Jenkins Security Advisory 2020-12-03

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

XXE vulnerability in CVS Plugin

SECURITY-2146 / CVE-2020-2324
Severity (CVSS): High
Affected plugin: cvs
Description:

CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CVS Plugin 2.17 disables external entity resolution for its XML parser.
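The fix described above is a parser-configuration change. The following is an added example (not the CVS Plugin's own code) of how a plugin can parse a changelog-style XML document with external entity resolution and DOCTYPE declarations disabled, using plain JAXP so it runs outside Jenkins; the class name `SafeChangelogParser` and the sample documents are constructed for illustration. Inside Jenkins, core's `jenkins.util.xml.XMLUtils.parse(Reader)` applies the same hardening and is the helper plugins are normally expected to use.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical helper, not the plugin's own parser class.
public class SafeChangelogParser {

    // Build a DocumentBuilder that refuses DOCTYPE declarations and never resolves
    // external entities or external DTDs, which is what closes the XXE class.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse changelog XML supplied by an agent; content from an agent is untrusted input.
    static Document parseChangelog(String xml) throws Exception {
        return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a benign changelog-like document.
        String benign = "<changelog><entry><author>alice</author><msg>fix</msg></entry></changelog>";
        Document d = parseChangelog(benign);
        System.out.println("parsed root element: " + d.getDocumentElement().getTagName());

        // Constructed sample carrying a DOCTYPE (here only an internal entity). The hardened
        // builder rejects any DOCTYPE before entity resolution can happen at all.
        String withDoctype = "<!DOCTYPE changelog [<!ENTITY x \"y\">]><changelog>&x;</changelog>";
        try {
            parseChangelog(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE entirely is the stronger setting; the two `external-*-entities` features and `load-external-dtd` are kept as defence in depth for parsers where the DOCTYPE feature is not honoured.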

Plugin Installation Manager Tool did not verify plugin downloads

SECURITY-1856 / CVE-2020-2320
Severity (CVSS): High
Description:

Plugin Installation Manager Tool is part of the Jenkins project Docker images. As jenkins-plugin-cli it is used to download and install plugins even before Jenkins is running.

Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. This may allow third parties such as mirror operators to provide crafted plugin downloads.

Plugin Installation Manager Tool 2.2.0 confirms that the actual checksums of downloaded plugins match the expected checksums.
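To show what "confirming that actual checksums match expected checksums" involves, here is an added example (not the tool's own code) that computes SHA-256 over a downloaded plugin archive and compares it to the expected digest before the file is accepted. The class `PluginChecksumCheck`, its helpers and the "abc" stand-in for a download are constructed for illustration; the expected value is the well-known SHA-256 of the string "abc".

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper class, not part of Plugin Installation Manager Tool.
public class PluginChecksumCheck {

    // Decode a hex-encoded digest as published alongside the plugin metadata.
    static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex digest");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Returns true only if SHA-256(download) equals the expected digest.
    // The comparison uses MessageDigest.isEqual, which is constant-time, rather than
    // Arrays.equals or String.equals.
    static boolean verifySha256(byte[] download, String expectedHex) throws NoSuchAlgorithmException {
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(download);
        return MessageDigest.isEqual(actual, fromHex(expectedHex));
    }

    // Only install when the digest matches; a mismatch is treated as a failed download.
    static void installIfVerified(byte[] download, String expectedHex) throws NoSuchAlgorithmException {
        if (!verifySha256(download, expectedHex)) {
            throw new SecurityException("plugin download failed checksum verification; not installing");
        }
        System.out.println("checksum verified, proceeding with install");
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a downloaded .hpi: the bytes of "abc".
        byte[] download = "abc".getBytes(StandardCharsets.US_ASCII);
        String expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        installIfVerified(download, expected);

        // A single flipped bit in the download must be refused.
        byte[] tampered = download.clone();
        tampered[0] ^= 0x01;
        try {
            installIfVerified(tampered, expected);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The expected digest must come from a source the client already trusts (the update-center metadata it fetched over a verified channel), not from the same mirror that served the archive; otherwise a mirror operator could supply both a modified file and a matching digest.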

Docker images of Jenkins 2.269 and 2.263.1 contain Plugin Installation Manager Tool 2.2.0. Users of older Docker images can change the version they use by extending the Jenkins image and updating the tool themselves with:

ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
RUN curl -fsSL ${PLUGIN_CLI_URL} -o /usr/lib/jenkins-plugin-manager.jar

Jenkinsfile Runner 1.0-beta-22 Docker images also include Plugin Installation Manager Tool 2.2.0.

CSRF vulnerability in Shelve Project Plugin

SECURITY-2108 / CVE-2020-2321
Severity (CVSS): High
Affected plugin: shelve-project-plugin
Description:

Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to shelve, unshelve, or delete a project.

Shelve Project Plugin 3.1 requires POST requests for the affected HTTP endpoints.

Missing permission checks in Chaos Monkey Plugin

SECURITY-2109 (1) / CVE-2020-2322
Severity (CVSS): Medium
Affected plugin: chaos-monkey
Description:

Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to generate load and to generate memory leaks.

Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and to generate memory leaks.

Missing permission checks in Chaos Monkey Plugin

SECURITY-2109 (2) / CVE-2020-2323
Severity (CVSS): Medium
Affected plugin: chaos-monkey
Description:

Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.

Chaos Monkey Plugin 0.4.1 requires Overall/Administer permission to access the Chaos Monkey page and to see the history of actions.
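The Shelve Project fix (requiring POST for state-changing endpoints) and the two Chaos Monkey fixes (requiring Overall/Administer both for actions and for viewing the page and its history) are the same two Jenkins plugin patterns. The following added example (not code from either plugin) shows a hypothetical root action `GuardedMaintenanceAction` applying both: `@RequirePOST` on the state-changing web method so that Jenkins' CSRF crumb check applies, and `checkPermission(Jenkins.ADMINISTER)` at the top of every web method, including the GET page. The URL name, the `kind` parameter and the in-memory history list are constructed for illustration.

```java
import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical root action, not from any plugin named in the advisory. It exposes
// one page (GET) and one state-changing action (POST), both restricted to Overall/Administer.
@Extension
public class GuardedMaintenanceAction implements RootAction {

    // Constructed in-memory record of triggered actions, standing in for a "history of actions".
    private final List<String> history = Collections.synchronizedList(new ArrayList<>());

    @Override public String getIconFileName() {
        // Returning null only hides the sidebar link for users without the permission;
        // it does not protect the URL. Enforcement is done in the web methods below.
        return Jenkins.get().hasPermission(Jenkins.ADMINISTER) ? "gear.png" : null;
    }

    @Override public String getDisplayName() { return "Guarded maintenance"; }

    @Override public String getUrlName() { return "guarded-maintenance"; }

    // GET /guarded-maintenance/ renders the page and its history. The permission check
    // comes before anything is written; checkPermission throws AccessDeniedException
    // for a caller who lacks it, so a user with only Overall/Read gets no content.
    public void doIndex(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        rsp.setContentType("text/plain;charset=UTF-8");
        rsp.getWriter().println("history: " + history);
    }

    // POST /guarded-maintenance/trigger changes state. @RequirePOST rejects non-POST
    // requests, so the request cannot be triggered by a plain link or image load and the
    // CSRF crumb check that Jenkins applies to POST always runs; checkPermission then
    // limits who may trigger it at all.
    @RequirePOST
    public HttpResponse doTrigger(StaplerRequest req) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        String kind = req.getParameter("kind");
        history.add(kind == null ? "unspecified" : kind);
        return HttpResponses.redirectToDot();
    }
}
```

Both checks are needed: `@RequirePOST` alone still lets any authenticated user with a valid crumb call the endpoint, and `checkPermission` alone still allows a cross-site GET to trigger the action on behalf of a logged-in administrator.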

Severity

Affected Versions

  • Chaos Monkey Plugin up to and including 0.3
  • Chaos Monkey Plugin up to and including 0.4
  • CVS Plugin up to and including 2.16
  • Shelve Project Plugin up to and including 3.0
  • Plugin Installation Manager Tool up to and including 2.1.3

Fix

  • Chaos Monkey Plugin should be updated to version 0.4
  • Chaos Monkey Plugin should be updated to version 0.4.1
  • CVS Plugin should be updated to version 2.17
  • Shelve Project Plugin should be updated to version 3.1
  • Plugin Installation Manager Tool should be updated to version 2.2.0

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-1856, SECURITY-2146