This advisory announces vulnerabilities in the following Jenkins deliverables:
URL
objects with host components
Jenkins allowed deserialization of URL
objects via Remoting (agent communication) and XStream.
This could in rare cases be used by attackers to have Jenkins look up specified hosts' DNS records.
Jenkins now injects a URLStreamHandler
when deserializing URLs that overrides the affected URL
methods.
This can be disabled if needed by setting the system property hudson.remoting.URLDeserializationHelper.avoidUrlWrapping
to true
.
When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as (legacy) API tokens could exist without a persisted user record.
This behavior could be abused to create a large number of ephemeral user records in memory.
The API token validation on authentication has been improved to no longer create ephemeral user records.
The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.
The "Remember me" feature can be disabled in the Jenkins security configuration.
This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in.
"Remember me" cookies are no longer evaluated when the corresponding feature is disabled.
Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks.
Access to the affected URL is now limited to users with the correct Agent/Connect permission.
Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks.
Access to the affected URL is now limited to users with Overall/Administer permission.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: