Multiple vulnerabilities in Jenkins

Published: 2018-12-18
Severity High
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2018-1000864
CVE-2018-1000862
CVE-2018-1000863
CVE-2018-1000861
CWE ID CWE-20
CWE-200
Exploitation vector Network
Public exploit Public exploit code for vulnerability #3 is available.
Vulnerable software Jenkins Subscribe
Vendor Jenkins

Security Advisory

1) Improper input validation

Severity: Low

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-1000864

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to improper form validation for cron expressions. A remote attacker can send a specially crafted request that submits malicious input and block request handling threads, resulting in a DoS condition.

Mitigation

The vulnerability has been fixed in the versions 2.154, 2.138.4, and 2.150.1.

Vulnerable software versions

Jenkins: 2.19.2, 2.19.3, 2.31, 2.32, 2.33, 2.34, 2.35, 2.36, 2.37, 2.38, 2.39, 2.41, 2.42, 2.43, 2.44, 2.45, 2.46, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.151, 2.152, 2.153

CPE External links

https://jenkins.io/security/advisory/2018-12-05/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1000862

CWE-ID: CWE-200 - Information Exposure

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to the DirectoryBrowserSupport.java code of the affected software allows access to the filesystem outside the workspace to extend beyond the execution of a build on an affected agent. A remote attacker with the ability to control build output to browse the filesystem on agents running builds beyond the duration of the build using the workspace browser can access sensitive file information. 

Mitigation

The vulnerability has been fixed in the versions 2.154, 2.138.4, and 2.150.1.

Vulnerable software versions

Jenkins: 2.19.2, 2.19.3, 2.31, 2.32, 2.33, 2.34, 2.35, 2.36, 2.37, 2.38, 2.39, 2.41, 2.42, 2.43, 2.44, 2.45, 2.46, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.151, 2.152, 2.153

CPE External links

https://jenkins.io/security/advisory/2018-12-05/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

Severity: Low

CVSSv3: 6.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-1000863

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition.

The vulnerability exists in the User.java and IdStrategy.java codes of Jenkins due to insufficient validation of user names by the affected software. A remote attacker can attempt to log in to the affected application with a user name that submits malicious input, improperly force the migration of user records, which could result in a DoS condition by preventing other users of the application from logging in. 

Mitigation

The vulnerability has been fixed in the versions 2.154, 2.138.4, and 2.150.1.

Vulnerable software versions

Jenkins: 2.19.2, 2.19.3, 2.31, 2.32, 2.33, 2.34, 2.35, 2.36, 2.37, 2.38, 2.39, 2.41, 2.42, 2.43, 2.44, 2.45, 2.46, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.151, 2.152, 2.153

CPE External links

https://jenkins.io/security/advisory/2018-12-05/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Improper input validation

Severity: High

CVSSv3: 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2018-1000861

CWE-ID: CWE-20 - Improper Input Validation

Description

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The vulnerability exists due to due to improper handling of HTTP requests by the stapler/core/src/main/java/org/kohsuke/stapler/MetaClass.java code of the Stapler web framework used by the affected software. A remote attacker can trick the victim into accessing a specially crafted link that submits malicious input, invoke certain methods that are not intended to be invoked, which the attacker can use to execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

The vulnerability has been fixed in the versions 2.154, 2.138.4, and 2.150.1.

Vulnerable software versions

Jenkins: 2.19.2, 2.19.3, 2.31, 2.32, 2.33, 2.34, 2.35, 2.36, 2.37, 2.38, 2.39, 2.41, 2.42, 2.43, 2.44, 2.45, 2.46, 2.47, 2.48, 2.49, 2.50, 2.51, 2.52, 2.53, 2.54, 2.55, 2.56, 2.93, 2.94, 2.95, 2.96, 2.97, 2.98, 2.99, 2.100, 2.101, 2.102, 2.103, 2.104, 2.105, 2.106, 2.107, 2.108, 2.109, 2.110, 2.111, 2.112, 2.113, 2.114, 2.115, 2.116, 2.117, 2.118, 2.119, 2.120, 2.121, 2.121.1, 2.121.2, 2.121.3, 2.122, 2.123, 2.124, 2.125, 2.126, 2.127, 2.128, 2.129, 2.130, 2.131, 2.132, 2.133, 2.134, 2.135, 2.136, 2.137, 2.138, 2.139, 2.140, 2.141, 2.142, 2.143, 2.144, 2.145, 2.146, 2.147, 2.148, 2.149, 2.150, 2.151, 2.152, 2.153

CPE External links

https://jenkins.io/security/advisory/2018-12-05/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.