
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN653
_____________________________________________________________________

DATE                : 04/12/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Chaos Monkey Plugin for Jenkins
                             versions prior to 0.4.1,
                  CVS Plugin for Jenkins versions prior to 2.17,
               Shelve Project Plugin for Jenkins versions prior to 3.1,
   Plugin Installation Manager Tool for Jenkins versions prior to 2.2.0.

=====================================================================
https://www.jenkins.io/security/advisory/2020-12-03/
_____________________________________________________________________

 Jenkins Security Advisory 2020-12-03

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Chaos Monkey Plugin
    CVS Plugin
    Shelve Project Plugin
    Plugin Installation Manager Tool


Descriptions


XXE vulnerability in CVS Plugin
SECURITY-2146 / CVE-2020-2324

CVS Plugin 2.16 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control an agent process to have Jenkins
parse a crafted changelog file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

CVS Plugin 2.17 disables external entity resolution for its XML parser.


Plugin Installation Manager Tool did not verify plugin downloads
SECURITY-1856 / CVE-2020-2320

Plugin Installation Manager Tool is part of the Jenkins project Docker
images. As jenkins-plugin-cli it is used to download and install plugins
even before Jenkins is running.

Plugin Installation Manager Tool 2.1.3 and earlier does not verify
plugin downloads. This may allow third parties such as mirror operators
to provide crafted plugin downloads.

Plugin Installation Manager Tool 2.2.0 confirms that the actual checksums
of downloaded plugins match the expected checksums.

Docker images of Jenkins 2.269 and 2.263.1 contain Plugin Installation
Manager Tool 2.2.0. Users of older Docker images can change the version
they use by extending the Jenkins image and updating the tool themselves
with:

ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/2.2.0/jenkins-plugin-manager-2.2.0.jar
RUN curl -fsSL ${PLUGIN_CLI_URL} -o /usr/lib/jenkins-plugin-manager.jar

Jenkinsfile Runner 1.0-beta-22 Docker images also include Plugin
Installation Manager Tool 2.2.0.
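
The kind of check described above for version 2.2.0, as an added example
that is not the tool's own code. It assumes the expected value is a
Base64-encoded SHA-256 digest obtained from trusted metadata rather than
from the mirror that served the file; the class name and sample bytes are
constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class PluginChecksumCheck {

    // True only if SHA-256(data) equals the Base64-encoded expected digest.
    // Missing or malformed expected values fail closed instead of being skipped.
    static boolean matches(byte[] data, String expectedSha256Base64)
            throws NoSuchAlgorithmException {
        if (expectedSha256Base64 == null) {
            return false;
        }
        byte[] expected;
        try {
            expected = Base64.getDecoder().decode(expectedSha256Base64);
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64
        }
        if (expected.length != 32) {
            return false; // not a SHA-256 digest
        }
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(data);
        return MessageDigest.isEqual(expected, actual); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for a plugin file and its published digest.
        byte[] published = "constructed plugin bytes".getBytes(StandardCharsets.UTF_8);
        String expected = Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(published));
        byte[] fromMirror =
                "constructed plugin bytes, altered".getBytes(StandardCharsets.UTF_8);

        System.out.println("intact download accepted:  " + matches(published, expected));
        System.out.println("altered download accepted: " + matches(fromMirror, expected));
        System.out.println("empty digest accepted:     " + matches(published, ""));
    }
}
```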


CSRF vulnerability in Shelve Project Plugin
SECURITY-2108 / CVE-2020-2321

Shelve Project Plugin 3.0 and earlier does not require POST requests for
HTTP endpoints, resulting in cross-site request forgery (CSRF)
vulnerabilities.

These vulnerabilities allow attackers to shelve, unshelve, or delete a
project.

Shelve Project Plugin 3.1 requires POST requests for the affected HTTP
endpoints.


Missing permission checks in Chaos Monkey Plugin
SECURITY-2109 (1) / CVE-2020-2322

Chaos Monkey Plugin 0.3 and earlier does not perform permission checks
in several HTTP endpoints.

This allows attackers with Overall/Read permission to generate load and
to generate memory leaks.

Chaos Monkey Plugin 0.4 requires Overall/Administer permission to
generate load and to generate memory leaks.


Missing permission checks in Chaos Monkey Plugin
SECURITY-2109 (2) / CVE-2020-2323

Chaos Monkey Plugin 0.4 and earlier does not perform permission checks
in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the Chaos
Monkey page and to see the history of actions.

Chaos Monkey Plugin 0.4.1 requires Overall/Administer permission to
access the Chaos Monkey page and to see the history of actions.


Severity

    SECURITY-1856: High
    SECURITY-2108: High
    SECURITY-2109 (1): Medium
    SECURITY-2109 (2): Medium
    SECURITY-2146: High


Affected Versions

    Chaos Monkey Plugin up to and including 0.3
    Chaos Monkey Plugin up to and including 0.4
    CVS Plugin up to and including 2.16
    Shelve Project Plugin up to and including 3.0
    Plugin Installation Manager Tool up to and including 2.1.3

Fix

    Chaos Monkey Plugin should be updated to version 0.4
    Chaos Monkey Plugin should be updated to version 0.4.1
    CVS Plugin should be updated to version 2.17
    Shelve Project Plugin should be updated to version 3.1
    Plugin Installation Manager Tool should be updated to version 2.2.0

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Daniel Beck, CloudBees, Inc. for SECURITY-1856, SECURITY-2146


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


