====================================================================

                              CERT-Renater

                 Note d'Information No. 2017/VULN311
_____________________________________________________________________

DATE                : 24/10/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Build-Publisher for Jenkins,
                      Active Choices (uno-choice) for Jenkins,
                      Dependency Graph Viewer for Jenkins,
                      global-build-stats for Jenkins,
                      Multijob for Jenkins,
                      SCP publisher for Jenkins.

=====================================================================
https://jenkins.io/security/advisory/2017-10-23/
____________________________________________________________________


Jenkins Security Advisory 2017-10-23

This advisory announces vulnerabilities in these Jenkins plugins:

    Active Choices (uno-choice)

    Build-Publisher

    Dependency Graph Viewer

    global-build-stats

    Multijob

    SCP publisher


Description

Persisted Cross-Site Scripting vulnerability in Active Choices plugin

SECURITY-470 / CVE pending

Active Choices plugin allowed users with Job/Configure permission to
provide arbitrary HTML to be shown on the Build With Parameters page
through the Active Choices Reactive Reference Parameter type. This
could include, for example, arbitrary JavaScript.

Active Choices now sanitizes the HTML inserted on the Build With
Parameters page if and only if the script is executed in a sandbox. As
unsandboxed scripts are subject to administrator approval, it is up to
the administrator to allow or disallow problematic script output.
	

Sandboxed Groovy scripts for Active Choices Reactive Reference
Parameter will no longer emit HTML that is considered unsafe, such as
<script> tags. This may result in behavior changes on Build With
Parameters forms, such as missing elements.

To resolve this issue, Groovy scripts emitting HTML will need to be
configured to run outside the script security sandbox, possibly
requiring separate administrator approval in In-Process Script Approval.
Cross-Site Request Forgery (CSRF) and Reflected Cross-Site Scripting
vulnerability in global-build-stats plugin

SECURITY-50 / CVE pending

Some URLs provided by global-build-stats plugin returned a JSON
response that contained request parameters. These responses had the
Content Type: text/html, so could have been interpreted as HTML by
clients, resulting in a potential reflected cross-site scripting
vulnerability.

Additionally, some URLs provided by global-build-stats plugin that
modify data did not require POST requests to be sent, resulting in a
potential cross-site request forgery vulnerability.

Affected URLs now specify the correct Content-Type for JSON responses,
and require that requests be sent via POST.
Missing permission checks in Dependency Graph Viewer plugin

SECURITY-57 / CVE pending

Dependency Graph Viewer plugin did not perform permission checks for
the API endpoint that modifies the dependency graph, allowing anyone
with Overall/Read permission to modify this data.

Dependency graph modification now requires that users have the
permission to configure all jobs involved in the operation.
Build-Publisher plugin stores Jenkins credentials unencrypted on disk,
round-trips in unencrypted form

SECURITY-378 / CVE pending

Build-Publisher plugin stores credentials to other Jenkins instances in
the file hudson.plugins.build_publisher.BuildPublisher.xml in the
Jenkins master home directory. These credentials were stored
unencrypted, allowing anyone with local file system access to access
them.

Additionally, the credentials were also transmitted in plain text as
part of the configuration form. This could result in exposure of the
credentials through browser extensions, cross-site scripting
vulnerabilities, and similar situations.

Build-Publisher Plugin now encrypts the credentials on disk, and only
transmits their encrypted form to users viewing the configuration form.
Missing permission check in Multijob plugin Resume Build action

JENKINS-36333 / CVE pending

Multijob plugin did not check permissions in the Resume Build action,
allowing anyone with Job/Read permission to resume the build.

Multijob plugin 1.26 introduced a permission check requiring
Overall/Administer. This was lowered to Job/Build in version 1.27.
SCP publisher plugin stores credentials unencrypted on disk,
round-trips in unencrypted form

SECURITY-374

SCP publisher plugin stores SSH credentials in the file
be.certipost.hudson.plugin.SCPRepositoryPublisher.xml in the Jenkins
master home directory. These credentials are stored unencrypted,
allowing anyone with local file system access to access them.

Additionally, the credentials are also transmitted in plain text as
part of the configuration form. This could result in exposure of
credentials through browser extensions, cross-site scripting
vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.


Severity

    SECURITY-50: medium

    SECURITY-57: medium

    SECURITY-374: medium

    SECURITY-378: medium

    SECURITY-470: medium

    JENKINS-36333: medium


Affected versions

    Active Choices Plugin up to and including 1.5.3

    Build-Publisher Plugin up to and including 1.21

    Dependency Graph Viewer Plugin up to and including 0.12

    global-build-stats Plugin up to and including 1.4

    Multijob Plugin up to and including 1.25

    All versions of SCP publisher plugin


Fix

    Active Choices Plugin should be updated to version 2.0

    Build-Publisher Plugin should be updated to version 1.22

    Dependency Graph Viewer Plugin should be updated to version 0.13

    global-build-stats Plugin should be updated to version 1.5

    Multijob Plugin should be updated to version 1.26


These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.

As of publication of this advisory, there is no fix available for SCP
publisher plugin.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Daniel Beck, CloudBees Inc. for SECURITY-470

    Eddie Allan for SECURITY-50

    Kenichi Maehashi for SECURITY-57

    Lars Hupel for SECURITY-246 (fixed as JENKINS-36333)

    Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG for SECURITY-378



==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================