This advisory announces vulnerabilities in the following Jenkins deliverables:
git
Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and the Overall/Administer permission.
github
A form validation method in GitHub Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a POST request to a specified URL.
If that request’s HTTP response code indicates success, the form validation returns a generic success message; otherwise, the HTTP status code is returned.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
The form validation method now requires POST requests and the Overall/Administer permission.
github
GitHub Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and appropriate user permissions.
github-branch-source
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and the Overall/Administer permission.
ghprb
GitHub Pull Request Builder Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and Overall/Administer permissions.
kubernetes
Kubernetes Plugin printed sensitive build variables, like passwords, to the build log and controller log, when using pipeline steps like withDockerRegistry.
The plugin now applies masking of sensitive build variables to these pipeline steps.
cas-plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and the Overall/Administer permission.
absint-astree
AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller.
Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method no longer implements the validation that required a program to be invoked.
blackduck-hub
Black Duck Hub Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and Overall/Administer permissions.
blackduck-detect
Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins, and to cause Jenkins to submit HTTP requests to attacker-specified URLs.
Additionally, these form validation methods did not require POST requests, resulting in a CSRF vulnerability.
These form validation methods now require POST requests and Overall/Administer permissions.
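The pattern behind most of the entries above, shown as an added example that is not code from the advisory or from any plugin it names: a hypothetical Jenkins build step descriptor with the unchecked form validation shape next to the fixed shape, which requires POST and checks the permission appropriate to where the form lives. ExampleBuilder, DescriptorImpl and testConnection() are assumptions.

```java
// Added illustration; ExampleBuilder, DescriptorImpl and testConnection() are hypothetical.
package example;

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Shape the advisory describes as vulnerable: reachable via GET by anyone
        // with Overall/Read, and with no CSRF protection, so the controller can be
        // made to issue a request to a caller-chosen URL.
        public FormValidation doTestConnectionBeforeFix(@QueryParameter String url) {
            return testConnection(url);
        }

        // Fixed shape: @POST rejects GET and makes Jenkins enforce its CSRF crumb;
        // the permission check runs before any outbound request is made.
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String url) {
            if (item == null) {
                // Global configuration: only administrators may trigger the check.
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                // Job configuration: the user must be allowed to configure the job.
                item.checkPermission(Item.CONFIGURE);
            }
            return testConnection(url);
        }

        private FormValidation testConnection(String url) {
            // Hypothetical placeholder for the plugin's outbound connectivity test.
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}
```

The same two changes apply to the credentials-based methods in the advisory: with the permission check in place, a user who cannot configure the job or the global configuration can no longer make the controller use a credentials ID against a URL of their choosing.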
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: