-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1980
                     Jenkins plugins security advisory
                                3 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Request Forgery     -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Access Confidential Data       -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10330 CVE-2019-10329 CVE-2019-10328
                   CVE-2019-10327 CVE-2019-10326 CVE-2019-10325
                   CVE-2019-10324 CVE-2019-10323 CVE-2019-10322
                   CVE-2019-10321  

Original Bulletin: 
   https://jenkins.io/security/advisory/2019-05-31/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2019-05-31

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Artifactory Plugin
  o Gitea Plugin
  o InfluxDB Plugin
  o Pipeline Maven Integration Plugin
  o Pipeline Remote Loader Plugin
  o Warnings Next Generation Plugin

Descriptions

Persisted XSS vulnerability in Warnings Next Generation Plugin

SECURITY-1373 / CVE-2019-10325

Warnings Next Generation Plugin rendered the name of a custom warnings parser
unescaped on Jenkins web pages. This allowed attackers with Job/Configure
permission to define a custom parser whose name included HTML and JavaScript,
resulting in a persisted cross-site scripting vulnerability.

Warnings Next Generation Plugin now properly escapes custom warnings parser
names.

CSRF vulnerability in Warnings Next Generation Plugin

SECURITY-1391 / CVE-2019-10326

Warnings Next Generation Plugin did not require that requests sent to the
endpoint used to reset warning counts use POST. This resulted in a cross-site
request forgery vulnerability that allows attackers to reset warning counts for
future builds.

Warnings Next Generation Plugin now requires that these requests be sent via
POST.

XML External Entity processing vulnerability in Pipeline Maven Integration
Plugin

SECURITY-1409 / CVE-2019-10327

Pipeline Maven Integration Plugin did not configure its XML parser in a way
that would prevent XML External Entity (XXE) processing.

This allowed attackers able to control the contents of a temporary directory on
the agent that the Maven build is executing on to have Jenkins parse a
maliciously crafted XML file that uses external entities for extraction of
secrets from the Jenkins master, server-side request forgery, or
denial-of-service attacks.

Pipeline Maven Integration Plugin no longer processes XML External Entities in
XML documents.
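The fix described above is a parser-configuration change. As an added example (not the Pipeline Maven Integration Plugin's own code), the following JAXP setup shows the hardened configuration that refuses DOCTYPE declarations and disables external entity and DTD resolution, and checks it against a constructed document that declares an external entity (the `file:///placeholder/...` URI is a placeholder, not a real path):

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SafeXmlParsing {

    // Constructed sample in the shape the advisory describes: a DOCTYPE that
    // declares an external entity. The SYSTEM URI is a placeholder.
    static final String DOC_WITH_EXTERNAL_ENTITY =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE report [<!ENTITY ext SYSTEM \"file:///placeholder/secret\">]>\n"
            + "<report><name>&ext;</name></report>\n";

    // Constructed sample of the benign input the parser is meant to accept.
    static final String PLAIN_DOC = "<report><name>unit-tests</name></report>";

    /** Factory that rejects any DOCTYPE and never resolves external entities or DTDs. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: no DOCTYPE means no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses untrusted XML and returns the <name> text; throws SAXException on a DOCTYPE. */
    static String parseReportName(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document -> " + parseReportName(PLAIN_DOC));
        try {
            parseReportName(DOC_WITH_EXTERNAL_ENTITY);
            System.out.println("entity document was accepted (parser is NOT hardened)");
        } catch (SAXException e) {
            // The JDK's built-in parser reports that the DOCTYPE is disallowed.
            System.out.println("entity document rejected: " + e.getMessage());
        }
    }
}
```

The same feature flags apply to `SAXParserFactory` and, for StAX, to `XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES`; whichever parser a plugin uses on agent-supplied files should be configured before the first `parse` call, because the defaults resolve entities.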

Unsafe Script Security whitelist entry in Pipeline Remote Loader Plugin

SECURITY-921 / CVE-2019-10328

Pipeline Remote Loader Plugin provides a custom Script Security whitelist.
Those entries apply to all scripts with sandbox protection, such as Pipeline.

One entry provided here was unsafe, as it allowed invoking arbitrary methods,
bypassing sandbox protection.

The unsafe whitelist entry has been removed.

InfluxDB Plugin stored credentials in plain text

SECURITY-1403 / CVE-2019-10329

InfluxDB Plugin stored target passwords unencrypted in its global configuration
file on the Jenkins master. These credentials could be viewed by users with
access to the master file system.

InfluxDB Plugin now stores its passwords encrypted.
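As an added example (not the InfluxDB Plugin's code), this is the Jenkins idiom behind the fix: a global configuration that holds its password as a `hudson.util.Secret`, which Jenkins serialises as ciphertext in the configuration XML under `$JENKINS_HOME` rather than as the plain-text string. The class and field names are assumed for illustration.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

/**
 * Hypothetical global configuration for a remote target, shown only to contrast
 * plain-text and encrypted storage of a password on the Jenkins master.
 */
@Extension
public class ExampleTargetConfiguration extends GlobalConfiguration {

    // Before: a `private String password;` field is written verbatim to the
    // configuration XML file, readable by anyone with master file system access.
    // After: a Secret field is encrypted with the instance's master key on save()
    // and decrypted again on load(), so the file never holds the clear text.
    private Secret password;

    public ExampleTargetConfiguration() {
        load(); // re-reads the persisted (encrypted) value at startup
    }

    public Secret getPassword() {
        return password;
    }

    @DataBoundSetter
    public void setPassword(Secret password) {
        this.password = password;
        save();
    }

    /** Decrypt only at the point of use, e.g. when the connection to the target is opened. */
    String plainTextForConnection() {
        return Secret.toString(password); // yields "" when no password is configured
    }
}
```

The matching form field in the plugin's Jelly view is `<f:password field="password"/>`, which round-trips the encrypted form so the browser never sees the clear text either; older plugins that migrate a `String` field to `Secret` can keep reading legacy files by adding a `readResolve()` that wraps the old value with `Secret.fromString`.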

Improper handling of untrusted branches in Gitea Plugin

SECURITY-1046 / CVE-2019-10330

Multibranch pipelines are typically configured so that only committers to the
repository are able to effectively propose changes to Jenkinsfiles. Changes to
Jenkinsfiles in pull requests created by other users would not be trusted, and
the target branch's Jenkinsfile content is used instead.

Gitea Plugin did not implement this behavior. Attackers without commit access
to the Git repository could therefore propose changes to Jenkinsfiles and have
those be applied for PR builds despite the configuration declaring them to be
untrusted.

Gitea Plugin now implements the desired behavior: Jenkinsfile content from a pull
request is only used when that pull request is trusted.

CSRF vulnerability and missing permission check in Artifactory Plugin allow
capturing credentials

SECURITY-1015 (1) / CVE-2019-10321 (CSRF), CVE-2019-10322 (missing permission
check)

Artifactory Plugin does not perform permission checks on a method implementing
form validation. This allows users with Overall/Read access to Jenkins to
connect to an attacker-specified URL using attacker-specified credential IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery vulnerability.

As of publication of this advisory, no release containing a fix is available.

Users with Overall/Read access could enumerate credential IDs in Artifactory
Plugin

SECURITY-1015 (2) / CVE-2019-10323

Artifactory Plugin provides a list of applicable credential IDs to allow users
configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with
Overall/Read permission to get a list of valid credential IDs. Those can be
used as part of an attack to capture the credentials using another
vulnerability.

As of publication of this advisory, no release containing a fix is available.

CSRF vulnerability in Artifactory Plugin

SECURITY-1347 / CVE-2019-10324

Artifactory Plugin implements a number of API endpoints allowing users to
trigger various actions related to releasing and promotion.

These endpoints do not require POST requests, resulting in a cross-site request
forgery vulnerability.

As of publication of this advisory, no release containing a fix is available.

Severity

  o SECURITY-921: High
  o SECURITY-1015 (1): Medium
  o SECURITY-1015 (2): Medium
  o SECURITY-1046: Medium
  o SECURITY-1347: Low
  o SECURITY-1373: Medium
  o SECURITY-1391: Medium
  o SECURITY-1403: Low
  o SECURITY-1409: High

Affected Versions

  o Artifactory Plugin up to and including 3.2.2
  o Gitea Plugin up to and including 1.1.1
  o InfluxDB Plugin up to and including 1.21
  o Pipeline Maven Integration Plugin up to and including 3.7.0
  o Pipeline Remote Loader Plugin up to and including 1.4
  o Warnings Next Generation Plugin up to and including 5.0.0

Fix

  o Gitea Plugin should be updated to version 1.1.2
  o InfluxDB Plugin should be updated to version 1.22
  o Pipeline Maven Integration Plugin should be updated to version 3.7.1
  o Pipeline Remote Loader Plugin should be updated to version 1.5
  o Warnings Next Generation Plugin should be updated to version 5.1.0

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Artifactory Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-1391
  o Jesse Glick, CloudBees, Inc. for SECURITY-921
  o Kurt Boberg, DocuSign Inc. for SECURITY-1409
  o Oleg Nenashev and Fred Blaise, CloudBees, Inc. for SECURITY-1347
  o Oleg Nenashev, CloudBees, Inc., and Peter Adkins of Cisco Umbrella for
    SECURITY-1015 (1), SECURITY-1015 (2)
  o Rene Scheibe for SECURITY-1403
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-1373

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXPSiwmaOgq3Tt24GAQhzahAAg3ulnVEy4gQOQy6YJO1tNpK0rBpefl4O
shLIgQr5bNWueXZuzZecB1COyZh3UtLXdkX9jN4z+TtcPoE2P1Nxdry3w+bzqGgH
IpczkBHIp3G8Np3xuAGxMTvLI0oRTBneQnoR51Y0OeiMaKPmonYGZfqx2rSGACF5
Dyzcuf2wyxWwSYVZ5hD1AsIbOsQr8w4mGQyhEqCYjMODEiTPlitrGzgG1e0JuBK2
kmGSuzcK+jQxYJW2+Nke5QfZB9aaI1HoLgBs2nv8M06klBTB1SvdAMmeBXZq8BA2
x8NqsaawDLak0mDacgk1sG7yIRrsCQBzABjB38cPaTeaDtw1FFZhYNkmJJXEkdcK
g530WWuKsI1/8c77MUiDinSccwgtcmuSeZg1Bo46UX9JsOzWVYYa0Cv2IC0yODri
WL0cxiC1ippkCUFOJNKVcsXsNamiAV0CcueYRu42h5dGtseGMvMvvF3BP7Tnz+uw
00IZsQdCFK5spkoMeyoyGkVqbdPGUTm3p2LhmUvC01PuaEbxoBF3IKkKO1tocT3m
MIo/dFpOtUmFq0Vae3zg+MmMAPjCcbVCaAP5TxbK8nMtWQiFUdF5ltHHmasmgpZN
UTEq0f+Q5sLqAR8HQeTed0N510mzGnwT07Aw4th28VtYKkLUX1gRaKsjrb2bGNJv
vApKXIgt568=
=WhpB
-----END PGP SIGNATURE-----