Jenkins Security Advisory 2020-07-15

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Stored XSS vulnerability in job build time trend

SECURITY-1868 / CVE-2020-2220

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name on build time trend pages. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the agent name.

Stored XSS vulnerability in upstream cause

SECURITY-1901 / CVE-2020-2221

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job’s display name shown as part of a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the job display name.

Stored XSS vulnerability in 'keep forever' badge icons

SECURITY-1902 / CVE-2020-2222

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names.

As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations.

Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.

Stored XSS vulnerability in console links

SECURITY-1945 / CVE-2020-2223

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the href attribute of these links.

Stored XSS vulnerability in single axis builds tooltips in Matrix Project Plugin

SECURITY-1924 / CVE-2020-2224

Matrix Project Plugin 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.

Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.

Stored XSS vulnerability in multiple axis builds tooltips in Matrix Project Plugin

SECURITY-1925 / CVE-2020-2225

Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Matrix Project Plugin 1.17 escapes the axis names shown in these tooltips.

Stored XSS vulnerability in Matrix Authorization Strategy Plugin

SECURITY-1909 / CVE-2020-2226

Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting (XSS) vulnerability. When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission, otherwise by users with Overall/Administer permission.

Matrix Authorization Strategy Plugin 2.6.2 escapes user names in the permission table.

Stored XSS vulnerability in Deployer Framework Plugin

SECURITY-1915 / CVE-2020-2227

Deployer Framework Plugin is a framework plugin allowing other plugins to provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to provide the location.

The exploitability of this vulnerability depends on the specific implementation using Deployer Framework Plugin. The Jenkins security team is not aware of any exploitable implementation.

Deployer Framework Plugin 1.3 escapes the URL.

Improper authorization of users and groups with the same base name in Gitlab Authentication Plugin

SECURITY-1792 / CVE-2020-2228

Gitlab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group.

Gitlab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.244
  • Jenkins LTS up to and including 2.235.1
  • Deployer Framework Plugin up to and including 1.2
  • Gitlab Authentication Plugin up to and including 1.5
  • Matrix Authorization Strategy Plugin up to and including 2.6.1
  • Matrix Project Plugin up to and including 1.16

Fix

  • Jenkins weekly should be updated to version 2.245
  • Jenkins LTS should be updated to version 2.235.2
  • Deployer Framework Plugin should be updated to version 1.3
  • Gitlab Authentication Plugin should be updated to version 1.6
  • Matrix Authorization Strategy Plugin should be updated to version 2.6.2
  • Matrix Project Plugin should be updated to version 1.17

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Oleg Nenashev, CloudBees, Inc. for SECURITY-1945
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1868, SECURITY-1901, SECURITY-1902, SECURITY-1909, SECURITY-1915, SECURITY-1924, SECURITY-1925