====================================================================
CERT-Renater Information Note No. 2020/VULN397
_____________________________________________________________________

DATE : 16/07/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins (core) versions prior to weekly 2.245 or LTS 2.235.2, Deployer Framework Plugin versions prior to 1.3, Gitlab Authentication Plugin versions prior to 1.6, Matrix Authorization Strategy Plugin versions prior to 2.6.2, Matrix Project Plugin versions prior to 1.17.
=====================================================================

https://www.jenkins.io/security/advisory/2020-07-15/
_____________________________________________________________________

Jenkins Security Advisory 2020-07-15

This advisory announces vulnerabilities in the following Jenkins deliverables:

  Jenkins (core)
  Deployer Framework Plugin
  Gitlab Authentication Plugin
  Matrix Authorization Strategy Plugin
  Matrix Project Plugin

Descriptions

Stored XSS vulnerability in job build time trend
SECURITY-1868 / CVE-2020-2220

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name on build time trend pages. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the agent name.

Stored XSS vulnerability in upstream cause
SECURITY-1901 / CVE-2020-2221

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job's display name shown as part of a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the job display name.

Stored XSS vulnerability in 'keep forever' badge icons
SECURITY-1902 / CVE-2020-2222

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names. As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations.

Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.

Stored XSS vulnerability in console links
SECURITY-1945 / CVE-2020-2223

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Jenkins 2.245, LTS 2.235.2 escapes the href attribute of these links.

Stored XSS vulnerability in single axis builds tooltips in Matrix Project Plugin
SECURITY-1924 / CVE-2020-2224

Matrix Project Plugin 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.

Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.

Stored XSS vulnerability in multiple axis builds tooltips in Matrix Project Plugin
SECURITY-1925 / CVE-2020-2225

Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.

Matrix Project Plugin 1.17 escapes the axis names shown in these tooltips.

Stored XSS vulnerability in Matrix Authorization Strategy Plugin
SECURITY-1909 / CVE-2020-2226

Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting (XSS) vulnerability.
When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission, otherwise by users with Overall/Administer permission.

Matrix Authorization Strategy Plugin 2.6.2 escapes user names in the permission table.

Stored XSS vulnerability in Deployer Framework Plugin
SECURITY-1915 / CVE-2020-2227

Deployer Framework Plugin is a framework plugin allowing other plugins to provide a way to deploy artifacts.

Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to provide the location.

The exploitability of this vulnerability depends on the specific implementation using Deployer Framework Plugin. The Jenkins security team is not aware of any exploitable implementation.

Deployer Framework Plugin 1.3 escapes the URL.

Improper authorization of users and groups with the same base name in Gitlab Authentication Plugin
SECURITY-1792 / CVE-2020-2228

Gitlab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group.

Gitlab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.
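The following is an added illustration, not code from the Gitlab Authentication Plugin or the Jenkins project: a simplified model of the SECURITY-1792 flaw, in which one untyped name space serves both user logins and the base name of hierarchical group paths, shown beside a check that records the principal type with each grant. The data class, function names and sample logins are assumptions made for the example.

```python
# Added example, not the Gitlab Authentication Plugin's code: a simplified
# model of the authorization flaw in SECURITY-1792. The flawed check keys
# grants by a bare name and accepts it whether it matches the user's login or
# the base name (last path segment) of any group the user belongs to, so a
# GitLab group whose base name equals another user's login satisfies a grant
# meant for that user. The hardened check stores the principal type with each
# grant and compares groups by full path only.
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple


@dataclass(frozen=True)
class GitLabUser:
    login: str
    group_paths: FrozenSet[str]  # full paths, e.g. "infra/deploy"


def base_name(group_path: str) -> str:
    """Last segment of a hierarchical GitLab group path."""
    return group_path.rsplit("/", 1)[-1]


def flawed_has_permission(user: GitLabUser, grants: Set[str]) -> bool:
    """Vulnerable pattern: one untyped name space for logins and group base names."""
    if user.login in grants:
        return True
    return any(base_name(p) in grants for p in user.group_paths)


# Hardened grants carry the principal type: ("user", "alice") or ("group", "infra/deploy").
Grant = Tuple[str, str]


def fixed_has_permission(user: GitLabUser, grants: Set[Grant]) -> bool:
    """Logins match only user grants; group memberships match only group grants, by full path."""
    for kind, name in grants:
        if kind == "user" and name == user.login:
            return True
        if kind == "group" and name in user.group_paths:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample data (not from the advisory).
    alice = GitLabUser("alice", frozenset({"infra/deploy"}))
    # A different user whose group's base name collides with alice's login.
    other = GitLabUser("bob", frozenset({"sandbox/alice"}))
    print(flawed_has_permission(other, {"alice"}))           # True: collision
    print(fixed_has_permission(other, {("user", "alice")}))  # False
    print(fixed_has_permission(alice, {("user", "alice")}))  # True
```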
Severity

  SECURITY-1792: High
  SECURITY-1868: High
  SECURITY-1901: High
  SECURITY-1902: High
  SECURITY-1909: High
  SECURITY-1915: High
  SECURITY-1924: High
  SECURITY-1925: High
  SECURITY-1945: High

Affected Versions

  Jenkins weekly up to and including 2.244
  Jenkins LTS up to and including 2.235.1
  Deployer Framework Plugin up to and including 1.2
  Gitlab Authentication Plugin up to and including 1.5
  Matrix Authorization Strategy Plugin up to and including 2.6.1
  Matrix Project Plugin up to and including 1.16

Fix

  Jenkins weekly should be updated to version 2.245
  Jenkins LTS should be updated to version 2.235.2
  Deployer Framework Plugin should be updated to version 1.3
  Gitlab Authentication Plugin should be updated to version 1.6
  Matrix Authorization Strategy Plugin should be updated to version 2.6.2
  Matrix Project Plugin should be updated to version 1.17

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  Oleg Nenashev, CloudBees, Inc. for SECURITY-1945
  Wadeck Follonier, CloudBees, Inc. for SECURITY-1868, SECURITY-1901, SECURITY-1902, SECURITY-1909, SECURITY-1915, SECURITY-1924, SECURITY-1925

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44               +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41               +
+ 75013 Paris         | email : cert@support.renater.fr    +
=========================================================
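As an added example (not part of the CERT-Renater note or the Jenkins advisory), the script below checks an installed Jenkins core version and plugin inventory against the Affected Versions and Fix lists given in the advisory above. It assumes plugins are identified by the display names the advisory uses, and that weekly and LTS core releases can be told apart by the number of version components (two for weekly, three for LTS).

```python
# Added example, not from the advisory: checks installed Jenkins core and
# plugin versions against the fixed versions listed in Jenkins Security
# Advisory 2020-07-15. Versions are compared as integer tuples. Weekly
# (two components, e.g. 2.244) and LTS (three components, e.g. 2.235.1)
# lines are told apart by component count, because LTS 2.235.2 is fixed
# even though 2.235 sorts below the weekly fix 2.245.
from typing import Dict, Optional, Tuple

# Fixed plugin versions from the advisory, keyed by the plugin display name.
FIXED_PLUGIN_VERSIONS: Dict[str, str] = {
    "Deployer Framework Plugin": "1.3",             # SECURITY-1915 / CVE-2020-2227
    "Gitlab Authentication Plugin": "1.6",          # SECURITY-1792 / CVE-2020-2228
    "Matrix Authorization Strategy Plugin": "2.6.2",  # SECURITY-1909 / CVE-2020-2226
    "Matrix Project Plugin": "1.17",                # SECURITY-1924, SECURITY-1925
}
FIXED_CORE: Dict[str, str] = {"weekly": "2.245", "lts": "2.235.2"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.235.1' into (2, 235, 1); raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in v.strip().split("."))


def core_line(version: str) -> str:
    """Jenkins weekly releases carry two components, LTS releases three (assumption)."""
    n = len(parse_version(version))
    if n == 2:
        return "weekly"
    if n == 3:
        return "lts"
    raise ValueError(f"unrecognised Jenkins core version: {version}")


def core_is_affected(version: str) -> bool:
    """True when the core version predates the fixed release of its own line."""
    return parse_version(version) < parse_version(FIXED_CORE[core_line(version)])


def plugin_is_affected(name: str, version: str) -> Optional[bool]:
    """True/False for plugins named in the advisory, None for any other plugin."""
    fixed = FIXED_PLUGIN_VERSIONS.get(name)
    return None if fixed is None else parse_version(version) < parse_version(fixed)


def report(core_version: str, plugins: Dict[str, str]) -> Dict[str, bool]:
    """Map each advisory-relevant component to whether the installed version is affected."""
    result = {"Jenkins (core)": core_is_affected(core_version)}
    for name, version in plugins.items():
        affected = plugin_is_affected(name, version)
        if affected is not None:
            result[name] = affected
    return result
```

Pass `report()` the core version and a `{display name: version}` map taken from the instance's plugin list; unlisted plugins are ignored.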