Jenkins Security Advisory 2020-02-12

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Sandbox bypass via default method parameter expression in Pipeline: Groovy Plugin

SECURITY-1710 / CVE-2020-2109

Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are subject to sandbox protection in Pipeline: Groovy Plugin 2.79.

Sandbox bypass vulnerability in Script Security Plugin

SECURITY-1713 / CVE-2020-2110

Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations. This affects both script execution (typically invoked from other plugins like Pipeline) as well as HTTP endpoints providing sandboxed script validation.

Users with Overall/Read permission can exploit this to bypass sandbox protection and execute arbitrary code on the Jenkins controller.

This issue is due to an incomplete fix of SECURITY-1266.

Script Security Plugin 1.70 disallows all known unsafe AST transformations on imports or when used inside of other annotations.

Stored XSS vulnerability in Subversion Plugin

SECURITY-1725 / CVE-2020-2111

Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines.

Subversion Plugin 2.13.1 escapes the affected part of the error message.

Multiple stored XSS vulnerabilities in Git Parameter Plugin

SECURITY-1709 / CVE-2020-2112 (parameter name), CVE-2020-2113 (default value)

Git Parameter Plugin 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

Git Parameter Plugin 0.9.12 escapes the parameter name and default value shown on the UI.

Credential transmitted in plain text by S3 publisher Plugin

SECURITY-1684 / CVE-2020-2114

S3 publisher Plugin stores a secret key in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 publisher Plugin 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

S3 publisher Plugin 0.11.5 transmits the secret key in its global configuration encrypted.

XXE vulnerability in NUnit Plugin

SECURITY-1752 / CVE-2020-2115

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML parser.

CSRF vulnerability and missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials

SECURITY-812 (1) / CVE-2020-2116 (CSRF), CVE-2020-2117 (missing permission check)

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

This form validation method requires POST requests and Item/Configure permission in Pipeline GitHub Notify Step Plugin 1.0.5.

Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin

SECURITY-812 (2) / CVE-2020-2118

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline GitHub Notify Step Plugin 1.0.5 requires the permission to configure a project.

Client secret transmitted in plain text by Azure AD Plugin

SECURITY-1717 / CVE-2020-2119

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

XXE vulnerability in FitNesse Plugin

SECURITY-1751 / CVE-2020-2120

FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

FitNesse Plugin 1.31 disables external entity processing for its XML parser.

RCE vulnerability in Google Kubernetes Engine Plugin

SECURITY-1731 / CVE-2020-2121

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

Stored XSS vulnerability in brakeman Plugin

SECURITY-1644 / CVE-2020-2122

brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability.

This vulnerability can be exploited by users able to control the Brakeman post-build step input data.

brakeman Plugin 0.13 escape affected values from the parsed file as they are recorded.

This fix is only applied to newly recorded data after a fixed version of the plugin is installed; historical data may still contain unsafe values.

RCE vulnerability in RadarGun Plugin

SECURITY-1733 / CVE-2020-2123

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

Password stored in plain text by Dynamic Extended Choice Parameter Plugin

SECURITY-1560 / CVE-2020-2124

Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Credentials stored in plain text by debian-package-builder Plugin

SECURITY-1558 / CVE-2020-2125

debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Token stored in plain text by DigitalOcean Plugin

SECURITY-1559 / CVE-2020-2126

DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Credential stored in plain text by BMC Release Package and Deployment Plugin

SECURITY-1547 / CVE-2020-2127

BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by ECX Copy Data Management Plugin

SECURITY-1549 / CVE-2020-2128

ECX Copy Data Management Plugin 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by Eagle Tester Plugin

SECURITY-1552 / CVE-2020-2129

Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Passwords stored in plain text by Harvest SCM Plugin

SECURITY-1553 / CVE-2020-2130 (global configuration), CVE-2020-2131 (job configuration)

Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).

As of publication of this advisory, there is no fix.

Password stored in plain text by Parasoft Environment Manager Plugin

SECURITY-1562 / CVE-2020-2132

Parasoft Environment Manager Plugin 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by Applatix Plugin

SECURITY-1540 / CVE-2020-2133

Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • Applatix Plugin up to and including 1.1
  • Azure AD Plugin up to and including 1.1.2
  • BMC Release Package and Deployment Plugin up to and including 1.1
  • brakeman Plugin up to and including 0.12
  • debian-package-builder Plugin up to and including 1.6.11
  • DigitalOcean Plugin up to and including 1.1
  • Dynamic Extended Choice Parameter Plugin up to and including 1.0.1
  • Eagle Tester Plugin up to and including 1.0.9
  • ECX Copy Data Management Plugin up to and including 1.9
  • FitNesse Plugin up to and including 1.30
  • Git Parameter Plugin up to and including 0.9.11
  • Google Kubernetes Engine Plugin up to and including 0.8.0
  • Harvest SCM Plugin up to and including 0.5.1
  • NUnit Plugin up to and including 0.25
  • Parasoft Environment Manager Plugin up to and including 2.14
  • Pipeline GitHub Notify Step Plugin up to and including 1.0.4
  • Pipeline: Groovy Plugin up to and including 2.78
  • RadarGun Plugin up to and including 1.7
  • S3 publisher Plugin up to and including 0.11.4
  • Script Security Plugin up to and including 1.69
  • Subversion Plugin up to and including 2.13.0

Fix

  • Azure AD Plugin should be updated to version 1.2.0
  • brakeman Plugin should be updated to version 0.13
  • FitNesse Plugin should be updated to version 1.31
  • Git Parameter Plugin should be updated to version 0.9.12
  • Google Kubernetes Engine Plugin should be updated to version 0.8.1
  • NUnit Plugin should be updated to version 0.26
  • Pipeline GitHub Notify Step Plugin should be updated to version 1.0.5
  • Pipeline: Groovy Plugin should be updated to version 2.79
  • RadarGun Plugin should be updated to version 1.8
  • S3 publisher Plugin should be updated to version 0.11.5
  • Script Security Plugin should be updated to version 1.70
  • Subversion Plugin should be updated to version 2.13.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Applatix Plugin
  • BMC Release Package and Deployment Plugin
  • debian-package-builder Plugin
  • DigitalOcean Plugin
  • Dynamic Extended Choice Parameter Plugin
  • Eagle Tester Plugin
  • ECX Copy Data Management Plugin
  • Harvest SCM Plugin
  • Parasoft Environment Manager Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Adith Sudhakar for SECURITY-1644
  • Daniel Kalinowski of ISEC.pl Research Team for SECURITY-1731, SECURITY-1733
  • Federico Pellegrin for SECURITY-1751, SECURITY-1752
  • James Holderness, IB Boost for SECURITY-1540, SECURITY-1547, SECURITY-1549, SECURITY-1552, SECURITY-1553, SECURITY-1558, SECURITY-1559, SECURITY-1560, SECURITY-1562
  • Joseph Petersen @jetersen for SECURITY-1717
  • Nils Emmerich of ERNW Research GmbH for SECURITY-1710, SECURITY-1713
  • Sven Grossmann (@svennergr) for SECURITY-1709
  • Thomas de Grenier de Latour for SECURITY-812 (1), SECURITY-812 (2)
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1684, SECURITY-1725