Jenkins Security Advisory 2020-06-03

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Compact Columns Plugin
  • ECharts API Plugin
  • Play Framework Plugin
  • Project Inheritance Plugin
  • Script Security Plugin
  • Selenium Plugin
  • Subversion Partial Release Manager Plugin
  • Swarm Plugin

Descriptions

Stored XSS vulnerability in Script Security Plugin

SECURITY-1866 / CVE-2020-2190

Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure sandboxed scripts.

Script Security Plugin 1.73 escapes pending and approved classpath entries before rendering them in the Jenkins UI.

CSRF vulnerability and improper permission checks in Swarm Plugin

SECURITY-1200 / CVE-2020-2191 (permission checks), CVE-2020-2192 (CSRF)

Swarm Plugin adds API endpoints to add or remove agent labels. In Swarm Plugin 3.20 and earlier these endpoints only require the global Swarm secret, and no regular permission check is performed. Since that secret is available to users with Agent/Create permission, this allows them to add or remove labels of any agent, not only agents they are allowed to configure.

Additionally, these API endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Swarm Plugin 3.21 requires POST requests to these endpoints and Agent/Configure permission on the affected agent. It no longer uses the global Swarm secret for these API endpoints.
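The fix described above combines two independent controls: rejecting non-POST requests (which also makes Jenkins' CSRF crumb mandatory) and checking a permission on the specific agent being modified rather than trusting a shared secret. The following is an added example of that pattern as a Jenkins plugin endpoint; it is not Swarm Plugin code, and the package, class, method and parameter names (AgentLabelApi, doAddLabels, doRemoveLabels, name, labels) are hypothetical. The same @RequirePOST control is what the Selenium Plugin endpoints later in this advisory lack.

```java
package io.example.swarmlike; // hypothetical package, not the Swarm Plugin

import java.io.IOException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import hudson.Extension;
import hudson.model.Computer;
import hudson.model.Node;
import hudson.model.RootAction;
import hudson.model.Slave;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Reachable at /agent-labels/addLabels and /agent-labels/removeLabels (hypothetical URL). */
@Extension
public class AgentLabelApi implements RootAction {

    // Vulnerable shape, paraphrased from the advisory text (NOT the real plugin code):
    //
    //   public HttpResponse doAddLabels(@QueryParameter String secret, ...) {
    //       if (!SWARM_SECRET.equals(secret)) throw HttpResponses.forbidden();
    //       ... modify labels of ANY agent ...
    //   }
    //
    // Problems: reachable via GET (so a cross-site <img> or <form> can trigger it,
    // and the CSRF crumb is never checked), and anyone who holds the shared
    // secret can change every agent, regardless of per-agent permissions.

    @RequirePOST // GET is rejected; on POST Jenkins validates the CSRF crumb
    public HttpResponse doAddLabels(@QueryParameter String name,
                                    @QueryParameter String labels) throws IOException {
        return updateLabels(name, labels, true);
    }

    @RequirePOST
    public HttpResponse doRemoveLabels(@QueryParameter String name,
                                       @QueryParameter String labels) throws IOException {
        return updateLabels(name, labels, false);
    }

    private HttpResponse updateLabels(String name, String labels, boolean add) throws IOException {
        Computer computer = Jenkins.get().getComputer(name);
        if (computer == null) {
            throw HttpResponses.notFound();
        }
        // Per-agent authorization: Agent/Configure on THIS agent. Agent/Create
        // or possession of a shared secret is not sufficient.
        computer.checkPermission(Computer.CONFIGURE);

        Node node = computer.getNode();
        if (!(node instanceof Slave)) {
            throw HttpResponses.errorWithoutStack(400, "Not a configurable agent: " + name);
        }
        Slave slave = (Slave) node;

        // Labels are a whitespace-separated string on the node; keep order, drop empties.
        Set<String> current = new LinkedHashSet<>();
        for (String l : slave.getLabelString().trim().split("\\s+")) {
            if (!l.isEmpty()) current.add(l);
        }
        Set<String> requested = new LinkedHashSet<>(Arrays.asList(labels.trim().split("\\s+")));
        requested.remove("");
        if (add) {
            current.addAll(requested);
        } else {
            current.removeAll(requested);
        }
        slave.setLabelString(String.join(" ", current));
        Jenkins.get().updateNode(slave); // persist the changed node configuration
        return HttpResponses.ok();
    }

    @Override public String getIconFileName() { return null; } // hidden from the sidebar
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "agent-labels"; }
}
```

Note that the two controls are not interchangeable: @RequirePOST alone still lets any authenticated user with a crumb modify any agent, and the permission check alone still lets a victim administrator's browser be driven from another site via GET. The fix in Swarm Plugin 3.21 applies both.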

Stored XSS vulnerability in ECharts API Plugin

SECURITY-1841 / CVE-2020-2193

ECharts API Plugin 4.7.0-3 and earlier does not escape the parser identifier when rendering charts.

This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Job/Configure permission.

ECharts API Plugin 4.7.0-4 escapes the parser identifier.

Stored XSS vulnerability in ECharts API Plugin

SECURITY-1842 / CVE-2020-2194

ECharts API Plugin 4.7.0-3 and earlier does not escape the display name of the builds in the trend chart.

This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Run/Update permission.

ECharts API Plugin 4.7.0-4 escapes the display name.

Stored XSS vulnerability in Compact Columns Plugin

SECURITY-1837 / CVE-2020-2195

Compact Columns Plugin 1.11 and earlier displays the unprocessed job description in tooltips.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

Compact Columns Plugin 1.12 applies the configured markup formatter to the job description shown in tooltips.

Complete lack of CSRF protection in Selenium Plugin can lead to OS command injection

SECURITY-1766 / CVE-2020-2196

Selenium Plugin 3.141.59 and earlier has no CSRF protection for its HTTP endpoints.

This allows attackers to perform the following actions:

  • Restart the Selenium Grid hub.

  • Delete or replace the plugin configuration.

  • Start, stop, or restart Selenium configurations on specific nodes.

Through carefully chosen configuration parameters, these actions can result in OS command injection on the Jenkins master.

As of publication of this advisory, there is no fix.

Missing permission check in Project Inheritance Plugin

SECURITY-1582 / CVE-2020-2197 (permission check), CVE-2020-2198 (unredacted encrypted secrets)

Jenkins limits access to job configuration XML data (config.xml) to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL /job/…/getConfigAsXML for its Inheritance Project job type, which likewise returns the job's configuration XML.

Project Inheritance Plugin 19.08.02 and earlier does not check permissions for this additional endpoint, granting access to job configuration XML data to every user with Job/Read permission.

Additionally, the encrypted values of secrets stored in the job configuration are returned as-is by this endpoint. The core config.xml API redacts those values for users who lack Job/Configure permission; this endpoint does not.

As of publication of this advisory, there is no fix.
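The two core behaviours that the getConfigAsXML endpoint skips are a permission gate on Job/ExtendedRead and, for callers without Job/Configure, redaction of encrypted secret values before the XML leaves the server. The following is an added example showing how an endpoint serving job configuration XML can apply both; it is not Project Inheritance Plugin code, the class and method names (ConfigXmlExport, writeConfigAsXml, redactEncryptedSecrets) are hypothetical, and it assumes Jenkins core's public Secret.ENCRYPTED_VALUE_PATTERN for recognizing encrypted values.

```java
package io.example.inheritancelike; // hypothetical package, not the plugin

import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import hudson.model.AbstractItem;
import hudson.model.Item;
import hudson.util.Secret;
import org.kohsuke.stapler.StaplerResponse;

/** Helper a job type's doGetConfigAsXML(...) web method can delegate to. */
public final class ConfigXmlExport {

    // Encrypted secrets in config.xml appear as element text, e.g.
    // <password>{AQAAABAAAAAQ...}</password>. Match the value between '>' and '<'.
    private static final Pattern SECRET_PATTERN =
            Pattern.compile(">(" + Secret.ENCRYPTED_VALUE_PATTERN.pattern() + ")<");

    private ConfigXmlExport() {}

    // Vulnerable shape, paraphrased from the advisory text (NOT the real plugin code):
    //
    //   public void doGetConfigAsXML(StaplerResponse rsp) throws IOException {
    //       // no permission check: any user who can see the job (Job/Read) gets here
    //       rsp.getWriter().write(getConfigFile().asString()); // secrets unredacted
    //   }

    /** Serve the item's configuration XML under the same rules as core's config.xml. */
    public static void writeConfigAsXml(AbstractItem item, StaplerResponse rsp) throws IOException {
        // 1. Gate on Job/ExtendedRead (implied by Job/Configure), not on Job/Read.
        item.checkPermission(Item.EXTENDED_READ);

        String xml = item.getConfigFile().asString();

        // 2. Users who may read but not configure the job must not see encrypted
        //    secret values, which could otherwise be replayed in their own jobs.
        if (!item.hasPermission(Item.CONFIGURE)) {
            xml = redactEncryptedSecrets(xml);
        }

        rsp.setContentType("application/xml");
        rsp.getWriter().write(xml);
    }

    /** Replace every encrypted secret value in element text with a fixed mask. */
    static String redactEncryptedSecrets(String xml) {
        Matcher m = SECRET_PATTERN.matcher(xml);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, ">********<");
        }
        m.appendTail(out);
        return out.toString();
    }
}
```

When auditing an instance for this issue, compare the response of /job/…/getConfigAsXML for a user holding only Job/Read with that of /job/…/config.xml for the same user: the latter must return 403, and for a Job/ExtendedRead-only user the latter must show ******** where the former shows brace-delimited base64 values.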

XSS vulnerability in Subversion Partial Release Manager Plugin

SECURITY-1726 / CVE-2020-2199

Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation.

This results in a reflected cross-site scripting (XSS) vulnerability. Because the validated value is part of the job configuration, it can also be exploited in the manner of a stored cross-site scripting vulnerability by users with Job/Configure permission.

As of publication of this advisory, there is no fix.

OS command injection vulnerability in Play Framework Plugin

SECURITY-1879 / CVE-2020-2200

A form validation endpoint in Play Framework Plugin executes the play command to validate a given input file.

Play Framework Plugin 1.0.2 and earlier lets users specify the path to the play command on the Jenkins master. This results in an OS command injection vulnerability: users able to place a file on the Jenkins master (e.g. through archiving artifacts) can point the path at that file and have it executed by the form validation.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • Compact Columns Plugin up to and including 1.11
  • ECharts API Plugin up to and including 4.7.0-3
  • Play Framework Plugin up to and including 1.0.2
  • Project Inheritance Plugin up to and including 19.08.02
  • Script Security Plugin up to and including 1.72
  • Selenium Plugin up to and including 3.141.59
  • Subversion Partial Release Manager Plugin up to and including 1.0.1
  • Swarm Plugin up to and including 3.20

Fix

  • Compact Columns Plugin should be updated to version 1.12
  • ECharts API Plugin should be updated to version 4.7.0-4
  • Script Security Plugin should be updated to version 1.73
  • Swarm Plugin should be updated to version 3.21

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Play Framework Plugin
  • Project Inheritance Plugin
  • Selenium Plugin
  • Subversion Partial Release Manager Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-1879
  • Daniel Beck, CloudBees, Inc. and, independently, Markus Winter, SAP SE for SECURITY-1582
  • Oleg Nenashev, CloudBees, Inc. for SECURITY-1200
  • Tobias Gruetzmacher for SECURITY-1837
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1726, SECURITY-1841, SECURITY-1842, SECURITY-1866
  • Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for SECURITY-1766