Jenkins Security Advisory 2019-10-01

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • DingTalk Plugin
  • HTML Publisher Plugin
  • LDAP Email Plugin
  • Script Security Plugin
  • SourceGear Vault Plugin

Descriptions

Sandbox bypass vulnerability in Script Security Plugin

SECURITY-1579 / CVE-2019-10431
Severity (CVSS): High
Affected plugin: script-security
Description:

Sandbox protection in Script Security Plugin could be circumvented through default parameter expressions in constructors.

This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are now subject to sandbox protection.

Stored XSS vulnerability in HTML Publisher Plugin

SECURITY-1590 / CVE-2019-10432
Severity (CVSS): Medium
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin did not escape the project or build display name shown in the frame HTML page. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the project or build display name, typically users with Job/Configure or Build/Update permission.

HTML Publisher Plugin now escapes the display name displayed in the frame HTML page.
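The following is an added illustration, not code from HTML Publisher Plugin: a minimal frame-page generator in the unescaped form the advisory describes, next to the hardened form that HTML-escapes the display name before inserting it. The display name and report URL are constructed sample values.

```python
import html


def frame_page_vulnerable(display_name: str, report_url: str) -> str:
    """Frame page in the form the advisory describes: the display name is
    concatenated into the HTML unescaped, so any markup in it becomes
    part of the page served to the viewer."""
    return (
        "<html><head><title>" + display_name + "</title></head>"
        '<frameset rows="*"><frame src="' + report_url + '"></frameset></html>'
    )


def frame_page_fixed(display_name: str, report_url: str) -> str:
    """Hardened variant: every attacker-controllable value is HTML-escaped
    (including quotes) before it is placed in markup."""
    safe_name = html.escape(display_name, quote=True)
    safe_url = html.escape(report_url, quote=True)
    return (
        "<html><head><title>" + safe_name + "</title></head>"
        '<frameset rows="*"><frame src="' + safe_url + '"></frameset></html>'
    )


def markup_survives(page: str, marker: str = "<script>") -> bool:
    """True if the raw marker tag reached the page unescaped."""
    return marker in page


# Constructed display name, as a user with Job/Configure permission could set it.
SAMPLE_DISPLAY_NAME = 'Nightly build <script>alert("xss")</script>'
SAMPLE_REPORT_URL = "htmlreports/report.html"

if __name__ == "__main__":
    print("vulnerable page carries raw markup:",
          markup_survives(frame_page_vulnerable(SAMPLE_DISPLAY_NAME, SAMPLE_REPORT_URL)))
    print("fixed page carries raw markup:",
          markup_survives(frame_page_fixed(SAMPLE_DISPLAY_NAME, SAMPLE_REPORT_URL)))
```

The point of `markup_survives` is the check a reviewer applies to any server-rendered page: a value that came from a job or build configuration should never reach the response with its angle brackets or quotes intact.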

DingTalk Plugin stores credentials in plain text

SECURITY-1423 / CVE-2019-10433
Severity (CVSS): Low
Affected plugin: dingding-notifications
Description:

DingTalk Plugin stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.
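Because no fix exists, an administrator can only find out where such tokens sit in plain text. The following added check (not part of the plugin or of Jenkins) walks a job `config.xml` and reports credential-looking elements whose value is not in the braced base64 form that Jenkins uses for encrypted `Secret` fields. The sample XML, the class names in it and the token values are constructed for the example; the element-name pattern and the assumption that the instance writes the braced format are stated in the comments.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Iterable, List

# Jenkins serialises hudson.util.Secret fields as base64 wrapped in braces, e.g. {AQAAABAAAAAQ...}.
# Assumption: the instance is recent enough to write this format (older releases wrote bare base64).
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Element names that normally carry credential material (extend to taste).
SENSITIVE_NAME = re.compile(r"token|password|passwd|secret|apikey|api_key", re.IGNORECASE)


def find_plaintext_secrets(config_xml: str) -> List[str]:
    """Return slash-separated element paths whose tag looks credential-related
    and whose text is present but not in the encrypted Secret format."""
    root = ET.fromstring(config_xml)
    findings: List[str] = []

    def walk(elem: ET.Element, path: str) -> None:
        here = f"{path}/{elem.tag}" if path else elem.tag
        value = (elem.text or "").strip()
        if value and SENSITIVE_NAME.search(elem.tag) and not ENCRYPTED_SECRET.match(value):
            findings.append(here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_files(paths: Iterable[Path]) -> Dict[str, List[str]]:
    """Run find_plaintext_secrets over several config.xml files; only files with hits are returned."""
    results: Dict[str, List[str]] = {}
    for path in paths:
        hits = find_plaintext_secrets(Path(path).read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed job config.xml: plugin class names and values are made up for this example.
SAMPLE_CONFIG_XML = """<project>
  <publishers>
    <com.example.dingtalk.DingTalkNotifier plugin="dingding-notifications@1.9">
      <accessToken>0123456789abcdef0123456789abcdef</accessToken>
    </com.example.dingtalk.DingTalkNotifier>
    <com.example.other.OtherNotifier plugin="other-plugin@1.0">
      <apiToken>{AQAAABAAAAAQa2V5bWF0ZXJpYWwtY29uc3RydWN0ZWQ=}</apiToken>
    </com.example.other.OtherNotifier>
  </publishers>
</project>
"""

if __name__ == "__main__":
    # Usage: python scan.py /var/lib/jenkins  (scans every config.xml below the given directory)
    if len(sys.argv) > 1:
        for file, hits in scan_files(Path(sys.argv[1]).rglob("config.xml")).items():
            print(file, hits)
    else:
        print(find_plaintext_secrets(SAMPLE_CONFIG_XML))
```

On the sample, only the DingTalk `accessToken` is reported; the braced `apiToken` value is accepted as encrypted. Run it against `$JENKINS_HOME` from the controller file system, since that is exactly the access level the advisory says is enough to read the token.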

LDAP Email Plugin shows plain text password in configuration form

SECURITY-1515 / CVE-2019-10434
Severity (CVSS): Low
Affected plugin: ldapemail
Description:

LDAP Email Plugin stores an LDAP bind password in its global Jenkins configuration.

While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

SourceGear Vault Plugin shows plain text password in configuration form

SECURITY-1524 / CVE-2019-10435
Severity (CVSS): Low
Affected plugin: vault-scm-plugin
Description:

SourceGear Vault Plugin stores an SCM password in job configurations.

While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

Severity

  • SECURITY-1423: Low
  • SECURITY-1515: Low
  • SECURITY-1524: Low
  • SECURITY-1579: High
  • SECURITY-1590: Medium

Affected Versions

  • DingTalk Plugin up to and including 1.9
  • HTML Publisher Plugin up to and including 1.20
  • LDAP Email Plugin up to and including 0.8
  • Script Security Plugin up to and including 1.64
  • SourceGear Vault Plugin up to and including 1.1.1

Fix

  • HTML Publisher Plugin should be updated to version 1.21
  • Script Security Plugin should be updated to version 1.65

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • DingTalk Plugin
  • LDAP Email Plugin
  • SourceGear Vault Plugin
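An added helper (not Jenkins project code) that turns the version thresholds above into a check over an installed-plugin inventory. It reports each listed plugin whose version is at or below the last affected version, with the fixed version where the advisory names one. The inventory dictionary is a constructed sample; the short names and version numbers are the ones given in this advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Thresholds from this advisory: plugin short name -> (last affected version, fixed version or None).
ADVISORY_2019_10_01: Dict[str, Tuple[str, Optional[str]]] = {
    "dingding-notifications": ("1.9", None),
    "htmlpublisher": ("1.20", "1.21"),
    "ldapemail": ("0.8", None),
    "script-security": ("1.64", "1.65"),
    "vault-scm-plugin": ("1.1.1", None),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers; the first non-numeric piece (e.g. '-beta')
    ends the comparable part. Assumption: the plugins here use plain dotted numbers."""
    parts: List[int] = []
    for piece in re.split(r"[.-]", version):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """True if version a is at or below version b (missing components count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) <= pb + (0,) * (width - len(pb))


def check_installed(installed: Dict[str, str],
                    advisory: Dict[str, Tuple[str, Optional[str]]] = ADVISORY_2019_10_01
                    ) -> List[Tuple[str, str, str]]:
    """Return (short name, installed version, advice) for every affected plugin."""
    findings: List[Tuple[str, str, str]] = []
    for name, version in sorted(installed.items()):
        if name not in advisory:
            continue
        last_affected, fixed = advisory[name]
        if version_le(version, last_affected):
            advice = f"update to {fixed}" if fixed else "no fix available"
            findings.append((name, version, advice))
    return findings


# Constructed inventory: short name -> installed version.
SAMPLE_INSTALLED = {
    "script-security": "1.64",
    "htmlpublisher": "1.21",
    "ldapemail": "0.8",
    "git": "3.12.1",
}

if __name__ == "__main__":
    for name, version, advice in check_installed(SAMPLE_INSTALLED):
        print(f"{name} {version}: {advice}")
```

A real inventory can be built from the controller's Plugin Manager JSON API (`/pluginManager/api/json?depth=1`), whose `plugins` entries carry `shortName` and `version`; map those two fields into the dictionary and run `check_installed` over it.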


Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative for SECURITY-1423
  • James Holderness, IB Boost for SECURITY-1515, SECURITY-1524
  • Nils Emmerich of ERNW Research GmbH for SECURITY-1579
  • Viktor Gazdag, NCC Group for SECURITY-1590