             AUSCERT External Security Bulletin Redistribution

                   Jenkins Security Advisory 2019-07-17
                               18 July 2019


        AusCERT Security Bulletin Summary

Product:           Jenkins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Create Arbitrary Files     -- Existing Account            
                   Cross-site Request Forgery -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10352 CVE-2019-10353 CVE-2019-10354

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

                      Jenkins Security Advisory 2019-07-17

   This advisory announces vulnerabilities in the following Jenkins

     * Jenkins (core)


  Arbitrary file write vulnerability using file parameter definitions

   SECURITY-1424 / CVE-2019-10352

   Users with Job/Configure permission could specify a relative path escaping
   the base directory in the file name portion of a file parameter
   definition. This path would be used to store the uploaded file on the
   Jenkins master, resulting in an arbitrary file write vulnerability.

   File parameters that escape the base directory are no longer accepted and
   the build will fail.

   This vulnerability is the result of an incomplete fix for SECURITY-1074.
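
   The containment check described above, as an added example that is not
   Jenkins code: the function names, the sample file names and the directory
   layout are hypothetical, constructed for illustration.

```python
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """The file name resolves outside the base directory."""


def resolve_upload_path(base_dir, file_name) -> Path:
    """Join file_name to base_dir and reject any result outside base_dir.

    Function and parameter names are hypothetical, not Jenkins identifiers.
    """
    base = Path(base_dir).resolve()
    # resolve() collapses ".." segments and follows existing symlinks, so the
    # comparison is made on the path the write would actually land on.
    target = (base / file_name).resolve()
    if base not in target.parents:   # also rejects target == base
        raise PathEscapeError(f"{file_name!r} escapes {base}")
    return target


def store_upload(base_dir, file_name, data: bytes) -> Path:
    """Write the upload only after the containment check has passed."""
    target = resolve_upload_path(base_dir, file_name)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


# Constructed file-name values for a file parameter definition.
SAMPLE_NAMES = ["input.txt", "sub/input.txt", "../../escaped.txt",
                "sub/../../escaped.txt", "/tmp/absolute.txt", "."]


def run_samples() -> dict:
    """Try each constructed name against a throwaway base directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "job" / "uploads"   # hypothetical layout
        base.mkdir(parents=True)
        for name in SAMPLE_NAMES:
            try:
                store_upload(base, name, b"constructed sample")
                results[name] = "stored"
            except PathEscapeError:
                results[name] = "rejected"
    return results
```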

  CSRF protection tokens did not expire

   SECURITY-626 / CVE-2019-10353

   By default, CSRF tokens in Jenkins only checked user authentication and IP
   address. This allowed attackers able to obtain a CSRF token for another
   user to implement CSRF attacks as long as the victim's IP address remained

   CSRF tokens will now also check the web session ID to confirm they were
   created in the same session. Once that's invalidated or expired,
   corresponding CSRF tokens will become invalid as well.

   Note: This fix may impact scripts that obtain a crumb from the crumb issuer
   API. They may need to be updated to retain the session ID for
   subsequent requests. For further information, see the LTS upgrade

   We also publish the Strict Crumb Issuer Plugin which contains additional
   protection mechanisms that give administrators more fine-grained control
   over the validity of CSRF tokens. We plan to improve the built-in default
   crumb issuer based on user feedback of this implementation.
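
   A toy model of the change described in this section, as an added example
   that is not Jenkins code: it shows why a crumb bound only to user and IP
   address outlives its session, and why a script must keep its session
   cookie once the session ID is part of the check. The HMAC construction,
   class and function names and sample values are assumptions.

```python
import hmac
import secrets


class ToyCrumbServer:
    """Toy model of a crumb issuer; not Jenkins code. The HMAC construction
    and all names here are assumptions made for illustration."""

    def __init__(self, bind_session: bool):
        self.bind_session = bind_session   # False: user + IP only (old default)
        self.secret = secrets.token_bytes(32)
        self.sessions = set()

    def _session(self, cookie):
        # A request without a live session cookie is given a fresh session.
        if cookie in self.sessions:
            return cookie
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return sid

    def _crumb(self, user, ip, sid):
        parts = [user, ip] + ([sid] if self.bind_session else [])
        return hmac.new(self.secret, "\0".join(parts).encode(), "sha256").hexdigest()

    def get_crumb(self, user, ip, cookie=None):
        sid = self._session(cookie)
        return self._crumb(user, ip, sid), sid

    def post(self, user, ip, crumb, cookie=None):
        sid = self._session(cookie)
        return hmac.compare_digest(crumb, self._crumb(user, ip, sid))

    def invalidate(self, cookie):
        self.sessions.discard(cookie)


USER, IP = "alice", "192.0.2.10"   # constructed sample values


def script_succeeds(server, keep_cookie: bool) -> bool:
    """An API script: fetch a crumb, then send a request with it."""
    crumb, sid = server.get_crumb(USER, IP)
    return server.post(USER, IP, crumb, cookie=sid if keep_cookie else None)


def stale_crumb_accepted(server) -> bool:
    """Is a crumb still honoured after its session has been invalidated?"""
    crumb, sid = server.get_crumb(USER, IP)
    server.invalidate(sid)
    _, new_sid = server.get_crumb(USER, IP)      # same user and IP, new session
    return server.post(USER, IP, crumb, cookie=new_sid)
```

   In a real script, keeping the session means sending the cookie returned
   with the crumb response on every later request, for example through the
   HTTP client's cookie jar.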

  Unauthorized view fragment access

   SECURITY-534 / CVE-2019-10354

   Jenkins uses the Stapler web framework to render its UI views. These views
   are frequently comprised of several view fragments, enabling plugins to
   extend existing views with more content.

   In some cases attackers could directly access a view fragment containing
   sensitive information, bypassing any permission checks in the
   corresponding view.

   The Stapler web framework has been extended with a Service Provider
   Interface (SPI) that allows preventing views from being rendered. The
   implementation of that SPI in Jenkins now prevents view fragments from
   being rendered. Further details are available in the developer

   Most views in Jenkins and Jenkins plugins should be compatible with this
   change. We track known affected plugins and their status in the Jenkins

   In rare cases, it may be desirable to disable this fix. To do so, set the
   Java system property
   jenkins.security.stapler.StaplerDispatchValidator.disabled to true. Learn
   more about system properties in Jenkins.


     * SECURITY-534: Medium
     * SECURITY-626: High
     * SECURITY-1424: Medium

Affected Versions

     * Jenkins weekly up to and including 2.185
     * Jenkins LTS up to and including 2.176.1


     * Jenkins weekly should be updated to version 2.186
     * Jenkins LTS should be updated to version 2.176.2

   These versions include fixes to the vulnerabilities described above. All
   prior versions are considered to be affected by these vulnerabilities
   unless otherwise indicated.


   The Jenkins project would like to thank the reporters for discovering and
   reporting these vulnerabilities:

     * Conor O'Neill of Tenable for SECURITY-1424
     * Jesse Glick, CloudBees, Inc. for SECURITY-534

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.