ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
RUN curl -fsSL ${PLUGIN_CLI_URL} -o /usr/lib/jenkins-plugin-manager.jar
This advisory announces vulnerabilities in the following Jenkins deliverables:
cvs
CVS Plugin 2.16 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
CVS Plugin 2.17 disables external entity resolution for its XML parser.
Plugin Installation Manager Tool is part of the Jenkins project Docker images.
As jenkins-plugin-cli it is used to download and install plugins even before Jenkins is running.
Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. This may allow third parties such as mirror operators to provide crafted plugin downloads.
Plugin Installation Manager Tool 2.2.0 confirms that actual checksums of downloaded plugin match the expected checksums.
Docker images of Jenkins 2.269 and 2.263.1 contain Plugin Installation Manager Tool 2.2.0. Users of older Docker images can change the version they use by extending the Jenkins image and update the tool themselves with:
ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
RUN curl -fsSL ${PLUGIN_CLI_URL} -o /usr/lib/jenkins-plugin-manager.jar
Jenkinsfile Runner 1.0-beta-22 Docker images also include Plugin Installation Manager Tool 2.2.0.
shelve-project-plugin
Shelve Project Plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to shelve, unshelve, or delete a project.
Shelve Project Plugin 3.1 requires POST requests for the affected HTTP endpoints.
chaos-monkey
Chaos Monkey Plugin 0.3 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to generate load and to generate memory leaks.
Chaos Monkey Plugin 0.4 requires Overall/Administer permission to generate load and to generate memory leaks.
chaos-monkey
Chaos Monkey Plugin 0.4 and earlier does not perform permission checks in an HTTP endpoint.
This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions.
Chaos Monkey Plugin 0.4.1 requires Overall/Administer permission to access the Chaos Monkey page and to see the history of actions.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: