript: scheme in URLs for links. This results in an XSS vulnerability exploitable by users able to configure entities with descriptions or similar properties that are rendered by the configured markup formatter.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in File System SCM Plugin**

**SECURITY-569 / CVE-2019-10375**  
**Severity (CVSS):** Medium  
**Affected plugin: filesystem_scm**  
**Description:**

File System SCM Plugin allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent.

As of publication of this advisory, there is no fix.

**Reflected XSS vulnerability in Wall Display Master Project Plugin**

**SECURITY-751 / CVE-2019-10376**  
**Severity (CVSS):** Medium  
**Affected plugin: jenkinswalldisplay**  
**Description:**

Wall Display Master Project Plugin does not properly escape the customTheme query parameter, resulting in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**Avatar Plugin allows changing other users' avatars**

**SECURITY-1099 / CVE-2019-10377**  
**Severity (CVSS):** Medium  
**Affected plugin: avatar**  
**Description:**

Avatar Plugin does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user’s avatar, in addition to their own.

As of publication of this advisory, there is no fix.

**TestLink Plugin stores credentials in plain text**

**SECURITY-1428 / CVE-2019-10378**  
**Severity (CVSS):** Low  
**Affected plugin: testlink**  
**Description:**

TestLink Plugin stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Google Cloud Messaging Notification Plugin stores credentials in plain text**

**SECURITY-591 / CVE-2019-10379**  
**Severity (CVSS):** Low  
**Affected plugin: gcm-notification**  
**Description:**

Google Cloud Messaging Notification Plugin stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Script sandbox bypass vulnerability in Simple Travis Pipeline Runner Plugin**

**SECURITY-922 / CVE-2019-10380**  
**Severity (CVSS):** High  
**Affected plugin: simple-travis-runner**  
**Description:**

Simple Travis Pipeline Runner Plugin defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox.

This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code execution on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.

**Codefresh Integration Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-931 / CVE-2019-10381**  
**Severity (CVSS):** Medium  
**Affected plugin: codefresh**  
**Description:**

Codefresh Integration Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**VMware Lab Manager Slaves Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-1376 / CVE-2019-10382**  
**Severity (CVSS):** Medium  
**Affected plugin: labmanager**  
**Description:**

VMware Lab Manager Slaves Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**eggplant-plugin Plugin stores credentials in plain text**

**SECURITY-1430 / CVE-2019-10385**  
**Severity (CVSS):** Medium  
**Affected plugin: eggplant-plugin**  
**Description:**

eggplant-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in XL TestView Plugin allow capturing credentials**

**SECURITY-1008 / CVE-2019-10386 (CSRF), CVE-2019-10387 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: xltestview-plugin**  
**Description:**

XL TestView Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in Relution Enterprise Appstore Publisher Plugin allow SSRF**

**SECURITY-1053 / CVE-2019-10388 (CSRF), CVE-2019-10389 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: relution-publisher**  
**Description:**

A missing permission check in a form validation method in Relution Enterprise Appstore Publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL using attacker-specified credentials and attacker-specified HTTP proxy configuration.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-142: Medium
*   SECURITY-157: Low
*   SECURITY-569: Medium
*   SECURITY-591: Low
*   SECURITY-751: Medium
*   SECURITY-795: Medium
*   SECURITY-796: Medium
*   SECURITY-879: Medium
*   SECURITY-922: High
*   SECURITY-931: Medium
*   SECURITY-1008: Medium
*   SECURITY-1053: Medium
*   SECURITY-1099: Medium
*   SECURITY-1376: Medium
*   SECURITY-1428: Low
*   SECURITY-1430: Medium
*   SECURITY-1482: Medium
*   SECURITY-1497: Medium

**Affected Versions**

*   **Avatar Plugin** up to and including 1.2
*   **Build Pipeline Plugin** up to and including 1.5.8
*   **Codefresh Integration Plugin** up to and including 1.8
*   **Configuration as Code Plugin** up to and including 1.26
*   **eggplant-plugin Plugin** up to and including 2.2
*   **File System SCM Plugin** up to and including 2.1
*   **Google Cloud Messaging Notification Plugin** up to and including 1.0
*   **GitLab Authentication Plugin** up to and including 1.4
*   **JClouds Plugin** up to and including 2.14
*   **Mask Passwords Plugin** up to and including 2.12.0
*   **PegDown Formatter Plugin** up to and including 1.3
*   **Relution Enterprise Appstore Publisher Plugin** up to and including 1.24
*   **Simple Travis Pipeline Runner Plugin** up to and including 1.0
*   **TestLink Plugin** up to and including 3.16
*   **VMware Lab Manager Slaves Plugin** up to and including 0.2.8
*   **Wall Display Master Project Plugin** up to and including 0.6.34
*   **XL TestView Plugin** up to and including 1.2.0

**Fix**

*   **Configuration as Code Plugin** should be updated to version 1.27
*   **JClouds Plugin** should be updated to version 2.15

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-879, SECURITY-931, SECURITY-1053, SECURITY-1376
*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1428, SECURITY-1430
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-922
*   **MWR labs (@mwrlabs)** for SECURITY-751
*   **Matthias Schmalz, SAP SE** for SECURITY-157
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1008, SECURITY-1099
*   **Oleg Nenashev, CloudBees, Inc., and, independently, Viktor Gazdag NCC Group** for SECURITY-1482
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-795, SECURITY-796

CVE-2019-10371: Jenkins Security Advisory 2019-08-07

An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login.

CVE-2019-10372: Jenkins Security Advisory 2019-08-07

A stored cross-site scripting vulnerability in Jenkins PegDown Formatter Plugin 1.3 and earlier allows attackers able to edit descriptions and other fields rendered using the configured markup formatter to insert links with the javascript scheme into the Jenkins UI.

CVE-2019-10374: Jenkins Security Advisory 2019-08-07

A stored cross-site scripting vulnerability in Jenkins Build Pipeline Plugin 1.5.8 and earlier allows attackers able to edit the build pipeline description to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

CVE-2019-10373: Jenkins Security Advisory 2019-08-07

Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.

CVE-2019-10367: Jenkins Security Advisory 2019-08-07

A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

CVE-2019-10376: Jenkins Security Advisory 2019-08-07

Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

Tag

#ssrf