Re: Multiple vulnerabilities in Jenkins plugins

[Daniel Beck <ml () beckweb net>]

> On 30. Jul 2018, at 16:10, Daniel Beck <ml () beckweb net> wrote:
>
> SECURITY-704
> When using the `sshagent` step inside a `withDockerContainer` block in 
> Pipeline, the resulting logging of the `ssh-add` command included the SSH 
> key passphrase in plain text.

CVE-2018-1999036

> SECURITY-997
> Resource Disposer Plugin did not perform permission checks on an API 
> endpoint. This allowed users with Overall/Read access to Jenkins to stop 
> tracking a specified resource.
>
> Additionally, this API endpoint did not require POST requests, resulting 
> in a CSRF vulnerability.

CVE-2018-1999037

> SECURITY-975
> Publish Over CIFS Plugin did not perform permission checks on a method 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to initiate CIFS connections to an attacker specified host.
>
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999038

> SECURITY-982
> Confluence Publisher Plugin did not perform permission checks on a method 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to submit login requests to Confluence using attacker-
> specified credentials.
>
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999039

> SECURITY-1016
> Kubernetes Plugin did not perform permission checks on a method 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to connect to an attacker-specified Kubernetes cluster using 
> attacker-specified credentials IDs obtained through another method, 
> capturing credentials stored in Jenkins.
>
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999040

> SECURITY-840
> Tinfoil Security Plugin stored the API Secret Key in its configuration 
> unencrypted in its global configuration file on the Jenkins master. This 
> key could be viewed by users with access to the master file system.

CVE-2018-1999041

> SECURITY-932
> TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate 
> validation for the entire Jenkins master JVM.

CVE-2018-1999025

> SECURITY-994
> TraceTronic ECU-TEST Plugin did not perform permission checks on a method 
> implementing form validation. This allowed users with Overall/Read access 
> to Jenkins to connect to an attacker-specified URL, with the path suffix
> `/app-version-info` appended.
>
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999026

> SECURITY-1009
> SaltStack Plugin did not perform permission checks on methods implementing 
> form validation. This allowed users with Overall/Read access to Jenkins to 
> connect to an attacker-specified URL using attacker-specified credentials 
> IDs obtained through another method, capturing credentials stored in 
> Jenkins, and to cause Jenkins to submit HTTP requests to attacker-
> specified URLs.
>
> Additionally, these form validation methods did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999027

> SECURITY-1021
> Accurev Plugin did not perform permission checks on a method implementing 
> form validation. This allowed users with Overall/Read access to Jenkins to 
> connect to an attacker-specified Accurev server using attacker-specified 
> credentials IDs obtained through another method, capturing credentials 
> stored in Jenkins.
>
> Additionally, these form validation methods did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999028

> SECURITY-1001
> Shelve Project Plugin did not escape the names of shelved projects on the 
> UI, potentially resulting in a stored XSS vulnerability.

CVE-2018-1999029

> SECURITY-1022
> Maven Artifact ChoiceListProvider (Nexus) Plugin did not perform 
> permission checks on a method implementing form validation. This allowed 
> users with Overall/Read access to Jenkins to connect to an attacker-
> specified Nexus or Artifactory server using attacker-specified credentials 
> IDs obtained through another method, capturing credentials stored in 
> Jenkins.
>
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2018-1999030

> SECURITY-847
> meliora-testlab Plugin stored the API Key in its configuration unencrypted 
> in its global configuration file on the Jenkins master. This key could be 
> viewed by users with access to the master file system.
>
> Additionally, the API key was not masked from view using a password form 
> field.

CVE-2018-1999031

> SECURITY-995
> Agiletestware Pangolin Connector for TestRail Plugin did not perform 
> permission checks on an API endpoint used to validate and save the plugin 
> configuration. This allowed users with Overall/Read access to Jenkins to 
> override the plugin configuration.
>
> Additionally, the API endpoint did not require POST requests, resulting in 
> a CSRF vulnerability.

CVE-2018-1999032

> SECURITY-1039
> Anchore Container Image Scanner Plugin stored the password in its 
> configuration unencrypted in its global configuration file on the Jenkins 
> master. This password could be viewed by users with access to the master 
> file system.

CVE-2018-1999033

> SECURITY-933
> Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate 
> validation for the entire Jenkins master JVM.

CVE-2018-1999034

> SECURITY-935
> Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation 
> for the entire Jenkins master JVM.

CVE-2018-1999035