SB2020031222 - Cleartext storage of sensitive information in Jenkins Zephyr for JIRA Test Management Plugin

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cleartext storage of sensitive information (CVE-ID: CVE-2020-2154)

The vulnerability allows a local user to view the password on the target system.

The vulnerability exists due to the affected software stores Jira credentials unencrypted in its global configuration file "com.thed.zephyr.jenkins.reporter.ZfjReporter.xml" on the Jenkins master. A local user with access to the master file system can obtain this credential.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-2216)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to the affected plugin does not perform a permission check in a method implementing form validation. A remote user with Overall/Read access can connect to an attacker-specified host using attacker-specified username and password.

3) Cross-site request forgery (CVE-ID: CVE-2020-2215)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to the affected plugin does not require POST requests. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• http://www.openwall.com/lists/oss-security/2020/03/09/1
• https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1550
• http://www.openwall.com/lists/oss-security/2020/07/02/7
• https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1762