
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN073
_____________________________________________________________________

DATE                : 13/02/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Applatix Plugin for Jenkins,
                     Azure AD Plugin for Jenkins,
                     BMC Release Package and Deployment Plugin for Jenkins,
                     Brakeman Plugin for Jenkins,
                     Debian Package Builder Plugin for Jenkins,
                     DigitalOcean Plugin for Jenkins,
                     Dynamic Extended Choice Parameter Plugin for Jenkins,
                     Eagle Tester Plugin for Jenkins,
                     ECX Copy Data Management Plugin for Jenkins,
                     FitNesse Plugin for Jenkins,
                     Git Parameter Plugin for Jenkins,
                     Google Kubernetes Engine Plugin for Jenkins,
                     Harvest SCM Plugin for Jenkins,
                     NUnit Plugin for Jenkins,
                     Parasoft Environment Manager Plugin for Jenkins,
                     Pipeline GitHub Notify Step Plugin for Jenkins,
                     Pipeline: Groovy Plugin for Jenkins,
                     RadarGun Plugin for Jenkins,
                     S3 publisher Plugin for Jenkins,
                     Script Security Plugin for Jenkins,
                     Subversion Plugin for Jenkins.

=====================================================================
https://jenkins.io/security/advisory/2020-02-12/
_____________________________________________________________________

 Jenkins Security Advisory 2020-02-12

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Applatix Plugin
    Azure AD Plugin
    BMC Release Package and Deployment Plugin
    Brakeman Plugin
    Debian Package Builder Plugin
    DigitalOcean Plugin
    Dynamic Extended Choice Parameter Plugin
    Eagle Tester Plugin
    ECX Copy Data Management Plugin
    FitNesse Plugin
    Git Parameter Plugin
    Google Kubernetes Engine Plugin
    Harvest SCM Plugin
    NUnit Plugin
    Parasoft Environment Manager Plugin
    Pipeline GitHub Notify Step Plugin
    Pipeline: Groovy Plugin
    RadarGun Plugin
    S3 publisher Plugin
    Script Security Plugin
    Subversion Plugin


Descriptions

Sandbox bypass via default method parameter expression in Pipeline:
Groovy Plugin
SECURITY-1710 / CVE-2020-2109

Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be
circumvented through default parameter expressions in CPS-transformed
methods.

This allows attackers able to specify and run sandboxed Pipelines to
execute arbitrary code in the context of the Jenkins master JVM.

These expressions are subject to sandbox protection in Pipeline: Groovy
Plugin 2.79.


Sandbox bypass vulnerability in Script Security Plugin
SECURITY-1713 / CVE-2020-2110

Sandbox protection in Script Security Plugin 1.69 and earlier can be
circumvented during the script compilation phase by applying AST
transforming annotations such as @Grab to imports or by using them
inside of other annotations. This affects both script execution
(typically invoked from other plugins like Pipeline) as well as HTTP
endpoints providing sandboxed script validation.

Users with Overall/Read permission can exploit this to bypass sandbox
protection and execute arbitrary code on the Jenkins master.

This issue is due to an incomplete fix of SECURITY-1266.

Script Security Plugin 1.70 disallows all known unsafe AST
transformations on imports or when used inside of other annotations.


Stored XSS vulnerability in Subversion Plugin
SECURITY-1725 / CVE-2020-2111

Subversion Plugin 2.13.0 and earlier does not escape the error message
for the Project Repository Base URL field form validation. This results
in a stored cross-site scripting vulnerability exploitable by users able
to specify such base URLs, for example users able to configure
Multibranch Pipelines.

Subversion Plugin 2.13.1 escapes the affected part of the error message.


Multiple stored XSS vulnerabilities in Git Parameter Plugin
SECURITY-1709 / CVE-2020-2112 (parameter name), CVE-2020-2113 (default
value)

Git Parameter Plugin 0.9.11 and earlier does not correctly escape the
parameter name or default value. This results in a stored cross-site
scripting vulnerability exploitable by users with Job/Configure
permission.

Git Parameter Plugin 0.9.12 escapes the parameter name and default value
shown on the UI.


Credential transmitted in plain text by S3 publisher Plugin
SECURITY-1684 / CVE-2020-2114

S3 publisher Plugin stores a secret key in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in
plain text as part of the configuration form by S3 publisher Plugin
0.11.4 and earlier. This can result in exposure of the credential
through browser extensions, cross-site scripting vulnerabilities, and
similar situations.

S3 publisher Plugin 0.11.5 transmits the secret key in its global
configuration encrypted.


XXE vulnerability in NUnit Plugin
SECURITY-1752 / CVE-2020-2115

NUnit Plugin 0.25 and earlier does not configure the XML parser to
prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build
step to have Jenkins parse a crafted file that uses external entities
for extraction of secrets from the Jenkins master, server-side request
forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML
parser.


CSRF vulnerability and missing permission checks in Pipeline GitHub
Notify Step Plugin allows capturing credentials
SECURITY-812 (1) / CVE-2020-2116 (CSRF), CVE-2020-2117 (missing
permission check)

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform
permission checks on a method implementing form validation. This allows
users with Overall/Read access to Jenkins to make it connect to an
attacker-specified URL using attacker-specified credential IDs (obtained
through another method, see SECURITY-812 (2) below), capturing
credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

This form validation method requires POST requests and Item/Configure
permission in Pipeline GitHub Notify Step Plugin 1.0.5.


Users with Overall/Read access can enumerate credential IDs in Pipeline
GitHub Notify Step Plugin
SECURITY-812 (2) / CVE-2020-2118

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of
applicable credential IDs to allow users configuring the plugin to
select the one to use.

This functionality does not correctly check permissions, allowing any
user with Overall/Read permission to obtain a list of valid credential
IDs. Those can be used as part of an attack to capture the credentials
using another vulnerability, such as SECURITY-812 (1) above.

Enumerating credential IDs in Pipeline GitHub Notify Step Plugin 1.0.5
requires the permission to configure the project.


Client secret transmitted in plain text by Azure AD Plugin
SECURITY-1717 / CVE-2020-2119

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in
plain text as part of the configuration form by Azure AD Plugin 1.1.2
and earlier. This can result in exposure of the credential through
browser extensions, cross-site scripting vulnerabilities, and similar
situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global
configuration encrypted.


XXE vulnerability in FitNesse Plugin
SECURITY-1751 / CVE-2020-2120

FitNesse Plugin 1.30 and earlier does not configure the XML parser to
prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build
step to have Jenkins parse a crafted file that uses external entities
for extraction of secrets from the Jenkins master, server-side request
forgery, or denial-of-service attacks.

FitNesse Plugin 1.31 disables external entity processing for its XML
parser.
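Added example for the two XXE items above (NUnit, FitNesse), which describe the same parser misconfiguration. This is not code from either plugin or from the advisory; it uses only the JAXP API shipped with the JDK. It parses a constructed "test results" file first with a default DocumentBuilderFactory and then with one hardened the way the fixed plugins are described to be. The temporary file, its contents and the XML are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // BEFORE: JAXP defaults. DTDs are processed and external entities are
    // resolved, so a crafted report can pull in local files or remote URLs.
    public static DocumentBuilder defaultBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // AFTER: refuse DOCTYPE declarations entirely (no DTD means no entities
    // at all), and additionally switch off external entity resolution and
    // external DTD loading for parsers that do not support the first feature.
    public static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // What a report-parsing post-build step does: parse the file, read values out.
    public static String reportText(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a secret on the master's file system.
        Path secret = Files.createTempFile("master-secret", ".txt");
        secret.toFile().deleteOnExit();
        Files.write(secret, "constructed-secret-value".getBytes(StandardCharsets.UTF_8));

        // Constructed "test results" file, as a build could leave it in the workspace.
        String crafted = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE test-results [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<test-results><test-case>&xxe;</test-case></test-results>\n";

        System.out.println("default parser returned: " + reportText(defaultBuilder(), crafted));
        try {
            reportText(hardenedBuilder(), crafted);
            System.out.println("unexpected: hardened parser accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
    }
}
```

Compiled and run with plain javac/java, the default parser prints the contents of the temporary file the entity points at, while the hardened parser throws a SAXParseException as soon as it sees the DOCTYPE. Disallowing the DOCTYPE is the simplest complete defence for report formats that never legitimately carry a DTD; the remaining feature flags matter only where that feature is unavailable. The same settings apply to SAXParserFactory and XMLInputFactory if a plugin parses with those instead.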


RCE vulnerability in Google Kubernetes Engine Plugin
SECURITY-1731 / CVE-2020-2121

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its
YAML parser to prevent the instantiation of arbitrary types. This
results in a remote code execution vulnerability exploitable by users
able to provide YAML input files to Google Kubernetes Engine Plugin’s
build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only
instantiate safe types.


Stored XSS vulnerability in Brakeman Plugin
SECURITY-1644 / CVE-2020-2122

Brakeman Plugin 0.12 and earlier does not escape values received from
parsed JSON files when rendering them, resulting in a stored cross-site
scripting vulnerability.

This vulnerability can be exploited by users able to control the
Brakeman post-build step input data.

Brakeman Plugin 0.13 escapes affected values from the parsed file as they
are recorded.

Note: this fix only applies to data recorded after a fixed version of the
plugin is installed; historical data may still contain unsafe values.


RCE vulnerability in RadarGun Plugin
SECURITY-1733 / CVE-2020-2123

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to
prevent the instantiation of arbitrary types. This results in a remote
code execution vulnerability exploitable by users able to configure
RadarGun Plugin’s build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe
types.
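Added example for the two YAML items above (Google Kubernetes Engine, RadarGun), which describe the same parser misconfiguration. This is not code from either plugin or from the advisory. It assumes SnakeYAML 1.x on the classpath (the no-argument SafeConstructor; in SnakeYAML 2.x it takes a LoaderOptions argument, and 2.x also refuses global tags by default, so only the "safe" half behaves the same there). The nested class, the manifest text and the type tag are constructed for the demonstration; a real attacker would name a class already present on the Jenkins master's classpath.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlTypeDemo {

    // Stand-in for any class on the master's classpath. A YAML document can
    // name it with a !!fully.qualified.Name tag (nested classes use '$').
    public static class Instantiated {
        private String note;
        public String getNote() { return note; }
        public void setNote(String note) { this.note = note; }
    }

    // Constructed input: looks like a Kubernetes manifest, but one node
    // carries an explicit Java type tag.
    public static final String CRAFTED =
        "apiVersion: v1\n"
      + "kind: ConfigMap\n"
      + "metadata:\n"
      + "  name: demo\n"
      + "  annotations: !!YamlTypeDemo$Instantiated {note: built by the YAML parser}\n";

    // BEFORE: the default Constructor resolves global tags to classes, creates
    // an instance and populates it through its setters.
    public static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // AFTER (what the fixed plugins are described to do): SafeConstructor only
    // builds standard YAML types (maps, lists, scalars) and throws on any other tag.
    public static Object loadWithSafeConstructor(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        Map<?, ?> doc = (Map<?, ?>) loadWithDefaultConstructor(CRAFTED);
        Object annotations = ((Map<?, ?>) doc.get("metadata")).get("annotations");
        System.out.println("default constructor built: " + annotations.getClass().getName()
            + " (note=" + ((Instantiated) annotations).getNote() + ")");

        try {
            loadWithSafeConstructor(CRAFTED);
            System.out.println("unexpected: SafeConstructor accepted the type tag");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor rejected it: " + e.getMessage());
        }
    }
}
```

The first load returns a live YamlTypeDemo$Instantiated object whose setter the parser called; the second throws a ConstructorException (a YAMLException) for the unknown tag and never touches the class. A plugin that needs typed output should still parse with SafeConstructor and then map the resulting maps and lists onto its own classes itself, rather than handing a target class to Constructor, since global tags in nested nodes are resolved there too.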


Password stored in plain text by Dynamic Extended Choice Parameter Plugin
SECURITY-1560 / CVE-2020-2124

Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a
Subversion password unencrypted in job config.xml files as part of its
configuration. This credential can be viewed by users with Extended Read
permission or access to the master file system.

As of publication of this advisory, there is no fix.


Credentials stored in plain text by Debian Package Builder Plugin
SECURITY-1558 / CVE-2020-2125

Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase
unencrypted in its global configuration file
ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the
Jenkins master. This credential can be viewed by users with access to
the master file system.

As of publication of this advisory, there is no fix.


Token stored in plain text by DigitalOcean Plugin
SECURITY-1559 / CVE-2020-2126

DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the
global config.xml files as part of its configuration. This credential
can be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.


Credential stored in plain text by BMC Release Package and Deployment
Plugin
SECURITY-1547 / CVE-2020-2127

BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD
user token unencrypted in its global configuration file
com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml
on the Jenkins master. This credential can be viewed by users with
access to the master file system.

As of publication of this advisory, there is no fix.


Password stored in plain text by ECX Copy Data Management Plugin
SECURITY-1549 / CVE-2020-2128

ECX Copy Data Management Plugin 1.9 and earlier stores a service
password unencrypted in job config.xml files as part of its
configuration. This credential can be viewed by users with Extended Read
permission or access to the master file system.

As of publication of this advisory, there is no fix.


Password stored in plain text by Eagle Tester Plugin
SECURITY-1552 / CVE-2020-2129

Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in
its global configuration file on the Jenkins master. This credential can
be viewed by users with access to the master file system.

As of publication of this advisory, there is no fix.


Passwords stored in plain text by Harvest SCM Plugin
SECURITY-1553 / CVE-2020-2130 (global configuration), CVE-2020-2131 (job
configuration)

Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in
its global configuration file hudson.plugins.harvest.HarvestSCM.xml and
in job config.xml files on the Jenkins master. These credentials can be
viewed by users with Extended Read permission (job config.xml only) or
access to the master file system (both).

As of publication of this advisory, there is no fix.


Password stored in plain text by Parasoft Environment Manager Plugin
SECURITY-1562 / CVE-2020-2132

Parasoft Environment Manager Plugin 2.14 and earlier stores a repository
password unencrypted in job config.xml files as part of its
configuration. This credential can be viewed by users with Extended Read
permission or access to the master file system.

As of publication of this advisory, there is no fix.


Password stored in plain text by Applatix Plugin
SECURITY-1540 / CVE-2020-2133

Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted
in job config.xml files as part of its configuration. This credential
can be viewed by users with Extended Read permission or access to the
master file system.

As of publication of this advisory, there is no fix.
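Added example covering the "stored in plain text" items above (SECURITY-1540 through SECURITY-1562) and the "transmitted in plain text" items for S3 publisher and Azure AD (SECURITY-1684, SECURITY-1717), whose fixed versions are described as transmitting the secret encrypted. This is a hypothetical global configuration, not code from any of the listed plugins, written against the Jenkins core API of the time (StaplerRequest-era signature). The class, field and Jelly path names are assumptions. It shows the one change that addresses both families at once: typing the field as hudson.util.Secret and binding it with <f:password/>.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;

// Hypothetical global configuration for an external service. Jenkins persists
// it to $JENKINS_HOME/<fully.qualified.ClassName>.xml, the same kind of file
// the "stored in plain text" items above refer to.
@Extension
public class ExampleServiceConfiguration extends GlobalConfiguration {

    // BEFORE: a String field. XStream writes it to the XML file verbatim and
    // an <f:textbox/> in config.jelly sends it to the browser verbatim.
    //     private String apiToken;

    // AFTER: hudson.util.Secret. XStream serialises its encrypted form, and
    // <f:password/> renders the encrypted form, so neither the file on the
    // master nor the configuration page carries the plaintext.
    private Secret apiToken;

    public ExampleServiceConfiguration() {
        load();   // reads the XML file if present; the value stays encrypted in memory
    }

    // Assumed Jelly, src/main/resources/<package>/ExampleServiceConfiguration/config.jelly:
    //   <f:section title="Example service">
    //     <f:entry title="API token" field="apiToken">
    //       <f:password/>        <!-- was <f:textbox/> -->
    //     </f:entry>
    //   </f:section>

    public Secret getApiToken() {
        return apiToken;   // the form's getter; <f:password> shows the encrypted value
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) throws FormException {
        // Secret.fromString accepts either the encrypted form sent back by
        // <f:password> (field left unchanged) or newly typed plaintext, and
        // returns a Secret either way; the plaintext is never kept as a String.
        apiToken = Secret.fromString(json.getString("apiToken"));
        save();
        return true;
    }

    // Decrypt only at the point of use, into the request being built.
    public String authorizationHeader() {
        return "Bearer " + Secret.toString(apiToken);
    }
}
```

The same pattern applies to job-level settings, which is where the config.xml findings above sit: type the @DataBoundConstructor parameter and the field as Secret and bind it with <f:password/>, and the job's config.xml will contain the encrypted value instead of the password. A quick check on an installed plugin is to grep $JENKINS_HOME for a known password value; with Secret in place only the encrypted form appears, and users with Extended Read see that form rather than the plaintext.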


Severity

    SECURITY-812 (1): High
    SECURITY-812 (2): Medium
    SECURITY-1540: Medium
    SECURITY-1547: Low
    SECURITY-1549: Medium
    SECURITY-1552: Low
    SECURITY-1553: Medium
    SECURITY-1558: Low
    SECURITY-1559: Low
    SECURITY-1560: Medium
    SECURITY-1562: Medium
    SECURITY-1644: Medium
    SECURITY-1684: Low
    SECURITY-1709: Medium
    SECURITY-1710: High
    SECURITY-1713: High
    SECURITY-1717: Low
    SECURITY-1725: Medium
    SECURITY-1731: High
    SECURITY-1733: High
    SECURITY-1751: High
    SECURITY-1752: High


Affected Versions

    Applatix Plugin up to and including 1.1
    Azure AD Plugin up to and including 1.1.2
    BMC Release Package and Deployment Plugin up to and including 1.1
    Brakeman Plugin up to and including 0.12
    Debian Package Builder Plugin up to and including 1.6.11
    DigitalOcean Plugin up to and including 1.1
    Dynamic Extended Choice Parameter Plugin up to and including 1.0.1
    Eagle Tester Plugin up to and including 1.0.9
    ECX Copy Data Management Plugin up to and including 1.9
    FitNesse Plugin up to and including 1.30
    Git Parameter Plugin up to and including 0.9.11
    Google Kubernetes Engine Plugin up to and including 0.8.0
    Harvest SCM Plugin up to and including 0.5.1
    NUnit Plugin up to and including 0.25
    Parasoft Environment Manager Plugin up to and including 2.14
    Pipeline GitHub Notify Step Plugin up to and including 1.0.4
    Pipeline: Groovy Plugin up to and including 2.78
    RadarGun Plugin up to and including 1.7
    S3 publisher Plugin up to and including 0.11.4
    Script Security Plugin up to and including 1.69
    Subversion Plugin up to and including 2.13.0


Fix

    Azure AD Plugin should be updated to version 1.2.0
    Brakeman Plugin should be updated to version 0.13
    FitNesse Plugin should be updated to version 1.31
    Git Parameter Plugin should be updated to version 0.9.12
    Google Kubernetes Engine Plugin should be updated to version 0.8.1
    NUnit Plugin should be updated to version 0.26
    Pipeline GitHub Notify Step Plugin should be updated to version 1.0.5
    Pipeline: Groovy Plugin should be updated to version 2.79
    RadarGun Plugin should be updated to version 1.8
    S3 publisher Plugin should be updated to version 0.11.5
    Script Security Plugin should be updated to version 1.70
    Subversion Plugin should be updated to version 2.13.1

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.

As of publication of this advisory, no fixes are available for the
following plugins:

    Applatix Plugin
    BMC Release Package and Deployment Plugin
    Debian Package Builder Plugin
    DigitalOcean Plugin
    Dynamic Extended Choice Parameter Plugin
    Eagle Tester Plugin
    ECX Copy Data Management Plugin
    Harvest SCM Plugin
    Parasoft Environment Manager Plugin


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Adith Sudhakar for SECURITY-1644
    Daniel Kalinowski of ISEC.pl Research Team for SECURITY-1731,
        SECURITY-1733
    Federico Pellegrin for SECURITY-1751, SECURITY-1752
    James Holderness, IB Boost for SECURITY-1540, SECURITY-1547,
        SECURITY-1549, SECURITY-1552, SECURITY-1553, SECURITY-1558,
        SECURITY-1559, SECURITY-1560, SECURITY-1562
    Joseph Petersen @casz for SECURITY-1717
    Nils Emmerich of ERNW Research GmbH for SECURITY-1710, SECURITY-1713
    Sven Grossmann (@svennergr) for SECURITY-1709
    Thomas de Grenier de Latour for SECURITY-812 (1), SECURITY-812 (2)
    Wadeck Follonier, CloudBees, Inc. for SECURITY-1684, SECURITY-1725


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


