====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN164

_____________________________________________________________________

DATE                : 31/05/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Gitea Plugin for Jenkins,
                         InfluxDB Plugin for Jenkins,
                         Pipeline Maven Integration Plugin for Jenkins,
                         Pipeline Remote Loader Plugin for Jenkins,
                         Warnings Next Generation Plugin for Jenkins.

=====================================================================
https://jenkins.io/security/advisory/2019-05-31/
_____________________________________________________________________

Jenkins is an open source automation server which enables developers
around the world to reliably build, test, and deploy their software. The
following releases contain fixes for security vulnerabilities:

* Gitea Plugin 1.1.2
* InfluxDB Plugin 1.22
* Pipeline Maven Integration Plugin 3.7.1
* Pipeline Remote Loader Plugin 1.5
* Warnings Next Generation Plugin 5.1.0

Additionally, we announce unresolved security issues in the following
plugins:

* Artifactory Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-05-31/

We provide advance notification for security updates on this mailing
list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them
as described here:
https://jenkins.io/security/#reporting-vulnerabilities

---


SECURITY-1373 / CVE-2019-10325
Warnings Next Generation Plugin rendered the name of a custom warnings
parser unescaped on Jenkins web pages. This allowed attackers with
Job/Configure permission to define a custom parser whose name included
HTML and JavaScript, resulting in a persisted cross-site scripting
vulnerability.

Warnings Next Generation Plugin now properly escapes custom warnings
parser names.


SECURITY-1391 / CVE-2019-10326
Warnings Next Generation Plugin did not require that requests sent to
the endpoint used to reset warning counts use POST. This resulted in a
cross-site request forgery vulnerability that allows attackers to reset
warning counts for future builds.

Warnings Next Generation Plugin now requires that these requests be sent
via POST.


SECURITY-1409 / CVE-2019-10327
Pipeline Maven Integration Plugin did not configure its XML parser in a
way that would prevent XML External Entity (XXE) processing.

This allowed attackers able to control the contents of a temporary
directory on the agent that the Maven build is executing on to have
Jenkins parse a maliciously crafted XML file that uses external entities
for extraction of secrets from the Jenkins master, server-side request
forgery, or denial-of-service attacks.

Pipeline Maven Integration Plugin no longer processes XML External
Entities in XML documents.


SECURITY-921 / CVE-2019-10328
Pipeline Remote Loader Plugin provides a custom Script Security
whitelist.
Those entries apply to all scripts with sandbox protection, such as
Pipeline.

One entry provided here was unsafe, as it allowed invoking arbitrary
methods, bypassing sandbox protection.

The unsafe whitelist entry has been removed.


SECURITY-1403 / CVE-2019-10329
InfluxDB Plugin stored target passwords unencrypted in its global
configuration file on the Jenkins master. These credentials could be
viewed by users with access to the master file system.

InfluxDB Plugin now stores its passwords encrypted.


SECURITY-1046 / CVE-2019-10330
Multibranch pipelines are typically configured so that only committers
to the repository are able to effectively propose changes to
Jenkinsfiles.
Changes to Jenkinsfiles in pull requests created by other users would
not be trusted, and the target branch’s Jenkinsfile content is used
instead.

Gitea Plugin did not implement this behavior. Attackers without commit
access to the Git repository could therefore propose changes to
Jenkinsfiles and have those be applied for PR builds despite the
configuration declaring them to be untrusted.

Gitea Plugin now implements the desired behavior of only trusting pull

request content when those are trusted.


SECURITY-1015 (1) / CVE-2019-10321 (CSRF), CVE-2019-10322 (permission check)
Artifactory Plugin does not perform permission checks on a method
implementing form validation. This allows users with Overall/Read access
to Jenkins to connect to an attacker-specified URL using attacker-
specified credentials IDs obtained through another method, capturing
credentials stored in Jenkins.

Additionally, this form validation method does not require POST
requests, resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, no release containing a fix is
available.


SECURITY-1015 (2) / CVE-2019-10323
Artifactory Plugin provides a list of applicable credential IDs to allow
users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any
user with Overall/Read permission to get a list of valid credentials
IDs. Those can be used as part of an attack to capture the credentials
using another vulnerability.

As of publication of this advisory, no release containing a fix is
available.


SECURITY-1347 / CVE-2019-10324
Artifactory Plugin implements a number of API endpoints allowing users
to trigger various actions related to releasing and promotion.

These endpoints do not require POST requests, resulting in a cross-site
request forgery vulnerability.

As of publication of this advisory, no release containing a fix is
available.



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================