This advisory announces multiple vulnerabilities in Jenkins.
SECURITY-95 / CVE-2015-7536
In certain configurations, low privilege users were able to create e.g. HTML files in workspaces and archived artifacts that could result in XSS when accessed by other users. Jenkins now sends
Content-Security-Policy headers that enables sandboxing and prohibits script execution by default.
|If you rely on the previous behavior, or in case of compatibility problems with certain plugins, you can modify the header sent by Jenkins. Learn more: Configuring Content Security Policy.|
SECURITY-225 / CVE-2015-7537
Several administration/configuration related URLs could be accessed using
GET, which allowed attackers to circumvent CSRF protection.
SECURITY-233 / CVE-2015-7538
Malicious users were able to circumvent CSRF protection on any URL by sending specially crafted
SECURITY-234 / CVE-2015-7539
While the Jenkins update site data is digitally signed, and the signature verified by Jenkins, Jenkins did not verify the provided SHA-1 checksums for the plugin files referenced in the update site data. This enabled MITM attacks on the plugin manager, resulting in installation of attacker-provided plugins.
SECURITY-95 is considered medium as it allows low-privilege users to perform limited XSS in certain configurations.
SECURITY-225 is considered high as it allows unprivileged attackers to perform some administrative actions via CSRF.
SECURITY-233 is considered high as it allows unprivileged attackers to circumvent CSRF protection.
SECURITY-234 is considered high as it allows attackers able to manipulate the network path between Jenkins and the update site to install and run arbitrary code on Jenkins.
All Jenkins main line releases up to and including 1.640
All Jenkins LTS releases up to and including 1.625.2
Jenkins main line users should update to 1.641
Jenkins LTS users should update to 1.625.3
These versions include fixes to all the vulnerabilities described above. All prior versions are affected by these vulnerabilities.
The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:
Alex Soto Bueno, CloudBees, Inc. for SECURITY-234
Antoine Musso and Timo Tijhof for SECURITY-95
Plastunov Andrey, Digital Security (dsec.ru) for SECURITY-225 and SECURITY-233