This advisory announces vulnerabilities in the following Jenkins deliverables:
Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. This path would be used to store the uploaded file on the Jenkins master, resulting in an arbitrary file write vulnerability.
File parameters that escape the base directory are no longer accepted and the build will fail.
This vulnerability is the result of an incomplete fix for SECURITY-1074.
By default, CSRF tokens in Jenkins only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim’s IP address remained unchanged.
CSRF tokens will now also check the web session ID to confirm they were created in the same session. Once that’s invalidated or expired, corresponding CSRF tokens will become invalid as well.
|This fix may impact scripts that obtain a crumb from the crumb issuer API. They may need to be updated to retain the session ID for subsequent requests. For further information, see the LTS upgrade guide.|
We also publish the Strict Crumb Issuer Plugin which contains additional protection mechanisms that give administrators more fine-grained control over the validity of CSRF tokens. We plan to improve the built-in default crumb issuer based on user feedback of this implementation.
Jenkins uses the Stapler web framework to render its UI views. These views are frequently comprised of several view fragments, enabling plugins to extend existing views with more content.
In some cases attackers could directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.
The Stapler web framework has been extended with a Service Provider Interface (SPI) that allows preventing views from being rendered. The implementation of that SPI in Jenkins now prevents view fragments from being rendered. Further details are available in the developer documentation.
Most views in Jenkins and Jenkins plugins should be compatible with this change. We track known affected plugins and their status in the Jenkins wiki.
In rare cases, it may be desirable to disable this fix.
To do so, set the Java system property
Learn more about system properties in Jenkins.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: