
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN606
_____________________________________________________________________

DATE                : 06/11/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Active Directory Plugin for Jenkins,
                      Ansible Plugin for Jenkins,
                      AppSpider Plugin for Jenkins,
                      AWS Global Configuration Plugin for Jenkins,
                      Azure Key Vault Plugin for Jenkins,
                      FindBugs Plugin for Jenkins,
                      Kubernetes Plugin for Jenkins,
                      Mail Commander Plugin for Jenkins-ci Plugin for Jenkins,
                      Mercurial Plugin for Jenkins,
                      SQLPlus Script Runner Plugin for Jenkins,
                      Static Analysis Utilities Plugin for Jenkins,
                      Subversion Plugin for Jenkins,
                      Visualworks Store Plugin for Jenkins,
                      VMware Lab Manager Slaves Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2020-11-04/
_____________________________________________________________________

 Jenkins Security Advisory 2020-11-04

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Active Directory Plugin
    Ansible Plugin
    AppSpider Plugin
    AWS Global Configuration Plugin
    Azure Key Vault Plugin
    FindBugs Plugin
    Kubernetes Plugin
    Mail Commander Plugin for Jenkins-ci Plugin
    Mercurial Plugin
    SQLPlus Script Runner Plugin
    Static Analysis Utilities Plugin
    Subversion Plugin
    Visualworks Store Plugin
    VMware Lab Manager Slaves Plugin


Descriptions

Login allowed with hardcoded password by Active Directory Plugin
SECURITY-2117 / CVE-2020-2299

Active Directory Plugin implements two separate modes: Integration with
ADSI on Windows, and an OS agnostic LDAP-based mode.

The LDAP-based mode in Active Directory Plugin 2.19 and earlier shares
code between user lookup and user authentication and distinguishes these
behaviors through the use of a magic constant used in place of a real
password. This allows attackers to log in as any user if the magic
constant is used as the password in Active Directory Plugin 2.19 and
earlier.

Active Directory Plugin 2.20 no longer uses a magic constant to
distinguish between user lookup and user authentication.


Login allowed with empty password by Active Directory Plugin
SECURITY-2099 / CVE-2020-2300

Active Directory Plugin implements two separate modes: Integration with
ADSI on Windows, and an OS agnostic LDAP-based mode.

The Windows/ADSI mode does not specifically prohibit use of empty
passwords in Active Directory Plugin 2.19 and earlier. If the Active
Directory server allows the unauthenticated bind operation, this allows
attackers to log in to Jenkins as any user by providing an empty
password.

Active Directory Plugin 2.20 prohibits the use of an empty password to
log in.


Authentication cache in Active Directory Plugin allows logging in with
any password
SECURITY-2123 / CVE-2020-2301

Active Directory Plugin implements two separate modes: Integration with
ADSI on Windows, and an OS agnostic LDAP-based mode. Optionally, to
reduce lookup time, a cache can be configured to remember user lookups
and user authentications.

In Active Directory Plugin 2.19 and earlier, when run in Windows/ADSI
mode, the provided password was not used when looking up an applicable
cache entry. This allows attackers to log in as any user using any
password while a successful authentication of that user is still in the
cache.

As a workaround for this issue, the cache can be disabled.

Active Directory Plugin 2.20 includes the provided password in cache
entry lookup.

Additionally, the Java system property
hudson.plugins.active_directory.CacheUtil.noCacheAuth can be set to true
to no longer cache user authentications.
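The three Active Directory Plugin issues above (SECURITY-2117, SECURITY-2099 and SECURITY-2123) are all failures in how one authentication path handles the password it is given. The following is an added illustration, written for this note and not code from the plugin or the Jenkins project: a small Python model (the plugin itself is Java) with a constructed in-memory directory standing in for the LDAP/ADSI backend. The "before" function shows the sentinel-password branch and the empty-password pass-through; the "after" function rejects empty passwords before binding, has no sentinel branch, and keys its authentication cache on the user and a keyed digest of the password so a cached success cannot be replayed with a different password. The directory contents, the sentinel value and the cache design are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the directory backend (LDAP or ADSI): username -> salted
# PBKDF2 hash. None of this is the plugin's own code.
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


DIRECTORY = {"alice": _hash("correct horse"), "bob": _hash("battery staple")}

# A sentinel of the kind SECURITY-2117 describes; the value itself is constructed.
MAGIC_CONSTANT = "__lookup_only__"


def directory_bind(username: str, password: str) -> bool:
    """Simulated bind against a server that permits unauthenticated bind: an empty
    password 'succeeds' for any existing user. That is the server behaviour
    SECURITY-2099 depends on, so the caller must refuse empty passwords itself."""
    if username not in DIRECTORY:
        return False
    if password == "":
        return True                      # unauthenticated bind accepted by the server
    return hmac.compare_digest(DIRECTORY[username], _hash(password))


def vulnerable_authenticate(username: str, password: str) -> bool:
    """Before: lookup and authentication share one code path. The sentinel password
    selects the lookup branch, and an empty password goes straight to bind."""
    if password == MAGIC_CONSTANT:
        return username in DIRECTORY     # meant for lookup, reachable as a login
    return directory_bind(username, password)


def lookup_user(username: str) -> bool:
    """After: lookup is its own function and never involves a password."""
    return username in DIRECTORY


class AuthCache:
    """Positive-authentication cache keyed on (user, keyed digest of password), so a
    hit requires the same password that originally authenticated (SECURITY-2123)."""

    def __init__(self, ttl_seconds: float = 300.0) -> None:
        self._ttl = ttl_seconds
        self._mac_key = secrets.token_bytes(32)   # per-process key, never persisted
        self._entries: dict = {}

    def _key(self, username: str, password: str):
        digest = hmac.new(self._mac_key, password.encode(), hashlib.sha256).hexdigest()
        return (username, digest)

    def get(self, username: str, password: str, now: float) -> bool:
        expires = self._entries.get(self._key(username, password))
        return expires is not None and now < expires

    def put(self, username: str, password: str, now: float) -> None:
        self._entries[self._key(username, password)] = now + self._ttl


def hardened_authenticate(username, password, cache=None, now=None):
    """After: empty passwords are rejected before any bind (2099), there is no
    sentinel branch (2117), and a cache hit needs the matching password (2123)."""
    now = time.monotonic() if now is None else now
    if not password:
        return False
    if cache is not None and cache.get(username, password, now):
        return True
    ok = directory_bind(username, password)
    if ok and cache is not None:
        cache.put(username, password, now)
    return ok
```

The `now` parameter exists only so the cache expiry can be exercised deterministically; in production the monotonic clock is used. Disabling the cache, as the advisory's workaround suggests, corresponds to calling `hardened_authenticate` with `cache=None`.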


Missing permission check in Active Directory Plugin allows accessing
domain health check page
SECURITY-1999 / CVE-2020-2302

Active Directory Plugin 2.19 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the domain
health check diagnostic page.

Active Directory Plugin 2.20 requires Overall/Administer permission to
access the domain health check diagnostic page.


CSRF vulnerability in Active Directory Plugin
SECURITY-2126 / CVE-2020-2303

Active Directory Plugin 2.19 and earlier does not require POST requests
for multiple HTTP endpoints implementing connection and authentication
tests, resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to perform connection tests,
connecting to attacker-specified or previously configured Active
Directory servers using attacker-specified credentials.

Active Directory Plugin 2.20 requires POST requests for the affected
HTTP endpoints.


XXE vulnerability in Subversion Plugin
SECURITY-2145 / CVE-2020-2304

Subversion Plugin 2.13.1 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins
parse a crafted changelog file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

Subversion Plugin 2.13.2 disables external entity resolution for its XML
parser.


XXE vulnerability in Mercurial Plugin
SECURITY-2115 / CVE-2020-2305

Mercurial Plugin 2.11 and earlier does not configure its XML changelog
parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins
parse a crafted changelog file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

Mercurial Plugin 2.12 disables external entity resolution for its XML
parser.


Missing permission check in Mercurial Plugin
SECURITY-2104 / CVE-2020-2306

Mercurial Plugin 2.11 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain a list of
names of configured Mercurial installations.

Mercurial Plugin 2.12 performs permission checks when listing configured
Mercurial installations.


Jenkins controller environment variables accessible in Kubernetes Plugin
SECURITY-1646 / CVE-2020-2307

Kubernetes Plugin 1.27.3 and earlier includes a feature to replace
placeholders in pod template and container template fields with
environment variable values.

This feature allows low-privilege users to access possibly sensitive
Jenkins controller environment variables.

Kubernetes Plugin 1.27.4 disables this feature.
Note: The Java system property
org.csanchez.jenkins.plugins.kubernetes.PodTemplateUtils.SUBSTITUTE_ENV
can be set to true to restore this feature. Administrators are advised
that future releases of Kubernetes Plugin will remove this feature
entirely.
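To make the risk in SECURITY-1646 concrete, here is an added Python model, written for this note rather than taken from Kubernetes Plugin (which is Java): a placeholder substitution that resolves `${NAME}` against the whole controller environment, beside an allow-list variant and a helper that lists which names a template references. The allow-list design and the `${NAME}` syntax are this example's assumptions; the environment values are constructed. The audit helper is the part an administrator would want before deciding whether to set the system property above.

```python
import re

# Placeholder syntax assumed for this example: ${NAME}.
_PLACEHOLDER_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed controller environment: one harmless variable, one that must not leak.
CONTROLLER_ENV = {
    "JENKINS_URL": "https://jenkins.example.invalid/",
    "CLOUD_API_TOKEN": "constructed-secret-token",
}


def find_placeholders(template: str) -> set:
    """Names referenced by ${NAME} placeholders, for auditing existing pod and
    container templates before the substitution feature is re-enabled."""
    return set(_PLACEHOLDER_RE.findall(template))


def substitute_all(template: str, env: dict) -> str:
    """Model of the behaviour the advisory describes for 1.27.3 and earlier: every
    placeholder resolves against the controller's full environment, so a
    low-privilege user's template field can read any variable the process holds."""
    return _PLACEHOLDER_RE.sub(lambda m: env.get(m.group(1), m.group(0)), template)


def substitute_allowlisted(template: str, env: dict, allowed: set) -> str:
    """Hardened alternative (this example's design, not the plugin's): only names on
    an explicit allow-list resolve; every other placeholder is left verbatim."""
    def repl(m):
        name = m.group(1)
        return env.get(name, m.group(0)) if name in allowed else m.group(0)
    return _PLACEHOLDER_RE.sub(repl, template)
```

Running `find_placeholders` over stored templates tells you which variables a template actually depends on; anything not on that list has no reason to be resolvable.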


Missing permission check in Kubernetes Plugin allows listing pod templates
SECURITY-2102 / CVE-2020-2308

Kubernetes Plugin 1.27.3 and earlier does not perform a permission check
in an HTTP endpoint.

This allows attackers with Overall/Read permission to list global pod
template names.

Kubernetes Plugin 1.27.4 requires Overall/Administer permission to list
global pod template names.


Missing permission check in Kubernetes Plugin allows enumerating
credentials IDs
SECURITY-2103 / CVE-2020-2309

Kubernetes Plugin 1.27.3 and earlier does not perform a permission check
in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate
credentials IDs of credentials stored in Jenkins. Those can be used as
part of an attack to capture the credentials using another
vulnerability.

An enumeration of credentials IDs in Kubernetes Plugin 1.27.4 requires
the appropriate permissions.


Missing permission checks in Ansible Plugin allow enumerating
credentials IDs
SECURITY-1943 / CVE-2020-2310

Ansible Plugin 1.0 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to enumerate
credentials IDs of credentials stored in Jenkins. Those can be used as
part of an attack to capture the credentials using another
vulnerability.

An enumeration of credentials IDs in Ansible Plugin 1.1 requires the
appropriate permissions.


Missing permission check in AWS Global Configuration Plugin allows
replacing plugin configuration
SECURITY-2101 / CVE-2020-2311

AWS Global Configuration Plugin 1.5 and earlier does not perform a
permission check in an HTTP endpoint processing form submissions.

This allows attackers with Overall/Read permission to replace the global
AWS configuration.

AWS Global Configuration Plugin 1.6 properly performs permission checks
when processing configuration form submissions.


Password written to the build log by SQLPlus Script Runner Plugin
SECURITY-2129 / CVE-2020-2312

SQLPlus Script Runner Plugin 2.0.12 and earlier prints the sqlplus
command invocation to the build log.

This log message does not redact a password provided as part of a
command line argument. This password can be viewed by users with
Item/Read permission.

SQLPlus Script Runner Plugin 2.0.13 no longer prints the password in the
build log.
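The SQLPlus Script Runner issue (SECURITY-2129) is a logging defect: the command line is useful in the build log, but the logon string carries the password. As an added example, not the plugin's code, the Python below masks the password segment of a sqlplus logon string (`user/password[@connect_identifier]`) before the command is rendered for a log. It treats the first non-option argument after the program name as the logon string and leaves later arguments such as `@script.sql` untouched; that positional rule and the regular expression are this example's assumptions.

```python
import re
import shlex

# sqlplus logon syntax is "user/password[@connect_identifier]"; only the password
# segment is sensitive. Pattern written for this example, not the plugin's own code.
_LOGON_RE = re.compile(r"^(?P<user>[^/@\s]+)/(?P<pw>[^@\s]+)(?P<rest>@\S+)?$")
MASK = "********"


def redact_argv(argv):
    """Return a copy of argv with the password in the sqlplus logon string masked.
    The logon string is the first non-option argument after the program name;
    later arguments (for example "@script.sql") are scripts or parameters and are
    left alone. "/nolog" and "/ as sysdba" forms carry no password and pass through."""
    out = list(argv)
    for i in range(1, len(argv)):
        arg = argv[i]
        if arg.startswith("-"):
            continue                       # sqlplus option such as -S or -L
        m = _LOGON_RE.match(arg)
        if m:
            out[i] = f"{m.group('user')}/{MASK}{m.group('rest') or ''}"
        break                              # only the logon position is inspected
    return out


def format_for_log(argv):
    """Shell-quoted, redacted rendering suitable for a build log line."""
    return " ".join(shlex.quote(a) for a in redact_argv(argv))
```

Redaction belongs at the point where the command is rendered for the log, not in the code that builds the process arguments, so the real password still reaches sqlplus.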


Missing permission checks in Azure Key Vault Plugin allow enumerating
credentials IDs
SECURITY-2110 / CVE-2020-2313

Azure Key Vault Plugin 2.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate
credentials IDs of credentials stored in Jenkins. Those can be used as
part of an attack to capture the credentials using another
vulnerability.

An enumeration of credentials IDs in Azure Key Vault Plugin 2.1 requires
the appropriate permissions.


Password stored in plain text by AppSpider Plugin
SECURITY-2058 / CVE-2020-2314

AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its
global configuration file com.rapid7.jenkinspider.PostBuildScan.xml on
the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins
controller file system.

AppSpider Plugin 1.0.13 stores a password encrypted once its
configuration is saved again.


XXE vulnerability in Visualworks Store Plugin
SECURITY-1900 / CVE-2020-2315

Visualworks Store Plugin 1.1.3 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control the output of a script that runs
Visualworks with StoreCI, or able to control an agent process, to have
Jenkins parse a crafted file that uses external entities for extraction
of secrets from the Jenkins controller or server-side request forgery.

Visualworks Store Plugin 1.1.4 disables external entity resolution for
its XML parser.
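The three XXE items in this advisory (SECURITY-2145 in Subversion Plugin, SECURITY-2115 in Mercurial Plugin and SECURITY-1900 in Visualworks Store Plugin) share one root cause: a changelog produced on an agent is parsed on the controller with external entity resolution left on. As an added illustration, not code from any of the plugins, the Python below parses a constructed changelog-shaped document with external general and parameter entities explicitly disabled, so a `SYSTEM` entity expands to nothing, and adds a cheap pre-screen that rejects any document carrying a DOCTYPE, since a changelog has no reason to declare one. The changelog shape, element names and the placeholder file path in the crafted input are this example's assumptions.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed changelogs in the general shape of an SCM changelog (not the exact
# Subversion, Mercurial or StoreCI format).
CLEAN_CHANGELOG = b"""<?xml version="1.0"?>
<log><entry><author>alice</author><msg>fix build</msg></entry></log>"""

# Crafted input: the entity points at a placeholder path on the controller.
CRAFTED_CHANGELOG = b"""<?xml version="1.0"?>
<!DOCTYPE log [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/controller/secret.txt">]>
<log><entry><author>mallory</author><msg>&xxe;</msg></entry></log>"""


def has_doctype(xml_bytes: bytes) -> bool:
    """Pre-screen: a changelog never needs a DTD, so any DOCTYPE is rejected outright."""
    return b"<!DOCTYPE" in xml_bytes


class _MsgCollector(ContentHandler):
    """Collects the text of every <msg> element."""

    def __init__(self):
        super().__init__()
        self.messages = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "msg":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "msg" and self._buf is not None:
            self.messages.append("".join(self._buf))
            self._buf = None


def parse_changelog(xml_bytes: bytes) -> list:
    """Parse with external general and parameter entities explicitly switched off,
    which is the kind of configuration the fixed plugin versions apply: a SYSTEM
    entity then expands to nothing instead of to the referenced file's contents."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _MsgCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.messages


def load_changelog(xml_bytes: bytes) -> list:
    """Defence in depth: reject DOCTYPE up front, then parse with the hardened parser."""
    if has_doctype(xml_bytes):
        raise ValueError("changelog contains a DOCTYPE declaration; refusing to parse")
    return parse_changelog(xml_bytes)
```

The features are set explicitly rather than relying on library defaults, because the defaults are exactly what differed between the vulnerable and fixed plugin versions. In Java the equivalent is configuring the `DocumentBuilderFactory` or `SAXParserFactory` features before parsing.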


Stored XSS vulnerability in Static Analysis Utilities Plugin
SECURITY-1907 / CVE-2020-2316

Static Analysis Utilities Plugin 1.96 and earlier does not escape the
annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.


Stored XSS vulnerability in FindBugs Plugin
SECURITY-1918 / CVE-2020-2317

FindBugs Plugin 5.0.0 and earlier does not escape the annotation message
in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to provide report files to FindBugs
Plugin’s post build step.

As of publication of this advisory, there is no fix.


Passwords stored in plain text by Mail Commander Plugin for Jenkins-ci
Plugin
SECURITY-2085 / CVE-2020-2318

Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores
passwords unencrypted in job config.xml files on the Jenkins controller
as part of its configuration.

These passwords can be viewed by users with Item/Extended Read
permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.


Password stored in plain text by VMware Lab Manager Slaves Plugin
SECURITY-2084 / CVE-2020-2319

VMware Lab Manager Slaves Plugin 0.2.8 and earlier stores a password
unencrypted in the global config.xml file on the Jenkins controller as
part of its configuration.

This password can be viewed by users with access to the Jenkins
controller file system.

As of publication of this advisory, there is no fix.
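AppSpider Plugin (SECURITY-2058), Mail Commander Plugin for Jenkins-ci Plugin (SECURITY-2085) and VMware Lab Manager Slaves Plugin (SECURITY-2084) all store a password in the clear in an XML configuration file on the controller, and two of them have no fix. An administrator can find such files directly. The Python below is an added example for this note, not Jenkins code: it walks a JENKINS_HOME, inspects elements whose names look like credentials, and flags values that do not have the `{base64}` shape Jenkins uses for encrypted `Secret` values. The element-name heuristic and the sample files it constructs (including the element names inside them) are this example's assumptions; the AppSpider file name comes from the advisory. Findings report the file and element only, never the value.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Jenkins' Secret type serialises as "{base64...}" in XML; anything else inside a
# credential-looking element is stored in the clear.
_ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Element names worth inspecting (assumption: plugins name their fields like this).
_SENSITIVE_TAGS = re.compile(r"(password|passwd|secret|apikey|token)$", re.IGNORECASE)


def find_plaintext_secrets(path: str) -> list:
    """Return (path, element_name) for every credential-looking element in one XML
    file whose value is not in encrypted form. The value itself is never returned."""
    findings = []
    try:
        tree = ET.parse(path)
    except ET.ParseError:
        return findings                  # not well-formed XML; skip quietly
    for elem in tree.iter():
        tag = elem.tag.split("}")[-1]    # strip any namespace prefix
        if not _SENSITIVE_TAGS.search(tag):
            continue
        value = (elem.text or "").strip()
        if value and not _ENCRYPTED_RE.match(value):
            findings.append((path, tag))
    return findings


def scan_jenkins_home(root: str) -> list:
    """Walk a JENKINS_HOME and collect plaintext-secret findings from every .xml file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".xml"):
                findings.extend(find_plaintext_secrets(os.path.join(dirpath, name)))
    return findings


def write_sample_home() -> str:
    """Construct a tiny JENKINS_HOME: one job config storing a password in the
    clear and one global plugin file whose value has the encrypted '{...}' shape.
    Sample data only; the element names are made up for this example."""
    root = tempfile.mkdtemp(prefix="jenkins_home_")
    job_dir = os.path.join(root, "jobs", "demo")
    os.makedirs(job_dir)
    with open(os.path.join(job_dir, "config.xml"), "w", encoding="utf-8") as fh:
        fh.write("<project><publishers><constructedMailStep>"
                 "<smtpPassword>hunter2</smtpPassword>"
                 "</constructedMailStep></publishers></project>")
    with open(os.path.join(root, "com.rapid7.jenkinspider.PostBuildScan.xml"),
              "w", encoding="utf-8") as fh:
        fh.write("<config><password>{AQAAABAAAAAQc29tZS1jb25zdHJ1Y3RlZA==}"
                 "</password></config>")
    return root
```

Run `scan_jenkins_home` against a copy of the real JENKINS_HOME with read access only; a non-empty result for a plugin without a fix is the cue to restrict file-system and Item/Extended Read access, or to remove the plugin.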



Severity

    SECURITY-1646: Medium
    SECURITY-1900: High
    SECURITY-1907: High
    SECURITY-1918: High
    SECURITY-1943: Medium
    SECURITY-1999: Medium
    SECURITY-2058: Low
    SECURITY-2084: Low
    SECURITY-2085: Medium
    SECURITY-2099: High
    SECURITY-2101: Medium
    SECURITY-2102: Medium
    SECURITY-2103: Medium
    SECURITY-2104: Medium
    SECURITY-2110: Medium
    SECURITY-2115: High
    SECURITY-2117: Critical
    SECURITY-2123: High
    SECURITY-2126: Medium
    SECURITY-2129: Medium
    SECURITY-2145: High


Affected Versions

    Active Directory Plugin up to and including 2.19
    Ansible Plugin up to and including 1.0
    AppSpider Plugin up to and including 1.0.12
    AWS Global Configuration Plugin up to and including 1.5
    Azure Key Vault Plugin up to and including 2.0
    FindBugs Plugin up to and including 5.0.0
    Kubernetes Plugin up to and including 1.27.3
    Mail Commander Plugin for Jenkins-ci Plugin up to and including 1.0.0
    Mercurial Plugin up to and including 2.11
    SQLPlus Script Runner Plugin up to and including 2.0.12
    Static Analysis Utilities Plugin up to and including 1.96
    Subversion Plugin up to and including 2.13.1
    Visualworks Store Plugin up to and including 1.1.3
    VMware Lab Manager Slaves Plugin up to and including 0.2.8


Fix

    Active Directory Plugin should be updated to version 2.20
    Ansible Plugin should be updated to version 1.1
    AppSpider Plugin should be updated to version 1.0.13
    AWS Global Configuration Plugin should be updated to version 1.6
    Azure Key Vault Plugin should be updated to version 2.1
    Kubernetes Plugin should be updated to version 1.27.4
    Mercurial Plugin should be updated to version 2.12
    SQLPlus Script Runner Plugin should be updated to version 2.0.13
    Subversion Plugin should be updated to version 2.13.2
    Visualworks Store Plugin should be updated to version 1.1.4

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.

As of publication of this advisory, no fixes are available for the
following plugins:

    FindBugs Plugin
    Mail Commander Plugin for Jenkins-ci Plugin
    Static Analysis Utilities Plugin
    VMware Lab Manager Slaves Plugin


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Chris Maggiulli, Build and Integrations Engineer, Excelsior College
        for SECURITY-2129
    Daniel Beck, CloudBees, Inc. for SECURITY-2117, SECURITY-2145
    Jeff Thompson, CloudBees, Inc. for SECURITY-1900
    Long Nguyen, Viettel Cyber Security for SECURITY-2058, SECURITY-2084,
        SECURITY-2085
    Matt Sicker, CloudBees, Inc. for SECURITY-1999
    Vic Chappill, Lee Jones, and Matthew Maylin, Siemens for SECURITY-2099
    Wadeck Follonier, CloudBees, Inc. for SECURITY-1907, SECURITY-1918,
        SECURITY-1943


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================