
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN446
_____________________________________________________________________

DATE                : 14/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins (core) versions prior to
                     weekly 2.252, LTS 2.235.4,
                     Email Extension Plugin versions prior to 2.74,
                     Flaky Test Handler Plugin versions up to and including 1.0.4,
                     Pipeline Maven Integration Plugin versions prior to 3.8.3,
                     Yet Another Build Visualizer Plugin versions prior to 1.12.

=====================================================================
https://www.jenkins.io/security/advisory/2020-08-12/
_____________________________________________________________________

 Jenkins Security Advisory 2020-08-12

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)
    Email Extension Plugin
    Flaky Test Handler Plugin
    Pipeline Maven Integration Plugin
    Yet Another Build Visualizer Plugin


Descriptions


Stored XSS vulnerability in help icons
SECURITY-1955 / CVE-2020-2229

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the
tooltip content of help icons. Tooltip values can be contributed by
plugins, some of which use user-specified values.

This results in a stored cross-site scripting (XSS) vulnerability.

Jenkins 2.252, LTS 2.235.4 escape the tooltip content of help icons.


Stored XSS vulnerability in project naming strategy
SECURITY-1957 / CVE-2020-2230

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the
project naming strategy description that is displayed on item creation.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by users with Overall/Manage permission.

Jenkins 2.252, LTS 2.235.4 escape the project naming strategy
description.


Stored XSS vulnerability in 'Trigger builds remotely'
SECURITY-1960 / CVE-2020-2231

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier do not escape the
remote address of the host starting a build via 'Trigger builds
remotely'.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by users with Job/Configure permission or knowledge of the
Authentication Token.

Jenkins 2.252, LTS 2.235.4 escape the remote address of the host.
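The three core issues above (SECURITY-1955, SECURITY-1957, SECURITY-1960) share one root cause: a string that a user or a remote client controls is written into HTML without escaping. The following is an added example, not Jenkins core code, showing a tooltip renderer in the vulnerable and the hardened form; it assumes hudson.Util from Jenkins core, and the HelpIconTooltip class and the sample string are constructed for illustration. The same escaping step is what Yet Another Build Visualizer Plugin 1.12 applies to its tooltip content (SECURITY-1940, below).

```java
// Added example (not Jenkins core or plugin code): a help-icon tooltip renderer in
// the vulnerable and the hardened form. Assumes hudson.Util from Jenkins core;
// HelpIconTooltip and the sample string are constructed for illustration.
import hudson.Util;

public class HelpIconTooltip {

    /** Vulnerable: the contributed tooltip lands in the title attribute verbatim. */
    static String renderUnescaped(String tooltip) {
        return "<img class=\"icon-help\" src=\"/static/help.png\" title=\""
                + tooltip + "\">";
    }

    /** Hardened: the value is HTML-escaped before it is emitted, so a quote or a
     *  tag in it cannot end the attribute or start new markup. */
    static String renderEscaped(String tooltip) {
        return "<img class=\"icon-help\" src=\"/static/help.png\" title=\""
                + Util.escape(tooltip) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample: text a user could type into a configuration field
        // that a plugin later surfaces as help text.
        String contributed = "Closes the \"quote\" and adds <b>markup</b>";

        // The attribute ends at the first embedded quote; the rest is parsed as markup.
        System.out.println(renderUnescaped(contributed));

        // Util.escape turns '"' into &quot; and '<' into &lt;, so the browser shows
        // the text as written and the attribute stays intact.
        System.out.println(renderEscaped(contributed));
    }
}
```

In a Jelly view the equivalent choice is between `<j:out value="${tooltip}"/>`, which writes the value raw, and `${h.escape(tooltip)}`, which goes through the same hudson.Util.escape call; the check when reviewing a plugin is that every user-supplied string reaching an attribute or element body takes the second path.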


SMTP password transmitted and displayed in plain text by Email Extension
Plugin
SECURITY-1975 / CVE-2020-2232

Email Extension Plugin stores an SMTP password in its global
configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on
the Jenkins master as part of its configuration.

While this password is stored encrypted on disk, it is transmitted and
displayed in plain text as part of the configuration form by Email
Extension Plugin 2.72 and 2.73. This can result in exposure of the
password.

Email Extension Plugin 2.74 transmits the SMTP password in its global
configuration encrypted and masks it using a password field.


Missing permission check in Pipeline Maven Integration Plugin allows
enumerating credentials IDs
SECURITY-1794 (1) / CVE-2020-2233

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate
credentials IDs of credentials stored in Jenkins. Those can be used as
part of an attack to capture the credentials using another
vulnerability.

Pipeline Maven Integration Plugin 3.8.3 requires the appropriate
permissions to enumerate credentials IDs.


CSRF vulnerability and missing permission check in Pipeline Maven
Integration Plugin allow capturing credentials
SECURITY-1794 (2) / CVE-2020-2234 (permission check), CVE-2020-2235 (CSRF)

Pipeline Maven Integration Plugin 3.8.2 and earlier does not perform a
permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an
attacker-specified JDBC URL using attacker-specified credentials IDs
obtained through another method, potentially capturing credentials
stored in Jenkins.

Additionally, this form validation method does not require POST
requests, resulting in a cross-site request forgery (CSRF)
vulnerability.

Pipeline Maven Integration Plugin 3.8.3 requires POST requests and
Job/Configure permission for the affected form validation method.


Stored XSS vulnerability in Yet Another Build Visualizer Plugin
SECURITY-1940 / CVE-2020-2236

Yet Another Build Visualizer Plugin 1.11 and earlier does not escape
tooltip content.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by users with Run/Update permission.

Yet Another Build Visualizer Plugin 1.12 escapes tooltip content.


CSRF vulnerability in Flaky Test Handler Plugin
SECURITY-1763 / CVE-2020-2237

Flaky Test Handler Plugin 1.0.4 and earlier does not require POST
requests for the "Deflake this build" feature, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild a project at a previous
git revision where the tests were failing.

As of publication of this advisory, there is no fix.


Severity

    SECURITY-1763: Medium
    SECURITY-1794 (1): Medium
    SECURITY-1794 (2): High
    SECURITY-1940: High
    SECURITY-1955: High
    SECURITY-1957: High
    SECURITY-1960: High
    SECURITY-1975: Low

Affected Versions

    Jenkins weekly up to and including 2.251
    Jenkins LTS up to and including 2.235.3
    Email Extension Plugin up to and including 2.73
    Flaky Test Handler Plugin up to and including 1.0.4
    Pipeline Maven Integration Plugin up to and including 3.8.2
    Yet Another Build Visualizer Plugin up to and including 1.11

Fix

    Jenkins weekly should be updated to version 2.252
    Jenkins LTS should be updated to version 2.235.4
    Email Extension Plugin should be updated to version 2.74
    Pipeline Maven Integration Plugin should be updated to version 3.8.3
    Yet Another Build Visualizer Plugin should be updated to version 1.12

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.

As of publication of this advisory, no fixes are available for the
following plugins:

    Flaky Test Handler Plugin


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Bjoern Kasteleiner for SECURITY-1975
    Pierre Beitz, CloudBees, Inc. for SECURITY-1957
    Tim Jacomb for SECURITY-1794 (1), SECURITY-1794 (2)
    Wadeck Follonier, CloudBees, Inc. for SECURITY-1763, SECURITY-1940,
        SECURITY-1955, SECURITY-1960


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================