Re: Multiple vulnerabilities in Jenkins plugins

[Daniel Beck <ml () beckweb net>]

> On 26. Mar 2018, at 13:22, Daniel Beck <ml () beckweb net> wrote:
>
> SECURITY-261
> GitHub Pull Request Builder Plugin stored serialized objects in `build.xml` 
> files that contained the credential used to poll Jenkins. This can be used 
> by users with master file system access to obtain GitHub credentials.
>
> Since 1.40.0, the plugin no longer stores serialized objects containing the 
> credential on disk.
>
> Builds started before the plugin was updated to 1.40.0 will retain the 
> encoded credentials on disk. We strongly recommend revoking old GitHub 
> credentials used in Jenkins.

CVE-2018-1000142


> SECURITY-262
> GitHub Pull Request Builder Plugin stored the webhook secret shared between 
> Jenkins and GitHub in plain text.
>
> This allowed users with Jenkins master local file system access and Jenkins 
> administrators to retrieve the stored password. The latter could result in 
> exposure of the passwords through browser extensions, cross-site scripting 
> vulnerabilities, and similar situations.
>
> GitHub Pull Request Builder Plugin 1.32.1 and newer stores the webhook 
> secret encrypted on disk.

CVE-2018-1000143


> SECURITY-308
> Cucumber Living Documentation Plugin disabled the 'Content-Security-Policy' 
> HTTP header XSS protection for files served by Jenkins until Jenkins was 
> restarted whenever a Cucumber peport was viewed by any user.
>
> This has been addressed in version 1.1.0 of the plugin, and it will now 
> request that users manually change the Content-Security-Policy option in 
> Jenkins.

CVE-2018-1000144


> SECURITY-373
> Perforce Plugin encrypts its credentials using DES and a public key stored 
> in its public source code, so it only serves as basic obfuscation. This 
> allowed users with Jenkins master local file system access and Jenkins 
> administrators to retrieve the stored password. The latter could result in 
> exposure of the passwords through browser extensions, cross-site scripting 
> vulnerabilities, and similar situations.
>
> As of publication of this advisory, there is no fix. The plugin has been 
> removed from publication at the request of its former maintainers.

CVE-2018-1000145


> SECURITY-504
> vSphere Plugin disabled SSL/TLS certificate validation unconditionally,
> allowing potential man-in-the-middle attacks.
>
> vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by
> default.

CVE-2018-1000151


> SECURITY-519
> Liquibase Runner Plugin allows users with Job/Configure permission to 
> configure its build step in a way that loads arbitrary class files into the 
> Jenkins master JVM, resulting in arbitrary code execution.
>
> As of publication of this advisory, there is no fix.

CVE-2018-1000146


> SECURITY-536
> Perforce Plugin implements its own credential encryption using DES and an 
> encryption key stored in its public source code. This is not considered a 
> secret by Jenkins, resulting in potential exposure of Perforce credentials 
> stored in job configurations to users with Extended Read permission.
> While these are encrypted, this can only be considered basic obfuscation 
> due to the hard-coded public encryption key used.
>
> As of publication of this advisory, there is no fix.

CVE-2018-1000147


> SECURITY-545
> Copy To Slave Plugin allows users with Job/Configure permissions to 
> configure it in such a way that it allows obtaining arbitrary files 
> accessible to the Jenkins master process from the Jenkins master file
> system.
>
> As of publication of this advisory, there is no fix.

CVE-2018-1000148


> SECURITY-630
> Ansible Plugin disabled host key verification by default, having it only as 
> an opt-in option.
>
> Ansible Plugin 1.0 now enables host key verification by default, adding 
> options allowing users to opt out.
>
> Existing configurations that previously did not opt into host key 
> verification will have host key verification enabled after update, possibly 
> resulting in failures.

CVE-2018-1000149


> SECURITY-736
> Reverse Proxy Auth Plugin persisted a cache of granted authorities (group 
> memberships) on disk.
>
> This could allow users with local Jenkins master file system access to 
> obtain group membership information of Jenkins users.

CVE-2018-1000150


> SECURITY-745
> vSphere Plugin did not perform permission checks on methods implementing 
> form validation. This allowed users with Overall/Read access to Jenkins to 
> perform various actions such as:
>
> * Connect to an attacker-specified vSphere server using attacker-specified 
>  credentials IDs obtained through another method, capturing credentials 
>  stored in Jenkins
> * Connect to configured vSphere servers and looking up information, 
>  potentially resulting in denial of service
>
> Additionally, these form validation methods did not require POST requests, 
> resulting in a CSRF vulnerability.
>
> These form validation methods now require POST requests and appropriate 
> user permissions.

CVE-2018-1000152 (improper authorization) and CVE-2018-1000153 (CSRF)