oss-sec mailing list archives
Re: Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Sat, 13 Apr 2019 01:13:39 +0200
On 3. Apr 2019, at 15:55, Daniel Beck <ml () beckweb net> wrote:
SECURITY-829 IRC Plugin stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003051
SECURITY-831 AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003052
SECURITY-837 Jira Issue Updater Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003054
SECURITY-839 HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003053
SECURITY-954 FTP publisher Plugin stores credentials unencrypted in its global configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003055
SECURITY-956 WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003056
SECURITY-965 Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003057
SECURITY-974 A missing permission check in a form validation method in FTP publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified FTP server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003058 (CSRF) and CVE-2019-1003059 (permission check)
SECURITY-1041 Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003060
SECURITY-1042 jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003061
SECURITY-830 AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003062
SECURITY-832 Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003063
SECURITY-835 aws-device-farm Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003064
SECURITY-838 CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003065
SECURITY-841 Bugzilla Plugin stores credentials unencrypted in its global configuration file hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003066
SECURITY-842 Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003067
SECURITY-945 VMware vRealize Automation Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003068
SECURITY-949 Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003069
SECURITY-952 veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003070
SECURITY-957 OctopusDeploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003071
SECURITY-961 WildFly Deployer Plugin stores deployment credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003072
SECURITY-962 VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003073
SECURITY-964 Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003074
SECURITY-966 Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003075
SECURITY-977 A missing permission check in a form validation method in Audit to Database Plugin allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003076 (CSRF) and CVE-2019-1003077 (permission check)
SECURITY-979 A missing permission check in a form validation method in VMware Lab Manager Slaves Plugin allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003078 (CSRF) and CVE-2019-1003079 (permission check)
SECURITY-981 A missing permission check in a form validation method in OpenShift Deployer Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003080 (CSRF) and CVE-2019-1003081 (permission check)
SECURITY-991 A missing permission check in a form validation method in Gearman Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003082 (CSRF) and CVE-2019-1003083 (permission check)
SECURITY-993 A missing permission check in a form validation method in Zephyr Enterprise Test Management Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003084 (CSRF) and CVE-2019-1003085 (permission check)
SECURITY-1037 A missing permission check in a form validation method in Chef Sinatra Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003086 (CSRF) and CVE-2019-1003087 (permission check)
SECURITY-1043 Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003088
SECURITY-1044 Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003089
SECURITY-1054 A missing permission check in a form validation method in SOASTA CloudTest Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003090 (CSRF) and CVE-2019-1003091 (permission check)
SECURITY-1058 A missing permission check in a form validation method in Nomad Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003092 (CSRF) and CVE-2019-1003093 (permission check)
SECURITY-1059 Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003094
SECURITY-1061 Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003095
SECURITY-1062 TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003096
SECURITY-1069 Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-1003097
SECURITY-1084 A missing permission check in a form validation method in openid Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003098 (CSRF) and CVE-2019-1003099 (permission check)
SECURITY-1085 StarTeam Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10277
SECURITY-1091 A missing permission check in a form validation method in jenkins-reviewbot Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-10278 (CSRF) and CVE-2019-10279 (permission check)
SECURITY-1093 Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-10280
SECURITY-828 Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-10281
SECURITY-843 Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10282
SECURITY-946 mabl Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10283
SECURITY-947 Diawi Upload Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10284
SECURITY-955 Minio Storage Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-10285
SECURITY-959 DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10286
SECURITY-963 youtrack-plugin Plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins master. These credentials could be viewed by users with access to the master file system.
CVE-2019-10287
SECURITY-1031 Jabber Server Plugin stores credentials unencrypted in its global configuration file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-10288
SECURITY-1032 A missing permission check in a form validation method in Netsparker Cloud Scan Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token. Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-10289 (CSRF) and CVE-2019-10290 (permission check)
SECURITY-1040 Netsparker Cloud Scan Plugin stored credentials unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins master. These credentials could be viewed by users with access to the master file system.
CVE-2019-10291
SECURITY-1055 A missing permission check in a form validation method in Kmap Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-10292 (CSRF) and CVE-2019-10293 (permission check)
SECURITY-1056 Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10294
SECURITY-1063 crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-10295
SECURITY-1066 Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-10296
SECURITY-1090 Sametime Plugin stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-10297
SECURITY-1092 Koji Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-10298
SECURITY-960 CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on the Jenkins master. These credentials can be viewed by users with access to the master file system.
CVE-2019-10299
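The entries above fall into two classes: a plugin persisting a credential in a plain `String` field (so XStream writes it verbatim into the global `<ClassName>.xml` or a job's `config.xml`), and a `doTestConnection`-style form validation method that neither checks a permission nor requires POST. The following is an added illustration, not code from the advisory or from any of the plugins listed; `BeforeExampleConfig`, `HardenedExampleConfig`, `ExampleClient` and the package name are hypothetical. It shows a global configuration in the defective shape next to the corrected one, using the `hudson.util.Secret`, `@POST` and `checkPermission` APIs that Jenkins core provides for exactly these two problems.

```java
package org.example.jenkins; // hypothetical package

import hudson.model.Item;
import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical stand-in for a plugin's real client; it opens no connection. */
final class ExampleClient {
    static FormValidation tryLogin(String url, String user, String pass) {
        if (url == null || url.isEmpty()) return FormValidation.error("Server URL is required");
        if (pass == null || pass.isEmpty()) return FormValidation.error("Password is required");
        return FormValidation.ok("Would connect to " + url + " as " + user);
    }
}

/**
 * BEFORE: the shape behind both classes of finding. Not registered as an
 * extension here; shown only for contrast with the hardened version below.
 */
class BeforeExampleConfig extends GlobalConfiguration {
    private String serverUrl;
    private String username;
    // Defect 1: a plain String is serialised in clear text into
    // JENKINS_HOME/org.example.jenkins.BeforeExampleConfig.xml, readable by
    // anyone with file system access (or Extended Read, for job config.xml).
    private String password;

    BeforeExampleConfig() { load(); }

    // Defect 2: no permission check, and GET is accepted, so any Overall/Read
    // user, or a CSRF'd administrator, can make the master connect to a
    // server and credentials chosen by the requester.
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        return ExampleClient.tryLogin(serverUrl, username, password);
    }
}

/** AFTER: the same descriptor with both defects corrected. */
@Extension
public class HardenedExampleConfig extends GlobalConfiguration {
    private String serverUrl;
    private String username;
    // Fix 1: Secret is persisted in Jenkins' encrypted form; the plaintext is
    // only recovered at the point of use via getPlainText().
    private Secret password;

    public HardenedExampleConfig() { load(); }

    public String getServerUrl() { return serverUrl; }
    public String getUsername() { return username; }
    public Secret getPassword() { return password; }

    @DataBoundSetter public void setServerUrl(String v) { serverUrl = v; save(); }
    @DataBoundSetter public void setUsername(String v) { username = v; save(); }
    @DataBoundSetter public void setPassword(Secret v) { password = v; save(); }

    // Fix 2a: @POST rejects GET, so the request must carry Jenkins' CSRF crumb.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String username,
                                           @QueryParameter Secret password) {
        // Fix 2b: a global setting is an administrator's concern. When the same
        // method backs a job-level (config.xml) descriptor, the check is scoped
        // to that item instead, which is why the Item ancestor is accepted.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        String plain = password == null ? "" : password.getPlainText();
        return ExampleClient.tryLogin(serverUrl, username, plain);
    }
}
```

The form field bound to a `Secret` parameter should be a `<f:password>` element in the plugin's Jelly view, so the browser never receives the stored plaintext back; Stapler converts the submitted value with `Secret.fromString`, which accepts both a freshly typed password and an already-encrypted value round-tripped from the page.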