This advisory announces:
multiple security vulnerabilities that were found in Jenkins core.
two security vulnerabilities found in the monitoring plugin
This vulnerability allows unauthenticated users with access to Jenkins' HTTP/HTTPS port to mount a DoS attack on Jenkins through thread exhaustion.
Anonymous users can test if the user of a specific name exists or not through login attempts.
An user with a permission limited to Job/CONFIGURE can exploit this vulnerability to effectively create a new job, which should have been only possible for users with Job/CREATE permission, or to destroy jobs that he/she does not have access otherwise.
Users with Overall/READ permission can access arbitrary files in the file system readable by the Jenkins process, resulting in the exposure of sensitive information, such as encryption keys.
If a parameterized job has a default value in a password field, that default value gets exposed to users with Job/READ permission.
Reflected cross-site scripting vulnerability in Jenkins core. An attacker can navigate the user to a carefully crafted URL and have the user execute unintended actions.
Unauthenticated user can execute arbitrary code on the Jenkins controller by sending carefully crafted packets over the CLI channel.
Programs that constitute plugins can be downloaded by anyone with the Overall/READ permission, resulting in the exposure of otherwise sensitive information, such as hard-coded keys in plugins, if any.
Security vulnerability in commons fileupload allows unauthenticated attacker to upload arbitrary files to the Jenkins controller.
reflective XSS vulnerability in one of the library dependencies of Jenkins.
Monitoring plugin allows an attacker to cause a victim into executing unwanted actions on Jenkins instance.
SECURITY-87 is rated medium, as it results in the loss of functionality.
SECURITY-110 is rated medium, as it results in a limited amount of information exposure.
SECURITY-127 and SECURITY-128 are rated high. The former can be used to further escalate privileges, and the latter results in loss of data.
SECURITY-131 and SECURITY-138 is rated critical. This vulnerabilities results in exposure of sensitie information and is easily exploitable.
SECURITY-143 is rated high. It is a passive attack, but it can result in a compromise of the Jenkins controller or loss of data.
SECURITY-150 is rated critical. This attack can be mounted by any unauthenticated anonymous user with HTTP reachability to Jenkins instance, and results in remote code execution on Jenkins.
SECURITY-155 is rated medium. This only affects users who have installed proprietary plugins on publicly accessible instances, which is relatively uncommon.
SECURITY-159 is rated critical. This attack can be mounted by any unauthenticated anonymous user with HTTP reachability to Jenkins instance.
SECURITY-113 is rated high. It is a passive attack, but it can result in a compromise of the Jenkins controller or loss of data.
All the Jenkins releases ⇐ 1.582
All the LTS releases ⇐ 1.565.2
Monitoring plugin ⇐ 1.52.1
The Jenkins project would like to thank the following people for finding the vulnerabilities:
Daniel Beck for finding SECURITY-87, SECURITY-110, SECURITY-127, SECURITY-128
Jesse Glick for finding SECURITY-131, SECURITY-155
Matthias Schmalz for finding SECURITY-138
Seth Graham for finding SECURITY-143
Stephen Connolly for finding SECURITY-150
Manfred Moser for finding SECURITY-159
Wilder Rodrigues for finding SECURITY-113
Kurt Seifried for finding SECURITY-149
Main line users should upgrade to Jenkins 1.583
LTS users should upgrade to 1.565.3
User of monitoring plugin should upgrade to 1.53
These versions include fixes to all the vulnerabilities described above. All the prior versions are affected by these vulnerabilities.