
====================================================================

                             CERT-Renater

                 Information Notice No. 2020/VULN487
_____________________________________________________________________

DATE                : 02/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running database Plugin for Jenkins,
                       Build Failure Analyzer Plugin for Jenkins,
                       Cadence vManager Plugin for Jenkins,
                       Git Parameter Plugin for Jenkins,
                       JSGames Plugin for Jenkins,
                       Klocwork Analysis Plugin for Jenkins,
                       Parameterized Remote Trigger Plugin for Jenkins,
                       SoapUI Pro Functional Testing Plugin for Jenkins,
                       SoapUI Pro Functional Testing Plugin for Jenkins,
                       Team Foundation Server Plugin for Jenkins,
                       Valgrind Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2020-09-01/
_____________________________________________________________________


 Jenkins Security Advisory 2020-09-01

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Build Failure Analyzer Plugin
    Cadence vManager Plugin
    database Plugin
    Git Parameter Plugin
    JSGames Plugin
    Klocwork Analysis Plugin
    Parameterized Remote Trigger Plugin
    SoapUI Pro Functional Testing Plugin
    SoapUI Pro Functional Testing Plugin
    Team Foundation Server Plugin
    Valgrind Plugin


Descriptions

Stored XSS vulnerability in Git Parameter Plugin
SECURITY-1884 / CVE-2020-2238

Git Parameter Plugin 0.9.12 and earlier does not escape the repository
field on the 'Build with Parameters' page.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.

Git Parameter Plugin 0.9.13 escapes the repository field on the 'Build
with Parameters' page.


Secret stored in plain text by Parameterized Remote Trigger Plugin
SECURITY-1625 / CVE-2020-2239

Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret
unencrypted in its global configuration file
org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml
on the Jenkins controller as part of its configuration. This secret can
be viewed by attackers with access to the Jenkins controller file
system.

Parameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted
once its configuration is saved again.


CSRF vulnerability in database Plugin
SECURITY-1023 / CVE-2020-2240

database Plugin 1.6 and earlier does not require POST requests for the
database console, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to execute arbitrary SQL scripts.

database Plugin 1.7 removes the database console.


CSRF vulnerability and missing permission checks in database Plugin
SECURITY-1024 / CVE-2020-2241 (CSRF), CVE-2020-2242 (permission check)

database Plugin 1.6 and earlier does not perform a permission check in a
method implementing form validation.

This allows attackers with Overall/Read access to Jenkins to connect to
an attacker-specified database server using attacker-specified username
and password.

Additionally, this form validation method does not require POST
requests, resulting in a cross-site request forgery (CSRF)
vulnerability.

database Plugin 1.7 requires POST requests and Overall/Administer
permission for the affected form validation method.
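The following is an added illustration (not code from the database Plugin or
the Jenkins project) of the two controls the 1.7 fix adds to a Jenkins form
validation method: the vulnerable shape is reachable by GET from any user with
Overall/Read, while the hardened shape is POST-only and checks Overall/Administer
before opening a connection. The class, method and parameter names are
assumptions; only the Jenkins and Stapler APIs used are real.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Hypothetical global configuration page; names are assumptions for this example.
@Extension
public class ExampleDatabaseConfig extends GlobalConfiguration {

    // Vulnerable shape, as described for database Plugin 1.6: no HTTP-method
    // restriction (so a cross-site GET reaches it) and no permission check, so
    // anyone with Overall/Read can make the controller connect to a chosen host.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String username,
                                                 @QueryParameter String password) {
        return tryConnect(url, username, password);
    }

    // Hardened shape, as in database Plugin 1.7: Stapler rejects non-POST
    // requests (the crumb check then blocks CSRF), and the explicit permission
    // check limits the caller to administrators.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(url, username, password);
    }

    // Shared connection attempt; the result is reported back to the config form.
    private FormValidation tryConnect(String url, String username, String password) {
        try (Connection c = DriverManager.getConnection(url, username, password)) {
            return FormValidation.ok("Connected to " + c.getMetaData().getURL());
        } catch (SQLException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The unsafe method is included only for comparison; a plugin should ship only the
annotated, permission-checked variant.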


Stored XSS vulnerability in Cadence vManager Plugin
SECURITY-1936 / CVE-2020-2243

Cadence vManager Plugin 3.0.4 and earlier does not escape build
descriptions in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Run/Update permission.

Cadence vManager Plugin 3.0.5 removes affected tooltips.


XSS vulnerability in Build Failure Analyzer Plugin
SECURITY-1770 / CVE-2020-2244

Build Failure Analyzer Plugin 1.27.0 and earlier does not escape
matching text in a form validation response.

This results in a cross-site scripting (XSS) vulnerability exploitable
by attackers able to provide console output for builds used to test
build log indications.

Build Failure Analyzer Plugin 1.27.1 escapes matching text in the
affected form validation response.


XXE vulnerability in Valgrind Plugin
SECURITY-1829 / CVE-2020-2245

Valgrind Plugin 0.28 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the Valgrind
plugin parser to have Jenkins parse a crafted file that uses external
entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix.


Stored XSS vulnerability in Valgrind Plugin
SECURITY-1830 / CVE-2020-2246

Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML
reports.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control Valgrind XML report contents.

As of publication of this advisory, there is no fix.


XXE vulnerability in Klocwork Analysis Plugin
SECURITY-1831 / CVE-2020-2247

Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the Klocwork
plugin parser to have Jenkins parse a crafted file that uses external
entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix.


Reflected XSS vulnerability in JSGames Plugin
SECURITY-1905 / CVE-2020-2248

JSGames Plugin 0.2 and earlier evaluates part of a URL as code.

This results in a reflected cross-site scripting (XSS) vulnerability.

As of publication of this advisory, there is no fix.


Credentials stored in plain text by Team Foundation Server Plugin
SECURITY-1506 / CVE-2020-2249

Team Foundation Server Plugin 5.157.1 and earlier stores a webhook
secret unencrypted in its global configuration file
hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller
as part of its configuration. This secret can be viewed by attackers
with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.


Passwords stored in plain text by SoapUI Pro Functional Testing Plugin
SECURITY-1631 (1) / CVE-2020-2250

SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project
passwords unencrypted in job config.xml files as part of its
configuration. These project passwords can be viewed by attackers with
Extended Read permission or access to the Jenkins controller file
system.

SoapUI Pro Functional Testing Plugin 1.4 stores project passwords
encrypted once affected job configurations are saved again.


Passwords transmitted in plain text by SoapUI Pro Functional Testing Plugin
SECURITY-1631 (2) / CVE-2020-2251

SoapUI Pro Functional Testing Plugin stores project passwords in job
config.xml files on the Jenkins controller as part of its configuration.

While these passwords are stored encrypted on disk since SoapUI Pro
Functional Testing Plugin 1.4, they are transmitted in plain text as
part of the global configuration form by SoapUI Pro Functional Testing
Plugin 1.5 and earlier. These passwords can be viewed by attackers with
Extended Read permission.

This only affects Jenkins before 2.236, including 2.235.x LTS, as
Jenkins 2.236 introduces a security hardening that transparently
encrypts and decrypts data used for a Jenkins password form field.

As of publication of this advisory, there is no fix.


Severity

    SECURITY-1023: High
    SECURITY-1024: Medium
    SECURITY-1506: Low
    SECURITY-1625: Low
    SECURITY-1631 (1): Medium
    SECURITY-1631 (2): Medium
    SECURITY-1770: High
    SECURITY-1829: High
    SECURITY-1830: High
    SECURITY-1831: High
    SECURITY-1884: High
    SECURITY-1905: High
    SECURITY-1936: High

Affected Versions

    Build Failure Analyzer Plugin up to and including 1.27.0
    Cadence vManager Plugin up to and including 3.0.4
    database Plugin up to and including 1.6
    Git Parameter Plugin up to and including 0.9.12
    JSGames Plugin up to and including 0.2
    Klocwork Analysis Plugin up to and including 2020.2.1
    Parameterized Remote Trigger Plugin up to and including 3.1.3
    SoapUI Pro Functional Testing Plugin up to and including 1.3
    SoapUI Pro Functional Testing Plugin up to and including 1.5
    Team Foundation Server Plugin up to and including 5.157.1
    Valgrind Plugin up to and including 0.28

Fix

    Build Failure Analyzer Plugin should be updated to version 1.27.1
    Cadence vManager Plugin should be updated to version 3.0.5
    database Plugin should be updated to version 1.7
    Git Parameter Plugin should be updated to version 0.9.13
    Parameterized Remote Trigger Plugin should be updated to version
     3.1.4
    SoapUI Pro Functional Testing Plugin should be updated to version
     1.4

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.

As of publication of this advisory, no fixes are available for the
following plugins:

    JSGames Plugin
    Klocwork Analysis Plugin
    SoapUI Pro Functional Testing Plugin
    Team Foundation Server Plugin
    Valgrind Plugin


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Federico Pellegrin for SECURITY-1829, SECURITY-1830, SECURITY-1831
    James Holderness, IB Boost for SECURITY-1506
    Jonathan Leitschuh for SECURITY-1905
    Oleg Nenashev, CloudBees, Inc. for SECURITY-1023, SECURITY-1024
    Wadeck Follonier, CloudBees, Inc. for SECURITY-1770, SECURITY-1884,
     SECURITY-1936
    Wasin Saengow for SECURITY-1625, SECURITY-1631 (1), SECURITY-1631 (2)


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================