oss-sec mailing list archives
Re: Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Wed, 1 Aug 2018 04:38:37 +0200
On 30. Jul 2018, at 16:10, Daniel Beck <ml () beckweb net> wrote:
SECURITY-704 When using the `sshagent` step inside a `withDockerContainer` block in Pipeline, the resulting logging of the `ssh-add` command included the SSH key passphrase in plain text.
CVE-2018-1999036
SECURITY-997 Resource Disposer Plugin did not perform permission checks on an API endpoint. This allowed users with Overall/Read access to Jenkins to stop tracking a specified resource. Additionally, this API endpoint did not require POST requests, resulting in a CSRF vulnerability.
CVE-2018-1999037
SECURITY-975 Publish Over CIFS Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate CIFS connections to an attacker specified host. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
CVE-2018-1999038
SECURITY-982 Confluence Publisher Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit login requests to Confluence using attacker-specified credentials. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
CVE-2018-1999039
SECURITY-1016 Kubernetes Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes cluster using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
CVE-2018-1999040
SECURITY-840 Tinfoil Security Plugin stored the API Secret Key in its configuration unencrypted in its global configuration file on the Jenkins master. This key could be viewed by users with access to the master file system.
CVE-2018-1999041
SECURITY-932 TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins master JVM.
CVE-2018-1999025
SECURITY-994 TraceTronic ECU-TEST Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL, with the path suffix `/app-version-info` appended. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
CVE-2018-1999026
SECURITY-1009 SaltStack Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs. Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
CVE-2018-1999027
SECURITY-1021 Accurev Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Accurev server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
CVE-2018-1999028
SECURITY-1001 Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability.
CVE-2018-1999029
SECURITY-1022 Maven Artifact ChoiceListProvider (Nexus) Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Nexus or Artifactory server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
CVE-2018-1999030
SECURITY-847 meliora-testlab Plugin stored the API Key in its configuration unencrypted in its global configuration file on the Jenkins master. This key could be viewed by users with access to the master file system. Additionally, the API key was not masked from view using a password form field.
CVE-2018-1999031
SECURITY-995 Agiletestware Pangolin Connector for TestRail Plugin did not perform permission checks on an API endpoint used to validate and save the plugin configuration. This allowed users with Overall/Read access to Jenkins to override the plugin configuration. Additionally, the API endpoint did not require POST requests, resulting in a CSRF vulnerability.
CVE-2018-1999032
SECURITY-1039 Anchore Container Image Scanner Plugin stored the password in its configuration unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system.
CVE-2018-1999033
SECURITY-933 Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins master JVM.
CVE-2018-1999034
SECURITY-935 Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins master JVM.
CVE-2018-1999035
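Added example (not from the advisory or from any of the plugins it names): a hypothetical plugin's global configuration written in the hardened form of the three patterns that recur above, i.e. `Secret` for a stored API key, `@RequirePOST` plus a permission check on a form-validation web method, and no change to JVM-wide TLS settings. The package name and the `ExampleClient` class are assumed.

```java
// Added example for a hypothetical "Example" plugin; package name and
// ExampleClient are assumptions, not code from any plugin named in the
// advisory.
package org.example.jenkins;

import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {
    // A plain String here would be written to the plugin's config XML on the
    // master unencrypted (the SECURITY-840/847/1039 pattern); Secret is stored
    // encrypted and pairs with the password form control, so it is masked too.
    private Secret apiKey;

    public ExampleGlobalConfiguration() { load(); }

    public Secret getApiKey() { return apiKey; }

    @DataBoundSetter
    public void setApiKey(Secret apiKey) { this.apiKey = apiKey; save(); }

    // A public doXxx method is a web method. Without the two guards below it
    // is reachable by GET from any Overall/Read user and from a cross-site
    // page, and makes the master connect wherever the parameters say (the
    // SECURITY-975/982/994/1009 pattern). @RequirePOST makes Jenkins enforce
    // the CSRF crumb; checkPermission limits callers to administrators.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String apiKey) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            // Assumed client class. Configure TLS per connection only; never
            // replace HttpsURLConnection's default SSLSocketFactory or
            // HostnameVerifier (the SECURITY-932/933/935 pattern).
            new ExampleClient(url, Secret.fromString(apiKey)).ping();
            return FormValidation.ok("Connection successful");
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```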
Current thread:
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Jul 30)
- Re: Multiple vulnerabilities in Jenkins plugins Daniel Beck (Jul 31)
- <Possible follow-ups>
- Multiple vulnerabilities in Jenkins plugins Daniel Beck (Sep 25)