Jenkins Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to generate load and to generate memory leaks.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Chaos Monkey Plugin
*   Chaos Monkey Plugin
*   CVS Plugin
*   Shelve Project Plugin
*   Plugin Installation Manager Tool

**Descriptions****XXE vulnerability in CVS Plugin**

**SECURITY-2146 / CVE-2020-2324**  
**Severity (CVSS):** High  
**Affected plugin: cvs**  
**Description:**

CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CVS Plugin 2.17 disables external entity resolution for its XML parser.

**Plugin Installation Manager Tool did not verify plugin downloads**

**SECURITY-1856 / CVE-2020-2320**  
**Severity (CVSS):** High  
**Description:**

Plugin Installation Manager Tool is part of the Jenkins project Docker images. As jenkins-plugin-cli it is used to download and install plugins even before Jenkins is running.

Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. This may allow third parties such as mirror operators to provide crafted plugin downloads.

Plugin Installation Manager Tool 2.2.0 confirms that actual checksums of downloaded plugin match the expected checksums.

Docker images of Jenkins 2.269 and 2.263.1 contain Plugin Installation Manager Tool 2.2.0. Users of older Docker images can change the version they use by extending the Jenkins image and update the tool themselves with:

ARG PLUGIN\_CLI\_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
RUN curl -fsSL ${PLUGIN\_CLI\_URL} -o /usr/lib/jenkins-plugin-manager.jar

Jenkinsfile Runner 1.0-beta-22 Docker images also include Plugin Installation Manager Tool 2.2.0.

**CSRF vulnerability in Shelve Project Plugin**

**SECURITY-2108 / CVE-2020-2321**  
**Severity (CVSS):** High  
**Affected plugin: shelve-project-plugin**  
**Description:**

Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to shelve, unshelve, or delete a project.

Shelve Project Plugin 3.1 requires POST requests for the affected HTTP endpoints.

**Missing permission checks in Chaos Monkey Plugin**

**SECURITY-2109 (1) / CVE-2020-2322**  
**Severity (CVSS):** Medium  
**Affected plugin: chaos-monkey**  
**Description:**

Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to generate load and to generate memory leaks.

Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and to generate memory leaks.

**Missing permission checks in Chaos Monkey Plugin**

**SECURITY-2109 (2) / CVE-2020-2323**  
**Severity (CVSS):** Medium  
**Affected plugin: chaos-monkey**  
**Description:**

Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.

Chaos Monkey Plugin 0.4.1 requires Overall/Administer permission to access the Chaos Monkey page and to see the history of actions.

**Severity**

*   SECURITY-1856: High
*   SECURITY-2108: High
*   SECURITY-2109 (1): Medium
*   SECURITY-2109 (2): Medium
*   SECURITY-2146: High

**Affected Versions**

*   **Chaos Monkey Plugin** up to and including 0.3
*   **Chaos Monkey Plugin** up to and including 0.4
*   **CVS Plugin** up to and including 2.16
*   **Shelve Project Plugin** up to and including 3.0
*   **Plugin Installation Manager Tool** up to and including 2.1.3

**Fix**

*   **Chaos Monkey Plugin** should be updated to version 0.4
*   **Chaos Monkey Plugin** should be updated to version 0.4.1
*   **CVS Plugin** should be updated to version 2.17
*   **Shelve Project Plugin** should be updated to version 3.1
*   **Plugin Installation Manager Tool** should be updated to version 2.2.0

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1856, SECURITY-2146

CVE-2020-2322: Jenkins Security Advisory 2020-12-03

Improper input validation in the Auto-Discovery component of Nagios XI before 5.7.5 allows an authenticated attacker to execute remote code.

CVE-2020-28648: Nagios XI Change Log - Nagios

An XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2.

Avaya WebLM Vulnerability (CVE-2020-7032)

Original Release Date: November 12, 2020  
Last Revised: November 12, 2020  
Number: ASA-2020-153  
Overall Severity Classification: Medium  
Advisory Version: 1.0  
Advisory Status: Final

**1\. Overview:**

Avaya WebLM provides ability to manage licenses of one or more Avaya software products for your organization. WebLM is Web-based and facilitates easy tracking of licenses.

An XML external entity (XXE) vulnerability in WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. This issue has been assigned Common Vulnerabilities and Exposures (cve.mitre.org) identifier CVE-2020-7032.

Avaya would like to thank Markus Koplin of SEC Consult for reporting this issue.

**2\. Avaya Products affected:**

For assessment and severity classification details refer to Section 3 of Avaya's Product Vulnerability Response Policy.  
The "Resolution" column will be updated as fixes are made available. Please reference the "Information" column for any additional information regarding the affected product.

Product:

Version(s):

Resolution:

Information:

Avaya WebLM

7.0 through 7.1.3.6, 8.0.x, 8.1 through 8.1.2 up to Hot Fix 3

For 7.x, upgrade to 7.1.3.7 or later.  
For 8.0.x, upgrade to 8.1.3 or later.  
For 8.1.x, install latest 8.1.2 Hot Fix or upgrade to 8.1.3 or later.

Hot Fix for System Manager 8.1.2  
Avaya Aura Release Notes 8.1.x  
Avaya Aura WebLM 7.1 Product Correction Notice

Avaya Aura® System Manager

7.0 through 7.1.3.6, 8.0 through 8.1.2 including Hot Fix 3 and earlier.

For 7.x, upgrade to 7.1.3.7 or later.  
For 8.0.x, upgrade to 8.1.3 or later.  
For 8.1.x, install latest 8.1.2 Hot Fix or upgrade to 8.1.3 or later.

System Manager is affected because the WebLM component is installed.  
Hot Fix for System Manager 8.1.2  
Avaya Aura Release Notes 8.1.x  
Avaya Aura Release Notes 7.1.x

**Recommended Actions for Products:**  
Avaya strongly recommends following networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but the System Product operating system or application should not be modified unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.

**CVSS Scoring and Metrics:**

Avaya uses the Common Vulnerability Scoring System (CVSS) base score and metrics as reported by the vendor for the affected component(s) or by the National Institute of Standards and Technology in the National Vulnerability Database. In some cases, such as where CVSS information is not available from the vendor or NIST, Avaya will calculate the CVSS base score and metrics. Customers are encouraged to calculate the Temporal and Environmental CVSS scores to determine how the vulnerability could affect their specific implementation or environment. For more information on CVSS and how the score is calculated, see Common Vulnerability Scoring System: Specification Document.

Vulnerability

CVSSv3 Base Score

CVSSv3 Metrics

CVE-2020-7032  

6.5 (Medium)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H

**3\. Additional Information:**

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

**4\. Disclaimer:**

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION, IS PROVIDED "AS IS", AND IS APPLICABLE ONLY TO PRODUCT VERSIONS ELIGIBLE FOR MANUFACTURER SUPPORT IN ACCORDANCE WITH AVAYA PRODUCT LIFE CYCLE POLICY. AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

**5\. Revision History:**

V 1.0 - November 12, 2020 - Initial Statement issued.

Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.  
Independent security researchers can contact Avaya at securityalerts@avaya.com.

© 2020 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.

CVE-2020-7032: ASA-2020-153

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

**Describe the bug**

In cases where axios is used by servers to perform http requests to user-supplied urls, a proxy is commonly used to protect internal networks from unauthorized access and SSRF. This bug enables an attacker to bypass the proxy by providing a url that responds with a redirect to a restricted host/ip.

**To Reproduce**

The following code spawns a proxy server that _always_ responds with a 302 redirect, so requests should never reach the target url, however, axios is only reaching the proxy once, and bypassing the proxy after the redirect response.

https://runkit.com/embed/1df5qy8lbgnc

const axios \= require('axios')
const http \= require('http')

const PROXY\_PORT \= 8080

// A fake proxy server
http.createServer(function (req, res) { 
    res.writeHead(302, {location: 'http://example.com'})
    res.end()
  }).listen(PROXY\_PORT)

axios({
  method: "get",
  url: "http://www.google.com/",
  proxy: {
    host: "localhost",
    port: PROXY\_PORT,
  },
})
.then((r) \=> console.log(r.data))
.catch(console.error)

The response is the rendered html of _http://example.com_

**Expected behavior**

_All_ the requests should pass via the proxy. In the provided scenario, there should be a redirect loop.

**Environment**

*   Axios Version \[0.21.0\]
*   Node.js Version \[v12.18.2\]

**Additional context/Screenshots**

Add any other context about the problem here. If applicable, add screenshots to help explain.

CVE-2020-28168: Requests that follow a redirect are not passing via the proxy · Issue #3369 · axios/axios

A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Directory Plugin
*   Static Analysis Utilities Plugin
*   Ansible Plugin
*   AppSpider Plugin
*   AWS Global Configuration Plugin
*   Azure Key Vault Plugin
*   FindBugs Plugin
*   Kubernetes Plugin
*   Mail Commander Plugin for Jenkins-ci Plugin
*   Mercurial Plugin
*   SQLPlus Script Runner Plugin
*   Subversion Plugin
*   Visualworks Store Plugin
*   VMware Lab Manager Slaves Plugin

**Descriptions****Login allowed with hardcoded password by Active Directory Plugin**

**SECURITY-2117 / CVE-2020-2299**  
**Severity (CVSS):** Critical  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

The LDAP-based mode in Active Directory Plugin 2.19 and earlier shares code between user lookup and user authentication and distinguishes these behaviors through the use of a magic constant used in place of a real password. This allows attackers to log in as any user if the magic constant is used as the password in Active Directory Plugin 2.19 and earlier.

Active Directory Plugin 2.20 no longer uses a magic constant to distinguish between user lookup and user authentication.

**Login allowed with empty password by Active Directory Plugin**

**SECURITY-2099 / CVE-2020-2300**  
**Severity (CVSS):** High  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

The Windows/ADSI mode does not specifically prohibit use of empty passwords in Active Directory Plugin 2.19 and earlier. If the Active Directory server allows the unauthenticated bind operation, this allows attackers to log in to Jenkins as any user by providing an empty password.

Active Directory Plugin 2.20 prohibits the use of an empty password to log in.

**Authentication cache in Active Directory Plugin allows logging in with any password**

**SECURITY-2123 / CVE-2020-2301**  
**Severity (CVSS):** High  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. Optionally, to reduce lookup time, a cache can be configured to remember user lookups and user authentications.

In Active Directory Plugin 2.19 and earlier, when run in Windows/ADSI mode, the provided password was not used when looking up an applicable cache entry. This allows attackers to log in as any user using any password while a successful authentication of that user is still in the cache.

As a workaround for this issue, the cache can be disabled.

Active Directory Plugin 2.20 includes the provided password in cache entry lookup.

Additionally, the Java system property hudson.plugins.active_directory.CacheUtil.noCacheAuth can be set to true to no longer cache user authentications.

**Missing permission check in Active Directory Plugin allows accessing domain health check page**

**SECURITY-1999 / CVE-2020-2302**  
**Severity (CVSS):** Medium  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin 2.19 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the domain health check diagnostic page.

Active Directory Plugin 2.20 requires Overall/Administer permission to access the domain health check diagnostic page.

**CSRF vulnerability in Active Directory Plugin**

**SECURITY-2126 / CVE-2020-2303**  
**Severity (CVSS):** Medium  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin 2.19 and earlier does not require POST requests for multiple HTTP endpoints implementing connection and authentication tests, resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.

Active Directory Plugin 2.20 requires POST requests for the affected HTTP endpoints.

**XXE vulnerability in Subversion Plugin**

**SECURITY-2145 / CVE-2020-2304**  
**Severity (CVSS):** High  
**Affected plugin: subversion**  
**Description:**

Subversion Plugin 2.13.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Subversion Plugin 2.13.2 disables external entity resolution for its XML parser.

**XXE vulnerability in Mercurial Plugin**

**SECURITY-2115 / CVE-2020-2305**  
**Severity (CVSS):** High  
**Affected plugin: mercurial**  
**Description:**

Mercurial Plugin 2.11 and earlier does not configure its XML changelog parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Mercurial Plugin 2.12 disables external entity resolution for its XML parser.

**Missing permission check in Mercurial Plugin**

**SECURITY-2104 / CVE-2020-2306**  
**Severity (CVSS):** Medium  
**Affected plugin: mercurial**  
**Description:**

Mercurial Plugin 2.11 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain a list of names of configured Mercurial installations.

Mercurial Plugin 2.12 performs permission checks when listing configured Mercurial installations.

**Jenkins controller environment variables accessible in Kubernetes Plugin**

**SECURITY-1646 / CVE-2020-2307**  
**Severity (CVSS):** Medium  
**Affected plugin: kubernetes**  
**Description:**

Kubernetes Plugin 1.27.3 and earlier includes a feature to replace placeholders in pod template and container template fields with environment variable values.

This feature allows low-privilege users to access possibly sensitive Jenkins controller environment variables.

Kubernetes Plugin 1.27.4 disables this feature.

The Java system property org.csanchez.jenkins.plugins.kubernetes.PodTemplateUtils.SUBSTITUTE_ENV can be set to true to restore this feature. Administrators are advised that future releases of Kubernetes Plugin will remove this feature entirely.

**Missing permission check in Kubernetes Plugin allows listing pod templates**

**SECURITY-2102 / CVE-2020-2308**  
**Severity (CVSS):** Medium  
**Affected plugin: kubernetes**  
**Description:**

Kubernetes Plugin 1.27.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to list global pod template names.

Kubernetes Plugin 1.27.4 requires Overall/Administer permission to list global pod template names.

**Missing permission check in Kubernetes Plugin allows enumerating credentials IDs**

**SECURITY-2103 / CVE-2020-2309**  
**Severity (CVSS):** Medium  
**Affected plugin: kubernetes**  
**Description:**

Kubernetes Plugin 1.27.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Kubernetes Plugin 1.27.4 requires the appropriate permissions.

**Missing permission checks in Ansible Plugin allow enumerating credentials IDs**

**SECURITY-1943 / CVE-2020-2310**  
**Severity (CVSS):** Medium  
**Affected plugin: ansible**  
**Description:**

Ansible Plugin 1.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Ansible Plugin 1.1 requires the appropriate permissions.

**Missing permission check in AWS Global Configuration Plugin allows replacing plugin configuration**

**SECURITY-2101 / CVE-2020-2311**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-global-configuration**  
**Description:**

AWS Global Configuration Plugin 1.5 and earlier does not perform a permission check in an HTTP endpoint processing form submissions.

This allows attackers with Overall/Read permission to replace the global AWS configuration.

AWS Global Configuration Plugin 1.6 properly performs permission checks when processing configuration form submissions.

**Password written to the build log by SQLPlus Script Runner Plugin**

**SECURITY-2129 / CVE-2020-2312**  
**Severity (CVSS):** Medium  
**Affected plugin: sqlplus-script-runner**  
**Description:**

SQLPlus Script Runner Plugin 2.0.12 and earlier prints the sqlplus command invocation to the build log.

This log message does not redact a password provided as part of a command line argument. This password can be viewed by users with Item/Read permission.

SQLPlus Script Runner Plugin 2.0.13 no longer prints the password in the build log.

**Missing permission checks in Azure Key Vault Plugin allow enumerating credentials IDs**

**SECURITY-2110 / CVE-2020-2313**  
**Severity (CVSS):** Medium  
**Affected plugin: azure-keyvault**  
**Description:**

Azure Key Vault Plugin 2.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Azure Key Vault Plugin 2.1 requires the appropriate permissions.

**Password stored in plain text by AppSpider Plugin**

**SECURITY-2058 / CVE-2020-2314**  
**Severity (CVSS):** Low  
**Affected plugin: jenkinsci-appspider-plugin**  
**Description:**

AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file com.rapid7.jenkinspider.PostBuildScan.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

AppSpider Plugin 1.0.13 stores a password encrypted once its configuration is saved again.

**XXE vulnerability in Visualworks Store Plugin**

**SECURITY-1900 / CVE-2020-2315**  
**Severity (CVSS):** High  
**Affected plugin: visualworks-store**  
**Description:**

Visualworks Store Plugin 1.1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the output of a script that run Visualworks with StoreCI, or able to control an agent process, to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Visualworks Store Plugin 1.1.4 disables external entity resolution for its XML parser.

**Stored XSS vulnerability in Static Analysis Utilities Plugin**

**SECURITY-1907 / CVE-2020-2316**  
**Severity (CVSS):** High  
**Affected plugin: analysis-core**  
**Description:**

Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in FindBugs Plugin**

**SECURITY-1918 / CVE-2020-2317**  
**Severity (CVSS):** High  
**Affected plugin: findbugs**  
**Description:**

FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to FindBugs Plugin’s post build step.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by Mail Commander Plugin for Jenkins-ci Plugin**

**SECURITY-2085 / CVE-2020-2318**  
**Severity (CVSS):** Medium  
**Affected plugin: mailcommander**  
**Description:**

Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by VMware Lab Manager Slaves Plugin**

**SECURITY-2084 / CVE-2020-2319**  
**Severity (CVSS):** Low  
**Affected plugin: labmanager**  
**Description:**

VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1646: Medium
*   SECURITY-1900: High
*   SECURITY-1907: High
*   SECURITY-1918: High
*   SECURITY-1943: Medium
*   SECURITY-1999: Medium
*   SECURITY-2058: Low
*   SECURITY-2084: Low
*   SECURITY-2085: Medium
*   SECURITY-2099: High
*   SECURITY-2101: Medium
*   SECURITY-2102: Medium
*   SECURITY-2103: Medium
*   SECURITY-2104: Medium
*   SECURITY-2110: Medium
*   SECURITY-2115: High
*   SECURITY-2117: Critical
*   SECURITY-2123: High
*   SECURITY-2126: Medium
*   SECURITY-2129: Medium
*   SECURITY-2145: High

**Affected Versions**

*   **Active Directory Plugin** up to and including 2.19
*   **Static Analysis Utilities Plugin** up to and including 1.96
*   **Ansible Plugin** up to and including 1.0
*   **AppSpider Plugin** up to and including 1.0.12
*   **AWS Global Configuration Plugin** up to and including 1.5
*   **Azure Key Vault Plugin** up to and including 2.0
*   **FindBugs Plugin** up to and including 5.0.0
*   **Kubernetes Plugin** up to and including 1.27.3
*   **Mail Commander Plugin for Jenkins-ci Plugin** up to and including 1.0.0
*   **Mercurial Plugin** up to and including 2.11
*   **SQLPlus Script Runner Plugin** up to and including 2.0.12
*   **Subversion Plugin** up to and including 2.13.1
*   **Visualworks Store Plugin** up to and including 1.1.3
*   **VMware Lab Manager Slaves Plugin** up to and including 0.2.8

**Fix**

*   **Active Directory Plugin** should be updated to version 2.20
*   **Ansible Plugin** should be updated to version 1.1
*   **AppSpider Plugin** should be updated to version 1.0.13
*   **AWS Global Configuration Plugin** should be updated to version 1.6
*   **Azure Key Vault Plugin** should be updated to version 2.1
*   **Kubernetes Plugin** should be updated to version 1.27.4
*   **Mercurial Plugin** should be updated to version 2.12
*   **SQLPlus Script Runner Plugin** should be updated to version 2.0.13
*   **Subversion Plugin** should be updated to version 2.13.2
*   **Visualworks Store Plugin** should be updated to version 1.1.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Static Analysis Utilities Plugin
*   FindBugs Plugin
*   Mail Commander Plugin for Jenkins-ci Plugin
*   VMware Lab Manager Slaves Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Chris Maggiulli, Build and Integrations Engineer, Excelsior College** for SECURITY-2129
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2117, SECURITY-2145
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-1900
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2058, SECURITY-2084, SECURITY-2085
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1999
*   **Vic Chappill, Lee Jones, and Matthew Maylin, Siemens** for SECURITY-2099
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1907, SECURITY-1918, SECURITY-1943

CVE-2020-2303: Jenkins Security Advisory 2020-11-04

Jenkins FindBugs Plugin 5.0.0 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to Jenkins FindBugs Plugin's post build step.

CVE-2020-2317: Jenkins Security Advisory 2020-11-04

Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2316: Jenkins Security Advisory 2020-11-04

Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.

CVE-2020-26948

A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier allows attackers to configure shared objects.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Choices Plugin
*   Audit Trail Plugin
*   couchdb-statistics Plugin
*   Maven Cascade Release Plugin
*   Nerrvana Plugin
*   Persona Plugin
*   Release Plugin
*   Role-based Authorization Strategy Plugin
*   Shared Objects Plugin
*   SMS Notification Plugin

**Descriptions****Improper authorization due to caching in Role-based Authorization Strategy Plugin**

**SECURITY-1767 / CVE-2020-2286**  
**Severity (CVSS):** High  
**Affected plugin: role-strategy**  
**Description:**

Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed up permission lookups.

In Role-based Authorization Strategy Plugin 3.0 and earlier this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being granted long after the configuration was changed to no longer grant them.

Role-based Authorization Strategy Plugin 3.1 properly invalidates the cache on configuration changes.

**Request logging could be bypassed in Audit Trail Plugin**

**SECURITY-1815 / CVE-2020-2287**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin logs requests whose URL path matches an admin-configured regular expression.

A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in Audit Trail Plugin 3.6 and earlier. This only applies to Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, as the fix for SECURITY-1774 prohibits dispatch of affected requests.

Audit Trail Plugin 3.7 processes request URL paths the same way as the Stapler web framework.

**Incorrect default pattern in Audit Trail Plugin**

**SECURITY-1846 / CVE-2020-2288**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin uses regular expressions to match requested URLs whose dispatch should be logged.

In Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.

Audit Trail Plugin 3.7 changes the default regular expression pattern so that it allows for arbitrary suffixes. It automatically will replace previous default patterns with the new, more complete default pattern.

Additionally, an administrative monitor is shown if a user-specified pattern is found to be bypassable through crafted URLs and form validation was improved to recognize patterns that would not match requests with arbitrary suffixes.

**Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-1954 / CVE-2020-2289**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5 escapes the name of build parameters and applies the configured markup formatter to the description of build parameters.

**Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-2008 / CVE-2020-2290**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.4 and earlier does not escape List and Map return values of sandboxed scripts for _Reactive Reference Parameter_.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This issue is caused by an incomplete fix for SECURITY-470.

Active Choices Plugin 2.5 escapes all legal return values of sandboxed scripts.

**Password stored in plain text by couchdb-statistics Plugin**

**SECURITY-2065 / CVE-2020-2291**  
**Severity (CVSS):** Low  
**Affected plugin: couchdb-statistics**  
**Description:**

couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

couchdb-statistics Plugin 0.4 stores its server password encrypted once its configuration is saved again.

**Stored XSS vulnerability in Release Plugin**

**SECURITY-1928 / CVE-2020-2292**  
**Severity (CVSS):** High  
**Affected plugin: release**  
**Description:**

Release Plugin 2.10.2 and earlier does not escape the release version in the badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Persona Plugin**

**SECURITY-2046 / CVE-2020-2293**  
**Severity (CVSS):** Medium  
**Affected plugin: persona**  
**Description:**

Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Maven Cascade Release Plugin**

**SECURITY-2049 / CVE-2020-2294 (permission check), CVE-2020-2295 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-release-cascade**  
**Description:**

Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Shared Objects Plugin**

**SECURITY-2052 / CVE-2020-2296**  
**Severity (CVSS):** Medium  
**Affected plugin: shared-objects**  
**Description:**

Shared Objects Plugin 0.44 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to configure shared objects.

As of publication of this advisory, there is no fix.

**Access token stored in plain text by SMS Notification Plugin**

**SECURITY-2054 / CVE-2020-2297**  
**Severity (CVSS):** Low  
**Affected plugin: sms**  
**Description:**

SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration.

This access token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**XXE vulnerability in Nerrvana Plugin**

**SECURITY-2097 / CVE-2020-2298**  
**Severity (CVSS):** High  
**Affected plugin: nerrvana-plugin**  
**Description:**

Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, XML parsing is exposed as a form validation endpoint that does not require POST requests, allowing exploitation by users without Overall/Read permission via CSRF.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1767: High
*   SECURITY-1815: Medium
*   SECURITY-1846: Medium
*   SECURITY-1928: High
*   SECURITY-1954: High
*   SECURITY-2008: High
*   SECURITY-2046: Medium
*   SECURITY-2049: Medium
*   SECURITY-2052: Medium
*   SECURITY-2054: Low
*   SECURITY-2065: Low
*   SECURITY-2097: High

**Affected Versions**

*   **Active Choices Plugin** up to and including 2.4
*   **Audit Trail Plugin** up to and including 3.6
*   **couchdb-statistics Plugin** up to and including 0.3
*   **Maven Cascade Release Plugin** up to and including 1.3.2
*   **Nerrvana Plugin** up to and including 1.02.06
*   **Persona Plugin** up to and including 2.4
*   **Release Plugin** up to and including 2.10.2
*   **Role-based Authorization Strategy Plugin** up to and including 3.0
*   **Shared Objects Plugin** up to and including 0.44
*   **SMS Notification Plugin** up to and including 1.2

**Fix**

*   **Active Choices Plugin** should be updated to version 2.5
*   **Audit Trail Plugin** should be updated to version 3.7
*   **couchdb-statistics Plugin** should be updated to version 0.4
*   **Role-based Authorization Strategy Plugin** should be updated to version 3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Maven Cascade Release Plugin
*   Nerrvana Plugin
*   Persona Plugin
*   Release Plugin
*   Shared Objects Plugin
*   SMS Notification Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1846, SECURITY-2046, SECURITY-2097
*   **Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1815
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2052
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2054, SECURITY-2065
*   **Raihaan Shouhell, Autodesk, Inc** for SECURITY-1767
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1928, SECURITY-1954, SECURITY-2008
*   **Wadeck Follonier, CloudBees, Inc. and Jeff Thompson, CloudBees, Inc.** for SECURITY-2049

CVE-2020-2296: Jenkins Security Advisory 2020-10-08

Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

Tag

#ssrf