oss-sec mailing list archives
Re: Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Thu, 28 Mar 2019 19:53:45 +0100
On 25. Mar 2019, at 16:09, Daniel Beck <ml () beckweb net> wrote:

> SECURITY-1353 Sandbox protection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types.
CVE-2019-1003040 (Script Security) and CVE-2019-1003041 (Pipeline: Groovy)
> SECURITY-1361 Lockable Resources Plugin did not properly escape resource names in generated JavaScript code, thus leading to a cross-site scripting (XSS) vulnerability.
CVE-2019-1003042
> SECURITY-976 [Slack Notification Plugin] did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
CVE-2019-1003043
> Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
CVE-2019-1003044
> SECURITY-846 ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml files and its global configuration file on the Jenkins master. This token could be viewed by users with Extended Read permission, or access to the master file system.
CVE-2019-1003045
> SECURITY-992 A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server.
CVE-2019-1003047
> Additionally, the form validation methods did not require POST requests, resulting in a CSRF vulnerability.
CVE-2019-1003046
> SECURITY-1089 PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins master. This password could be viewed by users with access to the master file system.
CVE-2019-1003048
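The two plugin-side defects that recur in this advisory, a form validation method reachable over GET with no permission check (SECURITY-976, SECURITY-992) and a secret persisted as a plain string (SECURITY-846, SECURITY-1089), both have a standard fix on the Jenkins plugin API. The following is an added example written for this page; it is not code from the Jenkins project or from any plugin named above. The class, field and helper names (ExampleGlobalConfig, apiToken, lookupTokenById, probe) are assumed, and the credentials lookup is a labelled stand-in rather than the Credentials plugin API.

```java
// Added example; not code from the Jenkins project or from any plugin in the advisory.
// Names (ExampleGlobalConfig, apiToken, lookupTokenById, probe) are assumed.
package example;

import hudson.Extension;
import hudson.model.Item;
import hudson.util.FormValidation;
import hudson.util.Secret;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleGlobalConfig extends GlobalConfiguration {

    // WEAK (SECURITY-846 / SECURITY-1089 pattern): a String field is serialised
    // verbatim into the plugin's XML file under JENKINS_HOME, so anyone who can
    // read the master file system, or the config via Extended Read, sees the token:
    //
    //     private String apiToken;
    //
    // HARDENED: hudson.util.Secret is persisted in its encrypted form and is
    // only decrypted in memory when the plugin calls getPlainText().
    private Secret apiToken;

    public ExampleGlobalConfig() {
        load(); // restore persisted values from the XML file on startup
    }

    public Secret getApiToken() {
        return apiToken;
    }

    @DataBoundSetter
    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save();
    }

    // WEAK (SECURITY-976 / SECURITY-992 pattern): any Overall/Read user can call
    // this with a GET, and a cross-site page can trigger it as well, so Jenkins
    // connects to a caller-chosen URL with a caller-chosen credentials ID:
    //
    //     public FormValidation doTestConnection(@QueryParameter String url,
    //                                            @QueryParameter String credentialsId) {
    //         return probe(url, lookupTokenById(credentialsId));
    //     }
    //
    // HARDENED: POST only (so the CSRF crumb is enforced), and an explicit
    // permission check before anything leaves the master or touches a secret.
    // On the global configuration page 'item' is null; on a job's configuration
    // page Stapler injects that job, and Item/Configure on it is required.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId,
                                           @AncestorInPath Item item) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        Secret token = lookupTokenById(credentialsId);
        if (token == null) {
            return FormValidation.error("Unknown credentials ID");
        }
        return probe(url, token);
    }

    // Constructed stand-in for a credentials lookup (a real plugin would query the
    // Credentials plugin here). Only the configured token is "known"; anything else
    // resolves to null so the endpoint cannot be used to try arbitrary IDs.
    private Secret lookupTokenById(String credentialsId) {
        return "api-token".equals(credentialsId) ? apiToken : null;
    }

    // The connection test itself. Restricting the scheme to https keeps the
    // endpoint from being turned into a probe of arbitrary internal plain-HTTP services.
    private FormValidation probe(String url, Secret token) {
        try {
            URL target = new URL(url);
            if (!"https".equals(target.getProtocol())) {
                return FormValidation.error("Only https URLs are allowed");
            }
            HttpURLConnection conn = (HttpURLConnection) target.openConnection();
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestMethod("HEAD");
            conn.setRequestProperty("Authorization", "Bearer " + token.getPlainText());
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected (HTTP " + status + ")")
                    : FormValidation.error("Server returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

Two things are worth checking in a plugin review against this shape: every `do*` method that performs a network request or reads a credential carries `@RequirePOST` and a permission check before the first side effect, and every field that holds a token or password is typed `Secret` (or encrypted equivalently) rather than `String`, so that the value written to config.xml and the global configuration file is the encrypted form.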