====================================================================
CERT-Renater Information Note No. 2018/VULN331
_____________________________________________________________________
DATE : 11/10/2018
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Jenkins weekly versions prior to 2.146, Jenkins LTS versions prior to 2.138.2.
=====================================================================
https://jenkins.io/security/advisory/2018-10-10/
_____________________________________________________________________

Jenkins Security Advisory 2018-10-10

This advisory announces vulnerabilities in the following Jenkins deliverables:

  Jenkins (core)

Descriptions

Path traversal vulnerability in Stapler allowed accessing internal data
SECURITY-867 / CVE pending

A path traversal vulnerability in Stapler allowed viewing routable objects with views defined on any type. This could be used to access internal data of routable objects, commonly by showing their string representation (#toString()).

Arbitrary file write vulnerability using file parameter definitions
SECURITY-1074 / CVE pending

Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. This path was used to archive the uploaded file on the Jenkins master, resulting in an arbitrary file write vulnerability.

File parameters that escape the base directory are no longer accepted, and the build fails.

Reflected XSS vulnerability
SECURITY-1129 / CVE pending

The wrapper query parameter for the XML variant of the Jenkins remote API did not validate the specified tag name. This resulted in a reflected cross-site scripting vulnerability.

Only legal XML tag names are now allowed for the wrapper query parameter.
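The following is an added example and not code from the Jenkins project or from this advisory. It audits a job's config.xml for file parameter definitions whose file-name portion would escape the directory the upload is archived under, which is the condition the SECURITY-1074 fix now rejects. The config.xml layout it reads (a hudson.model.FileParameterDefinition element with a name child under parameterDefinitions), the archive base directory path, and the sample configuration are assumptions of the example; it also goes slightly beyond the advisory text by treating backslashes as separators and rejecting absolute paths outright.

```python
"""Audit Jenkins job config.xml files for file parameters whose file-name
portion escapes the per-build base directory (SECURITY-1074).

Added example, not Jenkins project code. Assumptions: the parameter is
stored as <hudson.model.FileParameterDefinition><name>...</name> under
<parameterDefinitions>; uploads are archived relative to a per-build base
directory; the sample config.xml below is constructed for this example."""
import posixpath
import xml.etree.ElementTree as ET

FILE_PARAM_TAG = "hudson.model.FileParameterDefinition"

# Assumed archive location for one build; the real layout may differ.
ASSUMED_BASE_DIR = "/var/lib/jenkins/jobs/example/builds/1/fileParameters"

# Constructed sample: one benign parameter, one that climbs out of the base.
SAMPLE_CONFIG_XML = """<project>
  <properties>
    <hudson.model.ParametersDefinitionProperty>
      <parameterDefinitions>
        <hudson.model.FileParameterDefinition>
          <name>reports/summary.txt</name>
          <description>benign: stays under the base directory</description>
        </hudson.model.FileParameterDefinition>
        <hudson.model.FileParameterDefinition>
          <name>../../../../escaped.txt</name>
          <description>escapes the base directory</description>
        </hudson.model.FileParameterDefinition>
      </parameterDefinitions>
    </hudson.model.ParametersDefinitionProperty>
  </properties>
</project>
"""


def is_confined(base_dir: str, relative_name: str) -> bool:
    """True if base_dir/relative_name still lies strictly inside base_dir
    after '.', '..' and duplicate separators are normalised.

    Paths are handled as POSIX paths so the verdict does not depend on the
    host running the audit; backslashes are treated as separators because
    they would be on a Windows master."""
    if not relative_name or relative_name.startswith("/"):
        return False  # empty or absolute: never accept
    candidate = relative_name.replace("\\", "/")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, candidate))
    if target == base:
        return False  # names the directory itself, not a file inside it
    try:
        return posixpath.commonpath([base, target]) == base
    except ValueError:  # no common prefix at all (e.g. mixed absolute/relative)
        return False


def file_parameter_names(config_xml: str) -> list:
    """Extract the file-name portion of every file parameter definition."""
    root = ET.fromstring(config_xml)
    return [elem.findtext("name") or "" for elem in root.iter(FILE_PARAM_TAG)]


def audit(config_xml: str, base_dir: str = ASSUMED_BASE_DIR) -> dict:
    """Map each file parameter name to whether it stays under base_dir."""
    return {name: is_confined(base_dir, name)
            for name in file_parameter_names(config_xml)}


if __name__ == "__main__":
    for name, confined in audit(SAMPLE_CONFIG_XML).items():
        print(f"{'OK    ' if confined else 'ESCAPE'} {name}")
```

Pointing audit at each jobs/<name>/config.xml under JENKINS_HOME before upgrading lists the jobs whose builds will start failing after the fix, since the patched Jenkins no longer accepts such parameters.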
Ephemeral user record was created on some invalid authentication attempts
SECURITY-1162 / CVE-2018-1999043

When attempting to authenticate using an API token, an ephemeral user record was created to validate the token in case an external security realm was used and the user record in Jenkins had not previously been saved, as (legacy) API tokens could exist without a persisted user record. This behavior could be abused to create a large number of ephemeral user records in memory.

This is the same vulnerability as SECURITY-672. The fix for SECURITY-672 was previously incorrectly applied and therefore not effective. This has been fixed.

Ephemeral user record creation
SECURITY-1128 / CVE pending

By accessing a specifically crafted URL on Jenkins instances using Jenkins' own user database, users without Overall/Read access could create ephemeral user records. This behavior could be abused to create a large number of ephemeral user records in memory.

Accessing this URL no longer results in a user record being created.

Session fixation vulnerability on user signup
SECURITY-1158 / CVE pending

When signing up for a new user account on instances using Jenkins' own user database, Jenkins did not invalidate the existing session and create a new one. This allowed session fixation.

Jenkins now invalidates the existing session and creates a new one when logging in after user signup.

Failures to process form submission data could result in secrets being displayed or written to logs
SECURITY-765 / CVE pending

When Jenkins fails to process a form submission due to an internal error, the error message shown to the user and written to the log typically includes the serialized JSON form submission. Secrets, such as submitted passwords, might be included in the JSON object and shown or written to disk in plain text.

Jenkins now masks values in these error messages if they were shown on the UI as password form fields.
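The following is an added example and not Jenkins code. It shows the kind of masking the SECURITY-765 fix describes: before a serialized JSON form submission is echoed in an error message or written to a log, the values of fields that were rendered as password inputs are replaced. The set of password-field names is passed in by the caller here (how the form communicates it is not part of this example), the sample submission and the secret-looking-key pattern are constructed, and the example goes beyond the advisory in two ways: it also masks keys whose names merely look secret, and it refuses to echo a submission that does not parse as JSON at all, since masking by field name is then impossible.

```python
"""Mask secret values in a serialized JSON form submission before it is
shown in an error message or logged (the failure mode behind SECURITY-765).

Added example, not Jenkins project code. Assumptions: the caller knows which
field names were rendered as password inputs; the heuristic key pattern and
the sample submission below are constructed for this example."""
import json
import re

MASK = "********"

# Belt and braces beyond the advisory's fix: keys that look like secrets are
# masked even if the form did not declare them as password fields.
SUSPICIOUS_KEY = re.compile(r"(password|passphrase|secret|token|apikey|api_key)", re.I)

# Constructed sample submission, nested the way Jenkins form JSON tends to be.
SAMPLE_SUBMISSION = json.dumps({
    "name": "deploy-prod",
    "credentials": {"username": "svc-deploy", "password": "hunter2"},
    "extra": [{"apiToken": "abc123"}, {"note": "keep"}],
    "Submit": "Save",
})
PASSWORD_FIELDS = {"password"}  # names the UI rendered as password inputs


def mask_secrets(node, password_fields):
    """Return a deep copy of node with secret values replaced by MASK.

    A key is secret if the form declared it as a password field or if its
    name matches SUSPICIOUS_KEY; the whole value under such a key is masked,
    whatever its type, so nothing nested beneath it can leak either."""
    if isinstance(node, dict):
        masked = {}
        for key, value in node.items():
            if key in password_fields or SUSPICIOUS_KEY.search(key):
                masked[key] = MASK
            else:
                masked[key] = mask_secrets(value, password_fields)
        return masked
    if isinstance(node, list):
        return [mask_secrets(item, password_fields) for item in node]
    return node  # scalar under a non-secret key: keep for diagnostics


def mask_submission(raw_json: str, password_fields):
    """Parse the raw submission and return the masked structure, or None if
    it is not valid JSON (in which case nothing of it may be echoed)."""
    try:
        data = json.loads(raw_json)
    except ValueError:
        return None
    return mask_secrets(data, set(password_fields))


def masked_submission_for_log(raw_json: str, password_fields) -> str:
    """The text an error message or log line may safely include."""
    masked = mask_submission(raw_json, password_fields)
    if masked is None:
        return "<form submission not parseable as JSON; contents withheld>"
    return json.dumps(masked, sort_keys=True)


if __name__ == "__main__":
    print(masked_submission_for_log(SAMPLE_SUBMISSION, PASSWORD_FIELDS))
    print(masked_submission_for_log("{not json", PASSWORD_FIELDS))
```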
Severity

  SECURITY-765: low
  SECURITY-867: medium
  SECURITY-1074: medium
  SECURITY-1128: medium
  SECURITY-1129: medium
  SECURITY-1158: medium
  SECURITY-1162: medium

Affected Versions

  Jenkins weekly up to and including 2.145
  Jenkins LTS up to and including 2.138.1

Fix

  Jenkins weekly should be updated to version 2.146
  Jenkins LTS should be updated to version 2.138.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  Apple Information Security for SECURITY-867
  Evan Grant of Tenable for SECURITY-1128, SECURITY-1129
  Oleg Nenashev for SECURITY-1074
  Sam Gleske for SECURITY-765
  Wadeck Follonier, CloudBees, Inc. for SECURITY-1158
  Zhao Xiaojie for SECURITY-1162

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41            +
+ 75013 Paris           | email: cert@support.renater.fr  +
=========================================================