oss-sec mailing list archives
Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Mon, 4 Jun 2018 14:37:28 +0200
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* AbsInt Astrée 1.0.7
* Black Duck Detect 1.4.1
* Black Duck Hub 4.0.1
* CAS 1.4.2
* Git 3.9.1
* GitHub 1.29.1
* GitHub Branch Source 2.3.5
* GitHub Pull Request Builder 1.42.0
* Kubernetes 1.7.1

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://jenkins.io/security/advisory/2018-06-04/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-810

Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

SECURITY-799

A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL. If that request's HTTP response code indicates success, the form validation returns a generic success message; otherwise the HTTP status code is returned.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

SECURITY-804

GitHub Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

SECURITY-806

A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

SECURITY-805

GitHub Pull Request Builder Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

SECURITY-883

Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and master log, when using pipeline steps like withDockerRegistry.

SECURITY-809

A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

SECURITY-807

AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins master.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

SECURITY-865

Black Duck Hub Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

SECURITY-866

Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
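Nearly every entry above is the same plugin-side defect: a Stapler form-validation method (a `doCheck*`/`doTest*` method on a Descriptor) that neither checked a permission nor required POST, so any Overall/Read user, or a CSRF page loaded in such a user's browser, could make the Jenkins master issue a request to a URL of their choosing. The following is an added illustration written for this page, not code from any of the plugins named in the advisory: a hypothetical build step whose descriptor carries the unsafe pattern next to the hardened one. Class, method and parameter names (`ExampleServerBuilder`, `doCheckServerUrlUnsafe`, `doCheckServerUrl`, `probe`) are invented; the Jenkins APIs used (`@RequirePOST`, `@AncestorInPath`, `Item.CONFIGURE`, `Jenkins.ADMINISTER`, `FormValidation`) are real, and `Jenkins.get()` assumes a core baseline of 2.98 or later (older plugins use `Jenkins.getInstance()`).

```java
package example; // hypothetical package, not a real Jenkins plugin

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

/** Hypothetical build step; only its descriptor's doCheck methods matter here. */
public class ExampleServerBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example server step (hypothetical)";
        }

        // VULNERABLE pattern, the class of bug the advisory describes.
        // Stapler exposes this as an HTTP endpoint; nothing restricts who may
        // call it, and because GET is accepted a cross-site <img src=...> in a
        // logged-in user's browser triggers it just as well as a direct request.
        // The server-side request in probe() then runs with the master's
        // network position.
        public FormValidation doCheckServerUrlUnsafe(@QueryParameter String value) {
            return probe(value);
        }

        // HARDENED form: the two fixes the advisory entries describe.
        @RequirePOST // 1. reject GET, which closes the CSRF vector
        public FormValidation doCheckServerUrl(@AncestorInPath Item item,
                                              @QueryParameter String value) {
            // 2. permission check scoped to the config page being edited:
            //    job config requires Item/Configure on that job,
            //    global config (no ancestor item) requires Overall/Administer.
            //    checkPermission throws AccessDeniedException on failure.
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(value);
        }

        // Shared connectivity check; unchanged between the two variants, which
        // is the point: the fix is in who may reach it, not in what it does.
        private static FormValidation probe(String value) {
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.ok(); // field still empty, nothing to check
            }
            URL url;
            try {
                url = new URL(value.trim());
            } catch (MalformedURLException e) {
                return FormValidation.error("Not a valid URL");
            }
            if (!"https".equals(url.getProtocol())) {
                return FormValidation.warning("Only https URLs are recommended");
            }
            try {
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setRequestMethod("HEAD");
                conn.setConnectTimeout(5000);
                conn.setReadTimeout(5000);
                int code = conn.getResponseCode();
                return code < 400
                        ? FormValidation.ok("Reachable")
                        : FormValidation.error("Server returned HTTP " + code);
            } catch (IOException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }
    }
}
```

When reviewing a plugin for this bug class, the check is mechanical: list every `do*` method on a Descriptor (and on any other Stapler-bound object) that takes a URL, a credentials ID or a command, and confirm each one carries both `@RequirePOST` and a `checkPermission` call appropriate to its scope. A method that looks up a credentials ID should apply the same permission check before the lookup, since the entries for SECURITY-804, -805, -865 and -866 show that the URL and the credentials ID are supplied together.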