Jenkins Security Advisory 2018-06-04

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Server-side request forgery vulnerability in Git Plugin

SECURITY-810 / CVE-2018-1000182
Severity (CVSS): medium
Affected plugin: git
Description:

Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and the Overall/Administer permission.

Server-side request forgery vulnerability in GitHub Plugin

SECURITY-799 / CVE-2018-1000184
Severity (CVSS): medium
Affected plugin: github
Description:

A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL.

If that request’s HTTP response code indicates success, the form validation is returning a generic success message, otherwise the HTTP status code is returned.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

The form validation method now requires POST requests and the Overall/Administer permission.

CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials

SECURITY-804 / CVE-2018-1000183
Severity (CVSS): medium
Affected plugin: github
Description:

GitHub Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and appropriate user permissions.

Server-side request forgery vulnerability in GitHub Branch Source Plugin

SECURITY-806 / CVE-2018-1000185
Severity (CVSS): medium
Affected plugin: github-branch-source
Description:

A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and the Overall/Administer permission.

CSRF vulnerability and missing permission checks in GitHub Pull Request Builder Plugin allowed server-side request forgery, capturing credentials

SECURITY-805 / CVE-2018-1000186
Severity (CVSS): medium
Affected plugin: ghprb
Description:

GitHub Pull Request Builder Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer permissions.

Kubernetes Plugin printed sensitive build variables to logs

SECURITY-883 / CVE-2018-1000187
Severity (CVSS): low
Affected plugin: kubernetes
Description:

Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and controller log, when using pipeline steps like withDockerRegistry.

The plugin now applies masking of sensitive build variables to these pipeline steps.

Server-side request forgery vulnerability in CAS Plugin

SECURITY-809 / CVE-2018-1000188
Severity (CVSS): medium
Affected plugin: cas-plugin
Description:

A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method now requires POST requests and the Overall/Administer permission.

CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins controller

SECURITY-807 / CVE-2018-1000189
Severity (CVSS): high
Affected plugin: absint-astree
Description:

AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller.

Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.

This form validation method no longer implements the validation that required a program to be invoked.

CSRF vulnerability and missing permission checks in Black Duck Hub Plugin allowed server-side request forgery, capturing credentials

SECURITY-865 / CVE-2018-1000190
Severity (CVSS): medium
Affected plugin: blackduck-hub
Description:

Black Duck Hub Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer permissions.

CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials

SECURITY-866 / CVE-2018-1000191
Severity (CVSS): medium
Affected plugin: blackduck-detect
Description:

Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.

Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.

These form validation methods now require POST requests and Overall/Administer permissions.

Severity

Affected Versions

  • AbsInt Astrée Plugin up to and including 1.0.5
  • Black Duck Detect Plugin up to and including 1.4.0
  • Black Duck Hub Plugin up to and including 4.0.0
  • CAS Plugin up to and including 1.4.1
  • Git Plugin up to and including 3.9.0
  • GitHub Plugin up to and including 1.29.0
  • GitHub Branch Source Plugin up to and including 2.3.4
  • GitHub Pull Request Builder Plugin up to and including 1.41.0
  • Kubernetes Plugin up to and including 1.7.0

Fix

  • AbsInt Astrée Plugin should be updated to version 1.0.7
  • Black Duck Detect Plugin should be updated to version 1.4.1
  • Black Duck Hub Plugin should be updated to version 4.0.1
  • CAS Plugin should be updated to version 1.4.2
  • Git Plugin should be updated to version 3.9.1
  • GitHub Plugin should be updated to version 1.29.1
  • GitHub Branch Source Plugin should be updated to version 2.3.5
  • GitHub Pull Request Builder Plugin should be updated to version 1.42.0
  • Kubernetes Plugin should be updated to version 1.7.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Jesse Glick, CloudBees, Inc. for SECURITY-883
  • Thomas de Grenier de Latour for SECURITY-799, SECURITY-804, SECURITY-805, SECURITY-806, SECURITY-807, SECURITY-809, SECURITY-810, SECURITY-865, SECURITY-866