Re: Multiple vulnerabilities in Jenkins plugins

[Daniel Beck <ml () beckweb net>]

> On 3. Apr 2019, at 15:55, Daniel Beck <ml () beckweb net> wrote:
>
> SECURITY-829
> IRC Plugin stores credentials unencrypted in its global configuration file 
> hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins master. These 
> credentials can be viewed by users with access to the master file system.

CVE-2019-1003051

> SECURITY-831
> AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its 
> global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.
> AWSEBPublisher.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-1003052

> SECURITY-837
> Jira Issue Updater Plugin stores credentials unencrypted in job config.xml 
> files on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.

CVE-2019-1003054

> SECURITY-839
> HockeyApp Plugin stores credentials unencrypted in job config.xml files on 
> the Jenkins master. These credentials can be viewed by users with Extended 
> Read permission, or access to the master file system.

CVE-2019-1003053

> SECURITY-954
> FTP publisher Plugin stores credentials unencrypted in its global 
> configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins 
> master. These credentials can be viewed by users with access to the master 
> file system.

CVE-2019-1003055

> SECURITY-956
> WebSphere Deployer Plugin stores credentials unencrypted in job config.xml 
> files on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.

CVE-2019-1003056

> SECURITY-965
> Bitbucket Approve Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.
> xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-1003057

> SECURITY-974
> A missing permission check in a form validation method in FTP publisher 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified FTP server with attacker-specified credentials.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003058 (CSRF) and CVE-2019-1003059 (permission check)

> SECURITY-1041
> Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins 
> master. These credentials can be viewed by users with access to the master 
> file system.

CVE-2019-1003060

> SECURITY-1042
> jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job 
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.

CVE-2019-1003061

> SECURITY-830
> AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its 
> global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml 
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-1003062

> SECURITY-832
> Amazon SNS Build Notifier Plugin stores credentials unencrypted in its 
> global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.
> xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-1003063

> SECURITY-835
> aws-device-farm Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.
> xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-1003064

> SECURITY-838
> CloudShare Docker-Machine Plugin stores credentials unencrypted in its 
> global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml 
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-1003065

> SECURITY-841
> Bugzilla Plugin stores credentials unencrypted in its global configuration 
> file hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins 
> master. These credentials can be viewed by users with access to the master 
> file system.

CVE-2019-1003066

> SECURITY-842
> Trac Publisher Plugin stores credentials unencrypted in job config.xml files 
> on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.

CVE-2019-1003067

> SECURITY-945
> VMware vRealize Automation Plugin stores credentials unencrypted in job 
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.

CVE-2019-1003068

> SECURITY-949
> Aqua Security Scanner Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.
> AquaDockerScannerBuilder.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-1003069

> SECURITY-952
> veracode-scanner Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-1003070

> SECURITY-957
> OctopusDeploy Plugin stores credentials unencrypted in its global 
> configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on 
> the Jenkins master. These credentials can be viewed by users with access to 
> the master file system.

CVE-2019-1003071

> SECURITY-961
> WildFly Deployer Plugin stores deployment credentials unencrypted in job 
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.

CVE-2019-1003072

> SECURITY-962
> VS Team Services Continuous Deployment Plugin stores credentials unencrypted 
> in job config.xml files on the Jenkins master. These credentials can be 
> viewed by users with Extended Read permission, or access to the master file 
> system.

CVE-2019-1003073

> SECURITY-964
> Hyper.sh Commons Plugin stores credentials unencrypted in its global 
> configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins 
> master. These credentials can be viewed by users with access to the master 
> file system.

CVE-2019-1003074

> SECURITY-966
> Audit to Database Plugin stores database credentials unencrypted in its 
> global configuration file audit2db.xml on the Jenkins master. These 
> credentials can be viewed by users with access to the master file system.

CVE-2019-1003075

> SECURITY-977
> A missing permission check in a form validation method in Audit to Database 
> Plugin allows users with Overall/Read permission to initiate a JDBC database 
> connection test to an attacker-specified server with attacker-specified 
> credentials.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003076 (CSRF) and CVE-2019-1003077 (permission check)

> SECURITY-979
> A missing permission check in a form validation method in VMware Lab Manager 
> Slaves Plugin allows users with Overall/Read permission to initiate a Lab 
> Manager connection test to an attacker-specified server with attacker-
> specified credentials and settings.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

2019-1003078 (CSRF) and CVE-2019-1003079 (permission check)

> SECURITY-981
> A missing permission check in a form validation method in OpenShift Deployer 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified server with attacker-specified credentials.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003080 (CSRF) and CVE-2019-1003081 (permission check)

> SECURITY-991
> A missing permission check in a form validation method in Gearman Plugin 
> allows users with Overall/Read permission to initiate a connection test to 
> an attacker-specified server.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003082 (CSRF) and CVE-2019-1003083 (permission check)

> SECURITY-993
> A missing permission check in a form validation method in Zephyr Enterprise 
> Test Management Plugin allows users with Overall/Read permission to initiate 
> a connection test to an attacker-specified server with attacker-specified 
> credentials.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003084 (CSRF) and CVE-2019-1003085 (permission check)

> SECURITY-1037
> A missing permission check in a form validation method in Chef Sinatra 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified server.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003086 (CSRF) and CVE-2019-1003087 (permission check)

> SECURITY-1043
> Fabric Beta Publisher Plugin stores credentials unencrypted in job 
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.

CVE-2019-1003088

> SECURITY-1044
> Upload to pgyer Plugin stores credentials unencrypted in job config.xml 
> files on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.

CVE-2019-1003089

> SECURITY-1054
> A missing permission check in a form validation method in SOASTA CloudTest 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified URL with attacker-specified credentials and 
> SSH key store options.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003090 (CSRF) and CVE-2019-1003091 (permission check)

> SECURITY-1058
> A missing permission check in a form validation method in Nomad Plugin 
> allows users with Overall/Read permission to initiate a connection test to 
> an attacker-specified URL.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003092 (CSRF) and CVE-2019-1003093 (permission check)

> SECURITY-1059
> Open STF Plugin stores credentials unencrypted in its global configuration 
> file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins master. These 
> credentials can be viewed by users with access to the master file system.

CVE-2019-1003094

> SECURITY-1061
> Perfecto Mobile Plugin stores credentials unencrypted in its global 
> configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on 
> the Jenkins master. These credentials can be viewed by users with access to 
> the master file system.

CVE-2019-1003095

> SECURITY-1062
> TestFairy Plugin stores credentials unencrypted in job config.xml files on 
> the Jenkins master. These credentials can be viewed by users with Extended 
> Read permission, or access to the master file system.

CVE-2019-1003096

> SECURITY-1069
> Crowd Integration Plugin stores credentials unencrypted in the global 
> configuration file config.xml on the Jenkins master. These credentials can 
> be viewed by users with access to the master file system.

CVE-2019-1003097

> SECURITY-1084
> A missing permission check in a form validation method in openid Plugin 
> allows users with Overall/Read permission to initiate a connection test to 
> an attacker-specified URL.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-1003098 (CSRF) and CVE-2019-1003099 (permission check)

> SECURITY-1085
> StarTeam Plugin stores credentials unencrypted in job config.xml files on 
> the Jenkins master. These credentials can be viewed by users with Extended 
> Read permission, or access to the master file system.

CVE-2019-10277

> SECURITY-1091
> A missing permission check in a form validation method in jenkins-reviewbot 
> Plugin allows users with Overall/Read permission to initiate a connection 
> test to an attacker-specified URL with attacker-specified credentials.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-10278 (CSRF) and CVE-2019-10279 (permission check)

> SECURITY-1093
> Assembla Auth Plugin stores credentials unencrypted in the global 
> configuration file config.xml on the Jenkins master. These credentials can 
> be viewed by users with access to the master file system.

CVE-2019-10280

> SECURITY-828
> Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted 
> in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-10281

> SECURITY-843
> Klaros-Testmanagement Plugin stores credentials unencrypted in job
> config.xml files on the Jenkins master. These credentials can be viewed by 
> users with Extended Read permission, or access to the master file system.

CVE-2019-10282

> SECURITY-946
> mabl Plugin stores credentials unencrypted in job config.xml files on the 
> Jenkins master. These credentials can be viewed by users with Extended Read 
> permission, or access to the master file system.

CVE-2019-10283

> SECURITY-947
> Diawi Upload Plugin stores credentials unencrypted in job config.xml files 
> on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.

CVE-2019-10284

> SECURITY-955
> Minio Storage Plugin stores credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the 
> Jenkins master. These credentials can be viewed by users with access to the 
> master file system.

CVE-2019-10285

> SECURITY-959
> DeployHub Plugin stores credentials unencrypted in job config.xml files on 
> the Jenkins master. These credentials can be viewed by users with Extended 
> Read permission, or access to the master file system.

CVE-2019-10286

> SECURITY-963
> youtrack-plugin Plugin stored credentials unencrypted in its global 
> configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml
> on the Jenkins master. These credentials could be viewed by users with 
> access to the master file system.

CVE-2019-10287

> SECURITY-1031
> Jabber Server Plugin stores credentials unencrypted in its global 
> configuration file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins master.
> These credentials can be viewed by users with access to the master file 
> system.

CVE-2019-10288

> SECURITY-1032
> A missing permission check in a form validation method in Netsparker Cloud 
> Scan Plugin allowed users with Overall/Read permission to initiate a 
> connection test to an attacker-specified server with attacker-specified API 
> token.
>
> Additionally, the form validation method did not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-10289 (CSRF) and CVE-2019-10290 (permission check)

> SECURITY-1040
> Netsparker Cloud Scan Plugin stored credentials unencrypted in its global 
> configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the 
> Jenkins master. These credentials could be viewed by users with access to 
> the master file system.

CVE-2019-10291

> SECURITY-1055
> A missing permission check in a form validation method in Kmap Plugin allows 
> users with Overall/Read permission to initiate a connection test to an 
> attacker-specified server with attacker-specified credentials.
>
> Additionally, the form validation method does not require POST requests, 
> resulting in a CSRF vulnerability.

CVE-2019-10292 (CSRF) and CVE-2019-10293 (permission check)

> SECURITY-1056
> Kmap Plugin stores credentials unencrypted in job config.xml files on the 
> Jenkins master. These credentials can be viewed by users with Extended Read 
> permission, or access to the master file system.

CVE-2019-10294

> SECURITY-1063
> crittercism-dsym Plugin stores credentials unencrypted in job config.xml 
> files on the Jenkins master. These credentials can be viewed by users with 
> Extended Read permission, or access to the master file system.

CVE-2019-10295

> SECURITY-1066
> Serena SRA Deploy Plugin stores credentials unencrypted in its global 
> configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-10296

> SECURITY-1090
> Sametime Plugin stores credentials unencrypted in its global configuration 
> file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the 
> Jenkins master. These credentials can be viewed by users with access to the 
> master file system.

CVE-2019-10297

> SECURITY-1092
> Koji Plugin stores credentials unencrypted in its global configuration file 
> org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins master. These 
> credentials can be viewed by users with access to the master file system.

CVE-2019-10298

> SECURITY-960
> CloudCoreo DeployTime Plugin stores credentials unencrypted in its global 
> configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml 
> on the Jenkins master. These credentials can be viewed by users with access 
> to the master file system.

CVE-2019-10299