
Jenkins official site security update (2020-02-12)

Source: Jenkins official site    Published: 2020-02-12

Basic information

Release date: 2020-02-12 (vendor local time)

Update type: security update

Update version: unknown

Detected at: 2020-02-12 22:30:05

Risk level: high

Intelligence contributor: TSRC

Update title

Jenkins Security Advisory 2020-02-12

Update details

Sandbox bypass via default method parameter expression in Pipeline: Groovy Plugin
SECURITY-1710 / CVE-2020-2109

Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods. This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins master JVM.

These expressions are subject to sandbox protection in Pipeline: Groovy Plugin 2.79.

Sandbox bypass vulnerability in Script Security Plugin
SECURITY-1713 / CVE-2020-2110

Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations.

This affects both script execution (typically invoked from other plugins like Pipeline) as well as HTTP endpoints providing sandboxed script validation. Users with Overall/Read permission can exploit this to bypass sandbox protection and execute arbitrary code on the Jenkins master.

This issue is due to an incomplete fix of SECURITY-1266.

Script Security Plugin 1.70 disallows all known unsafe AST transformations on imports or when used inside of other annotations.

Stored XSS vulnerability in Subversion Plugin
SECURITY-1725 / CVE-2020-2111

Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines.

Subversion Plugin 2.13.1 escapes the affected part of the error message.

Multiple stored XSS vulnerabilities in Git Parameter Plugin
SECURITY-1709 / CVE-2020-2112 (parameter name), CVE-2020-2113 (default value)

Git Parameter Plugin 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

Git Parameter Plugin 0.9.12 escapes the parameter name and default value shown on the UI.

Credential transmitted in plain text by S3 publisher Plugin
SECURITY-1684 / CVE-2020-2114

S3 publisher Plugin stores a secret key in its global configuration. While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 publisher Plugin 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

S3 publisher Plugin 0.11.5 transmits the secret key in its global configuration encrypted.

XXE vulnerability in NUnit Plugin
SECURITY-1752 / CVE-2020-2115

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML parser.

CSRF vulnerability and missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials
SECURITY-812 (1) / CVE-2020-2116 (CSRF), CVE-2020-2117 (missing permission check)

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

This form validation method requires POST requests and Item/Configure permission in Pipeline GitHub Notify Step Plugin 1.0.5.

Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin
SECURITY-812 (2) / CVE-2020-2118

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline GitHub Notify Step Plugin 1.0.5 requires the permission to configure a project.

Client secret transmitted in plain text by Azure AD Plugin
SECURITY-1717 / CVE-2020-2119

Azure AD Plugin stores a client secret in its global configuration. While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

XXE vulnerability in FitNesse Plugin
SECURITY-1751 / CVE-2020-2120

FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.

FitNesse Plugin 1.31 disables external entity processing for its XML parser.

RCE vulnerability in Google Kubernetes Engine Plugin
SECURITY-1731 / CVE-2020-2121

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin's build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

Stored XSS vulnerability in Brakeman Plugin
SECURITY-1644 / CVE-2020-2122

Brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability. This vulnerability can be exploited by users able to control the Brakeman post-build step input data.

Brakeman Plugin 0.13 escapes affected values from the parsed file as they are recorded.

Note: This fix is only applied to newly recorded data after a fixed version of the plugin is installed; historical data may still contain unsafe values.

RCE vulnerability in RadarGun Plugin
SECURITY-1733 / CVE-2020-2123

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin's build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

Password stored in plain text by Dynamic Extended Choice Parameter Plugin
SECURITY-1560 / CVE-2020-2124

Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Credentials stored in plain text by Debian Package Builder Plugin
SECURITY-1558 / CVE-2020-2125

Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins master. This credential can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Token stored in plain text by DigitalOcean Plugin
SECURITY-1559 / CVE-2020-2126

DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration. This credential can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Credential stored in plain text by BMC Release Package and Deployment Plugin
SECURITY-1547 / CVE-2020-2127

BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins master. This credential can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by ECX Copy Data Management Plugin
SECURITY-1549 / CVE-2020-2128

ECX Copy Data Management Plugin 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by Eagle Tester Plugin
SECURITY-1552 / CVE-2020-2129

Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins master. This credential can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.

Passwords stored in plain text by Harvest SCM Plugin
SECURITY-1553 / CVE-2020-2130 (global configuration), CVE-2020-2131 (job configuration)

Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the master file system (both).

As of publication of this advisory, there is no fix.

Password stored in plain text by Parasoft Environment Manager Plugin
SECURITY-1562 / CVE-2020-2132

Parasoft Environment Manager Plugin 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by Applatix Plugin
SECURITY-1540 / CVE-2020-2133

Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Severity

SECURITY-812 (1): High
SECURITY-812 (2): Medium
SECURITY-1540: Medium
SECURITY-1547: Low
SECURITY-1549: Medium
SECURITY-1552: Low
SECURITY-1553: Medium
SECURITY-1558: Low
SECURITY-1559: Low
SECURITY-1560: Medium
SECURITY-1562: Medium
SECURITY-1644: Medium
SECURITY-1684: Low
SECURITY-1709: Medium
SECURITY-1710: High
SECURITY-1713: High
SECURITY-1717: Low
SECURITY-1725: Medium
SECURITY-1731: High
SECURITY-1733: High
SECURITY-1751: High
SECURITY-1752: High

Affected Versions

Applatix Plugin: up to and including 1.1
Azure AD Plugin: up to and including 1.1.2
BMC Release Package and Deployment Plugin: up to and including 1.1
Brakeman Plugin: up to and including 0.12
Debian Package Builder Plugin: up to and including 1.6.11
DigitalOcean Plugin: up to and including 1.1
Dynamic Extended Choice Parameter Plugin: up to and including 1.0.1
Eagle Tester Plugin: up to and including 1.0.9
ECX Copy Data Management Plugin: up to and including 1.9
FitNesse Plugin: up to and including 1.30
Git Parameter Plugin: up to and including 0.9.11
Google Kubernetes Engine Plugin: up to and including 0.8.0
Harvest SCM Plugin: up to and including 0.5.1
NUnit Plugin: up to and including 0.25
Parasoft Environment Manager Plugin: up to and including 2.14
Pipeline GitHub Notify Step Plugin: up to and including 1.0.4
Pipeline: Groovy Plugin: up to and including 2.78
RadarGun Plugin: up to and including 1.7
S3 publisher Plugin: up to and including 0.11.4
Script Security Plugin: up to and including 1.69
Subversion Plugin: up to and including 2.13.0

Fix

Azure AD Plugin: should be updated to version 1.2.0
Brakeman Plugin: should be updated to version 0.13
FitNesse Plugin: should be updated to version 1.31
Git Parameter Plugin: should be updated to version 0.9.12
Google Kubernetes Engine Plugin: should be updated to version 0.8.1
NUnit Plugin: should be updated to version 0.26
Pipeline GitHub Notify Step Plugin: should be updated to version 1.0.5
Pipeline: Groovy Plugin: should be updated to version 2.79
RadarGun Plugin: should be updated to version 1.8
S3 publisher Plugin: should be updated to version 0.11.5
Script Security Plugin: should be updated to version 1.70
Subversion Plugin: should be updated to version 2.13.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

Applatix Plugin
BMC Release Package and Deployment Plugin
Debian Package Builder Plugin
DigitalOcean Plugin
Dynamic Extended Choice Parameter Plugin
Eagle Tester Plugin
ECX Copy Data Management Plugin
Harvest SCM Plugin
Parasoft Environment Manager Plugin
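
As an added example (not code from the advisory or from the Jenkins project), the Python below encodes the affected and fixed versions this advisory lists and checks a constructed inventory of installed plugins against them, keyed by the plugin display names the advisory uses; plugins the advisory does not name are left out of the verdicts.

```python
import re
# Last affected / first fixed version per plugin (None = no fix at publication),
# keyed by the display names used in Jenkins Security Advisory 2020-02-12.
ADVISORY_2020_02_12 = {
    "Applatix": ("1.1", None),
    "Azure AD": ("1.1.2", "1.2.0"),
    "BMC Release Package and Deployment": ("1.1", None),
    "Brakeman": ("0.12", "0.13"),
    "Debian Package Builder": ("1.6.11", None),
    "DigitalOcean": ("1.1", None),
    "Dynamic Extended Choice Parameter": ("1.0.1", None),
    "Eagle Tester": ("1.0.9", None),
    "ECX Copy Data Management": ("1.9", None),
    "FitNesse": ("1.30", "1.31"),
    "Git Parameter": ("0.9.11", "0.9.12"),
    "Google Kubernetes Engine": ("0.8.0", "0.8.1"),
    "Harvest SCM": ("0.5.1", None),
    "NUnit": ("0.25", "0.26"),
    "Parasoft Environment Manager": ("2.14", None),
    "Pipeline GitHub Notify Step": ("1.0.4", "1.0.5"),
    "Pipeline: Groovy": ("2.78", "2.79"),
    "RadarGun": ("1.7", "1.8"),
    "S3 publisher": ("0.11.4", "0.11.5"),
    "Script Security": ("1.69", "1.70"),
    "Subversion": ("2.13.0", "2.13.1"),
}

def version_key(version):
    # Component-wise numeric compare: "0.9.11" > "0.9.2", "2.13" == "2.13.0".
    nums = [int(m.group()) if (m := re.match(r"\d+", p)) else 0
            for p in version.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def assess(installed):
    """installed: {display name: version} -> {name: 'ok' | 'update to X' | 'no fix; restrict use'}."""
    verdicts = {}
    for name, version in installed.items():
        if name not in ADVISORY_2020_02_12:
            continue  # not named in this advisory
        last_affected, fixed = ADVISORY_2020_02_12[name]
        if version_key(version) > version_key(last_affected):
            verdicts[name] = "ok"
        elif fixed:
            verdicts[name] = f"update to {fixed}"
        else:
            verdicts[name] = "no fix; restrict use"
    return verdicts

# Constructed sample of an installed-plugin inventory (display name -> version).
SAMPLE_INSTALLED = {"Pipeline: Groovy": "2.78", "Script Security": "1.70",
                    "Git Parameter": "0.9.9", "Harvest SCM": "0.5.1", "Git": "4.2.0"}
```

Plugins with no fix at publication get a "restrict use" verdict so they can be disabled or their configuration access narrowed until a fixed release appears.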

Software description

Jenkins is an open-source software project, a continuous integration tool developed in Java that monitors repeated jobs; it aims to provide an open, easy-to-use platform that makes continuous integration of software possible. [1]

TSRC analysis

None yet

Industry news

None yet
