oss-sec mailing list archives
Re: Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Sat, 18 Nov 2017 08:26:09 +0100
On 23. Oct 2017, at 14:20, Daniel Beck <ml () beckweb net> wrote:

> SECURITY-470 Active Choices plugin allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the Build With Parameters page through the Active Choices Reactive Reference Parameter type. This could include, for example, arbitrary JavaScript.

CVE-2017-1000386

> SECURITY-50 Some URLs provided by global-build-stats plugin returned a JSON response that contained request parameters. These responses had the Content-Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability.

CVE-2017-1000389

> SECURITY-57 Dependency Graph Viewer plugin did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data.

CVE-2017-1000388

> SECURITY-378 Build-Publisher plugin stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the API key through browser extensions, cross-site scripting vulnerabilities, and similar situations.

CVE-2017-1000387

> JENKINS-36333 Multijob plugin did not check permissions in the Resume Build action, allowing anyone with Job/Read permission to resume the build.

CVE-2017-1000390
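The four defect classes in the advisory above (a state-changing URL reachable by GET, a missing permission check on it, JSON echoing a request parameter served as text/html, and a credential persisted in plain text) side by side with the hardened form, as an added Java example that is not from the advisory or from any of the named plugins. The class name, the action URL, the `edge` and `q` parameters and the choice of Item.CONFIGURE as the required permission are assumptions.

```java
import hudson.model.Action;
import hudson.model.Item;
import hudson.model.Job;
import hudson.util.Secret;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.io.IOException;

/** Hypothetical job-level action; names and parameters are assumptions. */
public class HardenedGraphAction implements Action {
    private final Job<?, ?> job;
    // Stored as a Secret: Jenkins persists its encrypted form rather than the
    // plain text, and the config form's password field renders the encrypted value.
    private Secret remoteApiToken;

    public HardenedGraphAction(Job<?, ?> job) { this.job = job; }

    public String getIconFileName() { return null; }  // no sidebar link
    public String getDisplayName() { return "Hardened graph"; }
    public String getUrlName() { return "hardened-graph"; }

    // BEFORE (the SECURITY-57 / JENKINS-36333 pattern): a plain GET from any
    // user who can reach the job mutates state, with no permission check at all.
    public void doModify(@QueryParameter String edge) { /* mutate graph */ }

    // AFTER: Stapler rejects non-POST requests (which also blocks the
    // simple-link CSRF vector) and the job's own ACL is consulted first.
    @RequirePOST
    public void doModifyHardened(@QueryParameter String edge) {
        job.checkPermission(Item.CONFIGURE);  // throws AccessDeniedException otherwise
        /* mutate graph */
    }

    // JSON that reflects a request parameter: declare the type explicitly so a
    // browser never interprets the body as HTML (the SECURITY-50 pattern).
    public void doData(StaplerRequest req, StaplerResponse rsp,
                       @QueryParameter String q) throws IOException {
        job.checkPermission(Item.READ);
        JSONObject out = new JSONObject().element("query", q);
        rsp.setContentType("application/json;charset=UTF-8");
        rsp.getWriter().write(out.toString());
    }

    public Secret getRemoteApiToken() { return remoteApiToken; }
    public void setRemoteApiToken(String plain) { remoteApiToken = Secret.fromString(plain); }
}
```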