oss-sec mailing list archives
Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Tue, 7 Apr 2020 14:19:48 +0200
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* AWSEB Deployment Plugin 0.3.20
* Code Coverage API Plugin 1.1.5
* FitNesse Plugin 1.33
* Gatling Plugin 1.3.0
* useMango Runner Plugin 1.5

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://jenkins.io/security/advisory/2020-04-07/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1699 / CVE-2020-2172
Code Coverage API Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the "Publish Coverage Report" post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master or server-side request forgery.

SECURITY-1633 / CVE-2020-2173
Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the `Content-Security-Policy` protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

SECURITY-1769 / CVE-2020-2174
AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output. This results in a reflected cross-site scripting (XSS) vulnerability.

SECURITY-1801 / CVE-2020-2175
FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.

SECURITY-1780 / CVE-2020-2176
Multiple form validation endpoints in useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.