Re: Multiple vulnerabilities in Jenkins

[Daniel Beck <ml () beckweb net>]

> On 5. Dec 2018, at 10:18, Daniel Beck <ml () beckweb net> wrote:
>
> SECURITY-595
> Jenkins uses the Stapler web framework for HTTP request handling. 
> Stapler’s basic premise is that it uses reflective access to code 
> elements matching its naming conventions. For example, any public method 
> whose name starts with get, and that has a String, int, long, or no 
> argument can be invoked this way on objects that are reachable through 
> these means. As these naming conventions closely match common code 
> patterns in Java, accessing crafted URLs could invoke methods never 
> intended to be invoked this way.
>
> The Stapler web framework has been extended with a Service Provider 
> Interface (SPI) that allows methods and fields to be excluded from routing.
> The implementation of that SPI in Jenkins now restricts which getter 
> methods, do* action methods, and fields can be invoked reflectively by 
> Stapler.

CVE-2018-1000861

> SECURITY-1072
> The fix for SECURITY-499 introduced a mechanism that renamed user 
> directories on disk as a user with an unsafe user name (user ID) is loaded.
> Insufficient input validation allowed attackers to rename such user 
> directories even for users with a safe user name by submitting a crafted 
> user name when attempting to log in, even with an invalid password. Doing 
> so prevented users from logging in successfully afterwards.
>
> Jenkins no longer uses directory names as a reference for user names, 
> making the on-load migration of user records unnecessary. Instead, the 
> new file users/users.xml is used to map user names to the directories 
> containing the user metadata.

CVE-2018-1000863

> SECURITY-904
> The file browser used for workspaces, archived artifacts, and 
> $JENKINS_HOME/userContent/ followed symbolic links to locations outside 
> the directory being browsed.
>
> While builds typically have access to the file system outside the 
> workspace allocated by Jenkins, this should not extend to beyond the 
> execution of a build on that agent. Notably, the configuration may have 
> been changed to not allow a build to run on a given agent, but the 
> workspace used during the previous execution still exists, and could 
> allow browsing the file system outside the workspace.
>
> Neither browsing through the UI nor downloading directory content as a 
> ZIP file allow accessing directories and files outside the workspace 
> anymore.

CVE-2018-1000862

> SECURITY-1193
> The form validation for cron expressions (e.g. "Poll SCM", "Build 
> periodically") could enter infinite loops when cron expressions only 
> matching certain rare dates were entered, blocking request handling 
> threads indefinitely.

CVE-2018-1000864