Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Artifactory Plugin
*   Azure Container Service Plugin
*   OpenShift Pipeline Plugin
*   Pipeline: AWS Steps Plugin
*   Queue cleanup Plugin
*   RapidDeploy Plugin

**Descriptions****CSRF protection for any URL could be bypassed**

**SECURITY-1774 / CVE-2020-2160**  
**Severity (CVSS):** High  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL.

Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses.

In case of problems, administrators can disable this security fix by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true.

As an additional safeguard, semicolon (;) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath to true.

**Stored XSS vulnerability in label expression validation**

**SECURITY-1781 / CVE-2020-2161**  
**Severity (CVSS):** Medium  
**Description:**

Users with Agent/Configure permissions can define labels for nodes. These labels can be referenced in job configurations to restrict where a job can be run.

In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation for label expressions in job configuration forms did not properly escape label names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to define node labels.

Jenkins now correctly escapes node labels that are shown in form validation on job configuration pages.

**Stored XSS vulnerability in file parameters**

**SECURITY-1793 / CVE-2020-2162**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate Content-Security-Policy HTTP headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.

Jenkins now sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.

The system property hudson.model.DirectoryBrowserSupport.CSP can be set to override the value of Content-Security-Policy headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the Resource Root URL and works the same way for file parameters. See Configuring Content Security Policy to learn more.

Even when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to Content-Security-Policy restrictions.

**Stored XSS vulnerability in list view column headers**

**SECURITY-1796 / CVE-2020-2163**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded in list view column headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the content of column headers.

The following plugins are known to allow users to define column headers:

*   Warnings NG
    
*   Maven Info
    
*   Link Column
    

Further plugins may also allow users to define column headers.

Jenkins no longer processes HTML embedded in list view column headers.

**Passwords stored in plain text by Artifactory Plugin**

**SECURITY-1542 (1) / CVE-2020-2164**  
**Severity (CVSS):** Low  
**Description:**

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml. This password can be viewed by users with access to the Jenkins controller file system.

Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.

**Passwords transmitted in plain text by Artifactory Plugin**

**SECURITY-1542 (2) / CVE-2020-2165**  
**Severity (CVSS):** Low  
**Affected plugin: artifactory**  
**Description:**

Artifactory Plugin stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins controller as part of its configuration.

While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.

**RCE vulnerability in Pipeline: AWS Steps Plugin**

**SECURITY-1741 / CVE-2020-2166**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aws**  
**Description:**

Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipeline: AWS Steps Plugin’s build steps.

Pipeline: AWS Steps Plugin 1.41 configures its YAML parser to only instantiate safe types.

**RCE vulnerability in OpenShift Pipeline Plugin**

**SECURITY-1739 / CVE-2020-2167**  
**Severity (CVSS):** High  
**Affected plugin: openshift-pipeline**  
**Description:**

OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to OpenShift Pipeline Plugin’s build step.

OpenShift Pipeline Plugin 1.0.57 configures its YAML parser to only instantiate safe types.

**RCE vulnerability in Azure Container Service Plugin**

**SECURITY-1732 / CVE-2020-2168**  
**Severity (CVSS):** High  
**Affected plugin: azure-acs**  
**Description:**

Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Azure Container Service Plugin’s build step.

Azure Container Service Plugin 1.0.2 configures its YAML parser to only instantiate safe types.

**Reflected XSS vulnerability in Queue cleanup Plugin**

**SECURITY-1724 / CVE-2020-2169**  
**Severity (CVSS):** Medium  
**Affected plugin: queue-cleanup**  
**Description:**

A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting vulnerability (XSS).

Queue cleanup Plugin 1.4 correctly escapes the query parameter.

**Stored XSS vulnerability in RapidDeploy Plugin**

**SECURITY-1676 / CVE-2020-2170**  
**Severity (CVSS):** Medium  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure jobs.

RapidDeploy Plugin 4.2.1 escapes package names.

**XXE vulnerability in RapidDeploy Plugin**

**SECURITY-1677 / CVE-2020-2171**  
**Severity (CVSS):** High  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'RapidDeploy deployment package build' build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

RapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.

**Severity**

*   SECURITY-1542 (1): Low
*   SECURITY-1542 (2): Low
*   SECURITY-1676: Medium
*   SECURITY-1677: High
*   SECURITY-1724: Medium
*   SECURITY-1732: High
*   SECURITY-1739: High
*   SECURITY-1741: High
*   SECURITY-1774: High
*   SECURITY-1781: Medium
*   SECURITY-1793: Medium
*   SECURITY-1796: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.227
*   **Jenkins LTS** up to and including 2.204.5
*   **Artifactory Plugin** up to and including 3.6.0
*   **Azure Container Service Plugin** up to and including 1.0.1
*   **OpenShift Pipeline Plugin** up to and including 1.0.56
*   **Pipeline: AWS Steps Plugin** up to and including 1.40
*   **Queue cleanup Plugin** up to and including 1.3
*   **RapidDeploy Plugin** up to and including 4.2

**Fix**

*   **Jenkins weekly** should be updated to version 2.228
*   **Jenkins LTS** should be updated to version 2.204.6 or 2.222.1
*   **Artifactory Plugin** should be updated to version 3.6.1
*   **Azure Container Service Plugin** should be updated to version 1.0.2
*   **OpenShift Pipeline Plugin** should be updated to version 1.0.57
*   **Pipeline: AWS Steps Plugin** should be updated to version 1.41
*   **Queue cleanup Plugin** should be updated to version 1.4
*   **RapidDeploy Plugin** should be updated to version 4.2.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1676, SECURITY-1677
*   **Daniel Kalinowski of ISEC.pl Research Team** for SECURITY-1732
*   **James Holderness, IB Boost, and independently, ethorsa** for SECURITY-1542 (1)
*   **Nick Collisson from Gemini Trust Company, LLC.** for SECURITY-1774
*   **Phu X. Mai, University of Luxembourg** for SECURITY-1793
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1724, SECURITY-1781

CVE-2020-2170: Jenkins Security Advisory 2020-03-25

The default configuration of broker.conf in Red Hat OpenShift Enterprise 2.x before 2.1 has a password of "mooo" for a Mongo account, which allows remote attackers to hijack the broker by providing this password, related to the openshift.sh script in Openshift Extras before 20130920. NOTE: this may overlap CVE-2013-4253 and CVE-2013-4281.

CVE-2014-0234: Red Hat Customer Portal - Access to 24x7 support and knowledge

Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Alauda DevOps Pipeline Plugin
*   Alauda Kubernetes Suport Plugin
*   Build Failure Analyzer Plugin
*   buildgraph-view Plugin
*   Gerrit Trigger Plugin
*   Mantis Plugin
*   Maven Release Plug-in Plugin
*   Mission Control Plugin
*   Pipeline Aggregator View Plugin
*   RapidDeploy Plugin
*   Redgate SQL Change Automation Plugin
*   Rundeck Plugin
*   SCTMExecutor Plugin
*   Spira Importer Plugin
*   Team Concert Plugin
*   WebSphere Deployer Plugin
*   Weibo Plugin

**Descriptions****XXE vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1681 / CVE-2019-16549 (XXE), CVE-2019-16550 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin retrieves XML from Nexus repository manager APIs. Maven Release Plug-in Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. While Jenkins users without Overall/Administer permission are not allowed to configure a custom Nexus URL, this could still be exploited via man-in-the-middle attacks, especially if it’s not an HTTPS URL.

Additionally, a connection test form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability. Combined, these two vulnerabilities allow attackers to have Jenkins parse crafted XML documents that use external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Maven Release Plug-in Plugin 0.16.2 configures its XML parser to prevent XML external entity (XXE) attacks. It also now requires that requests to the connection test form validation method are done via POST, which protects from cross-site request forgery attacks.

**CSRF vulnerability and missing permission checks in Gerrit Trigger Plugin**

**SECURITY-1527 / CVE-2019-16551 (CSRF), CVE-2019-16552 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: gerrit-trigger**  
**Description:**

Gerrit Trigger Plugin 2.30.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, connecting to an HTTP URL or SSH server using attacker-specified credentials, or determine whether files with an attacker-specified path exist on the Jenkins controller file system.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Gerrit Trigger Plugin 2.30.2 requires POST requests and Overall/Administer permission for the affected form validation methods.

**CSRF vulnerability and missing permission check in Build Failure Analyzer Plugin allow ReDoS**

**SECURITY-1651 / CVE-2019-16553 (CSRF), CVE-2019-16554 (missing permission check), CVE-2019-16555 (resource consumption)**  
**Severity (CVSS):** Medium  
**Affected plugin: build-failure-analyzer**  
**Description:**

Build Failure Analyzer Plugin 1.24.1 and earlier does not perform a permission check in a method performing form validation. This allows users with Overall/Read access to supply a computationally expensive regular expression that will hang the request handling thread.

Additionally, this form validation method does not require POST requests, resulting in a CSRF vulnerability.

Build Failure Analyzer Plugin 1.24.2 requires POST requests and implements a permission check for the affected form validation methods so that only authorized users are able to submit regular expressions.

Additionally, the regular expression is implemented in an interruptible way, so that unintentionally expensive regular expression processing can be interrupted.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-1593 / CVE-2019-16564**  
**Severity (CVSS):** Medium  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.8 and earlier does not escape the information shown on the view it provides, such as stage names or job names.

This results in a stored cross-site scripting vulnerability exploitable by users able to configure jobs, define pipeline stages, or otherwise affect the information shown by Pipeline Aggregator View Plugin.

Pipeline Aggregator View Plugin 1.9 escapes user-controlled information on the view it provides.

**Rundeck Plugin stored credentials in plain text**

**SECURITY-1636 / CVE-2019-16556**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.5 and earlier stores credentials as part of its global configuration file org.jenkinsci.plugins.rundeck.RundeckNotifier.xml and job config.xml files on the Jenkins controller. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system.

Rundeck Plugin 3.6.6 stores credentials in its configuration encrypted once global and/or job configurations are saved again.

**Redgate SQL Change Automation Plugin stores credentials in plain text**

**SECURITY-1598 / CVE-2019-16557**  
**Severity (CVSS):** Medium  
**Affected plugin: redgate-sql-ci**  
**Description:**

Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins controller as part of its build step configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.4 stores its credentials encrypted once job configurations are saved again.

**SSL/TLS certificate validation globally and unconditionally disabled by Spira Importer Plugin**

**SECURITY-1580 / CVE-2019-16558**  
**Severity (CVSS):** Medium  
**Affected plugin: inflectra-spira-integration**  
**Description:**

Spira Importer Plugin 3.2.3 and earlier unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

Spira Importer Plugin 3.2.4 no longer disables SSL/TLS certificate validation.

**CSRF vulnerability and missing permission checks in WebSphere Deployer Plugin**

**SECURITY-1371 / CVE-2019-16559 (permission check), CVE-2019-16560 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: websphere-deployer**  
**Description:**

WebSphere Deployer Plugin 1.6.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, determine whether files with an attacker-specified path exist on the Jenkins controller file system, and obtain limited information about the Jenkins and plugin configuration based on the responses. The latter include the ability to set plugin configuration options.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**SSL/TLS certificate validation globally and unconditionally disabled by WebSphere Deployer Plugin**

**SECURITY-1581 / CVE-2019-16561**  
**Severity (CVSS):** Medium  
**Affected plugin: websphere-deployer**  
**Description:**

WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM, or specify a new Java keystore from a file stored on the Jenkins controller filesystem.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in buildgraph-view Plugin**

**SECURITY-1591 / CVE-2019-16562**  
**Severity (CVSS):** Medium  
**Affected plugin: buildgraph-view**  
**Description:**

buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the build description.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Mission Control Plugin**

**SECURITY-1592 / CVE-2019-16563**  
**Severity (CVSS):** Medium  
**Affected plugin: mission-control-view**  
**Description:**

Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names in the view it provides.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change these properties.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Team Concert Plugin allows capturing credentials**

**SECURITY-1605 (1) / CVE-2019-16565 (CSRF), CVE-2019-16566 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Users with Overall/Read access can enumerate credential IDs in Team Concert Plugin**

**SECURITY-1605 (2) / CVE-2019-16567**  
**Severity (CVSS):** Medium  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 1.3.0 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**SCTMExecutor Plugin stores credentials in plain text**

**SECURITY-1521 / CVE-2019-16568**  
**Severity (CVSS):** Low  
**Affected plugin: SCTMExecutor**  
**Description:**

SCTMExecutor Plugin 2.2 and earlier stores Silk Central credentials in the global Jenkins configuration and in job config.xml files.

While these credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of these credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Mantis Plugin**

**SECURITY-1603 / CVE-2019-16569**  
**Severity (CVSS):** Medium  
**Affected plugin: mantis**  
**Description:**

Mantis Plugin 0.26 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Mantis-related paths on an attacker-specified web server using attacker-specified credentials.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in RapidDeploy Plugin allow SSRF**

**SECURITY-1604 / CVE-2019-16570 (CSRF), CVE-2019-16571 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.1 and earlier does not perform a permission check on form validation methods. This allows users with Overall/Read access to Jenkins to connect to RapidDeploy-related paths on an attacker-specified web server.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Weibo Plugin stores credentials in plain text**

**SECURITY-1597 / CVE-2019-16572**  
**Severity (CVSS):** Low  
**Affected plugin: weibo**  
**Description:**

Weibo Plugin 1.0.1 and earlier stores a credential unencrypted in its global configuration file org.jenkinsci.plugins.weibo.WeiboNotifier.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Alauda DevOps Pipeline Plugin allows capturing credentials**

**SECURITY-1600 / CVE-2019-16573 (CSRF), CVE-2019-16574 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: alauda-devops-pipeline**  
**Description:**

Alauda DevOps Pipeline Plugin 2.3.2 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing token credentials managed by Alauda DevOps Pipeline Plugin.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Alauda Kubernetes Suport Plugin**

**SECURITY-1602 / CVE-2019-16575 (CSRF), CVE-2019-16576 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: alauda-kubernetes-support**  
**Description:**

Alauda Kubernetes Suport Plugin 2.3.0 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing 'Secret Text' credentials stored in Jenkins.

Additionally, if no credentials ID is specified, the connection uses the default Kubernetes token from /var/run/secrets/kubernetes.io/serviceaccount/token.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1371: Medium
*   SECURITY-1521: Low
*   SECURITY-1527: Medium
*   SECURITY-1580: Medium
*   SECURITY-1581: Medium
*   SECURITY-1591: Medium
*   SECURITY-1592: Medium
*   SECURITY-1593: Medium
*   SECURITY-1597: Low
*   SECURITY-1598: Medium
*   SECURITY-1600: Medium
*   SECURITY-1602: Medium
*   SECURITY-1603: Medium
*   SECURITY-1604: Medium
*   SECURITY-1605 (1): High
*   SECURITY-1605 (2): Medium
*   SECURITY-1636: Medium
*   SECURITY-1651: Medium
*   SECURITY-1681: High

**Affected Versions**

*   **Alauda DevOps Pipeline Plugin** up to and including 2.3.2
*   **Alauda Kubernetes Suport Plugin** up to and including 2.3.0
*   **Build Failure Analyzer Plugin** up to and including 1.24.1
*   **buildgraph-view Plugin** up to and including 1.8
*   **Gerrit Trigger Plugin** up to and including 2.30.1
*   **Mantis Plugin** up to and including 0.26
*   **Maven Release Plug-in Plugin** up to and including 0.16.1
*   **Mission Control Plugin** up to and including 0.9.16
*   **Pipeline Aggregator View Plugin** up to and including 1.8
*   **RapidDeploy Plugin** up to and including 4.1
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.3
*   **Rundeck Plugin** up to and including 3.6.5
*   **SCTMExecutor Plugin** up to and including 2.2
*   **Spira Importer Plugin** up to and including 3.2.3
*   **Team Concert Plugin** up to and including 1.3.0
*   **WebSphere Deployer Plugin** up to and including 1.6.1
*   **Weibo Plugin** up to and including 1.0.1

**Fix**

*   **Build Failure Analyzer Plugin** should be updated to version 1.24.2
*   **Gerrit Trigger Plugin** should be updated to version 2.30.2
*   **Maven Release Plug-in Plugin** should be updated to version 0.16.2
*   **Pipeline Aggregator View Plugin** should be updated to version 1.9
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.4
*   **Rundeck Plugin** should be updated to version 3.6.6
*   **Spira Importer Plugin** should be updated to version 3.2.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Alauda DevOps Pipeline Plugin
*   Alauda Kubernetes Suport Plugin
*   buildgraph-view Plugin
*   Mantis Plugin
*   Mission Control Plugin
*   RapidDeploy Plugin
*   SCTMExecutor Plugin
*   Team Concert Plugin
*   WebSphere Deployer Plugin
*   Weibo Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alex Earl (@alexcearl), Marvell Semiconductor, Inc.** for SECURITY-1527
*   **Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/** for SECURITY-1681
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1371, SECURITY-1580, SECURITY-1581, SECURITY-1651
*   **James Holderness, IB Boost** for SECURITY-1521
*   **Viktor Gazdag NCC Group** for SECURITY-1591, SECURITY-1592, SECURITY-1593, SECURITY-1597, SECURITY-1598, SECURITY-1600, SECURITY-1602, SECURITY-1603, SECURITY-1604, SECURITY-1605 (1), SECURITY-1605 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1636

CVE-2019-16563: Jenkins Security Advisory 2019-12-17

Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.

CVE-2019-16562: Jenkins Security Advisory 2019-12-17

Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affects view content such as job display name or pipeline stage names.

CVE-2019-16564: Jenkins Security Advisory 2019-12-17

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

  
**Latest Java Releases****Release 1.72 is now available for download.**

This is release is primarily a feature release, the post-quantum algorithm set has been further expanded and now includes NIST finalists Kyber, Dilithium, Falcon, as well as the Round 3/4 candidates BIKE, HQC, NTRU, NTRU Prime, and Picnic in the BCPQC provider. The finalist SPHINCS+ has also been updated to its latest submission and Haraka support has been added. An implementation of SIKE is also included (for research purposes only). Other changes include the addition of Argon2 support for OpenPGP, performance improvements for OpenPGP CRC24 calculator, support for TLS raw public keys (RFC 7250) and an algorithm/keysize constraints framework has been added via the CryptoServicesRegistrar object. Bug fixes include an issue with the construction of multi-document evidence records and an occasional error in GCMSIV tag calculation. The BCJSSE also now has TLS 1.3 enabled by default. The latest version of the Grain128AEAD has also been added to the lightweight API and the CMP support classes have been updated to reflect the latest version of the draft RFC "Lightweight Certificate Management Protocol (CMP) Profile."

Further details on other additions and bug fixes can be found in the release notes file accompanying the release.

**Java Version Details** With the arrival of Java 15. jdk15 is not quite as unambiguous as it was. The **jdk18on** jars are compiled to work with **anything** from Java 1.8 up. They are also multi-release jars so do support some features that were introduced in Java 9, Java 11, and Java 15. If you have issues with multi-release jars see the jdk15to18 release jars below.

**Packaging Change (users of 1.70 or earlier):** BC 1.71 changed the jdk15on jars to jdk18on so the base has now moved to Java 8. For earlier JVMs, or containers/applications that cannot cope with multi-release jars, you should now use the jdk15to18 jars.

**Packaging Change (users of 1.68 or earlier):** BC 1.69 introduced a **new** jar, bcutil-\*.jar, which is a collection of classes which do not need to be in the JCE provider jar, but are used by the other APIs. You will find you will need to add the bcutil jar to the class path if you are using the other BC APIs.

**Change Warning (users of 1.68 or earlier):** The BKS-V1 KeyStore format is now disabled by default. See releasenotes for 1.69 for details to turn it on if required.

**Change Warning (users of 1.52 or earlier):** The PEM Parser now returns an X509TrustedCertificate block when parsing an openssl trusted certificate, the new object was required to allow the proper return of the trusted certificate's attribute block. Please also see the porting guide for advice on porting to this release from much earlier ones (release 1.45 or earlier).

**Further Note (users of Oracle JVM 1.7 or earlier, users of "pre-Java 9" toolkits):** As of 1.63 we have started including signed jars for "jdk15to18", if you run into issues with either signature validation in the JCE or the presence of the multi-release versions directory in the regular "jdk18on" jar files try the "jdk15to18" jars instead. **Please also note the JCE certificate in the public access versions of Oracle Java 6 (6u45) and Oracle Java 7 (7u80) is expired on the 20th April 2021.** We still counter sign the jdk15to18 jars with this certificate for compatibility reasons, but Oracle does distribute JVMs for Java 6 and Java 7 with a newer, and stronger, certificate to holders of Java Support Contracts.

Others have contributed to this release, both with code and/or financially and you can find them listed in the contributors file. We would like to thank holders of Crypto Workshop support contracts for additional time that was contributed back to this release through left over consulting time provided as part of their support agreements. Thank you, one and all!

If you're interested in grabbing the lot in one hit (includes JCE, JCE provider, light weight API, J2ME, range of JDK compatibility classes, signed jars, fries, and king prawns...) download crypto-172.tar.gz or crypto-172.zip, otherwise if you are only interested in one version in particular, see below. **Early access to our FIPS hardened version of the Java APIs is now available for both BC-FJA 1.0.3 and BC-FJA 2.0.0** as well, contact us at office@bouncycastle.org for further information.

**Get the most out of your Bouncy Castle experience!**

Get a support contract through Crypto Workshop. We have found two things that distinguish our support contract holders from our regular user base. Developers with access to a support contract are more likely to raise an issue with us early rather than try and muddle through, and developers with access to a support contract also take a more active interest in the beta releases, both FIPS and non-FIPS. The second one is useful as it means any issues or shortfalls in the beta are able to be fixed while the updates are still in beta. The first one is a real **cost saver** as it does not lead to us receiving emails starting with "Our development team has spent (some number of) weeks trying to work out..." It is much cheaper to have a support contract!

**Signed JAR files**

From release 1.40 some implementations of encryption algorithms were removed from the regular jar files at the request of a number of users. Jars with names of the form **\*-ext-\*** still include these (at the moment the list is: NTRU).

 

Provider

Clean room JCE  
and provider

ASN.1 Utility Classes

PKIX/CMS/EAC/PKCS  
OCSP/TSP/OPENSSL

SMIME

Jakarta SMIME

OpenPGP/BCPG

DTLS/TLS API/JSSE Provider

Test Classes

JDK 1.8 and later

bcprov-jdk18on-172.jar  
bcprov-ext-jdk18on-172.jar

 

bcutil-jdk18on-172.jar

bcpkix-jdk18on-172.jar

bcmail-jdk18on-172.jar

bcjmail-jdk18on-172.jar

bcpg-jdk18on-172.jar

bctls-jdk18on-172.jar

bctest-jdk18on-172.jar

JDK 1.5 - JDK 1.8

bcprov-jdk15to18-172.jar  
bcprov-ext-jdk15to18-172.jar

 

bcutil-jdk15to18-172.jar

bcpkix-jdk15to18-172.jar

bcmail-jdk15to18-172.jar

bcjmail-jdk15to18-172.jar

bcpg-jdk15to18-172.jar

bctls-jdk15to18-172.jar

bctest-jdk15to18-172.jar

JDK 1.4

bcprov-jdk14-172.jar  
bcprov-ext-jdk14-172.jar

 

bcutil-jdk14-172.jar

bcpkix-jdk14-172.jar

bcmail-jdk14-172.jar

 

bcpg-jdk14-172.jar

bctls-jdk14-172.jar (low-level only)

bctest-jdk14-172.jar

JDK 1.3

bcprov-jdk13-172.jar  
bcprov-ext-jdk13-172.jar

jce-jdk13-172.jar  
jce-ext-jdk13-172.jar

bcutil-jdk13-172.jar

bcpkix-jdk13-172.jar

bcmail-jdk13-172.jar

 

bcpg-jdk13-172.jar

 

bctest-jdk13-172.jar

JDK 1.2

bcprov-jdk12-172.jar  
bcprov-ext-jdk12-172.jar

jce-jdk12-172.jar  
jce-ext-jdk12-172.jar

 

bcpkix-jdk12-172.jar

 

 

bcpg-jdk12-172.jar

 

bctest-jdk12-172.jar

The following signed provider jars are provided so that you can make use of the debug information in them. In the case of the non-provider jars (bcpkix, bcpg, and bcmail), the jar files do not need to be signed to work. You can rebuild them with debug turned on, or operate directly from the source, if you need.

 

Providers with debug

JDK 1.8 and later

bcprov-debug-jdk18on-172.jar

bcprov-ext-debug-jdk18on-172.jar

JDK 1.5 - JDK 1.8

bcprov-debug-jdk15to18-172.jar

bcprov-ext-debug-jdk15to18-172.jar

JDK 1.4

bcprov-debug-jdk14-172.jar

bcprov-ext-debug-jdk14-172.jar

**Sources and JavaDoc**

 

DTLS/TLS API/JSSE Provider

JDK 1.8 and later

bctls-jdk18on-172.tar.gz

bctls-jdk18on-172.zip

JDK 1.4 (low-level only)

bctls-jdk14-172.tar.gz

bctls-jdk14-172.zip

 

ASN.1 and Utility Classes

JDK 1.8 and later

bcutil-jdk18on-172.tar.gz

bcutil-jdk18on-172.zip

JDK 1.4

bcutil-jdk14-172.tar.gz

bcutil-jdk14-172.zip

JDK 1.3

bcutil-jdk13-172.tar.gz

bcutil-jdk13-172.zip

 

PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL

JDK 1.8 and later

bcpkix-jdk18on-172.tar.gz

bcpkix-jdk18on-172.zip

JDK 1.4

bcpkix-jdk14-172.tar.gz

bcpkix-jdk14-172.zip

JDK 1.3

bcpkix-jdk13-172.tar.gz

bcpkix-jdk13-172.zip

JDK 1.2

bcpkix-jdk12-172.tar.gz

bcpkix-jdk12-172.zip

JDK 1.1

bcpkix-jdk11-172.tar.gz

bcpkix-jdk11-172.zip

 

OpenPGP/BCPG

JDK 1.8 and later

bcpg-jdk18on-172.tar.gz

bcpg-jdk18on-172.zip

JDK 1.4

bcpg-jdk14-172.tar.gz

bcpg-jdk14-172.zip

JDK 1.3

bcpg-jdk13-172.tar.gz

bcpg-jdk13-172.zip

JDK 1.2

bcpg-jdk12-172.tar.gz

bcpg-jdk12-172.zip

JDK 1.1

bcpg-jdk11-172.tar.gz

bcpg-jdk11-172.zip

 

SMIME

JDK 1.8 and later

bcmail-jdk18on-172.tar.gz

bcmail-jdk18on-172.zip

JDK 1.4

bcmail-jdk14-172.tar.gz

bcmail-jdk14-172.zip

JDK 1.3

bcmail-jdk13-172.tar.gz

bcmail-jdk13-172.zip

 

JCE with provider and lightweight API

Lightweight API

 

JDK 1.8 and later

bcprov-jdk18on-172.tar.gz

bcprov-jdk18on-172.zip

lcrypto-jdk18on-172.tar.gz

lcrypto-jdk18on-172.zip

JDK 1.4

bcprov-jdk14-172.tar.gz

bcprov-jdk14-172.zip

lcrypto-jdk14-172.tar.gz

lcrypto-jdk14-172.zip

JDK 1.3

jce-jdk13-172.tar.gz

jce-jdk13-172.zip

lcrypto-jdk13-172.tar.gz

lcrypto-jdk13-172.zip

JDK 1.2

jce-jdk12-172.tar.gz

jce-jdk12-172.zip

lcrypto-jdk12-172.tar.gz

lcrypto-jdk12-172.zip

JDK 1.1

jce-jdk11-172.tar.gz

jce-jdk11-172.zip

lcrypto-jdk11-172.tar.gz

lcrypto-jdk11-172.zip

J2ME

 

 

lcrypto-j2me-172.tar.gz

lcrypto-j2me-172.zip

 

Releases no longer maintained

JDK 1.0

lcrypto-jdk10-133.tar.gz

lcrypto-jdk10-133.zip

_**NOTE:**_

1.  _The tar archives were created using GNU tar (some versions of Solaris tar will have problems extracting them)_
_*   The J2ME source distribution includes zips for the class files_

You can find the release notes, documentation, and specifications here.

You can find checksums for confirming the integrity of the distributions here

_**Mirrors**_  
Too slow? You can also find the latest versions on one of our mirrors:

*   polydistortion.net

_**Beta Access**_  
The current working betas, when available, for the next release for JDK 1.8 and later can be found at https://www.bouncycastle.org/betas. If you need a beta to be made available for another version of Java please ask by emailing feedback-crypto@bouncycastle.org.

_**Maven Access**_  
The BC jars are now mirrored on the Maven central repository. You can find them at https://repo1.maven.org/maven2/org/bouncycastle.

_**GIT Access**_  
Just want to look at the source? The source code repository is now mirrored on GitHub and accessible from here. The repository can be cloned using either  
https:

git clone https://github.com/bcgit/bc-java.git

or git protocol

git clone git://github.com/bcgit/bc-java.git

_**CVS Access**_  
Just want to look at the source? The source code repository is accessible via ViewVC from here

_**FTP Access**_  
Previous releases, as well as the latest ones, can be downloaded from our ftp server ftp.bouncycastle.org. Please note the FTP server does not support passive mode.

CVE-2019-17359: bouncycastle.org

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

This issue is to discuss CVE-2019-15052 and answer any questions that people may have.

Our official advisory can be found here: GHSA-4cwg-f7qc-6r95

**CVSSv3 Score**

We believe that this vulnerability will receive the same CVSSv3 score as the cURL vulnerability listed below.

As such, we have provided the following _estimated_ scoring:

**CVSS v3.0 Severity and Metrics:**

**Base Score:** 9.8 CRITICAL  
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Impact Score:** 5.9  
**Exploitability Score:** 3.9

**Additional context**

cURL had this same vulnerability which was fixed in cURL v7.58.0  
Their disclosure can be found here:  
https://curl.haxx.se/docs/CVE-2018-1000007.html

**Original Report**

Below is the contents of the original vulnerability disclosure reported by @uriahcarpenter.

**Expected Behavior**

If basic authentication is configured for a Maven repository credentials are _only_ sent to the hostname configured.

**Current Behavior**

If the Maven repository responds with an HTTP redirection response (e.g. 302/304/307) to a different hostname Gradle _includes_ the basic authorization header. Some may consider this an information disclosure security issue.

**Context**

Some Maven repositories may perform HTTP redirects to serve large-binaries from via a CDN; an example of this is Artifactory's Direct Cloud Storage Download feature. This Artifactory feature ultimately uses a S3 signed URL as a HTTP redirect. However the S3 request fails because there is authorization in the URL _and_ Gradle sends the _unrelated_ basic authentication header.

**Steps to Reproduce**

I have created a full working example of this issue:

*   Clone https://github.com/Widen/gradle-s3
*   Execute ./gradlew classes --no-daemon --refresh-dependencies
*   Build will fail with a 400 response error

The underlaying cause of the 400 error is slightly difficult to diagnose because Gradle does not output the text of the response, so I'm including screen shots of the request and responses using a local HTTP proxy.

Request and response to my _fake_ Maven repository:

Request and response to S3 URL. Note the actual _bug_ is that the header Authorization = Basic Zm9vOmJheg== is being sent to the server gradle-s3-auth-issue.s3.amazonaws.com.

**Environment**

Sample project is configured to use the latest Gradle release; 5.5.1.

Please feel free to leave any questions you may have below.

Please report any new security vulnerabilities to security@gradle.com.

CVE-2019-15052: [DISCUSSION] CVE-2019-15052: Repository authentication sent to server of HTTP redirection response · Issue #10278 · gradle/gradle

Jenkins Configuration as Code Plugin 1.24 and earlier did not properly apply masking to values expected to be hidden when logging the configuration being applied.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   Configuration as Code Plugin
*   Google Kubernetes Engine Plugin
*   Maven Integration Plugin
*   Maven Release Plug-in Plugin
*   Pipeline: Deprecated Groovy Libraries Plugin
*   Script Security Plugin
*   Skytap Cloud CI Plugin

**Descriptions****Sandbox bypass through type casts in Script Security Plugin**

**SECURITY-1465 (1) / CVE-2019-10355**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin could be circumvented by casting crafted objects to other types. This allowed attackers able to specify sandboxed scripts to invoke constructors that weren’t approved.

Additionally, this could be used to read arbitrary files on the Jenkins controller.

Casting collections to other types as an alternative syntax for constructor invocation is now only allowed when the collection type is defined in java.util, and prohibited otherwise. Casting files and enums to arrays is now intercepted by the sandbox and treated as the invocation of an equivalent method.

**Sandbox bypass through method pointer expressions in Script Security Plugin**

**SECURITY-1465 (2) / CVE-2019-10356**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin could be circumvented through crafted subexpressions used as arguments to method pointer expressions. This allowed attackers able to specify sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Method pointer subexpressions are now subject to sandbox protection.

**Missing permission check in Pipeline: Deprecated Groovy Libraries Plugin**

**SECURITY-1422 / CVE-2019-10357**  
**Severity (CVSS):** Medium  
**Affected plugin: workflow-cps-global-lib**  
**Description:**

Pipeline: Deprecated Groovy Libraries Plugin provides form validation to determine whether the revision (e.g. commit, tag, or branch name) specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an attacker-specified revision exists in an SCM repository configured for use in an existing shared library.

Pipeline: Deprecated Groovy Libraries Plugin now performs the appropriate permission check.

**Maven Integration Plugin did not mask sensitive values in module build logs**

**SECURITY-713 / CVE-2019-10358**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-plugin**  
**Description:**

Maven Integration Plugin did not apply build log decorators from the Build Environment configuration to module builds. This could prevent sensitive content in module build logs from being masked.

Maven Integration Plugin now applies build log decorators from the Build Environment configuration to module builds.

**CSRF vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1098 / CVE-2019-10359**  
**Severity (CVSS):** Medium  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin did not require that requests sent to the endpoint used to initiate the release process use POST. This resulted in a cross-site request forgery vulnerability that allows attackers to perform releases.

Maven Release Plug-in Plugin now requires that these requests be sent via POST.

**Stored XSS vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1184 / CVE-2019-10360**  
**Severity (CVSS):** Medium  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin did not properly escape variables in multiple views, resulting in a stored cross-site scripting vulnerability.

Variables on affected views are now escaped.

**Maven Release Plug-in Plugin stored credentials in plain text**

**SECURITY-1435 / CVE-2019-10361**  
**Severity (CVSS):** Low  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin stored credentials unencrypted in its global configuration file org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Maven Release Plug-in Plugin now stores credentials encrypted.

**Configuration as Code Plugin failed to mask secrets in system log messages**

**SECURITY-1279 / CVE-2019-10343**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin logs the changes it applies to the Jenkins system log. Secrets such as passwords should be masked (i.e. replaced with asterisks) in that log to prevent accidental disclosure.

Between Configuration as Code Plugin 0.8-alpha and 1.0, log messages contained values if the values were specified using properties in the YAML file (SECURITY-929).

Since Configuration as Code Plugin 1.1, log messages in Configuration as Code Plugin instead mask values of type Secret, which is used in Jenkins to store the values encrypted on disk. This did not work in many instances, as plugins could use the Secret type to store credentials encrypted on disk while not having the Secret type appear in their Java API.

Configuration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of log message masking.

As a workaround, administrators can configure the logging level of the logger io.jenkins.plugins.casc.Attribute to a level that does not include INFO messages. See the logging documentation for details.

**Configuration as Code Plugin allowed users without Overall/Administer permission to access documentation**

**SECURITY-1290 / CVE-2019-10344**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin provides a generated schema and reference documentation for the configuration options supported on the current Jenkins instance. These URLs did not perform additional permission checks, resulting in their content being available to users with Overall/Read access. This included detailed information about installed plugins that may not be available otherwise.

Access to these URLs is now restricted to users with Overall/Administer permission.

**Configuration as Code Plugin did not mask proxy credentials**

**SECURITY-1303 / CVE-2019-10345**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin provides a custom configurator for the Jenkins proxy configuration.

This feature did not mask the password for logging or encrypt it in the export.

Configuration as Code Plugin 1.20 and newer mask the Jenkins proxy password when logged and only store it encrypted in the export.

**Configuration as Code Plugin evaluated variable references when importing a previously exported configuration**

**SECURITY-1446 / CVE-2019-10362**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin allows exporting the live Jenkins configuration, as well as importing and applying a configuration provided in the same format. One of the features of the import is that it allows specifying variable references (e.g. ${VARIABLE_NAME}) in the configuration YAML file. These will be replaced by the value of the corresponding environment variable (or other source of secrets) during import (interpolation). If such a value should not be interpolated, the escape character ^ can be used before (e.g. ^${VARIABLE_NAME}).

Exporting did not add ^ escape characters to exported strings, such as various entity descriptions. This allowed attackers with permission to configure certain entities, such as credentials or agents, to specify crafted descriptions containing variable references. These would be replaced by the corresponding environment variable’s value during a subsequent import.

The export now adds ^ escape characters to exported strings as needed to prevent them from being interpolated during import. Previously exported configurations may require manual cleanup by Jenkins admins before being imported.

**Configuration as Code Plugin exported secret values in plain text**

**SECURITY-1458 / CVE-2019-10363**  
**Severity (CVSS):** Medium  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin allows to export the current Jenkins configuration as a YAML file. Secrets such as passwords should be exported in their encrypted form to prevent accidental disclosure.

Configuration as Code Plugin did not reliably detect which values in the exported YAML file need to be considered sensitive (e.g. credentials and other secrets), as plugins could use the Secret type to store credentials encrypted on disk while not having the Secret type appear in their Java API. This resulted in credentials being exported in plain text in some cases.

Configuration as Code Plugin now inspects the type and looks for a field, getter, or constructor argument corresponding to the property, making the secret detection much more robust for the purpose of exporting encrypted secrets.

**Amazon EC2 Plugin leaked beginning of private key in system log**

**SECURITY-673 / CVE-2019-10364**  
**Severity (CVSS):** Medium  
**Affected plugin: ec2**  
**Description:**

Amazon EC2 Plugin printed a log message that contained the beginning of the private key to the Jenkins system log.

The log message no longer includes the beginning of the private key.

**Google Kubernetes Engine Plugin stored temporary secret in a user accessible location**

**SECURITY-1345 / CVE-2019-10365**  
**Severity (CVSS):** Medium  
**Affected plugin: google-kubernetes-engine**  
**Description:**

Google Kubernetes Engine Plugin created a temporary file named .kube…config containing a temporary access token in the project workspace. This allowed the file to be accessed via workspace browsers, or accidentally archived, disclosing the token.

This temporary file is now created outside the regular project workspace.

**Skytap Cloud CI Plugin stored credentials in plain text**

**SECURITY-1429 / CVE-2019-10366**  
**Severity (CVSS):** Medium  
**Affected plugin: skytap**  
**Description:**

Skytap Cloud CI Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Skytap Cloud CI Plugin now stores credentials encrypted.

**Severity**

*   SECURITY-673: Medium
*   SECURITY-713: Medium
*   SECURITY-1098: Medium
*   SECURITY-1184: Medium
*   SECURITY-1279: Medium
*   SECURITY-1290: Medium
*   SECURITY-1303: Low
*   SECURITY-1345: Medium
*   SECURITY-1422: Medium
*   SECURITY-1429: Medium
*   SECURITY-1435: Low
*   SECURITY-1446: Medium
*   SECURITY-1458: Medium
*   SECURITY-1465 (1): High
*   SECURITY-1465 (2): High

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.43
*   **Configuration as Code Plugin** up to and including 1.24
*   **Google Kubernetes Engine Plugin** up to and including 0.6.2
*   **Maven Integration Plugin** up to and including 3.3
*   **Maven Release Plug-in Plugin** up to and including 0.14.0
*   **Pipeline: Deprecated Groovy Libraries Plugin** up to and including 2.14
*   **Script Security Plugin** up to and including 1.61
*   **Skytap Cloud CI Plugin** up to and including 2.06

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.44
*   **Configuration as Code Plugin** should be updated to version 1.25
*   **Google Kubernetes Engine Plugin** should be updated to version 0.6.3
*   **Maven Integration Plugin** should be updated to version 3.4
*   **Maven Release Plug-in Plugin** should be updated to version 0.15.0
*   **Pipeline: Deprecated Groovy Libraries Plugin** should be updated to version 2.15
*   **Script Security Plugin** should be updated to version 1.62
*   **Skytap Cloud CI Plugin** should be updated to version 2.07

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alex Earl (@alexcearl), Marvell Semiconductor, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-1422
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1184
*   **David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative** for SECURITY-1429, SECURITY-1435
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-713, SECURITY-1345
*   **Mikaël Barbero (Eclipse Foundation)** for SECURITY-1290
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1098
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1446

CVE-2019-10343: Jenkins Security Advisory 2019-07-31

A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

CVE-2019-10359: Jenkins Security Advisory 2019-07-31

A stored cross site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins.

Tag

#maven