Jenkins Security Advisory 2020-07-02

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Stored XSS vulnerability in Sonargraph Integration Plugin

SECURITY-1775 / CVE-2020-2201

Sonargraph Integration Plugin 3.0.0 and earlier does not escape the file path for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by users with Job/Configure permission.

Sonargraph Integration Plugin 3.0.1 escapes the affected part of the error message.

Users with Overall/Read access could enumerate credentials IDs in Fortify on Demand Plugin

SECURITY-1690 / CVE-2020-2202

Fortify on Demand Plugin provides a list of applicable credentials IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions in Fortify on Demand Plugin 6.0.0 and earlier, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Fortify on Demand Plugin 6.0.1 now requires the appropriate permissions.

CSRF vulnerability and missing permission checks in Fortify on Demand Plugin

SECURITY-1691 / CVE-2020-2203 (CSRF), CVE-2020-2204 (missing permission check)

Fortify on Demand Plugin 5.0.1 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs obtained through another method.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires appropriate permission in Fortify on Demand Plugin 6.0.0.

Stored XSS vulnerability in VncRecorder Plugin

SECURITY-1728 (1) / CVE-2020-2205

VncRecorder Plugin 1.25 and earlier does not escape a tool path in the checkVncServ form validation endpoint accessed e.g. via job configuration forms.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by Jenkins administrators.

VncRecorder Plugin 1.35 escapes the tool path.

Reflected XSS vulnerability in VncRecorder Plugin

SECURITY-1728 (2) / CVE-2020-2206

VncRecorder Plugin 1.25 and earlier does not escape a parameter value in the checkVncServ form validation endpoint output.

This results in a reflected cross-site scripting (XSS) vulnerability.

VncRecorder Plugin 1.35 escapes the parameter value in the output.

Reflected XSS vulnerability in VncViewer Plugin

SECURITY-1776 / CVE-2020-2207

VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint output.

This results in a reflected cross-site scripting (XSS) vulnerability.

VncViewer Plugin 1.8 escapes the parameter value in the output.

Secret stored in plain text by Slack Upload Plugin

SECURITY-1627 / CVE-2020-2208

Slack Upload Plugin 1.7 and earlier stores a secret unencrypted in job config.xml files as part of its configuration. This secret can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by TestComplete support Plugin

SECURITY-1686 / CVE-2020-2209

TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files as part of its configuration. This password can be viewed by users with Extended Read permission or access to the master file system.

As of publication of this advisory, there is no fix.

Passwords transmitted in plain text by Stash Branch Parameter Plugin

SECURITY-1656 / CVE-2020-2210

Stash Branch Parameter Plugin stores Stash API passwords in its global configuration file org.jenkinsci.plugins.StashBranchParameter.StashBranchParameterDefinition.xml on the Jenkins master as part of its configuration.

While the password is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Stash Branch Parameter Plugin 0.3.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

This only affects Jenkins before 2.236, including 2.235.x LTS, as Jenkins 2.236 introduces a security hardening that transparently encrypts and decrypts data used for a Jenkins password form field.

As of publication of this advisory, there is no fix.

RCE vulnerability in ElasticBox Jenkins Kubernetes CI/CD Plugin

SECURITY-1738 / CVE-2020-2211

ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to ElasticBox Jenkins Kubernetes CI/CD Plugin’s build step.

As of publication of this advisory, there is no fix.

Secret stored in plain text by GitHub Coverage Reporter Plugin

SECURITY-1632 / CVE-2020-2212

GitHub Coverage Reporter Plugin 1.8 and earlier stores a GitHub access token in plain text in its global configuration file io.jenkins.plugins.gcr.PluginConfiguration.xml. This token can be viewed by users with access to the Jenkins master file system.

As of publication of this advisory, there is no fix.

Credentials stored in plain text by White Source Plugin

SECURITY-1630 / CVE-2020-2213

White Source Plugin 19.1.1 and earlier stores credentials in plain text as part of its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml and job config.xml files on the Jenkins master. These credentials could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the master file system.

As of publication of this advisory, there is no fix.

Content-Security-Policy protection for user content disabled by ZAP Pipeline Plugin

SECURITY-1811 / CVE-2020-2214

Jenkins sets the Content-Security-Policy header to static files served by Jenkins (specifically DirectoryBrowserSupport), such as workspaces, /userContent, or archived artifacts.

ZAP Pipeline Plugin 1.9 and earlier globally disables the Content-Security-Policy header for static files served by Jenkins. This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.

Jenkins instances with Resource Root URL configured are largely unaffected. A possible exception are file parameter downloads. The behavior of those depends on the specific version of Jenkins:

  • Jenkins 2.231 and newer, including 2.235.x LTS, is unaffected, as all resource files from user content are generally served safely from a different domain, without restrictions from Content-Security-Policy header.

  • Jenkins between 2.228 (inclusive) and 2.230 (inclusive), as well as all releases of Jenkins 2.222.x LTS and the 2.204.6 LTS release, are affected by this vulnerability, as file parameters are not served via the Resource Root URL.

  • Jenkins 2.227 and older, 2.204.5 and older, don’t have XSS protection for file parameter values, see SECURITY-1793.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Zephyr for JIRA Test Management Plugin

SECURITY-1762 / CVE-2020-2215 (CSRF), CVE-2020-2216 (missing permission check)

Zephyr for JIRA Test Management Plugin 1.5 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified host using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Reflected XSS in Compatibility Action Storage Plugin

SECURITY-1771 / CVE-2020-2217

Compatibility Action Storage Plugin 1.0 and earlier does not escape the content coming from the MongoDB in the testConnection form validation endpoint. This allows attackers able to update the configured document in MongoDB to inject the payload.

This results in a reflected cross-site scripting (XSS) vulnerability.

As of publication of this advisory, there is no fix.

Password stored in plain text by HP ALM Quality Center Plugin

SECURITY-1576 / CVE-2020-2218

HP ALM Quality Center Plugin 1.6 and earlier stores a password in plain text in its global configuration file org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml. This password can be viewed by users with access to the Jenkins master file system.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Link Column Plugin

SECURITY-1803 / CVE-2020-2219

Link Column Plugin allows users with View/Configure permission to add a new column to list views that contains a user-configurable link.

Link Column Plugin 1.0 and earlier does not filter the URL for these links, allowing the javascript: scheme. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure list views.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • Compatibility Action Storage Plugin up to and including 1.0
  • Fortify on Demand Plugin up to and including 6.0.0
  • Fortify on Demand Plugin up to and including 5.0.1
  • GitHub Coverage Reporter Plugin up to and including 1.8
  • HP ALM Quality Center Plugin up to and including 1.6
  • ElasticBox Jenkins Kubernetes CI/CD Plugin up to and including 1.3
  • Link Column Plugin up to and including 1.0
  • Slack Upload Plugin up to and including 1.7
  • Sonargraph Integration Plugin up to and including 3.0.0
  • Stash Branch Parameter Plugin up to and including 0.3.0
  • TestComplete support Plugin up to and including 2.4.1
  • VncRecorder Plugin up to and including 1.25
  • VncViewer Plugin up to and including 1.7
  • White Source Plugin up to and including 19.1.1
  • ZAP Pipeline Plugin up to and including 1.9
  • Zephyr for JIRA Test Management Plugin up to and including 1.5

Fix

  • Fortify on Demand Plugin should be updated to version 6.0.1
  • Fortify on Demand Plugin should be updated to version 6.0.0
  • Sonargraph Integration Plugin should be updated to version 3.0.1
  • VncRecorder Plugin should be updated to version 1.35
  • VncViewer Plugin should be updated to version 1.8

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Compatibility Action Storage Plugin
  • GitHub Coverage Reporter Plugin
  • HP ALM Quality Center Plugin
  • ElasticBox Jenkins Kubernetes CI/CD Plugin
  • Link Column Plugin
  • Slack Upload Plugin
  • Stash Branch Parameter Plugin
  • TestComplete support Plugin
  • White Source Plugin
  • ZAP Pipeline Plugin
  • Zephyr for JIRA Test Management Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Adam Shaver, BAE Systems for SECURITY-1686
  • Daniel Beck, CloudBees, Inc. for SECURITY-1690, SECURITY-1691, SECURITY-1762, SECURITY-1803, SECURITY-1811
  • James Holderness, IB Boost for SECURITY-1576
  • Pavel Roskin for SECURITY-1656
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1728 (1), SECURITY-1771, SECURITY-1775, SECURITY-1776
  • Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for SECURITY-1728 (2)
  • Wasin Saengow for SECURITY-1627, SECURITY-1630, SECURITY-1632