
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN260
_____________________________________________________________________

DATE                : 07/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Amazon EC2 Plugin for Jenkins
                     versions prior to 1.50.2,
                     Copy Artifact Plugin for Jenkins versions prior to 1.44,
                     Credentials Binding Plugin for Jenkins versions prior to 1.23,
                     CVS Plugin for Jenkins versions prior to 2.16,
                     SCM Filter Jervis Plugin for Jenkins versions prior to 0.3.

=====================================================================
https://www.jenkins.io/security/advisory/2020-05-06/
_____________________________________________________________________

Jenkins Security Advisory 2020-05-06

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Amazon EC2 Plugin
    Copy Artifact Plugin
    Credentials Binding Plugin
    CVS Plugin
    SCM Filter Jervis Plugin


Descriptions

Secrets are not masked by Credentials Binding Plugin in builds without
build steps
SECURITY-1374 / CVE-2020-2181

Credentials Binding Plugin 1.22 and earlier does not mask (i.e., replace
with asterisks) secrets in the build log when the build contains no
build steps.

Credentials Binding Plugin 1.23 now masks secrets when the build
contains no build steps.


Improper masking of some secrets in Credentials Binding Plugin
SECURITY-1835 / CVE-2020-2182

Credentials Binding Plugin allows specifying passwords and other secrets
as environment variables, and will hide them from console output in
builds. As a side effect of the fix for SECURITY-698, $ characters in
secrets are escaped to $$. This will then be expanded to $ again once
the secret is passed to (post) build steps.

Credentials Binding Plugin 1.22 and earlier does not mask the escaped
form of the secret (containing $$). This occurs for example in the
"Execute Maven top-level targets" build step included in Jenkins.

Credentials Binding Plugin 1.23 now masks secrets both in their original
form and with escaped $ characters so they will be masked even if
printed before value expansion.
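The masking gap described above can be reproduced with a small log masker. This is an added Python example, not code from Credentials Binding Plugin; the secret and log lines are constructed, and the escaped form is derived by the same $ to $$ replacement the advisory describes.

```python
import re

def escape_dollars(secret: str) -> str:
    """Produce the escaped form that a bound secret takes before (post) build
    step expansion: every '$' becomes '$$'."""
    return secret.replace("$", "$$")

def build_mask_pattern(secrets, include_escaped: bool) -> re.Pattern:
    """Build one alternation matching every secret value. With include_escaped
    the '$$' form is added as well (the 1.23 behaviour); without it only the
    original form is matched (the 1.22 behaviour). Longest forms go first so a
    secret such as '$' is not matched twice inside its own escaped form '$$'."""
    forms = set()
    for s in secrets:
        if not s:
            continue
        forms.add(s)
        if include_escaped:
            forms.add(escape_dollars(s))
    ordered = sorted(forms, key=len, reverse=True)
    return re.compile("|".join(re.escape(f) for f in ordered))

def mask_line(line: str, pattern: re.Pattern) -> str:
    return pattern.sub("****", line)

# Constructed sample: one bound password containing '$', and two console lines,
# the first printed by a step that echoes its arguments before expansion.
SECRETS = ["hunter$2"]
LOG = [
    "Executing: mvn -Dpassword=hunter$$2 deploy",  # pre-expansion, escaped form
    "Using password hunter$2 for repo",            # post-expansion, original form
]

def mask_log(lines, include_escaped: bool):
    """Mask a whole log; include_escaped=False reproduces the leak."""
    pattern = build_mask_pattern(SECRETS, include_escaped)
    return [mask_line(line, pattern) for line in lines]

if __name__ == "__main__":
    for line in mask_log(LOG, include_escaped=False):
        print("1.22-style:", line)   # first line still shows hunter$$2
    for line in mask_log(LOG, include_escaped=True):
        print("1.23-style:", line)   # both lines masked
```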


Improper permission checks in Copy Artifact Plugin
SECURITY-988 / CVE-2020-2183

Copy Artifact Plugin 1.43.1 and earlier performs improper permission
checks when determining whether a build can copy artifacts from another
project build. This allows attackers, usually with Job/Configure
permission, to configure jobs to copy artifacts from jobs they have no
permission to access.

Copy Artifact Plugin 1.44 now properly performs permission checks when
copying artifacts. When updating the plugin from a previous version, the
previous behavior is retained ("Migration mode"). To enable the
additional protections, switch to the new "Production mode". Doing so
may cause existing jobs to fail to copy artifacts. For more information
see the plugin documentation.


CSRF vulnerability in CVS Plugin
SECURITY-1094 / CVE-2020-2184

CVS Plugin 2.15 and earlier does not require POST requests in several
HTTP endpoints, resulting in cross-site request forgery (CSRF)
vulnerabilities. This allows attackers to create and manipulate tags,
and to connect to an attacker-specified URL.

CVS Plugin 2.16 now requires POST requests for the affected HTTP
endpoints.


Missing SSH host key validation in Amazon EC2 Plugin
SECURITY-381 / CVE-2020-2185

Amazon EC2 Plugin 1.50.1 and earlier does not use SSH host key
validation when connecting to agents. This lack of validation could be
abused using a man-in-the-middle attack to intercept these connections
to build agents.

Amazon EC2 Plugin 1.50.2 provides strategies for performing host key
validation for administrators to select the one that meets their
security needs. It includes assistance for administrators to migrate to
a new, more secure strategy. For more information see the plugin
documentation.


CSRF vulnerability in Amazon EC2 Plugin
SECURITY-1408 / CVE-2020-2186

Amazon EC2 Plugin 1.50.1 and earlier does not require POST requests in
several HTTP endpoints, resulting in cross-site request forgery (CSRF)
vulnerabilities. This allows an attacker to provision instances with an
attacker-specified template ID.

Amazon EC2 Plugin 1.50.2 now requires POST requests for the affected
HTTP endpoints.


Lack of SSL/TLS certificate and hostname validation in Amazon EC2 Plugin
SECURITY-1528 / CVE-2020-2187

Amazon EC2 Plugin connects to Windows agents via HTTPS.

Amazon EC2 Plugin 1.50.1 and earlier unconditionally accepts self-signed
HTTPS certificates and does not perform hostname validation when
connecting to Windows agents. This lack of validation could be abused
using a man-in-the-middle attack to intercept these connections to build
agents.

Amazon EC2 Plugin 1.50.2 by default no longer accepts self-signed HTTPS
certificates and performs hostname validation. A new configuration
option allows restoring the previous, unsafe behavior. For more
information see the plugin documentation.


Users with Overall/Read access can enumerate credentials IDs in Amazon
EC2 Plugin
SECURITY-1844 / CVE-2020-2188

Amazon EC2 Plugin provides a list of applicable credentials IDs to allow
users configuring the plugin to select the one to use.

This functionality does not correctly check permissions in Amazon EC2
Plugin 1.50.1 and earlier, allowing any user with Overall/Read
permission to get a list of valid credentials IDs. Those can be used as
part of an attack to capture the credentials using another
vulnerability.

Enumerating credentials IDs in Amazon EC2 Plugin 1.50.2 now requires
Overall/Administer permission.


RCE vulnerability in SCM Filter Jervis Plugin
SECURITY-1826 / CVE-2020-2189

SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML
parser to prevent the instantiation of arbitrary types. This results in
a remote code execution (RCE) vulnerability exploitable by users able to
configure jobs with the filter, or control the contents of a previously
configured job’s SCM repository.

SCM Filter Jervis Plugin 0.3 configures its YAML parser to only
instantiate safe types.


Severity

    SECURITY-381: Medium
    SECURITY-988: Medium
    SECURITY-1094: Medium
    SECURITY-1374: Medium
    SECURITY-1408: Low
    SECURITY-1528: Medium
    SECURITY-1826: High
    SECURITY-1835: Low
    SECURITY-1844: Medium


Affected Versions

    Amazon EC2 Plugin up to and including 1.50.1
    Copy Artifact Plugin up to and including 1.43.1
    Credentials Binding Plugin up to and including 1.22
    CVS Plugin up to and including 2.15
    SCM Filter Jervis Plugin up to and including 0.2.1

Fix

    Amazon EC2 Plugin should be updated to version 1.50.2
    Copy Artifact Plugin should be updated to version 1.44
    Credentials Binding Plugin should be updated to version 1.23
    CVS Plugin should be updated to version 2.16
    SCM Filter Jervis Plugin should be updated to version 0.3

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Jesse Glick, CloudBees, Inc. for SECURITY-381, SECURITY-988
    Oleg Nenashev, CloudBees, Inc. for SECURITY-1094, SECURITY-1408
    Raihaan Shouhell, Autodesk, Inc. for SECURITY-1528
    Wadeck Follonier, CloudBees, Inc. for SECURITY-1844



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================