This advisory announces vulnerabilities in the following Jenkins deliverables:
Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins to move the
config.xml file from the Jenkins home directory.
This configuration file contains basic configuration of Jenkins, including the selected security realm and authorization strategy.
If Jenkins is started without this file present, it will revert to the legacy defaults of granting administrator access to anonymous users.
The fix prevents this behavior.
To mitigate this problem, we strongly advise that administrators of Jenkins instances without this fix, that are reachable by untrusted users, save the global configuration shortly before shutting down Jenkins. Doing so will write the current configuration from memory to the config.xml file, which is only read on startup or when reloading configuration.
If Jenkins has already been shut down after this issue has been exploited, the
config.xml file can be found at
users/$002e$002e/config.xml in the Jenkins home directory.
This issue was caused by the fix for SECURITY-499 in the 2017-11-08 security advisory.
An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins master process has access to.
Input validation in Stapler has been improved to prevent this.
The URLs handling cancellation of queued builds did not perform a permission check, allowing users with Overall/Read permission to cancel queued builds.
The URLs handling cancellation of queued builds now ensure that the user has the Item/Cancel permission.
The URL that initiates agent launches on the Jenkins controller did not perform a permission check, allowing users with Overall/Read permission to initiate agent launches.
Doing so canceled all ongoing launches for the specified agent, so this allowed attackers to prevent an agent from launching indefinitely.
The URL for agent launches now ensures that the user has the Agent/Connect permission.
The build timeline widget shown on URLs like
/view/…/builds did not properly escape display names of items.
This resulted in a cross-site scripting vulnerability exploitable by users able to control item display names.
Jenkins now escapes job display names shown on the timeline widget.
Files indicating when a plugin JPI file was last extracted into a subdirectory of
plugins/ in the Jenkins home directory were accessible via HTTP by users with Overall/Read permission.
This allowed unauthorized users to determine the likely install date of a given plugin.
The affected files are no longer available via HTTP.
Stapler is the web framework used by Jenkins to route HTTP requests. When its debug mode is enabled, HTTP 404 error pages display diagnostic information. Those error pages did not escape parts of URLs they displayed, in rare cases resulting in a cross-site scripting vulnerability.
Parts of URLs displayed on these error pages are now properly escaped.
As a workaround, Stapler debug mode should not be enabled on instances accessible to untrusted users.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: