Jenkins Security Advisory 2019-11-21

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Sandbox bypass vulnerability in Script Security Plugin

SECURITY-1658 / CVE-2019-16538
Severity (CVSS): High
Affected plugin: script-security
Description:

Sandbox protection in Script Security Plugin could be circumvented through closure default parameter expressions.

This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are now subject to sandbox protection.

Support Core Plugin allowed users with Overall/Read permission to delete arbitrary files

SECURITY-1634 / CVE-2019-16539 (permission check), CVE-2019-16540 (path traversal)
Severity (CVSS): High
Affected plugin: support-core
Description:

Support Core Plugin did not validate the paths submitted for the "Delete Support Bundles" feature. This allowed users to delete arbitrary files on the Jenkins controller file system accessible to the OS user account running Jenkins.

Additionally, this endpoint did not perform a permission check, allowing users with Overall/Read permission to delete support bundles, and any arbitrary other file, with a known name/path.

Support Core Plugin now only allows the deletion of support bundles and related files listed on the UI through this feature. It also ensures that only users with "Download Bundle" permission are able to delete support bundles.

Folder-scoped Jira sites in Jira Plugin were able to access System-scoped credentials

SECURITY-1106 / CVE-2019-16541
Severity (CVSS): Medium
Affected plugin: jira
Description:

Jira Plugin allows the definition of per-folder Jira sites.

The credentials lookup for this feature did not set the appropriate context, allowing the use of System-scoped credentials otherwise reserved for use in the global configuration. This allowed users with Item/Configure permission on the folder to access credentials they’re not entitled to, and potentially capture them.

Jira Plugin now defines the appropriate folder context for credential lookup. As a side effect, existing per-folder Jira sites may lose access to already configured System-scoped credentials, as if no credential was specified in the first place.

Anchore Container Image Scanner Plugin stored credentials in plain text

SECURITY-1539 / CVE-2019-16542
Severity (CVSS): Medium
Affected plugin: anchore-container-scanner
Description:

Anchore Container Image Scanner Plugin stored an Anchore.io service password unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As the affected functionality has been deprecated, and the affected Anchore.io service has been shut down in late 2018, the affected feature has been removed. The password will be removed from the job configuration once it is saved again.

Spira Importer Plugin stored credentials in plain text

SECURITY-1554 / CVE-2019-16543
Severity (CVSS): Low
Affected plugin: inflectra-spira-integration
Description:

Spira Importer Plugin stored a credential unencrypted in its global configuration file com.inflectra.spiratest.plugins.SpiraBuilder.xml on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system.

Spira Importer Plugin now stores this credential encrypted once its configuration is saved again.

Google Compute Engine Plugin did not verify SSH host keys

SECURITY-1584 / CVE-2019-16546
Severity (CVSS): Medium
Affected plugin: google-compute-engine
Description:

Google Compute Engine Plugin did not use SSH host key verification when connecting to VMs launched by the plugin. This lack of verification could be abused by a MitM attacker to intercept these connections to attacker-specified build agents without warning.

Google Compute Engine Plugin now verifies SSH host keys before executing any commands on agents.

Google Compute Engine Plugin disclosed environment information to users with Overall/Read permission

SECURITY-1585 / CVE-2019-16547
Severity (CVSS): Medium
Affected plugin: google-compute-engine
Description:

Google Compute Engine Plugin did not verify permissions on multiple auto-complete API endpoints. This allowed users with Overall/Read permissions to view various metadata about the running cloud environment.

Google Compute Engine Plugin now requires the appropriate Job/Configure permission to view these metadata.

CSRF vulnerability in Google Compute Engine Plugin allowed provisioning agents

SECURITY-1586 / CVE-2019-16548
Severity (CVSS): Medium
Affected plugin: google-compute-engine
Description:

Google Compute Engine Plugin did not require POST requests on an API endpoint. This CSRF vulnerability allowed attackers to provision new agents.

Google Compute Engine Plugin now requires POST requests for this API endpoint.

QMetry for JIRA - Test Management Plugin stored credentials in plain text

SECURITY-727 (1) / CVE-2019-16544
Severity (CVSS): Medium
Affected plugin: qmetry-for-jira-test-management
Description:

QMetry for JIRA - Test Management Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller as part of its post-build step configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

QMetry for JIRA - Test Management Plugin now stores these credentials encrypted once the job configuration is saved again.

QMetry for JIRA - Test Management Plugin shows plain text password in configuration form

SECURITY-727 (2) / CVE-2019-16545
Severity (CVSS): Low
Affected plugin: qmetry-for-jira-test-management
Description:

QMetry for JIRA - Test Management Plugin stores a credential as part of its post-build step configuration.

While the password is stored encrypted on disk since QMetry for JIRA - Test Management Plugin 1.13, it is transmitted in plain text as part of the configuration form. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

Severity

SECURITY-727 (1): Medium
SECURITY-727 (2): Low
SECURITY-1106: Medium
SECURITY-1539: Medium
SECURITY-1554: Low
SECURITY-1584: Medium
SECURITY-1585: Medium
SECURITY-1586: Medium
SECURITY-1634: High
SECURITY-1658: High

Affected Versions

Anchore Container Image Scanner Plugin up to and including 1.0.19
Google Compute Engine Plugin up to and including 4.1.1
Jira Plugin up to and including 3.0.10
QMetry for JIRA - Test Management Plugin up to and including 1.12
QMetry for JIRA - Test Management Plugin up to and including 1.13
Script Security Plugin up to and including 1.67
Spira Importer Plugin up to and including 3.2.2
Support Core Plugin up to and including 2.63

Fix

Anchore Container Image Scanner Plugin should be updated to version 1.0.20
Google Compute Engine Plugin should be updated to version 4.2.0
Jira Plugin should be updated to version 3.0.11
QMetry for JIRA - Test Management Plugin should be updated to version 1.13
Script Security Plugin should be updated to version 1.68
Spira Importer Plugin should be updated to version 3.2.3
Support Core Plugin should be updated to version 2.64

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

QMetry for JIRA - Test Management Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

Daniel Beck, CloudBees, Inc. for SECURITY-1106, SECURITY-1634
James Holderness, IB Boost for SECURITY-1539, SECURITY-1554
Matt Sicker, CloudBees, Inc. for SECURITY-1584, SECURITY-1585, SECURITY-1586
Nils Emmerich of ERNW Research GmbH for SECURITY-1658