Re: Multiple vulnerabilities in Jenkins plugins

[Daniel Beck <ml () beckweb net>]

> On 25. Jun 2018, at 16:10, Daniel Beck <ml () beckweb net> wrote:
>
> SECURITY-915
> A form action method in GitHub Plugin did not check the permission of the 
> user accessing it, allowing anyone with Overall/Read access to Jenkins to 
> cause Jenkins to send a GitHub API request to create an API token to a an 
> attacker specified URL.
>
> This allowed users with Overall/Read access to Jenkins to connect to an 
> attacker-specified URL using attacker-specified credentials IDs obtained 
> through another method, capturing credentials stored in Jenkins.
>
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1000600

> SECURITY-440
> SSH Credentials Plugin allowed the creation of SSH credentials with keys 
> "From a file on Jenkins master". Credentials Binding Plugin 1.13 and newer 
> allows binding SSH credentials to environment variables. In combination, 
> these two features allow users with the permission to configure a job to 
> read arbitrary files on the Jenkins master by creating an SSH credential 
> referencing an arbitrary file on the Jenkins master, and binding it to an 
> environment variable in a job.

CVE-2018-1000601

> SECURITY-916
> SAML Plugin did not invalidate the previous session and create a new one 
> upon successful login, allowing attackers able to control or obtain 
> another user’s pre-login session ID to impersonate them.

CVE-2018-1000602

> SECURITY-808
> Openstack Cloud Plugin did not perform permission checks on methods 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to connect to an attacker-specified URL using attacker-
> specified credentials IDs obtained through another method, capturing 
> credentials stored in Jenkins, and to cause Jenkins to submit HTTP 
> requests to attacker-specified URLs.
>
> Additionally, these form validation methods did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1000603

> SECURITY-906
> Badge Plugin stored and displayed user-provided HTML for badges and 
> summaries unprocessed, allowing users with the ability to control badge 
> content to store malicious HTML to be displayed within Jenkins.

CVE-2018-1000604

> SECURITY-941
> CollabNet Plugin disabled SSL/TLS certificate validation for the entire 
> Jenkins master JVM by default.

CVE-2018-1000605

> SECURITY-819
> A form validation method in URLTrigger Plugin did not check the permission 
> of the user accessing them, allowing anyone with Overall/Read access to 
> Jenkins to cause Jenkins to send a GET request to a specified URL.
>
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1000606

> SECURITY-870
> Fortify CloudScan Plugin did not validate file names in rulepack ZIP 
> archives it extracts, resulting in an arbitrary file write vulnerability.

CVE-2018-1000607

> SECURITY-950
> IBM z/OS Connector Plugin did not encrypt password credentials stored in 
> its configuration. This could be used by users with master file system 
> access to obtain the password.
>
> While masked from view using a password form field, the AWS Secret Key was 
> transferred in plain text to administrators when accessing the global 
> configuration form.

CVE-2018-1000608

> SECURITY-927
> Configuration as Code Plugin lacked a permission check in the method 
> handling the URL exporting the system configuration. This allows users 
> with Overall/Read access to Jenkins to obtain this YAML export.

CVE-2018-1000609

> SECURITY-929
> Configuration as Code Plugin logged secrets set via its configuration to 
> the Jenkins master system log in plain text. This allowed users with 
> access to the Jenkins log files to obtain these passwords and similar 
> secrets.

CVE-2018-1000610