Re: Multiple vulnerabilities in Jenkins plugins

[Daniel Beck <ml () beckweb net>]

> On 28. Jan 2019, at 15:28, Daniel Beck <ml () beckweb net> wrote:
>
> SECURITY-1292
> Script Security sandbox protection could be circumvented during the script 
> compilation phase by applying AST transforming annotations such as `@Grab` 
> to source code elements.
>
> This affected an HTTP endpoint used to validate a user-submitted Groovy 
> script that was not covered in the 2019-01-08 fix for SECURITY-1266 and 
> allowed users with Overall/Read permission to bypass the sandbox 
> protection and execute arbitrary code on the Jenkins master.

CVE-2019-1003005

> SECURITY-1293
> Groovy Plugin has a form validation HTTP endpoint used to validate a user-
> submitted Groovy script through compilation, which was not subject to 
> sandbox protection. This allowed attackers with Overall/Read access to 
> execute arbitrary code on the Jenkins master by applying AST transforming 
> annotations such as `@Grab` to source code elements.

CVE-2019-1003006

> SECURITY-1295 (1)
> Warnings Plugin has a form validation HTTP endpoint used to validate a 
> user-submitted Groovy script through compilation, which was not subject to 
> sandbox protection. The endpoint checked for the Overall/RunScripts 
> permission, but did not require POST requests, so it was vulnerable to 
> cross-site request forgery (CSRF). This allowed attackers to execute 
> arbitrary code on the Jenkins master by applying AST transforming 
> annotations such as `@Grab` to source code elements.

CVE-2019-1003007

> SECURITY-1295 (2)
> Warnings Next Generation Plugin has a form validation HTTP endpoint used 
> to validate a Groovy script through compilation, which was not subject to 
> sandbox protection. The endpoint checked for the Overall/RunScripts 
> permission, but did not require POST requests, so it was vulnerable to 
> cross-site request forgery (CSRF). This allowed attackers to execute 
> arbitrary code on the Jenkins master by applying AST transforming 
> annotations such as `@Grab` to source code elements.

CVE-2019-1003008

> SECURITY-859
> Active Directory Plugin performs TLS upgrade (StartTLS) after connecting 
> to domain controllers through insecure LDAP. In this mode, certificates 
> were not properly validated, effectively trusting all certificates, 
> allowing man-in-the-middle attacks.
>
> This only affected TLS upgrades. The LDAPS mode, available by setting the 
> system property hudson.plugins.active_directory.
> ActiveDirectorySecurityRealm.forceLdaps to true, was unaffected.

CVE-2019-1003009

> SECURITY-1095
> Git Plugin allows the creation of a tag in a job workspace’s Git 
> repository with accompanying metadata attached to a build record.
>
> The HTTP endpoint to create the tag did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003010

> SECURITY-1102
> Token Macro Plugin recursively applied token expansion.
>
> This could be used by users able to affect input to token expansion (such 
> as change log messages), to inject additional tokens into the input, which 
> would then be expanded, resulting in information disclosure (for example 
> values of environment variables), or denial of service.

CVE-2019-1003011

> SECURITY-1201
> Blue Ocean did not require CSRF tokens ("crumbs") for POST requests with 
> the `Content-Type: application/json`, resulting in CSRF vulnerabilities.

CVE-2019-1003012

> SECURITY-1204
> Blue Ocean did not properly escape HTML/JavaScript content set on the 
> current user’s description field, resulting in a cross-site scripting 
> vulnerability exploitable by administrators and other people accessing 
> Jenkins with the same user account.

CVE-2019-1003013

> SECURITY-1253
> Config File Provider Plugin improperly handled script names in its 
> JavaScript-based UI, resulting in a stored cross-site scripting (XSS) 
> vulnerability.

CVE-2019-1003014

> SECURITY-905 (1)
> Job Import Plugin allows to import jobs from other Jenkins instances. As a 
> first step in this process, Job Import Plugin sends a request to another 
> Jenkins instance, parsing XML REST API output to obtain a list of jobs 
> that could be imported.
>
> Job Import Plugin did not configure the XML parser in a way that would 
> prevent XML External Entity (XXE) processing. This allowed attackers able 
> to control either the server Jenkins will query, or the URL Jenkins 
> queries, to have it parse a maliciously crafted XML response that uses 
> external entities for extraction of secrets from the Jenkins master, 
> server-side request forgery, or denial-of-service attacks.

CVE-2019-1003015

> SECURITY-905 (2)
> Job Import Plugin did not check user permissions on its API endpoint used 
> to access remote Jenkins instances. This allowed users with Overall/Read 
> access to Jenkins to connect to an attacker-specified URL using attacker-
> specified credentials IDs obtained through another method, capturing 
> credentials stored in Jenkins.

CVE-2019-1003016

> SECURITY-1302
> Job Import Plugin did not require that POST requests are sent to its 
> /import URL, which processes requests to import jobs. This resulted in a 
> cross-site request forgery (CSRF) vulnerability that could be exploited to 
> create or replace jobs on the local instance if the remote Jenkins 
> instance has different ones with the same name, or to install additional 
> plugins, if jobs on the remote Jenkins instance reference them in their 
> configuration.

CVE-2019-1003017

> SECURITY-602
> GitHub Authentication Plugin stores the client secret in the global 
> Jenkins configuration.
>
> While the client secret is stored encrypted on disk, it was transmitted in 
> plain text as part of the configuration form and displayed without masking.
> This could result in exposure of the client secret through browser 
> extensions, cross-site scripting vulnerabilities, and similar situations.

CVE-2019-1003018

> SECURITY-797
> GitHub Authentication Plugin did not invalidate the previous session and 
> create a new one upon successful login, allowing attackers able to control 
> or obtain another user’s pre-login session ID to impersonate them.

CVE-2019-1003019

> SECURITY-818
> Kanboard Plugin did not perform permission checks on a method implementing 
> form validation. This allowed users with Overall/Read access to Jenkins to 
> submit a GET request to an attacker-specified URL.
>
> Additionally, this form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003020

> SECURITY-886
> OpenId Connect Authentication Plugin stores the client secret in the 
> global Jenkins configuration.
>
> While the client secret is stored encrypted on disk, it was transmitted in 
> plain text as part of the configuration form and displayed without masking.
> This could result in exposure of the client secret through browser 
> extensions, cross-site scripting vulnerabilities, and similar situations.

CVE-2019-1003021

> SECURITY-1153
> Monitoring Plugin provides a standalone JavaMelody servlet with an 
> independent CSRF protection configuration. Even if Jenkins had CSRF 
> protection enabled, Monitoring Plugin may not have it enabled.

CVE-2019-1003022

> SECURITY-1271
> Warnings Next Generation Plugin did not properly escape HTML content in 
> warnings displayed on the Jenkins UI, resulting in a cross-site scripting 
> vulnerability exploitable by users able to control warnings parser input.

CVE-2019-1003023