Re: Multiple vulnerabilities in Jenkins plugins

[Daniel Beck <ml () beckweb net>]

> On 23. Oct 2017, at 14:20, Daniel Beck <ml () beckweb net> wrote:
>
> SECURITY-470
> Active Choices plugin allowed users with Job/Configure permission to
> provide arbitrary HTML to be shown on the Build With Parameters page
> through the Active Choices Reactive Reference Parameter type. This could
> include, for example, arbitrary JavaScript.


CVE-2017-1000386


> SECURITY-50
> Some URLs provided by global-build-stats plugin returned a JSON response 
> that contained request parameters. These responses had the 
> Content-Type: text/html, so could have been interpreted as HTML by clients,
> resulting in a potential reflected cross-site scripting vulnerability.
>
> Additionally, some URLs provided by global-build-stats plugin that modify 
> data did not require POST requests to be sent, resulting in a potential 
> cross-site request forgery vulnerability.


CVE-2017-1000389


> SECURITY-57
> Dependency Graph Viewer plugin did not perform permission checks for the 
> API endpoint that modifies the dependency graph, allowing anyone with 
> Overall/Read permission to modify this data.


CVE-2017-1000388


> SECURITY-378
> Build-Publisher plugin stores credentials to other Jenkins instances in the 
> file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins 
> master home directory. These credentials were stored unencrypted, allowing 
> anyone with local file system access to access them.
>
> Additionally, the credentials were also transmitted in plain text as part 
> of the configuration form. This could result in exposure of the API key 
> through browser extensions, cross-site scripting vulnerabilities, and 
> similar situations.


CVE-2017-1000387


> JENKINS-36333
> Multijob plugin did not check permissions in the Resume Build action, 
> allowing anyone with Job/Read permission to resume the build.


CVE-2017-1000390