oss-sec mailing list archives
Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Thu, 16 Apr 2020 15:28:36 +0200
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* AWS SAM Plugin 1.2.3
* Copr Plugin 0.6.1
* Parasoft Findings Plugin 10.4.4
* Yaml Axis Plugin 0.2.1

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://jenkins.io/security/advisory/2020-04-16/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1556 / CVE-2020-2177
Copr Plugin 0.3 and earlier stores credentials unencrypted in job `config.xml` files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the master file system.

SECURITY-1753 / CVE-2020-2178
Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the Parasoft Findings parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master or server-side request forgery.

SECURITY-1825 / CVE-2020-2179
Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a multi-configuration (Matrix) job, or control the contents of a previously configured job's SCM repository.

SECURITY-1736 / CVE-2020-2180
AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a job or control the contents of a previously configured "AWS SAM deploy application" build step's YAML SAM template file (`template.yaml` or equivalent).
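Three of the four items above are parser-configuration defects: an XML parser that still resolves external entities (SECURITY-1753) and YAML parsers that let the document pick which Java class gets instantiated (SECURITY-1825, SECURITY-1736). The class below is an added illustration of the hardened configuration a Jenkins plugin would use for both cases; it is not code from any of the affected plugins or from the Jenkins project. It assumes the JDK's built-in DOM parser and SnakeYAML 1.33 or later (the `SafeConstructor(LoaderOptions)` constructor); the class and method names are hypothetical, and the sample report and template are constructed inputs.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Hypothetical helper (not from any affected plugin) showing the two parser
 * configurations the advisory items SECURITY-1753, -1825 and -1736 call for.
 */
public final class HardenedParsers {

    /** XML parser with DTD processing and external entity resolution disabled (XXE-safe). */
    public static Document parseXml(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: without entity declarations there is nothing to expand.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Empty protocol lists block any remaining fetch of external DTDs or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** YAML loader that only builds maps, lists and scalars, never arbitrary Java types. */
    public static Object loadYaml(String yaml) {
        // SafeConstructor rejects global (!!java...) tags; the default Constructor
        // would instantiate whatever class such a tag names in untrusted input.
        Yaml y = new Yaml(new SafeConstructor(new LoaderOptions()));
        return y.load(yaml);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs mimicking a findings report and a SAM template.
        String report = "<report><finding severity=\"high\">unused variable</finding></report>";
        String template = "AWSTemplateFormatVersion: '2010-09-09'\n"
                + "Resources:\n  Fn:\n    Type: AWS::Serverless::Function\n";
        System.out.println(parseXml(report).getDocumentElement().getTagName());
        System.out.println(loadYaml(template));

        // Any DOCTYPE, even one with only a harmless internal entity, is refused.
        try {
            parseXml("<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>");
        } catch (SAXParseException e) {
            System.out.println("XML rejected: " + e.getMessage());
        }
        // A document naming a Java class via a tag is refused instead of constructed.
        try {
            loadYaml("when: !!java.util.Date 1234567890");
        } catch (YAMLException e) {
            System.out.println("YAML rejected: " + e.getMessage());
        }
    }
}
```

Both rejections surface as parse-time exceptions rather than silent acceptance, which is also what a plugin should log: a DOCTYPE in a findings report, or a `!!`-tagged node in a template, is not something a legitimate build artifact contains.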