-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
Jenkins Security Advisory 2019-07-17
18 July 2019
AusCERT Security Bulletin Summary
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Create Arbitrary Files -- Existing Account
Cross-site Request Forgery -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
CVE Names: CVE-2019-10352 CVE-2019-10353 CVE-2019-10354
- --------------------------BEGIN INCLUDED TEXT--------------------
Jenkins Security Advisory 2019-07-17
This advisory announces vulnerabilities in the following Jenkins
* Jenkins (core)
Arbitrary file write vulnerability using file parameter definitions
SECURITY-1424 / CVE-2019-10352
Users with Job/Configure permission could specify a relative path escaping
the base directory in the file name portion of a file parameter
definition. This path would be used to store the uploaded file on the
Jenkins master, resulting in an arbitrary file write vulnerability.
File parameters that escape the base directory are no longer accepted and
the build will fail.
This vulnerability is the result of an incomplete fix for SECURITY-1074.
CSRF protection tokens did not expire
SECURITY-626 / CVE-2019-10353
By default, CSRF tokens in Jenkins only checked user authentication and IP
address. This allowed attackers able to obtain a CSRF token for another
user to implement CSRF attacks as long as the victim's IP address remained
CSRF tokens will now also check the web session ID to confirm they were
created in the same session. Once that's invalidated or expired,
corresponding CSRF tokens will become invalid as well.
This fix may impact scripts that obtain a crumb from the crumb issuer
Note API. They may need to be updated to retain the session ID for
subsequent requests. For further information, see the LTS upgrade
We also publish the Strict Crumb Issuer Plugin which contains additional
protection mechanisms that give administrators more fine-grained control
over the validity of CSRF tokens. We plan to improve the built-in default
crumb issuer based on user feedback of this implementation.
Unauthorized view fragment access
SECURITY-534 / CVE-2019-10354
Jenkins uses the Stapler web framework to render its UI views. These views
are frequently comprised of several view fragments, enabling plugins to
extend existing views with more content.
In some cases attackers could directly access a view fragment containing
sensitive information, bypassing any permission checks in the
The Stapler web framework has been extended with a Service Provider
Interface (SPI) that allows preventing views from being rendered. The
implementation of that SPI in Jenkins now prevents view fragments from
being rendered. Further details are available in the developer
Most views in Jenkins and Jenkins plugins should be compatible with this
change. We track known affected plugins and their status in the Jenkins
In rare cases, it may be desirable to disable this fix. To do so, set the
Java system property
jenkins.security.stapler.StaplerDispatchValidator.disabled to true. Learn
more about system properties in Jenkins.
* SECURITY-534: Medium
* SECURITY-626: High
* SECURITY-1424: Medium
* Jenkins weekly up to and including 2.185
* Jenkins LTS up to and including 2.176.1
* Jenkins weekly should be updated to version 2.186
* Jenkins LTS should be updated to version 2.176.2
These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:
* Conor O'Neill of Tenable for SECURITY-1424
* Jesse Glick, CloudBees, Inc. for SECURITY-534
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----