Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AWSEB Deployment Plugin
*   Code Coverage Plugin
*   FitNesse Plugin
*   Gatling Plugin
*   useMango Runner Plugin

**Descriptions****XXE vulnerability in Code Coverage Plugin**

**SECURITY-1699 / CVE-2020-2172**  
**Severity (CVSS):** High  
**Affected plugin: code-coverage-api**  
**Description:**

Code Coverage Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the "Publish Coverage Report" post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Code Coverage Plugin 1.1.5 disables external entity resolution for its XML parser.

**XSS vulnerability in Gatling Plugin**

**SECURITY-1633 / CVE-2020-2173**  
**Severity (CVSS):** Medium  
**Affected plugin: gatling**  
**Description:**

Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

Gatling Plugin 1.3.0 no longer allows viewing Gatling reports directly in Jenkins. Instead users need to download an archive containing the report.

**Reflected XSS vulnerability in AWSEB Deployment Plugin**

**SECURITY-1769 / CVE-2020-2174**  
**Severity (CVSS):** Medium  
**Affected plugin: awseb-deployment-plugin**  
**Description:**

AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output.

This results in a reflected cross-site scripting (XSS) vulnerability.

AWSEB Deployment Plugin 0.3.20 escapes the values printed as part of the affected form validation endpoints.

**Stored XSS vulnerability in FitNesse Plugin**

**SECURITY-1801 / CVE-2020-2175**  
**Severity (CVSS):** Medium  
**Affected plugin: fitnesse**  
**Description:**

FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.

FitNesse Plugin 1.33 escapes content from XML input files before rendering it on the Jenkins UI.

**XSS vulnerability in useMango Runner Plugin**

**SECURITY-1780 / CVE-2020-2176**  
**Severity (CVSS):** Medium  
**Affected plugin: usemango-runner**  
**Description:**

Multiple form validation endpoints in useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service.

This results in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.

useMango Runner Plugin 1.5 escapes all values received from the useMango service in form validation messages.

**Severity**

*   SECURITY-1633: Medium
*   SECURITY-1699: High
*   SECURITY-1769: Medium
*   SECURITY-1780: Medium
*   SECURITY-1801: Medium

**Affected Versions**

*   **AWSEB Deployment Plugin** up to and including 0.3.19
*   **Code Coverage Plugin** up to and including 1.1.4
*   **FitNesse Plugin** up to and including 1.31
*   **Gatling Plugin** up to and including 1.2.7
*   **useMango Runner Plugin** up to and including 1.4

**Fix**

*   **AWSEB Deployment Plugin** should be updated to version 0.3.20
*   **Code Coverage Plugin** should be updated to version 1.1.5
*   **FitNesse Plugin** should be updated to version 1.33
*   **Gatling Plugin** should be updated to version 1.3.0
*   **useMango Runner Plugin** should be updated to version 1.5

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1633
*   **Federico Pellegrin** for SECURITY-1699, SECURITY-1801
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1769, SECURITY-1780

CVE-2020-2173: Jenkins Security Advisory 2020-04-07

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Artifactory Plugin
*   Azure Container Service Plugin
*   OpenShift Pipeline Plugin
*   Pipeline: AWS Steps Plugin
*   Queue cleanup Plugin
*   RapidDeploy Plugin

**Descriptions****CSRF protection for any URL could be bypassed**

**SECURITY-1774 / CVE-2020-2160**  
**Severity (CVSS):** High  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL.

Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses.

In case of problems, administrators can disable this security fix by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true.

As an additional safeguard, semicolon (;) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath to true.

**Stored XSS vulnerability in label expression validation**

**SECURITY-1781 / CVE-2020-2161**  
**Severity (CVSS):** Medium  
**Description:**

Users with Agent/Configure permissions can define labels for nodes. These labels can be referenced in job configurations to restrict where a job can be run.

In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation for label expressions in job configuration forms did not properly escape label names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to define node labels.

Jenkins now correctly escapes node labels that are shown in form validation on job configuration pages.

**Stored XSS vulnerability in file parameters**

**SECURITY-1793 / CVE-2020-2162**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate Content-Security-Policy HTTP headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.

Jenkins now sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.

The system property hudson.model.DirectoryBrowserSupport.CSP can be set to override the value of Content-Security-Policy headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the Resource Root URL and works the same way for file parameters. See Configuring Content Security Policy to learn more.

Even when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to Content-Security-Policy restrictions.

**Stored XSS vulnerability in list view column headers**

**SECURITY-1796 / CVE-2020-2163**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded in list view column headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the content of column headers.

The following plugins are known to allow users to define column headers:

*   Warnings NG
    
*   Maven Info
    
*   Link Column
    

Further plugins may also allow users to define column headers.

Jenkins no longer processes HTML embedded in list view column headers.

**Passwords stored in plain text by Artifactory Plugin**

**SECURITY-1542 (1) / CVE-2020-2164**  
**Severity (CVSS):** Low  
**Description:**

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml. This password can be viewed by users with access to the Jenkins controller file system.

Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.

**Passwords transmitted in plain text by Artifactory Plugin**

**SECURITY-1542 (2) / CVE-2020-2165**  
**Severity (CVSS):** Low  
**Affected plugin: artifactory**  
**Description:**

Artifactory Plugin stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins controller as part of its configuration.

While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.

**RCE vulnerability in Pipeline: AWS Steps Plugin**

**SECURITY-1741 / CVE-2020-2166**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aws**  
**Description:**

Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipeline: AWS Steps Plugin’s build steps.

Pipeline: AWS Steps Plugin 1.41 configures its YAML parser to only instantiate safe types.

**RCE vulnerability in OpenShift Pipeline Plugin**

**SECURITY-1739 / CVE-2020-2167**  
**Severity (CVSS):** High  
**Affected plugin: openshift-pipeline**  
**Description:**

OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to OpenShift Pipeline Plugin’s build step.

OpenShift Pipeline Plugin 1.0.57 configures its YAML parser to only instantiate safe types.

**RCE vulnerability in Azure Container Service Plugin**

**SECURITY-1732 / CVE-2020-2168**  
**Severity (CVSS):** High  
**Affected plugin: azure-acs**  
**Description:**

Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Azure Container Service Plugin’s build step.

Azure Container Service Plugin 1.0.2 configures its YAML parser to only instantiate safe types.

**Reflected XSS vulnerability in Queue cleanup Plugin**

**SECURITY-1724 / CVE-2020-2169**  
**Severity (CVSS):** Medium  
**Affected plugin: queue-cleanup**  
**Description:**

A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting vulnerability (XSS).

Queue cleanup Plugin 1.4 correctly escapes the query parameter.

**Stored XSS vulnerability in RapidDeploy Plugin**

**SECURITY-1676 / CVE-2020-2170**  
**Severity (CVSS):** Medium  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure jobs.

RapidDeploy Plugin 4.2.1 escapes package names.

**XXE vulnerability in RapidDeploy Plugin**

**SECURITY-1677 / CVE-2020-2171**  
**Severity (CVSS):** High  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'RapidDeploy deployment package build' build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

RapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.

**Severity**

*   SECURITY-1542 (1): Low
*   SECURITY-1542 (2): Low
*   SECURITY-1676: Medium
*   SECURITY-1677: High
*   SECURITY-1724: Medium
*   SECURITY-1732: High
*   SECURITY-1739: High
*   SECURITY-1741: High
*   SECURITY-1774: High
*   SECURITY-1781: Medium
*   SECURITY-1793: Medium
*   SECURITY-1796: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.227
*   **Jenkins LTS** up to and including 2.204.5
*   **Artifactory Plugin** up to and including 3.6.0
*   **Azure Container Service Plugin** up to and including 1.0.1
*   **OpenShift Pipeline Plugin** up to and including 1.0.56
*   **Pipeline: AWS Steps Plugin** up to and including 1.40
*   **Queue cleanup Plugin** up to and including 1.3
*   **RapidDeploy Plugin** up to and including 4.2

**Fix**

*   **Jenkins weekly** should be updated to version 2.228
*   **Jenkins LTS** should be updated to version 2.204.6 or 2.222.1
*   **Artifactory Plugin** should be updated to version 3.6.1
*   **Azure Container Service Plugin** should be updated to version 1.0.2
*   **OpenShift Pipeline Plugin** should be updated to version 1.0.57
*   **Pipeline: AWS Steps Plugin** should be updated to version 1.41
*   **Queue cleanup Plugin** should be updated to version 1.4
*   **RapidDeploy Plugin** should be updated to version 4.2.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1676, SECURITY-1677
*   **Daniel Kalinowski of ISEC.pl Research Team** for SECURITY-1732
*   **James Holderness, IB Boost, and independently, ethorsa** for SECURITY-1542 (1)
*   **Nick Collisson from Gemini Trust Company, LLC.** for SECURITY-1774
*   **Phu X. Mai, University of Luxembourg** for SECURITY-1793
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1724, SECURITY-1781

CVE-2020-2163: Jenkins Security Advisory 2020-03-25

A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.

CVE-2020-2169: Jenkins Security Advisory 2020-03-25

Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.

CVE-2020-2170: Jenkins Security Advisory 2020-03-25

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.

CVE-2019-19034: AssetExplorer ITAM Solution ServicePacks Readme

Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Audit Trail Plugin
*   Backlog Plugin
*   Cobertura Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Git Plugin
*   Literate Plugin
*   Logstash Plugin
*   Mac Plugin
*   OpenShift Deployer Plugin
*   P4 Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Rundeck Plugin
*   Script Security Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Timestamper Plugin
*   Zephyr Enterprise Test Management Plugin
*   Zephyr for JIRA Test Management Plugin

**Descriptions****Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1754 / CVE-2020-2134 (constructors), CVE-2020-2135 (GroovyInterceptable)**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:

*   Crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582)
    
*   Crafted method calls on objects that implement GroovyInterceptable
    

This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement GroovyInterceptable as calls to GroovyObject#invokeMethod(String, Object), which is on the list of dangerous signatures and should not be approved for use in the sandbox.

**Stored XSS vulnerability in Git Plugin**

**SECURITY-1723 / CVE-2020-2136**  
**Severity (CVSS):** Medium  
**Affected plugin: git**  
**Description:**

Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

Git Plugin 4.2.1 escapes the affected part of the error message.

**Stored XSS vulnerability in Timestamper Plugin**

**SECURITY-1784 / CVE-2020-2137**  
**Severity (CVSS):** Medium  
**Affected plugin: timestamper**  
**Description:**

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission.

Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

**XXE vulnerability in Cobertura Plugin**

**SECURITY-1700 / CVE-2020-2138**  
**Severity (CVSS):** High  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Cobertura Coverage Report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Cobertura Plugin 1.16 disables external entity resolution for its XML parser.

**Arbitrary file write vulnerability in Cobertura Plugin**

**SECURITY-1668 / CVE-2020-2139**  
**Severity (CVSS):** Medium  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not validate file paths from the XML file it parses.

This allows attackers able to control the coverage report content to overwrite any file on the Jenkins controller file system.

Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory.

**XSS vulnerability in Audit Trail Plugin**

**SECURITY-1722 / CVE-2020-2140**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Overall/Administer permission.

Audit Trail Plugin 3.3 escapes the affected part of the error message.

**CSRF vulnerability and missing permission checks in P4 Plugin**

**SECURITY-1765 / CVE-2020-2141 (CSRF), CVE-2020-2142 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: p4**  
**Description:**

P4 Plugin 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger builds or add labels in the Perforce repository.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

P4 Plugin 1.10.11 requires POST requests and appropriate user permissions for the affected HTTP endpoints.

**Credentials transmitted in plain text by Logstash Plugin**

**SECURITY-1516 / CVE-2020-2143**  
**Severity (CVSS):** Low  
**Affected plugin: logstash**  
**Description:**

Logstash Plugin stores credentials in its global configuration file jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Logstash Plugin 2.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Logstash Plugin 2.3.2 transmits the credentials in its global configuration encrypted.

**XXE vulnerability in Rundeck Plugin**

**SECURITY-1702 / CVE-2020-2144**  
**Severity (CVSS):** High  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Rundeck Plugin 3.6.7 disables external entity resolution for its XML parser.

**Credentials stored in plain text by Zephyr Enterprise Test Management Plugin**

**SECURITY-1596 / CVE-2020-2145**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-enterprise-test-management**  
**Description:**

Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins controller file system.

Zephyr Enterprise Test Management Plugin 1.10 integrates with Credentials Plugin.

**Missing SSH host key validation in Mac Plugin**

**SECURITY-1692 / CVE-2020-2146**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.

**CSRF vulnerability and missing permission checks in Mac Plugin**

**SECURITY-1761 / CVE-2020-2147 (CSRF), CVE-2020-2148 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH host using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer permission in Mac Plugin 1.2.0.

**Credentials transmitted in plain text by Repository Connector Plugin**

**SECURITY-1520 / CVE-2020-2149**  
**Severity (CVSS):** Low  
**Affected plugin: repository-connector**  
**Description:**

Repository Connector Plugin stores credentials in its global configuration file org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Repository Connector Plugin 1.2.6 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Sonar Quality Gates Plugin**

**SECURITY-1523 / CVE-2020-2150**  
**Severity (CVSS):** Low  
**Affected plugin: sonar-quality-gates**  
**Description:**

Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Sonar Quality Gates Plugin 1.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Quality Gates Plugin**

**SECURITY-1519 / CVE-2020-2151**  
**Severity (CVSS):** Low  
**Affected plugin: quality-gates**  
**Description:**

Quality Gates Plugin stores credentials in its global configuration file quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Quality Gates Plugin 2.5 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**XSS vulnerability in Subversion Release Manager Plugin**

**SECURITY-1727 / CVE-2020-2152**  
**Severity (CVSS):** Medium  
**Affected plugin: svn-release-mgr**  
**Description:**

Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Backlog Plugin**

**SECURITY-1510 / CVE-2020-2153**  
**Severity (CVSS):** Low  
**Affected plugin: backlog**  
**Description:**

Backlog Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Backlog Plugin 2.4 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by Zephyr for JIRA Test Management Plugin**

**SECURITY-1550 / CVE-2020-2154**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-for-jira-test-management**  
**Description:**

Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by OpenShift Deployer Plugin**

**SECURITY-1518 / CVE-2020-2155**  
**Severity (CVSS):** Low  
**Affected plugin: openshift-deployer**  
**Description:**

OpenShift Deployer Plugin stores credentials in its global configuration file org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by OpenShift Deployer Plugin 1.2.0 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by DeployHub Plugin**

**SECURITY-1511 / CVE-2020-2156**  
**Severity (CVSS):** Low  
**Affected plugin: deployhub**  
**Description:**

DeployHub Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by DeployHub Plugin 8.0.14 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Skytap Cloud CI Plugin**

**SECURITY-1522 / CVE-2020-2157**  
**Severity (CVSS):** Low  
**Affected plugin: skytap**  
**Description:**

Skytap Cloud CI Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Skytap Cloud CI Plugin 2.07 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**RCE vulnerability in Literate Plugin**

**SECURITY-1750 / CVE-2020-2158**  
**Severity (CVSS):** High  
**Affected plugin: literate**  
**Description:**

Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Literate Plugin’s build step.

As of publication of this advisory, there is no fix.

**OS command injection in CryptoMove Plugin**

**SECURITY-1635 / CVE-2020-2159**  
**Severity (CVSS):** High  
**Affected plugin: cryptomove**  
**Description:**

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration.

This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1510: Low
*   SECURITY-1511: Low
*   SECURITY-1516: Low
*   SECURITY-1518: Low
*   SECURITY-1519: Low
*   SECURITY-1520: Low
*   SECURITY-1522: Low
*   SECURITY-1523: Low
*   SECURITY-1550: Low
*   SECURITY-1596: Low
*   SECURITY-1635: High
*   SECURITY-1668: Medium
*   SECURITY-1692: Medium
*   SECURITY-1700: High
*   SECURITY-1702: High
*   SECURITY-1722: Medium
*   SECURITY-1723: Medium
*   SECURITY-1727: Medium
*   SECURITY-1750: High
*   SECURITY-1754: High
*   SECURITY-1761: Medium
*   SECURITY-1765: Medium
*   SECURITY-1784: Medium

**Affected Versions**

*   **Audit Trail Plugin** up to and including 3.2
*   **Backlog Plugin** up to and including 2.4
*   **Cobertura Plugin** up to and including 1.15
*   **CryptoMove Plugin** up to and including 0.1.33
*   **DeployHub Plugin** up to and including 8.0.14
*   **Git Plugin** up to and including 4.2.0
*   **Literate Plugin** up to and including 1.0
*   **Logstash Plugin** up to and including 2.3.1
*   **Mac Plugin** up to and including 1.1.0
*   **OpenShift Deployer Plugin** up to and including 1.2.0
*   **P4 Plugin** up to and including 1.10.10
*   **Quality Gates Plugin** up to and including 2.5
*   **Repository Connector Plugin** up to and including 1.2.6
*   **Rundeck Plugin** up to and including 3.6.6
*   **Script Security Plugin** up to and including 1.70
*   **Skytap Cloud CI Plugin** up to and including 2.07
*   **Sonar Quality Gates Plugin** up to and including 1.3.1
*   **Subversion Release Manager Plugin** up to and including 1.2
*   **Timestamper Plugin** up to and including 1.11.1
*   **Zephyr Enterprise Test Management Plugin** up to and including 1.9.1
*   **Zephyr for JIRA Test Management Plugin** up to and including 1.5

**Fix**

*   **Audit Trail Plugin** should be updated to version 3.3
*   **Cobertura Plugin** should be updated to version 1.16
*   **Git Plugin** should be updated to version 4.2.1
*   **Logstash Plugin** should be updated to version 2.3.2
*   **Mac Plugin** should be updated to version 1.2.0
*   **P4 Plugin** should be updated to version 1.10.11
*   **Rundeck Plugin** should be updated to version 3.6.7
*   **Script Security Plugin** should be updated to version 1.71
*   **Timestamper Plugin** should be updated to version 1.11.2
*   **Zephyr Enterprise Test Management Plugin** should be updated to version 1.10

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Backlog Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Literate Plugin
*   OpenShift Deployer Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Zephyr for JIRA Test Management Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/** for SECURITY-1702
*   **Federico Pellegrin** for SECURITY-1668, SECURITY-1700
*   **Ian Williams** for SECURITY-1596
*   **James Holderness, IB Boost** for SECURITY-1510, SECURITY-1511, SECURITY-1516, SECURITY-1518, SECURITY-1519, SECURITY-1520, SECURITY-1522, SECURITY-1523, SECURITY-1550
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1754
*   **Raihaan Shouhell, Autodesk, Inc** for SECURITY-1692
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1722, SECURITY-1723, SECURITY-1727, SECURITY-1761, SECURITY-1765, SECURITY-1784
*   **Wasin Saengow** for SECURITY-1635

CVE-2020-2137: Jenkins Security Advisory 2020-03-09

Jenkins CryptoMove Plugin 0.1.33 and earlier allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins.

CVE-2020-2159: Jenkins Security Advisory 2020-03-09

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Applatix Plugin
*   Azure AD Plugin
*   BMC Release Package and Deployment Plugin
*   brakeman Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   FitNesse Plugin
*   Git Parameter Plugin
*   Google Kubernetes Engine Plugin
*   Harvest SCM Plugin
*   NUnit Plugin
*   Parasoft Environment Manager Plugin
*   Pipeline GitHub Notify Step Plugin
*   Pipeline: Groovy Plugin
*   RadarGun Plugin
*   S3 publisher Plugin
*   Script Security Plugin
*   Subversion Plugin

**Descriptions****Sandbox bypass via default method parameter expression in Pipeline: Groovy Plugin**

**SECURITY-1710 / CVE-2020-2109**

Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are subject to sandbox protection in Pipeline: Groovy Plugin 2.79.

**Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1713 / CVE-2020-2110**

Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations. This affects both script execution (typically invoked from other plugins like Pipeline) as well as HTTP endpoints providing sandboxed script validation.

Users with Overall/Read permission can exploit this to bypass sandbox protection and execute arbitrary code on the Jenkins controller.

This issue is due to an incomplete fix of SECURITY-1266.

Script Security Plugin 1.70 disallows all known unsafe AST transformations on imports or when used inside of other annotations.

**Stored XSS vulnerability in Subversion Plugin**

**SECURITY-1725 / CVE-2020-2111**

Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines.

Subversion Plugin 2.13.1 escapes the affected part of the error message.

**Multiple stored XSS vulnerabilities in Git Parameter Plugin**

**SECURITY-1709 / CVE-2020-2112 (parameter name), CVE-2020-2113 (default value)**

Git Parameter Plugin 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

Git Parameter Plugin 0.9.12 escapes the parameter name and default value shown on the UI.

**Credential transmitted in plain text by S3 publisher Plugin**

**SECURITY-1684 / CVE-2020-2114**

S3 publisher Plugin stores a secret key in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 publisher Plugin 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

S3 publisher Plugin 0.11.5 transmits the secret key in its global configuration encrypted.

**XXE vulnerability in NUnit Plugin**

**SECURITY-1752 / CVE-2020-2115**

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML parser.

**CSRF vulnerability and missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials**

**SECURITY-812 (1) / CVE-2020-2116 (CSRF), CVE-2020-2117 (missing permission check)**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

This form validation method requires POST requests and Item/Configure permission in Pipeline GitHub Notify Step Plugin 1.0.5.

**Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin**

**SECURITY-812 (2) / CVE-2020-2118**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline GitHub Notify Step Plugin 1.0.5 requires the permission to configure a project.

**Client secret transmitted in plain text by Azure AD Plugin**

**SECURITY-1717 / CVE-2020-2119**

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

**XXE vulnerability in FitNesse Plugin**

**SECURITY-1751 / CVE-2020-2120**

FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

FitNesse Plugin 1.31 disables external entity processing for its XML parser.

**RCE vulnerability in Google Kubernetes Engine Plugin**

**SECURITY-1731 / CVE-2020-2121**

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

**Stored XSS vulnerability in brakeman Plugin**

**SECURITY-1644 / CVE-2020-2122**

brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability.

This vulnerability can be exploited by users able to control the Brakeman post-build step input data.

brakeman Plugin 0.13 escape affected values from the parsed file as they are recorded.

This fix is only applied to newly recorded data after a fixed version of the plugin is installed; historical data may still contain unsafe values.

**RCE vulnerability in RadarGun Plugin**

**SECURITY-1733 / CVE-2020-2123**

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

**Password stored in plain text by Dynamic Extended Choice Parameter Plugin**

**SECURITY-1560 / CVE-2020-2124**

Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by debian-package-builder Plugin**

**SECURITY-1558 / CVE-2020-2125**

debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Token stored in plain text by DigitalOcean Plugin**

**SECURITY-1559 / CVE-2020-2126**

DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credential stored in plain text by BMC Release Package and Deployment Plugin**

**SECURITY-1547 / CVE-2020-2127**

BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by ECX Copy Data Management Plugin**

**SECURITY-1549 / CVE-2020-2128**

ECX Copy Data Management Plugin 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Eagle Tester Plugin**

**SECURITY-1552 / CVE-2020-2129**

Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by Harvest SCM Plugin**

**SECURITY-1553 / CVE-2020-2130 (global configuration), CVE-2020-2131 (job configuration)**

Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).

As of publication of this advisory, there is no fix.

**Password stored in plain text by Parasoft Environment Manager Plugin**

**SECURITY-1562 / CVE-2020-2132**

Parasoft Environment Manager Plugin 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Applatix Plugin**

**SECURITY-1540 / CVE-2020-2133**

Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-812 (1): High
*   SECURITY-812 (2): Medium
*   SECURITY-1540: Medium
*   SECURITY-1547: Low
*   SECURITY-1549: Medium
*   SECURITY-1552: Low
*   SECURITY-1553: Medium
*   SECURITY-1558: Low
*   SECURITY-1559: Low
*   SECURITY-1560: Medium
*   SECURITY-1562: Medium
*   SECURITY-1644: Medium
*   SECURITY-1684: Low
*   SECURITY-1709: Medium
*   SECURITY-1710: High
*   SECURITY-1713: High
*   SECURITY-1717: Low
*   SECURITY-1725: Medium
*   SECURITY-1731: High
*   SECURITY-1733: High
*   SECURITY-1751: High
*   SECURITY-1752: High

**Affected Versions**

*   **Applatix Plugin** up to and including 1.1
*   **Azure AD Plugin** up to and including 1.1.2
*   **BMC Release Package and Deployment Plugin** up to and including 1.1
*   **brakeman Plugin** up to and including 0.12
*   **debian-package-builder Plugin** up to and including 1.6.11
*   **DigitalOcean Plugin** up to and including 1.1
*   **Dynamic Extended Choice Parameter Plugin** up to and including 1.0.1
*   **Eagle Tester Plugin** up to and including 1.0.9
*   **ECX Copy Data Management Plugin** up to and including 1.9
*   **FitNesse Plugin** up to and including 1.30
*   **Git Parameter Plugin** up to and including 0.9.11
*   **Google Kubernetes Engine Plugin** up to and including 0.8.0
*   **Harvest SCM Plugin** up to and including 0.5.1
*   **NUnit Plugin** up to and including 0.25
*   **Parasoft Environment Manager Plugin** up to and including 2.14
*   **Pipeline GitHub Notify Step Plugin** up to and including 1.0.4
*   **Pipeline: Groovy Plugin** up to and including 2.78
*   **RadarGun Plugin** up to and including 1.7
*   **S3 publisher Plugin** up to and including 0.11.4
*   **Script Security Plugin** up to and including 1.69
*   **Subversion Plugin** up to and including 2.13.0

**Fix**

*   **Azure AD Plugin** should be updated to version 1.2.0
*   **brakeman Plugin** should be updated to version 0.13
*   **FitNesse Plugin** should be updated to version 1.31
*   **Git Parameter Plugin** should be updated to version 0.9.12
*   **Google Kubernetes Engine Plugin** should be updated to version 0.8.1
*   **NUnit Plugin** should be updated to version 0.26
*   **Pipeline GitHub Notify Step Plugin** should be updated to version 1.0.5
*   **Pipeline: Groovy Plugin** should be updated to version 2.79
*   **RadarGun Plugin** should be updated to version 1.8
*   **S3 publisher Plugin** should be updated to version 0.11.5
*   **Script Security Plugin** should be updated to version 1.70
*   **Subversion Plugin** should be updated to version 2.13.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Applatix Plugin
*   BMC Release Package and Deployment Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   Harvest SCM Plugin
*   Parasoft Environment Manager Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Adith Sudhakar** for SECURITY-1644
*   **Daniel Kalinowski of ISEC.pl Research Team** for SECURITY-1731, SECURITY-1733
*   **Federico Pellegrin** for SECURITY-1751, SECURITY-1752
*   **James Holderness, IB Boost** for SECURITY-1540, SECURITY-1547, SECURITY-1549, SECURITY-1552, SECURITY-1553, SECURITY-1558, SECURITY-1559, SECURITY-1560, SECURITY-1562
*   **Joseph Petersen @jetersen** for SECURITY-1717
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1710, SECURITY-1713
*   **Sven Grossmann (@svennergr)** for SECURITY-1709
*   **Thomas de Grenier de Latour** for SECURITY-812 (1), SECURITY-812 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1684, SECURITY-1725

CVE-2020-2118: Jenkins Security Advisory 2020-02-12

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2020-2117: Jenkins Security Advisory 2020-02-12

Jenkins Gitlab Hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint, resulting in a reflected XSS vulnerability.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Amazon EC2 Plugin
*   gitlab-hook Plugin
*   Health Advisor by CloudBees Plugin
*   Redgate SQL Change Automation Plugin
*   Robot Framework Plugin
*   Sounds Plugin

**Descriptions****CSRF vulnerability and missing permission checks in Amazon EC2 Plugin**

**SECURITY-1004 / CVE-2020-2090 (CSRF), CVE-2020-2091 (missing permission check)**  
**Severity (CVSS):** Low  
**Affected plugin: ec2**  
**Description:**

Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method.

This vulnerability might also allow attackers to capture credentials stored in Jenkins. We have not been able to confirm that this is possible.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Amazon EC2 Plugin 1.48 requires POST requests and Overall/Administer permission for the affected form validation methods.

**XXE vulnerability in Robot Framework Plugin**

**SECURITY-1698 / CVE-2020-2092**  
**Severity (CVSS):** High  
**Affected plugin: robot**  
**Description:**

Robot Framework Plugin 2.0.0 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Robot Framework' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Robot Framework Plugin 2.0.1 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin**

**SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-jenkins-advisor**  
**Description:**

Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to send an email with fixed content to an attacker-specified recipient.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Health Advisor by CloudBees Plugin 3.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

**Redgate SQL Change Automation Plugin stored credentials in plain text**

**SECURITY-1696 / CVE-2020-2095**  
**Severity (CVSS):** Medium  
**Affected plugin: redgate-sql-ci**  
**Description:**

Redgate SQL Change Automation Plugin 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.5 now stores the API key encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

**Reflected XSS vulnerability in gitlab-hook Plugin**

**SECURITY-1683 / CVE-2020-2096**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-hook**  
**Description:**

gitlab-hook Plugin 1.4.2 and earlier does not escape project names in the build_now endpoint. This results in a reflected cross-site scripting vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Sounds Plugin allow OS command execution**

**SECURITY-814 / CVE-2020-2097 (permission check), CVE-2020-2098 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: sounds**  
**Description:**

Sounds Plugin 0.5 and earlier does not perform permission checks in URLs performing form validation. This allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins.

Additionally, these form validation URLs do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-814: High
*   SECURITY-1004: Low
*   SECURITY-1683: Medium
*   SECURITY-1696: Medium
*   SECURITY-1698: High
*   SECURITY-1708: Medium

**Affected Versions**

*   **Amazon EC2 Plugin** up to and including 1.47
*   **gitlab-hook Plugin** up to and including 1.4.2
*   **Health Advisor by CloudBees Plugin** up to and including 3.0
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.4
*   **Robot Framework Plugin** up to and including 2.0.0
*   **Sounds Plugin** up to and including 0.5

**Fix**

*   **Amazon EC2 Plugin** should be updated to version 1.48
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.0.1
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.5
*   **Robot Framework Plugin** should be updated to version 2.0.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   gitlab-hook Plugin
*   Sounds Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Ai Ho (@j3ssiejjj)** for SECURITY-1683
*   **Federico Pellegrin** for SECURITY-1698
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1004
*   **Thomas de Grenier de Latour** for SECURITY-814
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1696

Tag

#ssrf