SB2018041106 - Multiple vulnerabilities in Jenkins Jenkins
Published: April 11, 2018 Updated: July 17, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-2609)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information disclosure vulnerability in search suggestions (SECURITY-385). The autocomplete feature on the search box discloses the names of the views in its suggestions, including those to which the current user does not have access.
2) Cross-site request forgery (CVE-ID: CVE-2017-2613)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
3) Information disclosure (CVE-ID: CVE-2017-2603)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak in disconnected agents' config.xml API. This could leak sensitive data such as API tokens (SECURITY-362).
4) Improper Authentication (CVE-ID: CVE-2017-2604)
The vulnerability allows a remote authenticated user to manipulate data.
In Jenkins before versions 2.44, 2.32.2, low-privilege users were able to act on administrative monitors because the monitors were not consistently protected by permission checks (SECURITY-371).
5) Cross-site scripting (CVE-ID: CVE-2017-2610)
The vulnerability allows a remote authenticated user to read and manipulate data.
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in search suggestions due to improperly escaping user names containing less-than and greater-than characters (SECURITY-388).
6) Incorrect permission assignment for critical resource (CVE-ID: CVE-2017-2612)
The vulnerability allows a remote authenticated user to manipulate or delete data.
In Jenkins before versions 2.44, 2.32.2, low-privilege users were able to override JDK download credentials (SECURITY-392), so that future builds could fail to download a JDK.
7) Cross-site scripting (CVE-ID: CVE-2017-2601)
The vulnerability allows a remote authenticated user to read and manipulate data.
Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cross-site scripting in parameter names and descriptions (SECURITY-353). Users with the permission to configure jobs were able to inject JavaScript into parameter names and descriptions.
8) Information disclosure (CVE-ID: CVE-2017-2606)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Jenkins before versions 2.44, 2.32.2 is vulnerable to an information exposure in the internal API that allows access to item names that should not be visible (SECURITY-380). This only affects anonymous users (other users legitimately have access) who were able to obtain a list of items via an UnprotectedRootAction.
9) Improper Privilege Management (CVE-ID: CVE-2017-2599)
The vulnerability allows a remote authenticated user to read and manipulate data.
Jenkins before versions 2.44 and 2.32.2 has an insufficient permission check. This allows users with permission to create new items (e.g. jobs) to overwrite existing items they do not have access to (SECURITY-321).
Remediation
Install update from vendor's website.
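Every item in this bulletin is fixed in the same two releases, 2.44 (weekly line) and 2.32.2 (LTS line), so the remediation check reduces to a version comparison that respects which release line an instance is on. The script below is an added example, not part of the bulletin or of the Jenkins project; the fixed versions are taken from the text above, the function names and the sample header sets are constructed for illustration, and the only external fact it relies on is that Jenkins advertises its core version in the X-Jenkins response header.

```python
"""Check whether a Jenkins core version predates the fixes in SB2018041106.

Added example. Fixed versions (2.44 weekly, 2.32.2 LTS) come from the
bulletin; function names and sample data are constructed for illustration.
"""
import re

FIXED_WEEKLY = (2, 44)      # first fixed weekly release (two components)
FIXED_LTS = (2, 32, 2)      # first fixed LTS release (three components)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return a tuple of ints for an 'X.Y' (weekly) or 'X.Y.Z' (LTS) string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version):
    """True if the version predates the fix for its release line.

    Weekly releases carry two components (2.43), LTS releases three (2.32.1),
    so the component count decides which fixed version to compare against.
    An older LTS line such as 2.19.x or 1.651.x sorts below 2.32.2 and is
    therefore reported as affected, which matches the bulletin's wording.
    """
    v = parse_version(version)
    if len(v) == 3:
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def required_update(version):
    """Return the first fixed version string for the instance's release line."""
    v = parse_version(version)
    target = FIXED_LTS if len(v) == 3 else FIXED_WEEKLY
    return ".".join(str(p) for p in target)


def check_headers(headers):
    """Classify an instance from its HTTP response headers.

    Jenkins sets an X-Jenkins header carrying the core version. Returns
    (version, affected), or (None, None) when the header is missing, so a
    reverse proxy that strips it is reported as unknown rather than safe.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip(), is_affected(value)
    return None, None


# Constructed sample header sets, as an inventory scan might record them.
SAMPLE_HEADERS = [
    {"Server": "Jetty(9.2.z-SNAPSHOT)", "X-Jenkins": "2.32.1"},
    {"Server": "Jetty(9.2.z-SNAPSHOT)", "X-Jenkins": "2.44"},
    {"Server": "nginx"},
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        version, affected = check_headers(h)
        if version is None:
            print("no X-Jenkins header: version unknown, verify manually")
        elif affected:
            print(f"{version}: affected, update to {required_update(version)}")
        else:
            print(f"{version}: not affected by this bulletin")
```

The component-count rule matters in practice: a naive numeric comparison would flag LTS 2.32.2 as "before 2.44" and raise a false positive, while treating 2.43 as newer than 2.32.2 would miss a vulnerable weekly build.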
References
- http://www.securityfocus.com/bid/95964
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2609
- https://github.com/jenkinsci/jenkins/commit/13905d8224899ba7332fe9af4e330ea96a2ae319
- http://www.securityfocus.com/bid/95967
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2613
- https://github.com/jenkinsci/jenkins/commit/b88b20ec473200db35d0a0d29dcf192069106601
- https://jenkins.io/security/advisory/2017-02-01/
- http://www.securityfocus.com/bid/95955
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2603
- https://github.com/jenkinsci/jenkins/commit/3cd946cbef82c6da5ccccf3890d0ae4e091c4265
- http://www.securityfocus.com/bid/95959
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2604
- https://github.com/jenkinsci/jenkins/commit/6efcf6c2ac39bc5c59ac7251822be8ddf67ceaf8
- http://www.securityfocus.com/bid/95951
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2610
- https://github.com/jenkinsci/jenkins/commit/307ed31caba68a46426b8c73a787a05add2c7489
- http://www.securityfocus.com/bid/95957
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2612
- https://github.com/jenkinsci/jenkins/commit/a814154695e23dc37542af7d40cacc129cf70722
- http://www.securityfocus.com/bid/95960
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2601
- https://github.com/jenkinsci/jenkins/commit/fd2e081b947124c90bcd97bfc55e1a7f2ef41a74
- http://www.securityfocus.com/bid/95962
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2606
- https://github.com/jenkinsci/jenkins/commit/09cfbc9cd5c9df7c763bc976b7f5c51266b63719
- http://www.securityfocus.com/bid/95949
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2599
- https://github.com/jenkinsci/jenkins/commit/4ed5c850b6855ab064a66d02fb338f366853ce89