===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1148
                    Jenkins Security Advisory 2019-04-03
                                4 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote/Unauthenticated
                   Access Confidential Data   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1003099 CVE-2019-1003098 CVE-2019-1003097
                   CVE-2019-1003096 CVE-2019-1003095 CVE-2019-1003094
                   CVE-2019-1003093 CVE-2019-1003092 CVE-2019-1003091
                   CVE-2019-1003090 CVE-2019-1003089 CVE-2019-1003088
                   CVE-2019-1003087 CVE-2019-1003086 CVE-2019-1003085
                   CVE-2019-1003084 CVE-2019-1003083 CVE-2019-1003082
                   CVE-2019-1003081 CVE-2019-1003080 CVE-2019-1003079
                   CVE-2019-1003078 CVE-2019-1003077 CVE-2019-1003076
                   CVE-2019-1003075 CVE-2019-1003074 CVE-2019-1003073
                   CVE-2019-1003072 CVE-2019-1003071 CVE-2019-1003070
                   CVE-2019-1003069 CVE-2019-1003068 CVE-2019-1003067
                   CVE-2019-1003066 CVE-2019-1003065 CVE-2019-1003064
                   CVE-2019-1003063 CVE-2019-1003062 CVE-2019-1003061
                   CVE-2019-1003060 CVE-2019-1003059 CVE-2019-1003058
                   CVE-2019-1003057 CVE-2019-1003056 CVE-2019-1003055
                   CVE-2019-1003054 CVE-2019-1003053 CVE-2019-1003052
                   CVE-2019-1003051 CVE-2019-10299 CVE-2019-10298
                   CVE-2019-10297 CVE-2019-10296 CVE-2019-10295
                   CVE-2019-10294 CVE-2019-10293 CVE-2019-10292
                   CVE-2019-10291 CVE-2019-10290 CVE-2019-10289
                   CVE-2019-10288 CVE-2019-10287 CVE-2019-10286
                   CVE-2019-10285 CVE-2019-10284 CVE-2019-10283
                   CVE-2019-10282 CVE-2019-10281 CVE-2019-10280
                   CVE-2019-10279 CVE-2019-10278 CVE-2019-10277

Original Bulletin:
   https://jenkins.io/security/advisory/2019-04-03/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-04-03

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Amazon SNS Build Notifier Plugin
  o Aqua Security Scanner Plugin
  o Assembla Auth Plugin
  o Audit to Database Plugin
  o AWS CloudWatch Logs Publisher Plugin
  o AWS Elastic Beanstalk Publisher Plugin
  o aws-device-farm Plugin
  o Bitbucket Approve Plugin
  o Bugzilla Plugin
  o Chef Sinatra Plugin
  o CloudCoreo DeployTime Plugin
  o CloudShare Docker-Machine Plugin
  o crittercism-dsym Plugin
  o Crowd Integration Plugin
  o DeployHub Plugin
  o Diawi Upload Plugin
  o Fabric Beta Publisher Plugin
  o FTP publisher Plugin
  o Gearman Plugin
  o HockeyApp Plugin
  o Hyper.sh Commons Plugin
  o IRC Plugin
  o Jabber Server Plugin
  o jenkins-cloudformation-plugin Plugin
  o jenkins-reviewbot Plugin
  o Jira Issue Updater Plugin
  o Klaros-Testmanagement Plugin
  o Kmap Plugin
  o Koji Plugin
  o mabl Plugin
  o Minio Storage Plugin
  o Netsparker Cloud Scan Plugin
  o Nomad Plugin
  o OctopusDeploy Plugin
  o Official OWASP ZAP Plugin
  o Open STF Plugin
  o openid Plugin
  o OpenShift Deployer Plugin
  o Perfecto Mobile Plugin
  o Relution Enterprise Appstore Publisher Plugin
  o Sametime Plugin
  o Serena SRA Deploy Plugin
  o SOASTA CloudTest Plugin
  o StarTeam Plugin
  o TestFairy Plugin
  o Trac Publisher Plugin
  o Upload to pgyer Plugin
  o veracode-scanner Plugin
  o VMware Lab Manager Slaves Plugin
  o VMware vRealize Automation Plugin
  o VS Team Services Continuous Deployment Plugin
  o WebSphere Deployer Plugin
  o WildFly Deployer Plugin
  o youtrack-plugin Plugin
  o Zephyr Enterprise Test Management Plugin

Descriptions

IRC Plugin stores credentials in plain text
SECURITY-829 / CVE-2019-1003051

IRC Plugin stores credentials unencrypted in its global configuration file
hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

AWS Elastic Beanstalk Publisher Plugin stores credentials in plain text
SECURITY-831 / CVE-2019-1003052

AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its
global configuration file
org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins
master. These credentials can be viewed by users with access to the master
file system.

HockeyApp Plugin stores credentials in plain text
SECURITY-839 / CVE-2019-1003053

HockeyApp Plugin stores credentials unencrypted in job config.xml files on
the Jenkins master. These credentials can be viewed by users with Extended
Read permission, or access to the master file system.

Jira Issue Updater Plugin stores credentials in plain text
SECURITY-837 / CVE-2019-1003054

Jira Issue Updater Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with
Extended Read permission, or access to the master file system.

FTP publisher Plugin stores credentials in plain text
SECURITY-954 / CVE-2019-1003055

FTP publisher Plugin stores credentials unencrypted in its global
configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins
master. These credentials can be viewed by users with access to the master
file system.

WebSphere Deployer Plugin stores credentials in plain text
SECURITY-956 / CVE-2019-1003056

WebSphere Deployer Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with
Extended Read permission, or access to the master file system.

Bitbucket Approve Plugin stores credentials in plain text
SECURITY-965 / CVE-2019-1003057

Bitbucket Approve Plugin stores credentials unencrypted in its global
configuration file
org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml on the Jenkins
master. These credentials can be viewed by users with access to the master
file system.

CSRF vulnerability and missing permission check in FTP publisher Plugin allow
connecting to arbitrary FTP servers
SECURITY-974 / CVE-2019-1003058 (CSRF) and CVE-2019-1003059 (permission check)

A missing permission check in a form validation method in FTP publisher
Plugin allows users with Overall/Read permission to initiate a connection
test to an attacker-specified FTP server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Official OWASP ZAP Plugin stores credentials in plain text
SECURITY-1041 / CVE-2019-1003060

Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global
configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins
master. These credentials can be viewed by users with access to the master
file system.

jenkins-cloudformation-plugin Plugin stores credentials in plain text
SECURITY-1042 / CVE-2019-1003061

jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job
config.xml files on the Jenkins master. These credentials can be viewed by
users with Extended Read permission, or access to the master file system.

AWS CloudWatch Logs Publisher Plugin stores credentials in plain text
SECURITY-830 / CVE-2019-1003062

AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its
global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml
on the Jenkins master. These credentials can be viewed by users with access
to the master file system.

Amazon SNS Build Notifier Plugin stores credentials in plain text
SECURITY-832 / CVE-2019-1003063

Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global
configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml on
the Jenkins master. These credentials can be viewed by users with access to
the master file system.

aws-device-farm Plugin stores credentials in plain text
SECURITY-835 / CVE-2019-1003064

aws-device-farm Plugin stores credentials unencrypted in its global
configuration file
org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins
master. These credentials can be viewed by users with access to the master
file system.

CloudShare Docker-Machine Plugin stores credentials in plain text
SECURITY-838 / CVE-2019-1003065

CloudShare Docker-Machine Plugin stores credentials unencrypted in its global
configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the
Jenkins master. These credentials can be viewed by users with access to the
master file system.

Bugzilla Plugin stores credentials in plain text
SECURITY-841 / CVE-2019-1003066

Bugzilla Plugin stores credentials unencrypted in its global configuration
file hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins
master. These credentials can be viewed by users with access to the master
file system.

Trac Publisher Plugin stores credentials in plain text
SECURITY-842 / CVE-2019-1003067

Trac Publisher Plugin stores credentials unencrypted in job config.xml files
on the Jenkins master. These credentials can be viewed by users with Extended
Read permission, or access to the master file system.

VMware vRealize Automation Plugin stores credentials in plain text
SECURITY-945 / CVE-2019-1003068

VMware vRealize Automation Plugin stores credentials unencrypted in job
config.xml files on the Jenkins master. These credentials can be viewed by
users with Extended Read permission, or access to the master file system.

Aqua Security Scanner Plugin stores credentials in plain text
SECURITY-949 / CVE-2019-1003069

Aqua Security Scanner Plugin stores credentials unencrypted in its global
configuration file
org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml
on the Jenkins master. These credentials can be viewed by users with access
to the master file system.

veracode-scanner Plugin stores credentials in plain text
SECURITY-952 / CVE-2019-1003070

veracode-scanner Plugin stores credentials unencrypted in its global
configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml
on the Jenkins master. These credentials can be viewed by users with access
to the master file system.

OctopusDeploy Plugin stores credentials in plain text
SECURITY-957 / CVE-2019-1003071

OctopusDeploy Plugin stores credentials unencrypted in its global
configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on
the Jenkins master. These credentials can be viewed by users with access to
the master file system.

WildFly Deployer Plugin stores credentials in plain text
SECURITY-961 / CVE-2019-1003072

WildFly Deployer Plugin stores deployment credentials unencrypted in job
config.xml files on the Jenkins master. These credentials can be viewed by
users with Extended Read permission, or access to the master file system.

VS Team Services Continuous Deployment Plugin stores credentials in plain text
SECURITY-962 / CVE-2019-1003073

VS Team Services Continuous Deployment Plugin stores credentials unencrypted
in job config.xml files on the Jenkins master. These credentials can be
viewed by users with Extended Read permission, or access to the master file
system.

Hyper.sh Commons Plugin stores credentials in plain text
SECURITY-964 / CVE-2019-1003074

Hyper.sh Commons Plugin stores credentials unencrypted in its global
configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins
master. These credentials can be viewed by users with access to the master
file system.

Audit to Database Plugin stores credentials in plain text
SECURITY-966 / CVE-2019-1003075

Audit to Database Plugin stores database credentials unencrypted in its
global configuration file audit2db.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

CSRF vulnerability and missing permission check in Audit to Database Plugin
allow connecting to arbitrary databases
SECURITY-977 / CVE-2019-1003076 (CSRF) and CVE-2019-1003077 (permission check)

A missing permission check in a form validation method in Audit to Database
Plugin allows users with Overall/Read permission to initiate a JDBC database
connection test to an attacker-specified server with attacker-specified
credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in VMware Lab Manager Slaves
Plugin
SECURITY-979 / CVE-2019-1003078 (CSRF) and CVE-2019-1003079 (permission check)

A missing permission check in a form validation method in VMware Lab Manager
Slaves Plugin allows users with Overall/Read permission to initiate a Lab
Manager connection test to an attacker-specified server with
attacker-specified credentials and settings.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in OpenShift Deployer Plugin
SECURITY-981 / CVE-2019-1003080 (CSRF) and CVE-2019-1003081 (permission check)

A missing permission check in a form validation method in OpenShift Deployer
Plugin allows users with Overall/Read permission to initiate a connection
test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Gearman Plugin
SECURITY-991 / CVE-2019-1003082 (CSRF) and CVE-2019-1003083 (permission check)

A missing permission check in a form validation method in Gearman Plugin
allows users with Overall/Read permission to initiate a connection test to an
attacker-specified server.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Zephyr Enterprise Test
Management Plugin allow SSRF
SECURITY-993 / CVE-2019-1003084 (CSRF) and CVE-2019-1003085 (permission check)

A missing permission check in a form validation method in Zephyr Enterprise
Test Management Plugin allows users with Overall/Read permission to initiate
a connection test to an attacker-specified server with attacker-specified
credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Chef Sinatra Plugin allow
SSRF
SECURITY-1037 / CVE-2019-1003086 (CSRF) and CVE-2019-1003087 (permission check)

A missing permission check in a form validation method in Chef Sinatra Plugin
allows users with Overall/Read permission to initiate a connection test to an
attacker-specified server.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Fabric Beta Publisher Plugin stores credentials in plain text
SECURITY-1043 / CVE-2019-1003088

Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with
Extended Read permission, or access to the master file system.

Upload to pgyer Plugin stores credentials in plain text
SECURITY-1044 / CVE-2019-1003089

Upload to pgyer Plugin stores credentials unencrypted in job config.xml files
on the Jenkins master. These credentials can be viewed by users with Extended
Read permission, or access to the master file system.

CSRF vulnerability and missing permission check in SOASTA CloudTest Plugin
allow SSRF
SECURITY-1054 / CVE-2019-1003090 (CSRF) and CVE-2019-1003091 (permission check)

A missing permission check in a form validation method in SOASTA CloudTest
Plugin allows users with Overall/Read permission to initiate a connection
test to an attacker-specified URL with attacker-specified credentials and SSH
key store options.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Nomad Plugin allow SSRF
SECURITY-1058 / CVE-2019-1003092 (CSRF) and CVE-2019-1003093 (permission check)

A missing permission check in a form validation method in Nomad Plugin allows
users with Overall/Read permission to initiate a connection test to an
attacker-specified URL.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Open STF Plugin stores credentials in plain text
SECURITY-1059 / CVE-2019-1003094

Open STF Plugin stores credentials unencrypted in its global configuration
file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

Perfecto Mobile Plugin stores credentials in plain text
SECURITY-1061 / CVE-2019-1003095

Perfecto Mobile Plugin stores credentials unencrypted in its global
configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on
the Jenkins master. These credentials can be viewed by users with access to
the master file system.

TestFairy Plugin stores credentials in plain text
SECURITY-1062 / CVE-2019-1003096

TestFairy Plugin stores credentials unencrypted in job config.xml files on
the Jenkins master. These credentials can be viewed by users with Extended
Read permission, or access to the master file system.

Crowd Integration Plugin stores credentials in plain text
SECURITY-1069 / CVE-2019-1003097

Crowd Integration Plugin stores credentials unencrypted in the global
configuration file config.xml on the Jenkins master. These credentials can be
viewed by users with access to the master file system.

CSRF vulnerability and missing permission check in openid Plugin allow SSRF
SECURITY-1084 / CVE-2019-1003098 (CSRF) and CVE-2019-1003099 (permission check)

A missing permission check in a form validation method in openid Plugin
allows users with Overall/Read permission to initiate a connection test to an
attacker-specified URL.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

StarTeam Plugin stores credentials in plain text
SECURITY-1085 / CVE-2019-10277

StarTeam Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

CSRF vulnerability and missing permission check in jenkins-reviewbot Plugin
allow SSRF
SECURITY-1091 / CVE-2019-10278 (CSRF) and CVE-2019-10279 (permission check)

A missing permission check in a form validation method in jenkins-reviewbot
Plugin allows users with Overall/Read permission to initiate a connection
test to an attacker-specified URL with attacker-specified credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Assembla Auth Plugin stores credentials in plain text
SECURITY-1093 / CVE-2019-10280

Assembla Auth Plugin stores credentials unencrypted in the global
configuration file config.xml on the Jenkins master. These credentials can be
viewed by users with access to the master file system.

Relution Enterprise Appstore Publisher Plugin stores credentials in plain text
SECURITY-828 / CVE-2019-10281

Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted
in its global configuration file
org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml
on the Jenkins master. These credentials can be viewed by users with access
to the master file system.

Klaros-Testmanagement Plugin stores credentials in plain text
SECURITY-843 / CVE-2019-10282

Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with
Extended Read permission, or access to the master file system.

mabl Plugin stores credentials in plain text
SECURITY-946 / CVE-2019-10283

mabl Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

Diawi Upload Plugin stores credentials in plain text
SECURITY-947 / CVE-2019-10284

Diawi Upload Plugin stores credentials unencrypted in job config.xml files on
the Jenkins master. These credentials can be viewed by users with Extended
Read permission, or access to the master file system.

Minio Storage Plugin stores credentials in plain text
SECURITY-955 / CVE-2019-10285

Minio Storage Plugin stores credentials unencrypted in its global
configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the
Jenkins master. These credentials can be viewed by users with access to the
master file system.

DeployHub Plugin stores credentials in plain text
SECURITY-959 / CVE-2019-10286

DeployHub Plugin stores credentials unencrypted in job config.xml files on
the Jenkins master. These credentials can be viewed by users with Extended
Read permission, or access to the master file system.

youtrack-plugin Plugin stored credentials in plain text
SECURITY-963 / CVE-2019-10287

youtrack-plugin Plugin stored credentials unencrypted in its global
configuration file
org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins
master. These credentials could be viewed by users with access to the master
file system.

youtrack-plugin Plugin now stores credentials encrypted.

Jabber Server Plugin stores credentials in plain text
SECURITY-1031 / CVE-2019-10288

Jabber Server Plugin stores credentials unencrypted in its global
configuration file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins master.
These credentials can be viewed by users with access to the master file
system.

CSRF vulnerability and missing permission check in Netsparker Cloud Scan
Plugin allowed SSRF
SECURITY-1032 / CVE-2019-10289 (CSRF) and CVE-2019-10290 (permission check)

A missing permission check in a form validation method in Netsparker Cloud
Scan Plugin allowed users with Overall/Read permission to initiate a
connection test to an attacker-specified server with attacker-specified API
token.

Additionally, the form validation method did not require POST requests,
resulting in a CSRF vulnerability.

The form validation method now performs a permission check for
Overall/Administer and requires that requests be sent via POST.

Netsparker Cloud Scan Plugin stored credentials in plain text
SECURITY-1040 / CVE-2019-10291

Netsparker Cloud Scan Plugin stored API tokens unencrypted in its global
configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the
Jenkins master. These API tokens could be viewed by users with access to the
master file system.

Netsparker Cloud Scan Plugin now stores API tokens encrypted.
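The two defect classes this advisory repeats, a credential persisted as a plain String in a global configuration file and a form-validation method reachable by GET without a permission check, shown beside the corrected forms the Netsparker Cloud Scan Plugin fix describes (encrypted storage, Overall/Administer check, POST only). This is an added example, not code from the Jenkins project or any plugin named above; ExampleScannerConfiguration, its apiToken field and the connect helper are hypothetical names.

```java
package example; // hypothetical package

import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical global configuration for a scanner-style plugin. It is
 * persisted by Jenkins to ExampleScannerConfiguration.xml on the master,
 * exactly the kind of file the "stores credentials in plain text" entries
 * in this advisory refer to.
 */
@Extension
public class ExampleScannerConfiguration extends GlobalConfiguration {

    // VULNERABLE: a plain String is written verbatim to the XML file, so
    // anyone who can read the master file system obtains the token.
    // private String apiToken;

    // FIXED: hudson.util.Secret is serialised in its encrypted form (keyed
    // by the master's secret), so the on-disk XML no longer reveals it.
    private Secret apiToken;

    public ExampleScannerConfiguration() {
        load(); // read previously saved values from the configuration file
    }

    public Secret getApiToken() {
        return apiToken;
    }

    @DataBoundSetter
    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
        save();
    }

    // VULNERABLE: a public doXxx method with no permission check, served on
    // GET. Any user with Overall/Read, or any victim's browser via CSRF,
    // can make the master connect to an attacker-chosen URL with an
    // attacker-chosen token.
    //
    // public FormValidation doTestConnection(@QueryParameter String url,
    //                                        @QueryParameter String apiToken) {
    //     connect(url, apiToken);
    //     return FormValidation.ok();
    // }

    // FIXED: @RequirePOST rejects GET requests, so Jenkins' CSRF crumb check
    // applies, and the explicit Overall/Administer check limits the test to
    // users who may reconfigure the plugin anyway.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter Secret apiToken) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (url == null || url.trim().isEmpty()) {
            return FormValidation.error("Server URL is required");
        }
        try {
            // Secret.toString(Secret) yields the plaintext, or "" for null.
            connect(url, Secret.toString(apiToken));
            return FormValidation.ok("Connection successful");
        } catch (Exception e) {
            // Keep the message generic: do not echo the token or raw response.
            return FormValidation.error("Connection failed: "
                    + e.getClass().getSimpleName());
        }
    }

    // Hypothetical stand-in for the plugin's real API client.
    private void connect(String url, String token) throws Exception {
        // network call omitted in this example
    }
}
```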
CSRF vulnerability and missing permission check in Kmap Plugin allow SSRF
SECURITY-1055 / CVE-2019-10292 (CSRF) and CVE-2019-10293 (permission check)

A missing permission check in a form validation method in Kmap Plugin allows
users with Overall/Read permission to initiate a connection test to an
attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests,
resulting in a CSRF vulnerability.

Kmap Plugin stores credentials in plain text
SECURITY-1056 / CVE-2019-10294

Kmap Plugin stores credentials unencrypted in job config.xml files on the
Jenkins master. These credentials can be viewed by users with Extended Read
permission, or access to the master file system.

crittercism-dsym Plugin stores API key in plain text
SECURITY-1063 / CVE-2019-10295

crittercism-dsym Plugin stores credentials unencrypted in job config.xml
files on the Jenkins master. These credentials can be viewed by users with
Extended Read permission, or access to the master file system.

Serena SRA Deploy Plugin stores credentials in plain text
SECURITY-1066 / CVE-2019-10296

Serena SRA Deploy Plugin stores credentials unencrypted in its global
configuration file
com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml
on the Jenkins master. These credentials can be viewed by users with access
to the master file system.

Sametime Plugin stores credentials in plain text
SECURITY-1090 / CVE-2019-10297

Sametime Plugin stores credentials unencrypted in its global configuration
file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the
Jenkins master. These credentials can be viewed by users with access to the
master file system.

Koji Plugin stores credentials in plain text
SECURITY-1092 / CVE-2019-10298

Koji Plugin stores credentials unencrypted in its global configuration file
org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins master. These
credentials can be viewed by users with access to the master file system.

CloudCoreo DeployTime Plugin stores credentials in plain text
SECURITY-960 / CVE-2019-10299

CloudCoreo DeployTime Plugin stores credentials unencrypted in its global
configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml
on the Jenkins master. These credentials can be viewed by users with access
to the master file system.

Severity

  o SECURITY-828: Low
  o SECURITY-829: Low
  o SECURITY-830: Low
  o SECURITY-831: Low
  o SECURITY-832: Low
  o SECURITY-835: Low
  o SECURITY-837: Medium
  o SECURITY-838: Low
  o SECURITY-839: Medium
  o SECURITY-841: Medium
  o SECURITY-842: Medium
  o SECURITY-843: Medium
  o SECURITY-945: Medium
  o SECURITY-946: Medium
  o SECURITY-947: Medium
  o SECURITY-949: Low
  o SECURITY-952: Low
  o SECURITY-954: Low
  o SECURITY-955: Low
  o SECURITY-956: Medium
  o SECURITY-957: Low
  o SECURITY-959: Medium
  o SECURITY-960: Low
  o SECURITY-961: Medium
  o SECURITY-962: Medium
  o SECURITY-963: Low
  o SECURITY-964: Low
  o SECURITY-965: Low
  o SECURITY-966: Low
  o SECURITY-974: Medium
  o SECURITY-977: Medium
  o SECURITY-979: Medium
  o SECURITY-981: Medium
  o SECURITY-991: Medium
  o SECURITY-993: Medium
  o SECURITY-1031: Low
  o SECURITY-1032: Medium
  o SECURITY-1037: Medium
  o SECURITY-1040: Low
  o SECURITY-1041: Low
  o SECURITY-1042: Medium
  o SECURITY-1043: Medium
  o SECURITY-1044: Medium
  o SECURITY-1054: Medium
  o SECURITY-1055: Medium
  o SECURITY-1056: Medium
  o SECURITY-1058: Medium
  o SECURITY-1059: Low
  o SECURITY-1061: Low
  o SECURITY-1062: Medium
  o SECURITY-1063: Medium
  o SECURITY-1066: Low
  o SECURITY-1069: Low
  o SECURITY-1084: Medium
  o SECURITY-1085: Medium
  o SECURITY-1090: Low
  o SECURITY-1091: Medium
  o SECURITY-1092: Low
  o SECURITY-1093: Low

Affected Versions

  o Amazon SNS Build Notifier Plugin (all versions)
  o Aqua Security Scanner Plugin (all versions)
  o Assembla Auth Plugin (all versions)
  o Audit to Database Plugin (all versions)
  o AWS CloudWatch Logs Publisher Plugin (all versions)
  o AWS Elastic Beanstalk Publisher Plugin (all versions)
  o aws-device-farm Plugin (all versions)
  o Bitbucket Approve Plugin (all versions)
  o Bugzilla Plugin (all versions)
  o Chef Sinatra Plugin (all versions)
  o CloudCoreo DeployTime Plugin (all versions)
  o CloudShare Docker-Machine Plugin (all versions)
  o crittercism-dsym Plugin (all versions)
  o Crowd Integration Plugin (all versions)
  o DeployHub Plugin (all versions)
  o Diawi Upload Plugin (all versions)
  o Fabric Beta Publisher Plugin (all versions)
  o FTP publisher Plugin (all versions)
  o Gearman Plugin (all versions)
  o HockeyApp Plugin (all versions)
  o Hyper.sh Commons Plugin (all versions)
  o IRC Plugin (all versions)
  o Jabber Server Plugin (all versions)
  o jenkins-cloudformation-plugin Plugin (all versions)
  o jenkins-reviewbot Plugin (all versions)
  o Jira Issue Updater Plugin (all versions)
  o Klaros-Testmanagement Plugin (all versions)
  o Kmap Plugin (all versions)
  o Koji Plugin (all versions)
  o mabl Plugin (all versions)
  o Minio Storage Plugin (all versions)
  o Netsparker Cloud Scan Plugin up to and including 1.1.5
  o Nomad Plugin (all versions)
  o OctopusDeploy Plugin (all versions)
  o Official OWASP ZAP Plugin (all versions)
  o Open STF Plugin (all versions)
  o openid Plugin (all versions)
  o OpenShift Deployer Plugin (all versions)
  o Perfecto Mobile Plugin (all versions)
  o Relution Enterprise Appstore Publisher Plugin (all versions)
  o Sametime Plugin (all versions)
  o Serena SRA Deploy Plugin (all versions)
  o SOASTA CloudTest Plugin (all versions)
  o StarTeam Plugin (all versions)
  o TestFairy Plugin (all versions)
  o Trac Publisher Plugin (all versions)
  o Upload to pgyer Plugin (all versions)
  o veracode-scanner Plugin (all versions)
  o VMware Lab Manager Slaves Plugin (all versions)
  o VMware vRealize Automation Plugin (all versions)
  o VS Team Services Continuous Deployment Plugin (all versions)
  o WebSphere Deployer Plugin (all versions)
  o WildFly Deployer Plugin (all versions)
  o youtrack-plugin Plugin up to and including 0.7.1
  o Zephyr Enterprise Test Management Plugin (all versions)

Fix

  o Netsparker Cloud Scan Plugin should be updated to version 1.1.6
  o youtrack-plugin Plugin should be updated to version 0.7.2

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Amazon SNS Build Notifier Plugin
  o Aqua Security Scanner Plugin
  o Assembla Auth Plugin
  o Audit to Database Plugin
  o AWS CloudWatch Logs Publisher Plugin
  o AWS Elastic Beanstalk Publisher Plugin
  o aws-device-farm Plugin
  o Bitbucket Approve Plugin
  o Bugzilla Plugin
  o Chef Sinatra Plugin
  o CloudCoreo DeployTime Plugin
  o CloudShare Docker-Machine Plugin
  o crittercism-dsym Plugin
  o Crowd Integration Plugin
  o DeployHub Plugin
  o Diawi Upload Plugin
  o Fabric Beta Publisher Plugin
  o FTP publisher Plugin
  o Gearman Plugin
  o HockeyApp Plugin
  o Hyper.sh Commons Plugin
  o IRC Plugin
  o Jabber Server Plugin
  o jenkins-cloudformation-plugin Plugin
  o jenkins-reviewbot Plugin
  o Jira Issue Updater Plugin
  o Klaros-Testmanagement Plugin
  o Kmap Plugin
  o Koji Plugin
  o mabl Plugin
  o Minio Storage Plugin
  o Nomad Plugin
  o OctopusDeploy Plugin
  o Official OWASP ZAP Plugin
  o Open STF Plugin
  o openid Plugin
  o OpenShift Deployer Plugin
  o Perfecto Mobile Plugin
  o Relution Enterprise Appstore Publisher Plugin
  o Sametime Plugin
  o Serena SRA Deploy Plugin
  o SOASTA CloudTest Plugin
  o StarTeam Plugin
  o TestFairy Plugin
  o Trac Publisher Plugin
  o Upload to pgyer Plugin
  o veracode-scanner Plugin
  o VMware Lab Manager Slaves Plugin
  o VMware vRealize Automation Plugin
  o VS Team Services Continuous Deployment Plugin
  o WebSphere Deployer Plugin
  o WildFly Deployer Plugin
  o Zephyr Enterprise Test Management Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Viktor Gazdag for SECURITY-828, SECURITY-829, SECURITY-830,
    SECURITY-831, SECURITY-832, SECURITY-835, SECURITY-837, SECURITY-838,
    SECURITY-839, SECURITY-841, SECURITY-842, SECURITY-843, SECURITY-945,
    SECURITY-946, SECURITY-947, SECURITY-949, SECURITY-952, SECURITY-954,
    SECURITY-955, SECURITY-956, SECURITY-957, SECURITY-959, SECURITY-960,
    SECURITY-961, SECURITY-962, SECURITY-963, SECURITY-964, SECURITY-965,
    SECURITY-966, SECURITY-974, SECURITY-977, SECURITY-979, SECURITY-981,
    SECURITY-991, SECURITY-993, SECURITY-1031, SECURITY-1032, SECURITY-1037,
    SECURITY-1040, SECURITY-1041, SECURITY-1042, SECURITY-1043,
    SECURITY-1044, SECURITY-1054, SECURITY-1055, SECURITY-1056,
    SECURITY-1058, SECURITY-1059, SECURITY-1061, SECURITY-1062,
    SECURITY-1063, SECURITY-1066, SECURITY-1069, SECURITY-1084,
    SECURITY-1085, SECURITY-1090, SECURITY-1091, SECURITY-1092,
    SECURITY-1093

The content driving this site is licensed under the Creative Commons
Attribution-ShareAlike 4.0 license.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================