This advisory announces multiple vulnerabilities in Jenkins.
SECURITY-153 / CVE-2015-5317
The Jenkins UI allowed users to see the names of jobs and builds otherwise inaccessible to them on the "Fingerprints" pages if those shared file fingerprints with fingerprinted files in accessible jobs.
SECURITY-169 / CVE-2015-5318
The salt used to generate the CSRF protection tokens was a publicly accessible value, allowing malicious users to circumvent CSRF protection by generating the correct token.
SECURITY-173 / CVE-2015-5319
When creating a job using the create-job CLI command, external entities are not discarded (nor processed). If these job configurations are processed by another user with an XML-aware tool (e.g. using get-job/update-job), information from that user’s computer may be disclosed to Jenkins and the attacker.
SECURITY-184 / CVE-2015-5320
JNLP agent connections did not verify that the correct secret was supplied, which allowed malicious users to connect their own machines as agents to Jenkins knowing only the name of the agent. This enables attackers to take over Jenkins (unless the agent-to-controller security subsystem is enabled) or gain access to private data like keys and source code.
SECURITY-186 / CVE-2015-5324
The /queue/api URL could return information about items not accessible to the current user (such as parameter names and values, build names, project descriptions, …).
SECURITY-192 / CVE-2015-5321
The CLI command overview and help pages in Jenkins were accessible without Overall/Read permission, resulting in disclosure of the names of configured agents (and contents of other sidepanel widgets, if present) to unauthorized users.
SECURITY-195 / CVE-2015-5322
Access to the
/jnlpJars/ URL was not limited to the specific JAR files users needed to access, allowing browsing directories and downloading other files in the Jenkins servlet resources, such as
SECURITY-200 / CVE-2015-5323
API tokens of other users were exposed to admins by default. On instances that don’t implicitly grant RunScripts permission to admins, this allowed admins to run scripts with another user’s credentials.
SECURITY-206 / CVE-2015-5325
Agents connecting via JNLP were not subject to the optional agent-to-controller access control documented at security-144 (CVE-2014-3665).
SECURITY-214 / CVE-2015-5326
Users with the permission to take agent nodes offline can enter arbitrary HTML that gets shown unescaped to users visiting the agent overview page.
SECURITY-153 is considered low as users have no control over which information they see, and the kind of information revealed is very limited.
SECURITY-169 is considered critical as it allows attackers to circumvent CSRF protection.
SECURITY-173 is considered low due to the high degree of specific user interaction required, and the limited information that can be gained this way.
SECURITY-184 is considered critical: It enables several different attacks, compromising integrity, stability and confidentiality.
SECURITY-186 is considered medium: Low privileged users can gain some limited information about items they should not have access to.
SECURITY-192 is considered medium: While the amount of information disclosed is very limited, it is trivial to exploit.
SECURITY-195 is considered low: The information gained is very limited, and it requires a specific setup to gain any non-public information this way.
SECURITY-200 is considered medium: In very specific circumstances, it allows admins to gain permissions they would not otherwise have.
SECURITY-206 is considered high as it allows to circumvent the major protection against less trusted node admins.
SECURITY-214 is considered medium as allows admins and users with significant privileges to circumvent XSS protection.
SECURITY-218 is considered critical as it allows unauthenticated remote attackers to run arbitrary code on Jenkins.
All Jenkins main line releases up to and including 1.637
All Jenkins LTS releases up to and including 1.625.1
Jenkins main line users should update to 1.638
Jenkins LTS users should update to 1.625.2
These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.
The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:
Akshay Dayal (from Google) for SECURITY-184
Ari Rubinstein for SECURITY-195
Ben Walding, CloudBees, Inc. for SECURITY-192
Daniel Beck, CloudBees, Inc. for SECURITY-186
James Nord, CloudBees, Inc. for SECURITY-169 and SECURITY-173
Jesse Glick, CloudBees, Inc. for SECURITY-206
Nicolas De Loof, CloudBees, Inc. for SECURITY-153
Oleg Nenashev, CloudBees, Inc. for SECURITY-200
Plastunov Andrey, Digital Security (dsec.ru) for SECURITY-214