Incorrect implementation in navigation in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.

CVE-2019-13701

Out of bounds memory access in the gamepad API in Google Chrome prior to 78.0.3904.70 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page.

CVE-2019-13700

Use after free in WebAudio in Google Chrome prior to 78.0.3904.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2019-13720: 1019226 - chromium - An open-source project to help move the web forward.

CVE-2019-13720

Integer overflow to buffer overflow vulnerability in PostScript image handling code used by the PostScript- and PDF-compatible interpreters due to incorrect buffer size calculation. in PostScript and PDF printers that use IPS versions prior to 2019.2 in PostScript and PDF printers that use IPS versions prior to 2019.2

CVE-2019-10627: October Security Bulletin 2019 | Qualcomm

In binder_transaction of binder.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-136210786References: Upstream kernel

_Published November 4, 2019 | Updated December 16, 2019_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2019-11-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2019-11-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2019-11-01 patch level. Vulnerabilities are grouped under the component that they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2019-2192

A-138441555

EoP

High

9, 10

CVE-2019-2193

A-132261064 \[2\]

EoP

High

8.0, 8.1, 9, 10

CVE-2019-2195

A-139186193

EoP

High

8.0, 8.1, 9, 10

CVE-2019-2199

A-138650665

EoP

High

10

CVE-2019-2211

A-135269669 \[2\]

ID

High

8.0, 8.1, 9, 10

CVE-2019-2197

A-138529441

ID

High

8.0, 8.1, 9, 10

**Library**

The vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2019-2201

A-120551338

RCE

High

8.0, 8.1, 9, 10

**Media framework**

The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2019-2202

A-137283376

EoP

High

9, 10

CVE-2019-2203

A-137370777

EoP

High

8.0, 8.1, 9, 10

**System**

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2019-2204

A-138442295

RCE

Critical

9

CVE-2019-2205

A-139806216

RCE

Critical

8.0, 8.1, 9, 10

CVE-2019-2206

A-139188579

RCE

Critical

8.0, 8.1, 9, 10

CVE-2019-2233

A-140486529

EoP

High

10

CVE-2019-2207

A-124524315

EoP

High

8.0, 8.1, 9, 10

CVE-2019-2212

A-139690488 \[2\] \[3\]

ID

High

8.0, 8.1, 9, 10

CVE-2019-2208

A-138441919

ID

High

9

CVE-2019-2209

A-139287605

ID

High

8.0, 8.1, 9, 10

**Google Play system updates**

There are no security issues addressed in Google Play system updates this month.

**2019-11-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2019-11-05 patch level. Vulnerabilities are grouped under the component they affect and include details such as the CVE, associated references, type of vulnerability, severity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, such as the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Framework**

The most severe vulnerability in this section could enable a local malicious application to bypass operating system protections that isolate application data from other applications.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2019-2196

A-135269143 \[2\] \[3\] \[4\]

ID

High

8.0, 8.1, 9, 10

CVE-2019-2198

A-135270103 \[2\] \[3\] \[4\]

ID

High

8.0, 8.1, 9, 10

**System**

The vulnerability in this section could enable a remote attacker using a specially crafted transmission to gain access to additional permissions.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2019-2036

A-79703832

EoP

High

8.0, 8.1, 9, 10

**Kernel components**

The most severe vulnerability in this section could enable a local attacker to execute arbitrary code within the context of a privileged process.

    

CVE

References

Type

Severity

Component

CVE-2019-2213

A-133758011  
Upstream kernel

EoP

High

binder driver

CVE-2019-2214

A-136210786  
Upstream kernel

EoP

High

binder driver

CVE-2019-11833

A-133041647  
Upstream kernel

ID

Moderate

ext4 filesystem

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Type

Severity

Component

CVE-2019-2310

A-78906648  
QC-CR#2253243

N/A

High

Wi-Fi

CVE-2019-10545

A-138940225  
QC-CR#2353418

N/A

High

Graphics driver

CVE-2019-10571

A-138940226  
QC-CR#2363085

N/A

High

Graphics driver

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Type

Severity

Component

CVE-2019-10493

A-132108736\*

N/A

Critical

Closed-source component

CVE-2019-10511

A-132097484\*

N/A

Critical

Closed-source component

CVE-2019-2288

A-132108853\*

N/A

Critical

Closed-source component

CVE-2019-2320

A-132108539\*

N/A

Critical

Closed-source component

CVE-2019-2321

A-132108927\*

N/A

Critical

Closed-source component

CVE-2019-10484

A-132108752\*

N/A

High

Closed-source component

CVE-2019-10485

A-132108463\*

N/A

High

Closed-source component

CVE-2019-2319

A-132107963\*

N/A

High

Closed-source component

CVE-2019-2337

A-132108895\*

N/A

High

Closed-source component

CVE-2019-2338

A-132108464\*

N/A

High

Closed-source component

CVE-2019-10559

A-137030660\*

N/A

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2019-11-01 or later address all issues associated with the 2019-11-01 security patch level.
*   Security patch levels of 2019-11-05 or later address all issues associated with the 2019-11-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2019-11-01\]
*   \[ro.build.version.security\_patch\]:\[2019-11-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2019-11-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2019-11-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2019-11-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

November 04, 2019

Bulletin published

1.1

November 5, 2019

Bulletin revised to include AOSP links

1.2

December 16, 2019

Revised CVE table

CVE-2019-2214: Android Security Bulletin—November 2019  |  Android Open Source Project

A flaw was found in the samba client, all samba versions before samba 4.11.2, 4.10.10 and 4.9.15, where a malicious server can supply a pathname to the client with separators. This could allow the client to access files and folders outside of the SMB network pathnames. An attacker could use this vulnerability to create files outside of the current working directory using the privileges of the client user.

**CVE-2019-10218.html:**

\===========================================================
== Subject:     Client code can return filenames containing
==              path separators.
==
== CVE ID#:     CVE-2019-10218
==
== Versions:    All versions of Samba.
==
== Summary:     Malicious servers can cause Samba client
                code to return filenames containing path
                separators to calling code.
===========================================================

===========
Description
===========

Samba client code (libsmbclient) returns server-supplied filenames to
calling code without checking for pathname separators (such as "/" or
"../") in the server returned names.

A malicious server can craft a pathname containing separators and
return this to client code, causing the client to use this access local
pathnames for reading or writing instead of SMB network pathnames.

This access is done using the local privileges of the client.  

This attack can be achieved using any of SMB1/2/3 as it is not reliant
on any specific SMB protocol version.

Specifically, samba client tools like smbget and smbclient's mget use
the server supplied 'final' name component as a local name when
obtaining multiple files.  While the design of these tools is that
server can always choose the file names, this vulnerability is that it
allows a remote server to create local files outside the current
working directory.

Users of the libsmbclient library external to Samba may also be
vulnerable if they use server returned filenames without adequate
checking and pass them to functions that do local filesystem access.

Note that the Gnome GVFS client library is not believed to be
vulnerable, as it always passes server-returned pathnames back to the
SMB share they were returned from. Such malformed pathnames are then
rejected by the server.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.11.2, 4.10.10 and 4.9.15 have been issued as
security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSSv3: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N (5.3)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Michael Hanselmann.

Patches provided by Jeremy Allison of the Samba Team and Google.

Advisory by Jeremy Allison of the Samba Team and Google and Andrew
Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2019-10218: Samba - Security Announcement Archive

Today we are launching the [ElectionGuard Bounty program](«http://www.microsoft.com/msrc/bounty-electionguard> >).
In May 2019, we announced the release of ElectionGuard, a free open-source SDK to make voting more secure, transparent, and accessible. ElectionGuard enables end-to-end verification of elections, open results to third-party organizations for secure validation, and allows individual voters to confirm their votes were correctly counted.

Today we are launching the \[ElectionGuard Bounty program\](«http://www.microsoft.com/msrc/bounty-electionguard> >).

In May 2019, we announced the release of ElectionGuard, a free open-source SDK to make voting more secure, transparent, and accessible. ElectionGuard enables end-to-end verification of elections, open results to third-party organizations for secure validation, and allows individual voters to confirm their votes were correctly counted. The ElectionGuard Bounty program invites security researchers to partner with Microsoft to secure ElectionGuard users, and is a part of Microsoft’s broader commitment to preserving and protecting electoral processes under the Defending Democracy Program.

Researchers from across the globe, whether full time cyber security professionals, part-time hobbyists, or students, are invited to discover high impact vulnerabilities in targeted areas of the ElectionGuard SDK and share them with Microsoft under Coordinated Vulnerability Disclosure (CVD). Eligible submissions with a clear, concise proof of concept (POC) are eligible for awards up to US$15,000.

Bug bounty programs are common among technology companies, where they are used to incentivize the identification and coordinated disclosure of security vulnerabilities. Bug bounty programs have been implemented by a large number of organizations, including the Department of Defense, United Airlines, Twitter, Google, Apple, Microsoft and many others.

Microsoft strongly believes close partnerships with researchers make customers more secure. Security researchers play an integral role in the ecosystem by discovering and reporting vulnerabilities to Microsoft through coordinated vulnerability disclosure. Security researchers have repeatedly demonstrated that working together helps protect customers and each year we partner together to better protect billions of customers worldwide.

Microsoft paid $4.4 million in bounty rewards between July 1, 2018 and June 30, 2019 across 11 bounty programs with a top award of $200,000. Further details about Microsoft’s Bug Bounty Programs are available here.

Microsoft is committed to strengthening our partnership with the security research community as well as pursuing new areas for security improvement in emerging technology. We look forward to sharing more bounty updates and improvements in the coming months.

_Jarek Stanley, Senior Program Manager, MSRC_

Introducing the ElectionGuard Bounty program

Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an untrusted pointer dereference vulnerability. Successful exploitation could lead to arbitrary code execution .

Security updates available for Adobe Acrobat and Reader | APSB19-49

**Bulletin ID**

**Date Published**

**Priority**

APSB19-49

October 15, 2019

2

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and  important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.    

Adobe recommends users update their software installations to the latest versions by following the instructions below.    

The latest product versions are available to end users via one of the following methods:    

*   Users can update their product installations manually by choosing Help > Check for Updates.     
    
*   The products will update automatically, without requiring user intervention, when updates are detected.      
    
*   The full Acrobat Reader installer can be downloaded from the Acrobat Reader Download Center.     
    

For IT administrators (managed environments):     

*   Download the enterprise installers from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release note version for links to installers.     
    
*   Install updates via your preferred methodology, such as AIP-GPO, bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and SSH.     
    

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version:    

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVE Number**

Out-of-Bounds Read  

Information Disclosure  

Important   

CVE-2019-8164

CVE-2019-8168

CVE-2019-8172

CVE-2019-8173

CVE-2019-8064

CVE-2019-8182

CVE-2019-8184

CVE-2019-8185

CVE-2019-8189

CVE-2019-8163

CVE-2019-8190

CVE-2019-8193

CVE-2019-8194

CVE-2019-8198

CVE-2019-8201

CVE-2019-8202

CVE-2019-8204

CVE-2019-8207

CVE-2019-8216

CVE-2019-8218

CVE-2019-8222

Out-of-Bounds Write 

Arbitrary Code Execution   

Critical

CVE-2019-8171

CVE-2019-8186

CVE-2019-8165

CVE-2019-8191

CVE-2019-8199

CVE-2019-8206

Use After Free   

Arbitrary Code Execution     

Critical

CVE-2019-8175

CVE-2019-8176

CVE-2019-8177

CVE-2019-8178

CVE-2019-8179

CVE-2019-8180

CVE-2019-8181

CVE-2019-8187

CVE-2019-8188

CVE-2019-8192

CVE-2019-8203

CVE-2019-8208

CVE-2019-8209

CVE-2019-8210

CVE-2019-8211

CVE-2019-8212

CVE-2019-8213

CVE-2019-8214

CVE-2019-8215

CVE-2019-8217

CVE-2019-8219

CVE-2019-8220

CVE-2019-8221

CVE-2019-8223

CVE-2019-8224

CVE-2019-8225

Heap Overflow 

Arbitrary Code Execution     

Critical

CVE-2019-8170

CVE-2019-8183

CVE-2019-8197

Buffer Overrun

Arbitrary Code Execution     

Critical

CVE-2019-8166

Cross-site Scripting 

Information Disclosure

Important   

CVE-2019-8160

Race Condition

Arbitrary Code Execution  

Critical

CVE-2019-8162

Incomplete Implementation of Security Mechanism

Information Disclosure

Important 

CVE-2019-8226

Type Confusion

Arbitrary Code Execution  

Critical

CVE-2019-8161

CVE-2019-8167

CVE-2019-8169

CVE-2019-8200

Untrusted Pointer Dereference

Arbitrary Code Execution 

Critical

CVE-2019-8174

CVE-2019-8195

CVE-2019-8196

CVE-2019-8205

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:    

*   Anonymous working with Trend Micro Zero Day Initiative (CVE-2019-8203, CVE-2019-8208, CVE-2019-8210, CVE-2019-8217, CVE-2019-8219, CVE-2019-8225)
*   Haikuo Xie of Baidu Security Lab working with Trend Micro Zero Day Initiative (CVE-2019-8209, CVE-2019-8223) 
*   hungtt28 of Viettel Cyber Security working with Trend Micro Zero Day Initiative (CVE-2019-8204)
*   Juan Pablo Lopez Yacubian working with Trend Micro Zero Day Initiative (CVE-2019-8172) 
*   Ke Liu of Tencent Security Xuanwu Lab (CVE-2019-8199, CVE-2019-8200, CVE-2019-8201, CVE-2019-8202)
*   L4Nce working with Trend Micro Zero Day Initiative (CVE-2019-8064) 
*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2019-8166, CVE-2019-8175, CVE-2019-8178, CVE-2019-8179, CVE-2019-8180, CVE-2019-8181, CVE-2019-8187, CVE-2019-8188, CVE-2019-8189, CVE-2019-8163, CVE-2019-8190, CVE-2019-8165, CVE-2019-8191)
*   Mateusz Jurczyk of Google Project Zero (CVE-2019-8195, CVE-2019-8196, CVE-2019-8197)
*   peternguyen working with Trend Micro Zero Day Initiative (CVE-2019-8176, CVE-2019-8224) 
*   Steven Seeley (mr\_me) of Source Incite working with Trend Micro Zero Day Initiative (CVE-2019-8170, CVE-2019-8171, CVE-2019-8173, CVE-2019-8174)
*   Heige of Knownsec 404 Security Team (http://www.knownsec.com/) (CVE-2019-8160) 
*   Xizsmin and Lee JinYoung of Codemize Security Research Lab (CVE-2019-8218)
*   Mipu94 of SEFCOM Lab, Arizona State University (CVE-2019-8211, CVE-2019-8212, CVE-2019-8213, CVE-2019-8214, CVE-2019-8215) 
*   Esteban Ruiz (mr\_me) of Source Incite (CVE-2019-8161, CVE-2019-8164, CVE-2019-8167, CVE-2019-8168, CVE-2019-8169, CVE-2019-8182)
*   Ta Dinh Sung of STAR Labs (CVE-2019-8220, CVE-2019-8221) 
*   Behzad Najjarpour Jabbari, Secunia Research at Flexera (CVE-2019-8222)
*   Aleksandar Nikolic of Cisco Talos. (CVE-2019-8183) 
*   Nguyen Hong Quang (https://twitter.com/quangnh89) of Viettel Cyber Security (CVE-2019-8193)
*   Zhiyuan Wang and willJ from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd. (CVE-2019-8185, CVE-2019-8186) 
*   Yangkang(@dnpushme) & Li Qi(@leeqwind) & Yang Jianxiong(@sinkland\_) of Qihoo360 CoreSecurity(@360CoreSec) (CVE-2019-8194)
*   Lee JinYoung of Codemize Security Research Lab (http://codemize.co.kr) (CVE-2019-8216) 
*   Bo Qu of Palo Alto Networks and Heige of Knownsec 404 Security Team (CVE-2019-8205)
*   Zhibin Zhang of Palo Alto Networks (CVE-2019-8206) 
*   Andrew Hart (CVE-2019-8226)
*   peternguyen (meepwn ctf) working with Trend Micro Zero Day Initiative (CVE-2019-8192, CVE-2019-8177) 
*   Haikuo Xie of Baidu Security Lab (CVE-2019-8184)
*   Zhiniang Peng of Qihoo 360 Core security & Jiadong Lu of South China University of Technology (CVE-2019-8162)

November 11, 2019: Added acknowledgement for CVE-2019-8195 & CVE-2019-8196.

CVE-2019-8196: Adobe Security Bulletin

Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Bumblebee HP ALM Plugin
*   Cadence vManager Plugin
*   CRX Content Package Deployer Plugin
*   Delphix Plugin
*   ElasticBox CI Plugin
*   Extensive Testing Plugin
*   Fortify on Demand Plugin
*   Google Kubernetes Engine Plugin
*   Google OAuth Credentials Plugin
*   iceScrum Plugin
*   NeoLoad Plugin
*   Oracle Cloud Infrastructure Compute Classic Plugin
*   Puppet Enterprise Pipeline Plugin
*   Rundeck Plugin
*   SOASTA CloudTest Plugin
*   Sofy.AI Plugin
*   View26 Test-Reporting Plugin

**Descriptions****Arbitrary file read vulnerability in Google OAuth Credentials Plugin**

**SECURITY-1583 / CVE-2019-10436**  
**Severity (CVSS):** Medium  
**Affected plugin: google-oauth-plugin**  
**Description:**

Google OAuth Credentials Plugin allowed the creation of credentials based on the content of files on the Jenkins controller through a feature retaining backwards compatibility with earlier plugin releases. This allowed users with the permission to configure jobs and credentials to read arbitrary files on the Jenkins controller by creating a credential referencing an arbitrary file on the Jenkins controller.

Google OAuth Credentials Plugin no longer allows a regular user to create credentials in the legacy format.

**CSRF vulnerability and missing permission check in CRX Content Package Deployer Plugin allowed capturing credentials**

**SECURITY-1006 (1) / CVE-2019-10437 (CSRF), CVE-2019-10438 (permission check)**  
**Severity (CVSS):** High  
**Affected plugin: crx-content-package-deployer**  
**Description:**

CRX Content Package Deployer Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.

CRX Content Package Deployer Plugin now requires POST requests and Item/Configure permission.

**Users with Overall/Read access could enumerate credential IDs in CRX Content Package Deployer Plugin**

**SECURITY-1006 (2) / CVE-2019-10439**  
**Severity (CVSS):** Medium  
**Affected plugin: crx-content-package-deployer**  
**Description:**

CRX Content Package Deployer Plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in CRX Content Package Deployer Plugin now requires the appropriate permission.

**NeoLoad Plugin stored credentials in plain text**

**SECURITY-1427 / CVE-2019-10440**  
**Severity (CVSS):** Medium  
**Affected plugin: neoload-jenkins-plugin**  
**Description:**

NeoLoad Plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.neoload.integration.NeoGlobalConfig.xml and in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

NeoLoad Plugin now stores these credentials encrypted.

**CSRF vulnerability and missing permission check in iceScrum Plugin**

**SECURITY-1484 / CVE-2019-10441 (CSRF), CVE-2019-10442 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: icescrum**  
**Description:**

iceScrum Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified access token or username and password.

Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.

iceScrum Plugin now requires POST requests and Overall/Administer permission.

**iceScrum Plugin stored credentials in plain text**

**SECURITY-1436 / CVE-2019-10443**  
**Severity (CVSS):** Medium  
**Affected plugin: icescrum**  
**Description:**

iceScrum Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

iceScrum Plugin 1.1.5 and newer now stores these credentials encrypted.

**Bumblebee HP ALM Plugin unconditionally disabled SSL/TLS certificate validation**

**SECURITY-1481 / CVE-2019-10444**  
**Severity (CVSS):** Medium  
**Affected plugin: bumblebee**  
**Description:**

Bumblebee HP ALM Plugin unconditionally disabled SSL/TLS certificate validation for connections to the HP ALM service.

Bumblebee HP ALM Plugin no longer does that. Instead, it now allows users to opt out of certificate validation.

**Missing permission checks in Google Kubernetes Engine Plugin allowed validating and obtaining data**

**SECURITY-1607 / CVE-2019-10445**  
**Severity (CVSS):** Low  
**Affected plugin: google-kubernetes-engine**  
**Description:**

Missing permission checks in Google Kubernetes Engine Plugin allowed users with Overall/Read permission to obtain limited information about the scope and access of a credential with an attacker-specified credential ID obtained through another method.

Google Kubernetes Engine Plugin now requires Job/Configure permission for these operations.

**Cadence vManager Plugin globally and unconditionally disabled SSL/TLS certificate validation**

**SECURITY-1615 / CVE-2019-10446**  
**Severity (CVSS):** Medium  
**Affected plugin: vmanager-plugin**  
**Description:**

Cadence vManager Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM.

Cadence vManager Plugin no longer does that. Instead, it now has an opt-in option to ignore SSL/TLS errors for its connections.

**Script sandbox bypass vulnerability in Puppet Enterprise Pipeline Plugin**

**SECURITY-918 / CVE-2019-10458**  
**Severity (CVSS):** High  
**Affected plugin: puppet-enterprise-pipeline**  
**Description:**

Puppet Enterprise Pipeline Plugin defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox.

This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This results in arbitrary code execution on any Jenkins instance with this plugin installed.

As of publication of this advisory there is no fix.

**Sofy.AI Plugin stores API token in plain text**

**SECURITY-1431 / CVE-2019-10447**  
**Severity (CVSS):** Medium  
**Affected plugin: sofy-ai**  
**Description:**

Sofy.AI Plugin stores an API token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory there is no fix.

**Extensive Testing Plugin stores credentials in plain text**

**SECURITY-1432 / CVE-2019-10448**  
**Severity (CVSS):** Medium  
**Affected plugin: extensivetesting**  
**Description:**

Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory there is no fix.

**Fortify on Demand Plugin stores credentials in plain text**

**SECURITY-1433 / CVE-2019-10449**  
**Severity (CVSS):** Medium  
**Affected plugin: fortify-on-demand-uploader**  
**Description:**

Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory there is no fix.

**ElasticBox CI Plugin stores access token in plain text**

**SECURITY-1434 / CVE-2019-10450**  
**Severity (CVSS):** Low  
**Affected plugin: elasticbox**  
**Description:**

ElasticBox CI Plugin stores an access token unencrypted in the global config.xml configuration file on the Jenkins controller. This token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory there is no fix.

**SOASTA CloudTest Plugin stores API token in plain text**

**SECURITY-1439 / CVE-2019-10451**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudtest**  
**Description:**

SOASTA CloudTest Plugin stores credentials unencrypted in its global configuration file com.soasta.jenkins.CloudTestServer.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory there is no fix.

**View26 Test-Reporting Plugin stores access token in plain text**

**SECURITY-1440 / CVE-2019-10452**  
**Severity (CVSS):** Medium  
**Affected plugin: view26**  
**Description:**

View26 Test-Reporting Plugin stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory there is no fix.

**Delphix Plugin stores credentials in plain text**

**SECURITY-1450 / CVE-2019-10453**  
**Severity (CVSS):** Low  
**Affected plugin: delphix**  
**Description:**

Delphix Plugin stores credentials unencrypted in its global configuration file io.jenkins.plugins.delphix.GlobalConfiguration.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory there is no fix.

**CSRF vulnerability and missing permission check in Rundeck Plugin**

**SECURITY-1460 / CVE-2019-10454 (CSRF), CVE-2019-10455 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified username and password.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory there is no fix.

**CSRF vulnerability and missing permission check in Oracle Cloud Infrastructure Compute Classic Plugin**

**SECURITY-1462 / CVE-2019-10456 (CSRF), CVE-2019-10457 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: oracle-cloud-infrastructure-compute-classic**  
**Description:**

Oracle Cloud Infrastructure Compute Classic Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified username and password.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory there is no fix.

**Severity**

*   SECURITY-918: High
*   SECURITY-1006 (1): High
*   SECURITY-1006 (2): Medium
*   SECURITY-1427: Medium
*   SECURITY-1431: Medium
*   SECURITY-1432: Medium
*   SECURITY-1433: Medium
*   SECURITY-1434: Low
*   SECURITY-1436: Medium
*   SECURITY-1439: Medium
*   SECURITY-1440: Medium
*   SECURITY-1450: Low
*   SECURITY-1460: Medium
*   SECURITY-1462: Medium
*   SECURITY-1481: Medium
*   SECURITY-1484: Medium
*   SECURITY-1583: Medium
*   SECURITY-1607: Low
*   SECURITY-1615: Medium

**Affected Versions**

*   **Bumblebee HP ALM Plugin** up to and including 4.1.3
*   **Cadence vManager Plugin** up to and including 2.7.0
*   **CRX Content Package Deployer Plugin** up to and including 1.8.1
*   **Delphix Plugin** up to and including 2.0.4
*   **ElasticBox CI Plugin** up to and including 5.0.1
*   **Extensive Testing Plugin** up to and including 1.4.4b
*   **Fortify on Demand Plugin** up to and including 4.0.0
*   **Google Kubernetes Engine Plugin** up to and including 0.7.0
*   **Google OAuth Credentials Plugin** up to and including 0.9
*   **iceScrum Plugin** up to and including 1.1.5
*   **NeoLoad Plugin** up to and including 2.2.5
*   **Oracle Cloud Infrastructure Compute Classic Plugin** up to and including 1.0.0
*   **Puppet Enterprise Pipeline Plugin** up to and including 1.3.1
*   **Rundeck Plugin** up to and including 3.6.5
*   **SOASTA CloudTest Plugin** up to and including 2.25
*   **Sofy.AI Plugin** up to and including 1.0.3
*   **View26 Test-Reporting Plugin** up to and including 1.0.7

**Fix**

*   **Bumblebee HP ALM Plugin** should be updated to version 4.1.4
*   **Cadence vManager Plugin** should be updated to version 2.7.1
*   **CRX Content Package Deployer Plugin** should be updated to version 1.9
*   **Google Kubernetes Engine Plugin** should be updated to version 0.7.1
*   **Google OAuth Credentials Plugin** should be updated to version 0.10
*   **iceScrum Plugin** should be updated to version 1.1.6
*   **NeoLoad Plugin** should be updated to version 2.2.6

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Delphix Plugin
*   ElasticBox CI Plugin
*   Extensive Testing Plugin
*   Fortify on Demand Plugin
*   Oracle Cloud Infrastructure Compute Classic Plugin
*   Puppet Enterprise Pipeline Plugin
*   Rundeck Plugin
*   SOASTA CloudTest Plugin
*   Sofy.AI Plugin
*   View26 Test-Reporting Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1615
*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1427, SECURITY-1431, SECURITY-1432, SECURITY-1433, SECURITY-1434, SECURITY-1436, SECURITY-1439, SECURITY-1440, SECURITY-1450
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-918
*   **Matt Sicker, CloudBees Inc.** for SECURITY-1607
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1006 (1), SECURITY-1006 (2)
*   **Viktor Gazdag NCC Group** for SECURITY-1460, SECURITY-1462, SECURITY-1481, SECURITY-1484
*   **Wadeck Follonier, Jesse Glick, and Daniel Beck, CloudBees, Inc.** for SECURITY-1583

Tag

#google