Jenkins Security Advisory 2020-10-08

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Improper authorization due to caching in Role-based Authorization Strategy Plugin

SECURITY-1767 / CVE-2020-2286
Severity (CVSS): High
Affected plugin: role-strategy
Description:

Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed up permission lookups.

In Role-based Authorization Strategy Plugin 3.0 and earlier this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being granted long after the configuration was changed to no longer grant them.

Role-based Authorization Strategy Plugin 3.1 properly invalidates the cache on configuration changes.

Request logging could be bypassed in Audit Trail Plugin

SECURITY-1815 / CVE-2020-2287
Severity (CVSS): Medium
Affected plugin: audit-trail
Description:

Audit Trail Plugin logs requests whose URL path matches an admin-configured regular expression.

A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in Audit Trail Plugin 3.6 and earlier. This only applies to Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, as the fix for SECURITY-1774 prohibits dispatch of affected requests.

Audit Trail Plugin 3.7 processes request URL paths the same way as the Stapler web framework.

Incorrect default pattern in Audit Trail Plugin

SECURITY-1846 / CVE-2020-2288
Severity (CVSS): Medium
Affected plugin: audit-trail
Description:

Audit Trail Plugin uses regular expressions to match requested URLs whose dispatch should be logged.

In Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.

Audit Trail Plugin 3.7 changes the default regular expression pattern so that it allows for arbitrary suffixes. It automatically will replace previous default patterns with the new, more complete default pattern.

Additionally, an administrative monitor is shown if a user-specified pattern is found to be bypassable through crafted URLs and form validation was improved to recognize patterns that would not match requests with arbitrary suffixes.

Stored XSS vulnerability in Active Choices Plugin

SECURITY-1954 / CVE-2020-2289
Severity (CVSS): High
Affected plugin: uno-choice
Description:

Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5 escapes the name of build parameters and applies the configured markup formatter to the description of build parameters.

Stored XSS vulnerability in Active Choices Plugin

SECURITY-2008 / CVE-2020-2290
Severity (CVSS): High
Affected plugin: uno-choice
Description:

Active Choices Plugin 2.4 and earlier does not escape List and Map return values of sandboxed scripts for Reactive Reference Parameter.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This issue is caused by an incomplete fix for SECURITY-470.

Active Choices Plugin 2.5 escapes all legal return values of sandboxed scripts.

Password stored in plain text by couchdb-statistics Plugin

SECURITY-2065 / CVE-2020-2291
Severity (CVSS): Low
Affected plugin: couchdb-statistics
Description:

couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

couchdb-statistics Plugin 0.4 stores its server password encrypted once its configuration is saved again.

Stored XSS vulnerability in Release Plugin

SECURITY-1928 / CVE-2020-2292
Severity (CVSS): High
Affected plugin: release
Description:

Release Plugin 2.10.2 and earlier does not escape the release version in the badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

As of publication of this advisory, there is no fix.

Arbitrary file read vulnerability in Persona Plugin

SECURITY-2046 / CVE-2020-2293
Severity (CVSS): Medium
Affected plugin: persona
Description:

Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Maven Cascade Release Plugin

SECURITY-2049 / CVE-2020-2294 (permission check), CVE-2020-2295 (CSRF)
Severity (CVSS): Medium
Affected plugin: maven-release-cascade
Description:

Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability in Shared Objects Plugin

SECURITY-2052 / CVE-2020-2296
Severity (CVSS): Medium
Affected plugin: shared-objects
Description:

Shared Objects Plugin 0.44 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to configure shared objects.

As of publication of this advisory, there is no fix.

Access token stored in plain text by SMS Notification Plugin

SECURITY-2054 / CVE-2020-2297
Severity (CVSS): Low
Affected plugin: sms
Description:

SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration.

This access token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

XXE vulnerability in Nerrvana Plugin

SECURITY-2097 / CVE-2020-2298
Severity (CVSS): High
Affected plugin: nerrvana-plugin
Description:

Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, XML parsing is exposed as a form validation endpoint that does not require POST requests, allowing exploitation by users without Overall/Read permission via CSRF.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • Active Choices Plugin up to and including 2.4
  • Audit Trail Plugin up to and including 3.6
  • couchdb-statistics Plugin up to and including 0.3
  • Maven Cascade Release Plugin up to and including 1.3.2
  • Nerrvana Plugin up to and including 1.02.06
  • Persona Plugin up to and including 2.4
  • Release Plugin up to and including 2.10.2
  • Role-based Authorization Strategy Plugin up to and including 3.0
  • Shared Objects Plugin up to and including 0.44
  • SMS Notification Plugin up to and including 1.2

Fix

  • Active Choices Plugin should be updated to version 2.5
  • Audit Trail Plugin should be updated to version 3.7
  • couchdb-statistics Plugin should be updated to version 0.4
  • Role-based Authorization Strategy Plugin should be updated to version 3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Maven Cascade Release Plugin
  • Nerrvana Plugin
  • Persona Plugin
  • Release Plugin
  • Shared Objects Plugin
  • SMS Notification Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-1846, SECURITY-2046, SECURITY-2097
  • Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for SECURITY-1815
  • Jeff Thompson, CloudBees, Inc. for SECURITY-2052
  • Long Nguyen, Viettel Cyber Security for SECURITY-2054, SECURITY-2065
  • Raihaan Shouhell, Autodesk, Inc for SECURITY-1767
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1928, SECURITY-1954, SECURITY-2008
  • Wadeck Follonier, CloudBees, Inc. and Jeff Thompson, CloudBees, Inc. for SECURITY-2049