This advisory announces vulnerabilities in the following Jenkins deliverables:
A missing permission check in PAM Authentication Plugin allowed users with Overall/Read permission to invoke a form validation method to obtain limited information about the file
/etc/shadow on systems with that file present, as well as the system user the Jenkins process is running as.
Depending on configuration, one of the following messages could be obtained by an attacker:
"Jenkins needs to be able to read /etc/shadow"
"(1) needs to belong to group (2) to read /etc/shadow"
"Either Jenkins needs to run as (3) or (1) needs to belong to group (2) and 'chmod g+r /etc/shadow' needs to be done to enable Jenkins to read /etc/shadow"
The numeric placeholders in the messages above would be populated with the following values:
The system user that the Jenkins controller process is running as (usually
The group owning
The user owning
This form validation method now requires Overall/Administer permission.
Credentials Plugin allowed the creation of Certificate credentials from a PKCS#12 file on the Jenkins controller. Users with permission to create or update credentials could use the associated form validation to confirm the existence of files with an attacker-specified path.
Additionally, they could create credentials from any valid PKCS#12 file on the Jenkins controller. With the ability to configure jobs to access these credentials, they could obtain the certificate content.
Credentials Plugin no longer supports Certificate credentials from PKCS#12 files on the Jenkins controller file system. Existing Certificate credentials of this kind are automatically migrated to directly entered Certificate credentials during Jenkins startup.
Due to technical limitations, these migrated credentials are not immediately persisted. In rare situations a non-administrator user might access a credential migrated this way and encounter a permission error. The solution is to save affected credentials manually, either individually through the UI or with the following script for the Script Console:
This operation may impact performance.
In almost all cases the automatic migration will work and these additional steps will be unnecessary.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: