This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted.
This allows unauthenticated attackers to cause a denial of service by creating HTTP-based CLI connection requests, resulting in request-handling threads waiting indefinitely.
Jenkins 2.541, LTS 2.528.3 properly closes HTTP-based CLI connections when the connection stream becomes corrupted.
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not perform a permission check to determine whether a password field should be redacted in views.
This allows attackers with View/Read permission to view encrypted password values in views.
The regular view configuration form requires View/Configure permission to access.
This vulnerability requires that a plugin implements a page for a view that shows a password field without performing a View/Configure permission check, and does not set the readOnlyMode variable introduced to support JEP-224.
As of the publication of this advisory, the Jenkins security team is not aware of any exploitable implementation.
Jenkins 2.541, LTS 2.528.3 requires View/Configure permission to view encrypted password values in views.
In case of problems, administrators can disable this security fix by setting the system property hudson.Functions.nonRecursivePasswordMaskingPermissionCheck to true.
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.
Jenkins 2.541, LTS 2.528.3 masks build authorization tokens displayed on the configuration form, and stores them encrypted once job configurations are saved again.
All affected job configurations can be migrated to the new (encrypted) format at once. Navigate to Manage Jenkins » Manage Old Data and choose Upgrade in the section Old Data Format.
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not require a cross-site request forgery (CSRF) token (crumb) for the URL handling interactive login HTTP requests, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to trick users into logging in to the attacker’s account.
Jenkins 2.541, LTS 2.528.3 validates CSRF tokens when processing login requests.
In case of problems, administrators can disable this security fix by setting the system property hudson.security.AuthenticationProcessingFilter2.skipCSRFCheck to true.
git-client
Git client Plugin generates temporary script files to provide credentials (e.g., SSH_ASKPASS).
In Git client Plugin 6.4.0 and earlier, these script files contain the path to the workspace directory as part of a command argument. This argument is not correctly escaped, allowing attackers able to control the workspace directory name to inject arbitrary OS commands.
This vulnerability only has an impact when attackers can control working directories (e.g., the argument to the dir(…) Pipeline step) while not being able to control the Pipeline itself or the programs or build scripts it executes.
Git client Plugin 6.4.1 passes the workspace directory path as an environment variable to the script, preventing command injection.
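The following is an added illustration, not Git client Plugin code, of the two patterns the advisory contrasts: a generated helper script that has the workspace path interpolated into its text, and one that reads the path from an environment variable set by the caller at invocation time. The script names and the WORKSPACE_DIR variable are assumptions for the example.

```bash
#!/bin/sh
# Illustrative only (not the plugin's implementation). Shows why a workspace
# path must not be written into a generated script as a command argument.

# Unsafe pattern: the path becomes part of the script's source text, so any
# shell metacharacters in the directory name are parsed as shell syntax when
# the helper runs.
write_unsafe_helper() {  # $1 = helper script path, $2 = workspace path
  printf '#!/bin/sh\necho workspace=%s\n' "$2" > "$1"
  chmod 700 "$1"
}

# Hardened pattern: the script text is constant; the path is supplied through
# an environment variable and only ever expanded inside double quotes, so the
# directory name is treated as data, never as code.
write_safe_helper() {  # $1 = helper script path
  printf '#!/bin/sh\necho "workspace=$WORKSPACE_DIR"\n' > "$1"
  chmod 700 "$1"
}

run_unsafe_helper() {  # $1 = helper script path
  "$1"
}

run_safe_helper() {  # $1 = helper script path, $2 = workspace path
  WORKSPACE_DIR="$2" "$1"
}
```

With a constructed directory name such as `ws dir; echo INJECTED`, the unsafe helper prints an extra line from the injected command, while the safe helper prints the name verbatim.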
coverage
Coverage Plugin uses coverage results IDs to create the links to coverage results on the Jenkins UI.
Coverage Plugin 2.3054.ve1ff7b_a_a_123b_ and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI.
This allows attackers with Item/Configure permission to use a javascript: scheme URL as identifier by configuring the job through the REST API, resulting in a stored cross-site scripting (XSS) vulnerability.
This vulnerability is not exploitable on Jenkins 2.539 or newer with Content Security Policy protection enforced.
Coverage Plugin 2.3056.v1dfe888b_0249 validates coverage results IDs when creating coverage results, ensuring no result is created with a javascript: scheme URL as identifier.
Additionally, the plugin will refuse to load any existing coverage results with invalid identifiers.
hashicorp-vault-plugin
HashiCorp Vault Plugin 371.v884a_4dd60fb_6 and earlier does not set the appropriate context for Vault credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.
This allows attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to.
As of publication of this advisory, there is no fix. Learn why we announce this.
BlazeMeterJenkinsPlugin
BlazeMeter Plugin 4.26 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
Enumerating credentials IDs in BlazeMeter Plugin 4.27 requires the appropriate permissions.
pipeline-reporter-by-redpen
Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b_9517b_6b_202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira.
Additionally, Redpen - Pipeline Reporter for Jira Plugin does not support distributed builds, causing artifact uploads to occur from the Jenkins controller rather than from the agent executing the build.
This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspace directory.
As of publication of this advisory, there is no fix. Learn why we announce this.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: