This advisory announces vulnerabilities in these Jenkins plugins:
SECURITY-161 / CVE-2017-2648
The SSH Build Agents Plugin did not perform host key verification, thereby enabling Man-in-the-Middle attacks.
SECURITY-251 / CVE-2017-2649
The Active Directory Plugin did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
SECURITY-336 / CVE-2017-2650
Use of this plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.
SECURITY-372 / CVE-2017-2651 (Mailer) and CVE-2017-2654 (Email Extension)
The Mailer and Email Extension Plugins are able to send emails to a dynamically created list of users based on the changelogs, like "authors of SCM changes since the last successful build".
This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
SECURITY-386 / CVE-2017-2652
There were no permission checks performed in the Distributed Fork plugin that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.
Active Directory Plugin up to and including version 2.2.
DistFork Plugin up to and including version 1.5.0.
Email Extension (email-ext) Plugin up to and including version 2.57.
Mailer Plugin up to and including version 1.19.
Pipeline: Classpath Step Plugin: All versions. No fix for this plugin is currently planned.
SSH Build Agents Plugin up to and including version 1.14.
Active Directory Plugin should be updated to version 2.3.
DistFork Plugin should be updated to version 1.6.0.
Email Extension (email-ext) Plugin should be updated to version 2.57.1.
Mailer Plugin should be updated to version 1.20.
SSH Build Agents Plugin should be updated to version 1.15.
Pipeline: Classpath Step Plugin should be disabled or uninstalled, and its uses replaced by the Pipeline libraries feature. No fix for this plugin is currently planned.
These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities unless otherwise noted.
The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:
Tim Otten, CiviCRM LLC for SECURITY-161
Steven Christou, CloudBees, Inc. for SECURITY-251
Jesse Glick, CloudBees, Inc. for SECURITY-336
Caleb Tennis, CloudBees, Inc. for SECURITY-372
James Nord, CloudBees, Inc. for SECURITY-386