Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Artifactory Plugin
*   Azure Container Service Plugin
*   OpenShift Pipeline Plugin
*   Pipeline: AWS Steps Plugin
*   Queue cleanup Plugin
*   RapidDeploy Plugin

**Descriptions****CSRF protection for any URL could be bypassed**

**SECURITY-1774 / CVE-2020-2160**  
**Severity (CVSS):** High  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL.

Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses.

In case of problems, administrators can disable this security fix by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true.

As an additional safeguard, semicolon (;) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath to true.

**Stored XSS vulnerability in label expression validation**

**SECURITY-1781 / CVE-2020-2161**  
**Severity (CVSS):** Medium  
**Description:**

Users with Agent/Configure permissions can define labels for nodes. These labels can be referenced in job configurations to restrict where a job can be run.

In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation for label expressions in job configuration forms did not properly escape label names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to define node labels.

Jenkins now correctly escapes node labels that are shown in form validation on job configuration pages.

**Stored XSS vulnerability in file parameters**

**SECURITY-1793 / CVE-2020-2162**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate Content-Security-Policy HTTP headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.

Jenkins now sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.

The system property hudson.model.DirectoryBrowserSupport.CSP can be set to override the value of Content-Security-Policy headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the Resource Root URL and works the same way for file parameters. See Configuring Content Security Policy to learn more.

Even when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to Content-Security-Policy restrictions.

**Stored XSS vulnerability in list view column headers**

**SECURITY-1796 / CVE-2020-2163**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded in list view column headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the content of column headers.

The following plugins are known to allow users to define column headers:

*   Warnings NG
    
*   Maven Info
    
*   Link Column
    

Further plugins may also allow users to define column headers.

Jenkins no longer processes HTML embedded in list view column headers.

**Passwords stored in plain text by Artifactory Plugin**

**SECURITY-1542 (1) / CVE-2020-2164**  
**Severity (CVSS):** Low  
**Description:**

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml. This password can be viewed by users with access to the Jenkins controller file system.

Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.

**Passwords transmitted in plain text by Artifactory Plugin**

**SECURITY-1542 (2) / CVE-2020-2165**  
**Severity (CVSS):** Low  
**Affected plugin: artifactory**  
**Description:**

Artifactory Plugin stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins controller as part of its configuration.

While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.

**RCE vulnerability in Pipeline: AWS Steps Plugin**

**SECURITY-1741 / CVE-2020-2166**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aws**  
**Description:**

Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipeline: AWS Steps Plugin’s build steps.

Pipeline: AWS Steps Plugin 1.41 configures its YAML parser to only instantiate safe types.

**RCE vulnerability in OpenShift Pipeline Plugin**

**SECURITY-1739 / CVE-2020-2167**  
**Severity (CVSS):** High  
**Affected plugin: openshift-pipeline**  
**Description:**

OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to OpenShift Pipeline Plugin’s build step.

OpenShift Pipeline Plugin 1.0.57 configures its YAML parser to only instantiate safe types.

**RCE vulnerability in Azure Container Service Plugin**

**SECURITY-1732 / CVE-2020-2168**  
**Severity (CVSS):** High  
**Affected plugin: azure-acs**  
**Description:**

Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Azure Container Service Plugin’s build step.

Azure Container Service Plugin 1.0.2 configures its YAML parser to only instantiate safe types.

**Reflected XSS vulnerability in Queue cleanup Plugin**

**SECURITY-1724 / CVE-2020-2169**  
**Severity (CVSS):** Medium  
**Affected plugin: queue-cleanup**  
**Description:**

A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting vulnerability (XSS).

Queue cleanup Plugin 1.4 correctly escapes the query parameter.

**Stored XSS vulnerability in RapidDeploy Plugin**

**SECURITY-1676 / CVE-2020-2170**  
**Severity (CVSS):** Medium  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure jobs.

RapidDeploy Plugin 4.2.1 escapes package names.

**XXE vulnerability in RapidDeploy Plugin**

**SECURITY-1677 / CVE-2020-2171**  
**Severity (CVSS):** High  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'RapidDeploy deployment package build' build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

RapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.

**Severity**

*   SECURITY-1542 (1): Low
*   SECURITY-1542 (2): Low
*   SECURITY-1676: Medium
*   SECURITY-1677: High
*   SECURITY-1724: Medium
*   SECURITY-1732: High
*   SECURITY-1739: High
*   SECURITY-1741: High
*   SECURITY-1774: High
*   SECURITY-1781: Medium
*   SECURITY-1793: Medium
*   SECURITY-1796: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.227
*   **Jenkins LTS** up to and including 2.204.5
*   **Artifactory Plugin** up to and including 3.6.0
*   **Azure Container Service Plugin** up to and including 1.0.1
*   **OpenShift Pipeline Plugin** up to and including 1.0.56
*   **Pipeline: AWS Steps Plugin** up to and including 1.40
*   **Queue cleanup Plugin** up to and including 1.3
*   **RapidDeploy Plugin** up to and including 4.2

**Fix**

*   **Jenkins weekly** should be updated to version 2.228
*   **Jenkins LTS** should be updated to version 2.204.6 or 2.222.1
*   **Artifactory Plugin** should be updated to version 3.6.1
*   **Azure Container Service Plugin** should be updated to version 1.0.2
*   **OpenShift Pipeline Plugin** should be updated to version 1.0.57
*   **Pipeline: AWS Steps Plugin** should be updated to version 1.41
*   **Queue cleanup Plugin** should be updated to version 1.4
*   **RapidDeploy Plugin** should be updated to version 4.2.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1676, SECURITY-1677
*   **Daniel Kalinowski of ISEC.pl Research Team** for SECURITY-1732
*   **James Holderness, IB Boost, and independently, ethorsa** for SECURITY-1542 (1)
*   **Nick Collisson from Gemini Trust Company, LLC.** for SECURITY-1774
*   **Phu X. Mai, University of Luxembourg** for SECURITY-1793
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1724, SECURITY-1781

CVE-2020-2170: Jenkins Security Advisory 2020-03-25

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.

CVE-2019-19034: AssetExplorer ITAM Solution ServicePacks Readme

Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Audit Trail Plugin
*   Backlog Plugin
*   Cobertura Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Git Plugin
*   Literate Plugin
*   Logstash Plugin
*   Mac Plugin
*   OpenShift Deployer Plugin
*   P4 Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Rundeck Plugin
*   Script Security Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Timestamper Plugin
*   Zephyr Enterprise Test Management Plugin
*   Zephyr for JIRA Test Management Plugin

**Descriptions****Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1754 / CVE-2020-2134 (constructors), CVE-2020-2135 (GroovyInterceptable)**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:

*   Crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582)
    
*   Crafted method calls on objects that implement GroovyInterceptable
    

This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement GroovyInterceptable as calls to GroovyObject#invokeMethod(String, Object), which is on the list of dangerous signatures and should not be approved for use in the sandbox.

**Stored XSS vulnerability in Git Plugin**

**SECURITY-1723 / CVE-2020-2136**  
**Severity (CVSS):** Medium  
**Affected plugin: git**  
**Description:**

Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

Git Plugin 4.2.1 escapes the affected part of the error message.

**Stored XSS vulnerability in Timestamper Plugin**

**SECURITY-1784 / CVE-2020-2137**  
**Severity (CVSS):** Medium  
**Affected plugin: timestamper**  
**Description:**

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission.

Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

**XXE vulnerability in Cobertura Plugin**

**SECURITY-1700 / CVE-2020-2138**  
**Severity (CVSS):** High  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Cobertura Coverage Report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Cobertura Plugin 1.16 disables external entity resolution for its XML parser.

**Arbitrary file write vulnerability in Cobertura Plugin**

**SECURITY-1668 / CVE-2020-2139**  
**Severity (CVSS):** Medium  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not validate file paths from the XML file it parses.

This allows attackers able to control the coverage report content to overwrite any file on the Jenkins controller file system.

Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory.

**XSS vulnerability in Audit Trail Plugin**

**SECURITY-1722 / CVE-2020-2140**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Overall/Administer permission.

Audit Trail Plugin 3.3 escapes the affected part of the error message.

**CSRF vulnerability and missing permission checks in P4 Plugin**

**SECURITY-1765 / CVE-2020-2141 (CSRF), CVE-2020-2142 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: p4**  
**Description:**

P4 Plugin 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger builds or add labels in the Perforce repository.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

P4 Plugin 1.10.11 requires POST requests and appropriate user permissions for the affected HTTP endpoints.

**Credentials transmitted in plain text by Logstash Plugin**

**SECURITY-1516 / CVE-2020-2143**  
**Severity (CVSS):** Low  
**Affected plugin: logstash**  
**Description:**

Logstash Plugin stores credentials in its global configuration file jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Logstash Plugin 2.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Logstash Plugin 2.3.2 transmits the credentials in its global configuration encrypted.

**XXE vulnerability in Rundeck Plugin**

**SECURITY-1702 / CVE-2020-2144**  
**Severity (CVSS):** High  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Rundeck Plugin 3.6.7 disables external entity resolution for its XML parser.

**Credentials stored in plain text by Zephyr Enterprise Test Management Plugin**

**SECURITY-1596 / CVE-2020-2145**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-enterprise-test-management**  
**Description:**

Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins controller file system.

Zephyr Enterprise Test Management Plugin 1.10 integrates with Credentials Plugin.

**Missing SSH host key validation in Mac Plugin**

**SECURITY-1692 / CVE-2020-2146**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.

**CSRF vulnerability and missing permission checks in Mac Plugin**

**SECURITY-1761 / CVE-2020-2147 (CSRF), CVE-2020-2148 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH host using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer permission in Mac Plugin 1.2.0.

**Credentials transmitted in plain text by Repository Connector Plugin**

**SECURITY-1520 / CVE-2020-2149**  
**Severity (CVSS):** Low  
**Affected plugin: repository-connector**  
**Description:**

Repository Connector Plugin stores credentials in its global configuration file org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Repository Connector Plugin 1.2.6 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Sonar Quality Gates Plugin**

**SECURITY-1523 / CVE-2020-2150**  
**Severity (CVSS):** Low  
**Affected plugin: sonar-quality-gates**  
**Description:**

Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Sonar Quality Gates Plugin 1.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Quality Gates Plugin**

**SECURITY-1519 / CVE-2020-2151**  
**Severity (CVSS):** Low  
**Affected plugin: quality-gates**  
**Description:**

Quality Gates Plugin stores credentials in its global configuration file quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Quality Gates Plugin 2.5 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**XSS vulnerability in Subversion Release Manager Plugin**

**SECURITY-1727 / CVE-2020-2152**  
**Severity (CVSS):** Medium  
**Affected plugin: svn-release-mgr**  
**Description:**

Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Backlog Plugin**

**SECURITY-1510 / CVE-2020-2153**  
**Severity (CVSS):** Low  
**Affected plugin: backlog**  
**Description:**

Backlog Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Backlog Plugin 2.4 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by Zephyr for JIRA Test Management Plugin**

**SECURITY-1550 / CVE-2020-2154**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-for-jira-test-management**  
**Description:**

Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by OpenShift Deployer Plugin**

**SECURITY-1518 / CVE-2020-2155**  
**Severity (CVSS):** Low  
**Affected plugin: openshift-deployer**  
**Description:**

OpenShift Deployer Plugin stores credentials in its global configuration file org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by OpenShift Deployer Plugin 1.2.0 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by DeployHub Plugin**

**SECURITY-1511 / CVE-2020-2156**  
**Severity (CVSS):** Low  
**Affected plugin: deployhub**  
**Description:**

DeployHub Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by DeployHub Plugin 8.0.14 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Skytap Cloud CI Plugin**

**SECURITY-1522 / CVE-2020-2157**  
**Severity (CVSS):** Low  
**Affected plugin: skytap**  
**Description:**

Skytap Cloud CI Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Skytap Cloud CI Plugin 2.07 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**RCE vulnerability in Literate Plugin**

**SECURITY-1750 / CVE-2020-2158**  
**Severity (CVSS):** High  
**Affected plugin: literate**  
**Description:**

Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Literate Plugin’s build step.

As of publication of this advisory, there is no fix.

**OS command injection in CryptoMove Plugin**

**SECURITY-1635 / CVE-2020-2159**  
**Severity (CVSS):** High  
**Affected plugin: cryptomove**  
**Description:**

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration.

This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1510: Low
*   SECURITY-1511: Low
*   SECURITY-1516: Low
*   SECURITY-1518: Low
*   SECURITY-1519: Low
*   SECURITY-1520: Low
*   SECURITY-1522: Low
*   SECURITY-1523: Low
*   SECURITY-1550: Low
*   SECURITY-1596: Low
*   SECURITY-1635: High
*   SECURITY-1668: Medium
*   SECURITY-1692: Medium
*   SECURITY-1700: High
*   SECURITY-1702: High
*   SECURITY-1722: Medium
*   SECURITY-1723: Medium
*   SECURITY-1727: Medium
*   SECURITY-1750: High
*   SECURITY-1754: High
*   SECURITY-1761: Medium
*   SECURITY-1765: Medium
*   SECURITY-1784: Medium

**Affected Versions**

*   **Audit Trail Plugin** up to and including 3.2
*   **Backlog Plugin** up to and including 2.4
*   **Cobertura Plugin** up to and including 1.15
*   **CryptoMove Plugin** up to and including 0.1.33
*   **DeployHub Plugin** up to and including 8.0.14
*   **Git Plugin** up to and including 4.2.0
*   **Literate Plugin** up to and including 1.0
*   **Logstash Plugin** up to and including 2.3.1
*   **Mac Plugin** up to and including 1.1.0
*   **OpenShift Deployer Plugin** up to and including 1.2.0
*   **P4 Plugin** up to and including 1.10.10
*   **Quality Gates Plugin** up to and including 2.5
*   **Repository Connector Plugin** up to and including 1.2.6
*   **Rundeck Plugin** up to and including 3.6.6
*   **Script Security Plugin** up to and including 1.70
*   **Skytap Cloud CI Plugin** up to and including 2.07
*   **Sonar Quality Gates Plugin** up to and including 1.3.1
*   **Subversion Release Manager Plugin** up to and including 1.2
*   **Timestamper Plugin** up to and including 1.11.1
*   **Zephyr Enterprise Test Management Plugin** up to and including 1.9.1
*   **Zephyr for JIRA Test Management Plugin** up to and including 1.5

**Fix**

*   **Audit Trail Plugin** should be updated to version 3.3
*   **Cobertura Plugin** should be updated to version 1.16
*   **Git Plugin** should be updated to version 4.2.1
*   **Logstash Plugin** should be updated to version 2.3.2
*   **Mac Plugin** should be updated to version 1.2.0
*   **P4 Plugin** should be updated to version 1.10.11
*   **Rundeck Plugin** should be updated to version 3.6.7
*   **Script Security Plugin** should be updated to version 1.71
*   **Timestamper Plugin** should be updated to version 1.11.2
*   **Zephyr Enterprise Test Management Plugin** should be updated to version 1.10

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Backlog Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Literate Plugin
*   OpenShift Deployer Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Zephyr for JIRA Test Management Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/** for SECURITY-1702
*   **Federico Pellegrin** for SECURITY-1668, SECURITY-1700
*   **Ian Williams** for SECURITY-1596
*   **James Holderness, IB Boost** for SECURITY-1510, SECURITY-1511, SECURITY-1516, SECURITY-1518, SECURITY-1519, SECURITY-1520, SECURITY-1522, SECURITY-1523, SECURITY-1550
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1754
*   **Raihaan Shouhell, Autodesk, Inc** for SECURITY-1692
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1722, SECURITY-1723, SECURITY-1727, SECURITY-1761, SECURITY-1765, SECURITY-1784
*   **Wasin Saengow** for SECURITY-1635

CVE-2020-2137: Jenkins Security Advisory 2020-03-09

Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.

CVE-2020-2159: Jenkins Security Advisory 2020-03-09

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Applatix Plugin
*   Azure AD Plugin
*   BMC Release Package and Deployment Plugin
*   brakeman Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   FitNesse Plugin
*   Git Parameter Plugin
*   Google Kubernetes Engine Plugin
*   Harvest SCM Plugin
*   NUnit Plugin
*   Parasoft Environment Manager Plugin
*   Pipeline GitHub Notify Step Plugin
*   Pipeline: Groovy Plugin
*   RadarGun Plugin
*   S3 publisher Plugin
*   Script Security Plugin
*   Subversion Plugin

**Descriptions****Sandbox bypass via default method parameter expression in Pipeline: Groovy Plugin**

**SECURITY-1710 / CVE-2020-2109**

Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are subject to sandbox protection in Pipeline: Groovy Plugin 2.79.

**Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1713 / CVE-2020-2110**

Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations. This affects both script execution (typically invoked from other plugins like Pipeline) as well as HTTP endpoints providing sandboxed script validation.

Users with Overall/Read permission can exploit this to bypass sandbox protection and execute arbitrary code on the Jenkins controller.

This issue is due to an incomplete fix of SECURITY-1266.

Script Security Plugin 1.70 disallows all known unsafe AST transformations on imports or when used inside of other annotations.

**Stored XSS vulnerability in Subversion Plugin**

**SECURITY-1725 / CVE-2020-2111**

Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines.

Subversion Plugin 2.13.1 escapes the affected part of the error message.

**Multiple stored XSS vulnerabilities in Git Parameter Plugin**

**SECURITY-1709 / CVE-2020-2112 (parameter name), CVE-2020-2113 (default value)**

Git Parameter Plugin 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

Git Parameter Plugin 0.9.12 escapes the parameter name and default value shown on the UI.

**Credential transmitted in plain text by S3 publisher Plugin**

**SECURITY-1684 / CVE-2020-2114**

S3 publisher Plugin stores a secret key in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 publisher Plugin 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

S3 publisher Plugin 0.11.5 transmits the secret key in its global configuration encrypted.

**XXE vulnerability in NUnit Plugin**

**SECURITY-1752 / CVE-2020-2115**

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML parser.

**CSRF vulnerability and missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials**

**SECURITY-812 (1) / CVE-2020-2116 (CSRF), CVE-2020-2117 (missing permission check)**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

This form validation method requires POST requests and Item/Configure permission in Pipeline GitHub Notify Step Plugin 1.0.5.

**Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin**

**SECURITY-812 (2) / CVE-2020-2118**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline GitHub Notify Step Plugin 1.0.5 requires the permission to configure a project.

**Client secret transmitted in plain text by Azure AD Plugin**

**SECURITY-1717 / CVE-2020-2119**

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

**XXE vulnerability in FitNesse Plugin**

**SECURITY-1751 / CVE-2020-2120**

FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

FitNesse Plugin 1.31 disables external entity processing for its XML parser.

**RCE vulnerability in Google Kubernetes Engine Plugin**

**SECURITY-1731 / CVE-2020-2121**

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

**Stored XSS vulnerability in brakeman Plugin**

**SECURITY-1644 / CVE-2020-2122**

brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability.

This vulnerability can be exploited by users able to control the Brakeman post-build step input data.

brakeman Plugin 0.13 escape affected values from the parsed file as they are recorded.

This fix is only applied to newly recorded data after a fixed version of the plugin is installed; historical data may still contain unsafe values.

**RCE vulnerability in RadarGun Plugin**

**SECURITY-1733 / CVE-2020-2123**

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

**Password stored in plain text by Dynamic Extended Choice Parameter Plugin**

**SECURITY-1560 / CVE-2020-2124**

Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by debian-package-builder Plugin**

**SECURITY-1558 / CVE-2020-2125**

debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Token stored in plain text by DigitalOcean Plugin**

**SECURITY-1559 / CVE-2020-2126**

DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credential stored in plain text by BMC Release Package and Deployment Plugin**

**SECURITY-1547 / CVE-2020-2127**

BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by ECX Copy Data Management Plugin**

**SECURITY-1549 / CVE-2020-2128**

ECX Copy Data Management Plugin 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Eagle Tester Plugin**

**SECURITY-1552 / CVE-2020-2129**

Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by Harvest SCM Plugin**

**SECURITY-1553 / CVE-2020-2130 (global configuration), CVE-2020-2131 (job configuration)**

Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).

As of publication of this advisory, there is no fix.

**Password stored in plain text by Parasoft Environment Manager Plugin**

**SECURITY-1562 / CVE-2020-2132**

Parasoft Environment Manager Plugin 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Applatix Plugin**

**SECURITY-1540 / CVE-2020-2133**

Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-812 (1): High
*   SECURITY-812 (2): Medium
*   SECURITY-1540: Medium
*   SECURITY-1547: Low
*   SECURITY-1549: Medium
*   SECURITY-1552: Low
*   SECURITY-1553: Medium
*   SECURITY-1558: Low
*   SECURITY-1559: Low
*   SECURITY-1560: Medium
*   SECURITY-1562: Medium
*   SECURITY-1644: Medium
*   SECURITY-1684: Low
*   SECURITY-1709: Medium
*   SECURITY-1710: High
*   SECURITY-1713: High
*   SECURITY-1717: Low
*   SECURITY-1725: Medium
*   SECURITY-1731: High
*   SECURITY-1733: High
*   SECURITY-1751: High
*   SECURITY-1752: High

**Affected Versions**

*   **Applatix Plugin** up to and including 1.1
*   **Azure AD Plugin** up to and including 1.1.2
*   **BMC Release Package and Deployment Plugin** up to and including 1.1
*   **brakeman Plugin** up to and including 0.12
*   **debian-package-builder Plugin** up to and including 1.6.11
*   **DigitalOcean Plugin** up to and including 1.1
*   **Dynamic Extended Choice Parameter Plugin** up to and including 1.0.1
*   **Eagle Tester Plugin** up to and including 1.0.9
*   **ECX Copy Data Management Plugin** up to and including 1.9
*   **FitNesse Plugin** up to and including 1.30
*   **Git Parameter Plugin** up to and including 0.9.11
*   **Google Kubernetes Engine Plugin** up to and including 0.8.0
*   **Harvest SCM Plugin** up to and including 0.5.1
*   **NUnit Plugin** up to and including 0.25
*   **Parasoft Environment Manager Plugin** up to and including 2.14
*   **Pipeline GitHub Notify Step Plugin** up to and including 1.0.4
*   **Pipeline: Groovy Plugin** up to and including 2.78
*   **RadarGun Plugin** up to and including 1.7
*   **S3 publisher Plugin** up to and including 0.11.4
*   **Script Security Plugin** up to and including 1.69
*   **Subversion Plugin** up to and including 2.13.0

**Fix**

*   **Azure AD Plugin** should be updated to version 1.2.0
*   **brakeman Plugin** should be updated to version 0.13
*   **FitNesse Plugin** should be updated to version 1.31
*   **Git Parameter Plugin** should be updated to version 0.9.12
*   **Google Kubernetes Engine Plugin** should be updated to version 0.8.1
*   **NUnit Plugin** should be updated to version 0.26
*   **Pipeline GitHub Notify Step Plugin** should be updated to version 1.0.5
*   **Pipeline: Groovy Plugin** should be updated to version 2.79
*   **RadarGun Plugin** should be updated to version 1.8
*   **S3 publisher Plugin** should be updated to version 0.11.5
*   **Script Security Plugin** should be updated to version 1.70
*   **Subversion Plugin** should be updated to version 2.13.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Applatix Plugin
*   BMC Release Package and Deployment Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   Harvest SCM Plugin
*   Parasoft Environment Manager Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Adith Sudhakar** for SECURITY-1644
*   **Daniel Kalinowski of ISEC.pl Research Team** for SECURITY-1731, SECURITY-1733
*   **Federico Pellegrin** for SECURITY-1751, SECURITY-1752
*   **James Holderness, IB Boost** for SECURITY-1540, SECURITY-1547, SECURITY-1549, SECURITY-1552, SECURITY-1553, SECURITY-1558, SECURITY-1559, SECURITY-1560, SECURITY-1562
*   **Joseph Petersen @jetersen** for SECURITY-1717
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1710, SECURITY-1713
*   **Sven Grossmann (@svennergr)** for SECURITY-1709
*   **Thomas de Grenier de Latour** for SECURITY-812 (1), SECURITY-812 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1684, SECURITY-1725

CVE-2020-2118: Jenkins Security Advisory 2020-02-12

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2020-2117: Jenkins Security Advisory 2020-02-12

A missing permission check in Jenkins Health Advisor by CloudBees Plugin 3.0 and earlier allows attackers with Overall/Read permission to send a fixed email to an attacker-specific recipient.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   gitlab-hook Plugin
*   Health Advisor by CloudBees Plugin
*   Redgate SQL Change Automation Plugin
*   Robot Framework Plugin
*   Sounds Plugin

**Descriptions****CSRF vulnerability and missing permission checks in Amazon EC2 Plugin**

**SECURITY-1004 / CVE-2020-2090 (CSRF), CVE-2020-2091 (missing permission check)**

Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

This vulnerability might also allow attackers to capture credentials stored in Jenkins. We have not been able to confirm that this is possible.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Amazon EC2 Plugin 1.48 requires POST requests and Overall/Administer permission for the affected form validation methods.

**XXE vulnerability in Robot Framework Plugin**

**SECURITY-1698 / CVE-2020-2092**

Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Robot Framework Plugin 2.0.1 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin**

**SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)**

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

**Redgate SQL Change Automation Plugin stored credentials in plain text**

**SECURITY-1696 / CVE-2020-2095**

Redgate SQL Change Automation Plugin 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.5 now stores the API key encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

**Reflected XSS vulnerability in gitlab-hook Plugin**

**SECURITY-1683 / CVE-2020-2096**

gitlab-hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint. This results in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Sounds Plugin allow OS command execution**

**SECURITY-814 / CVE-2020-2097 (permission check), CVE-2020-2098 (CSRF)**

Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation. This allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

Additionally, these form validation URLs do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-814: High
*   SECURITY-1004: Low
*   SECURITY-1683: Medium
*   SECURITY-1696: Medium
*   SECURITY-1698: High
*   SECURITY-1708: Medium

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.47
*   **gitlab-hook Plugin** up to and including 1.4.2
*   **Health Advisor by CloudBees Plugin** up to and including 3.0
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.4
*   **Robot Framework Plugin** up to and including 2.0.0
*   **Sounds Plugin** up to and including 0.5

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.48
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.0.1
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.5
*   **Robot Framework Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   gitlab-hook Plugin
*   Sounds Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Ai Ho (@j3ssiejjj)** for SECURITY-1683
*   **Federico Pellegrin** for SECURITY-1698
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1004
*   **Thomas de Grenier de Latour** for SECURITY-814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1696

CVE-2020-2094: Jenkins Security Advisory 2020-01-15

A missing permission check in Jenkins Amazon EC2 Plugin 1.47 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

CVE-2020-2091: Jenkins Security Advisory 2020-01-15

Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   gitlab-hook Plugin
*   Health Advisor by CloudBees Plugin
*   Redgate SQL Change Automation Plugin
*   Robot Framework Plugin
*   Sounds Plugin

**Descriptions****CSRF vulnerability and missing permission checks in Amazon EC2 Plugin**

**SECURITY-1004 / CVE-2020-2090 (CSRF), CVE-2020-2091 (missing permission check)**  
**Severity (CVSS):** Low  
**Affected plugin: ec2**  
**Description:**

Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

This vulnerability might also allow attackers to capture credentials stored in Jenkins. We have not been able to confirm that this is possible.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Amazon EC2 Plugin 1.48 requires POST requests and Overall/Administer permission for the affected form validation methods.

**XXE vulnerability in Robot Framework Plugin**

**SECURITY-1698 / CVE-2020-2092**  
**Severity (CVSS):** High  
**Affected plugin: robot**  
**Description:**

Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Robot Framework Plugin 2.0.1 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin**

**SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-jenkins-advisor**  
**Description:**

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

**Redgate SQL Change Automation Plugin stored credentials in plain text**

**SECURITY-1696 / CVE-2020-2095**  
**Severity (CVSS):** Medium  
**Affected plugin: redgate-sql-ci**  
**Description:**

Redgate SQL Change Automation Plugin 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.5 now stores the API key encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

**Reflected XSS vulnerability in gitlab-hook Plugin**

**SECURITY-1683 / CVE-2020-2096**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-hook**  
**Description:**

gitlab-hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint. This results in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Sounds Plugin allow OS command execution**

**SECURITY-814 / CVE-2020-2097 (permission check), CVE-2020-2098 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: sounds**  
**Description:**

Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation. This allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

Additionally, these form validation URLs do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-814: High
*   SECURITY-1004: Low
*   SECURITY-1683: Medium
*   SECURITY-1696: Medium
*   SECURITY-1698: High
*   SECURITY-1708: Medium

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.47
*   **gitlab-hook Plugin** up to and including 1.4.2
*   **Health Advisor by CloudBees Plugin** up to and including 3.0
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.4
*   **Robot Framework Plugin** up to and including 2.0.0
*   **Sounds Plugin** up to and including 0.5

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.48
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.0.1
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.5
*   **Robot Framework Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   gitlab-hook Plugin
*   Sounds Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Ai Ho (@j3ssiejjj)** for SECURITY-1683
*   **Federico Pellegrin** for SECURITY-1698
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1004
*   **Thomas de Grenier de Latour** for SECURITY-814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1696

CVE-2020-2096: Jenkins Security Advisory 2020-01-15

Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affects view content such as job display name or pipeline stage names.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Alauda DevOps Pipeline Plugin
*   Alauda Kubernetes Suport Plugin
*   Build Failure Analyzer Plugin
*   buildgraph-view Plugin
*   Gerrit Trigger Plugin
*   Mantis Plugin
*   Maven Release Plug-in Plugin
*   Mission Control Plugin
*   Pipeline Aggregator View Plugin
*   RapidDeploy Plugin
*   Redgate SQL Change Automation Plugin
*   Rundeck Plugin
*   SCTMExecutor Plugin
*   Spira Importer Plugin
*   Team Concert Plugin
*   WebSphere Deployer Plugin
*   Weibo Plugin

**Descriptions****XXE vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1681 / CVE-2019-16549 (XXE), CVE-2019-16550 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin retrieves XML from Nexus repository manager APIs. Maven Release Plug-in Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. While Jenkins users without Overall/Administer permission are not allowed to configure a custom Nexus URL, this could still be exploited via man-in-the-middle attacks, especially if it’s not an HTTPS URL.

Additionally, a connection test form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability. Combined, these two vulnerabilities allow attackers to have Jenkins parse crafted XML documents that use external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Maven Release Plug-in Plugin 0.16.2 configures its XML parser to prevent XML external entity (XXE) attacks. It also now requires that requests to the connection test form validation method are done via POST, which protects from cross-site request forgery attacks.

**CSRF vulnerability and missing permission checks in Gerrit Trigger Plugin**

**SECURITY-1527 / CVE-2019-16551 (CSRF), CVE-2019-16552 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: gerrit-trigger**  
**Description:**

Gerrit Trigger Plugin 2.30.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, connecting to an HTTP URL or SSH server using attacker-specified credentials, or determine whether files with an attacker-specified path exist on the Jenkins controller file system.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Gerrit Trigger Plugin 2.30.2 requires POST requests and Overall/Administer permission for the affected form validation methods.

**CSRF vulnerability and missing permission check in Build Failure Analyzer Plugin allow ReDoS**

**SECURITY-1651 / CVE-2019-16553 (CSRF), CVE-2019-16554 (missing permission check), CVE-2019-16555 (resource consumption)**  
**Severity (CVSS):** Medium  
**Affected plugin: build-failure-analyzer**  
**Description:**

Build Failure Analyzer Plugin 1.24.1 and earlier does not perform a permission check in a method performing form validation. This allows users with Overall/Read access to supply a computationally expensive regular expression that will hang the request handling thread.

Additionally, this form validation method does not require POST requests, resulting in a CSRF vulnerability.

Build Failure Analyzer Plugin 1.24.2 requires POST requests and implements a permission check for the affected form validation methods so that only authorized users are able to submit regular expressions.

Additionally, the regular expression is implemented in an interruptible way, so that unintentionally expensive regular expression processing can be interrupted.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-1593 / CVE-2019-16564**  
**Severity (CVSS):** Medium  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.8 and earlier does not escape the information shown on the view it provides, such as stage names or job names.

This results in a stored cross-site scripting vulnerability exploitable by users able to configure jobs, define pipeline stages, or otherwise affect the information shown by Pipeline Aggregator View Plugin.

Pipeline Aggregator View Plugin 1.9 escapes user-controlled information on the view it provides.

**Rundeck Plugin stored credentials in plain text**

**SECURITY-1636 / CVE-2019-16556**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.5 and earlier stores credentials as part of its global configuration file org.jenkinsci.plugins.rundeck.RundeckNotifier.xml and job config.xml files on the Jenkins controller. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system.

Rundeck Plugin 3.6.6 stores credentials in its configuration encrypted once global and/or job configurations are saved again.

**Redgate SQL Change Automation Plugin stores credentials in plain text**

**SECURITY-1598 / CVE-2019-16557**  
**Severity (CVSS):** Medium  
**Affected plugin: redgate-sql-ci**  
**Description:**

Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins controller as part of its build step configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.4 stores its credentials encrypted once job configurations are saved again.

**SSL/TLS certificate validation globally and unconditionally disabled by Spira Importer Plugin**

**SECURITY-1580 / CVE-2019-16558**  
**Severity (CVSS):** Medium  
**Affected plugin: inflectra-spira-integration**  
**Description:**

Spira Importer Plugin 3.2.3 and earlier unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

Spira Importer Plugin 3.2.4 no longer disables SSL/TLS certificate validation.

**CSRF vulnerability and missing permission checks in WebSphere Deployer Plugin**

**SECURITY-1371 / CVE-2019-16559 (permission check), CVE-2019-16560 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: websphere-deployer**  
**Description:**

WebSphere Deployer Plugin 1.6.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, determine whether files with an attacker-specified path exist on the Jenkins controller file system, and obtain limited information about the Jenkins and plugin configuration based on the responses. The latter include the ability to set plugin configuration options.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**SSL/TLS certificate validation globally and unconditionally disabled by WebSphere Deployer Plugin**

**SECURITY-1581 / CVE-2019-16561**  
**Severity (CVSS):** Medium  
**Affected plugin: websphere-deployer**  
**Description:**

WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM, or specify a new Java keystore from a file stored on the Jenkins controller filesystem.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in buildgraph-view Plugin**

**SECURITY-1591 / CVE-2019-16562**  
**Severity (CVSS):** Medium  
**Affected plugin: buildgraph-view**  
**Description:**

buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the build description.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Mission Control Plugin**

**SECURITY-1592 / CVE-2019-16563**  
**Severity (CVSS):** Medium  
**Affected plugin: mission-control-view**  
**Description:**

Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names in the view it provides.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change these properties.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Team Concert Plugin allows capturing credentials**

**SECURITY-1605 (1) / CVE-2019-16565 (CSRF), CVE-2019-16566 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Users with Overall/Read access can enumerate credential IDs in Team Concert Plugin**

**SECURITY-1605 (2) / CVE-2019-16567**  
**Severity (CVSS):** Medium  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 1.3.0 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**SCTMExecutor Plugin stores credentials in plain text**

**SECURITY-1521 / CVE-2019-16568**  
**Severity (CVSS):** Low  
**Affected plugin: SCTMExecutor**  
**Description:**

SCTMExecutor Plugin 2.2 and earlier stores Silk Central credentials in the global Jenkins configuration and in job config.xml files.

While these credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of these credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Mantis Plugin**

**SECURITY-1603 / CVE-2019-16569**  
**Severity (CVSS):** Medium  
**Affected plugin: mantis**  
**Description:**

Mantis Plugin 0.26 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Mantis-related paths on an attacker-specified web server using attacker-specified credentials.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in RapidDeploy Plugin allow SSRF**

**SECURITY-1604 / CVE-2019-16570 (CSRF), CVE-2019-16571 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.1 and earlier does not perform a permission check on form validation methods. This allows users with Overall/Read access to Jenkins to connect to RapidDeploy-related paths on an attacker-specified web server.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Weibo Plugin stores credentials in plain text**

**SECURITY-1597 / CVE-2019-16572**  
**Severity (CVSS):** Low  
**Affected plugin: weibo**  
**Description:**

Weibo Plugin 1.0.1 and earlier stores a credential unencrypted in its global configuration file org.jenkinsci.plugins.weibo.WeiboNotifier.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Alauda DevOps Pipeline Plugin allows capturing credentials**

**SECURITY-1600 / CVE-2019-16573 (CSRF), CVE-2019-16574 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: alauda-devops-pipeline**  
**Description:**

Alauda DevOps Pipeline Plugin 2.3.2 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing token credentials managed by Alauda DevOps Pipeline Plugin.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Alauda Kubernetes Suport Plugin**

**SECURITY-1602 / CVE-2019-16575 (CSRF), CVE-2019-16576 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: alauda-kubernetes-support**  
**Description:**

Alauda Kubernetes Suport Plugin 2.3.0 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing 'Secret Text' credentials stored in Jenkins.

Additionally, if no credentials ID is specified, the connection uses the default Kubernetes token from /var/run/secrets/kubernetes.io/serviceaccount/token.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1371: Medium
*   SECURITY-1521: Low
*   SECURITY-1527: Medium
*   SECURITY-1580: Medium
*   SECURITY-1581: Medium
*   SECURITY-1591: Medium
*   SECURITY-1592: Medium
*   SECURITY-1593: Medium
*   SECURITY-1597: Low
*   SECURITY-1598: Medium
*   SECURITY-1600: Medium
*   SECURITY-1602: Medium
*   SECURITY-1603: Medium
*   SECURITY-1604: Medium
*   SECURITY-1605 (1): High
*   SECURITY-1605 (2): Medium
*   SECURITY-1636: Medium
*   SECURITY-1651: Medium
*   SECURITY-1681: High

**Affected Versions**

*   **Alauda DevOps Pipeline Plugin** up to and including 2.3.2
*   **Alauda Kubernetes Suport Plugin** up to and including 2.3.0
*   **Build Failure Analyzer Plugin** up to and including 1.24.1
*   **buildgraph-view Plugin** up to and including 1.8
*   **Gerrit Trigger Plugin** up to and including 2.30.1
*   **Mantis Plugin** up to and including 0.26
*   **Maven Release Plug-in Plugin** up to and including 0.16.1
*   **Mission Control Plugin** up to and including 0.9.16
*   **Pipeline Aggregator View Plugin** up to and including 1.8
*   **RapidDeploy Plugin** up to and including 4.1
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.3
*   **Rundeck Plugin** up to and including 3.6.5
*   **SCTMExecutor Plugin** up to and including 2.2
*   **Spira Importer Plugin** up to and including 3.2.3
*   **Team Concert Plugin** up to and including 1.3.0
*   **WebSphere Deployer Plugin** up to and including 1.6.1
*   **Weibo Plugin** up to and including 1.0.1

**Fix**

*   **Build Failure Analyzer Plugin** should be updated to version 1.24.2
*   **Gerrit Trigger Plugin** should be updated to version 2.30.2
*   **Maven Release Plug-in Plugin** should be updated to version 0.16.2
*   **Pipeline Aggregator View Plugin** should be updated to version 1.9
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.4
*   **Rundeck Plugin** should be updated to version 3.6.6
*   **Spira Importer Plugin** should be updated to version 3.2.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Alauda DevOps Pipeline Plugin
*   Alauda Kubernetes Suport Plugin
*   buildgraph-view Plugin
*   Mantis Plugin
*   Mission Control Plugin
*   RapidDeploy Plugin
*   SCTMExecutor Plugin
*   Team Concert Plugin
*   WebSphere Deployer Plugin
*   Weibo Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alex Earl (@alexcearl), Marvell Semiconductor, Inc.** for SECURITY-1527
*   **Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/** for SECURITY-1681
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1371, SECURITY-1580, SECURITY-1581, SECURITY-1651
*   **James Holderness, IB Boost** for SECURITY-1521
*   **Viktor Gazdag NCC Group** for SECURITY-1591, SECURITY-1592, SECURITY-1593, SECURITY-1597, SECURITY-1598, SECURITY-1600, SECURITY-1602, SECURITY-1603, SECURITY-1604, SECURITY-1605 (1), SECURITY-1605 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1636

Tag

#ssrf