[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb ! net>
Date: 2019-02-23 10:59:26
Message-ID: 305B88DB-999B-46B2-8842-7101CA1D91F4 () beckweb ! net
[Download RAW message or body]
> On 19. Feb 2019, at 19:33, Daniel Beck <ml@beckweb.net> wrote:
>
> SECURITY-1320
> The previously implemented Script Security Plugin sandbox protections
> prohibiting the use of unsafe AST transforming annotations such as @Grab
> could be circumvented through use of various Groovy language features:
>
> * Using Groovy's AnnotationCollector
> * Import aliasing
> * Referencing annotation types using their full class name
>
> This allowed users with Overall/Read permission, or the ability to control
> Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to
> bypass the sandbox protection and execute arbitrary code on the Jenkins
> master.
>
> Using AnnotationCollector is now newly prohibited in sandboxed scripts
> such as Pipelines. Importing any of the annotations considered unsafe will
> now result in an error. During the compilation phase, both simple and
> full class names of prohibited annotations are rejected for element
> annotations.
CVE-2019-1003024
> SECURITY-876
> Cloud Foundry Plugin did not perform permission checks on a method
> implementing form validation. This allowed users with Overall/Read access
> to Jenkins to connect to an attacker-specified URL using attacker-
> specified credentials IDs obtained through another method, capturing
> credentials stored in Jenkins.
>
> Additionally, this form validation method did not require POST requests,
> resulting in a cross-site request forgery vulnerability.
CVE-2019-1003025
> SECURITY-985
> A missing permission check in a form validation method in Mattermost
> Notification Plugin allowed users with Overall/Read permission to
> initiate a connection test, connecting to an attacker-specified
> Mattermost server and room and posting a message.
>
> Additionally, this form validation method did not require POST requests,
> resulting in a CSRF vulnerability.
CVE-2019-1003026
> SECURITY-817
> A missing permission check in a form validation method in OctopusDeploy
> Plugin allowed users with Overall/Read permission to initiate a
> connection test, sending an HTTP HEAD request to an attacker-specified
> URL, returning HTTP response code if successful, or exception error
> message otherwise.
>
> Additionally, this form validation method did not require POST requests,
> resulting in a CSRF vulnerability.
CVE-2019-1003027
> SECURITY-1033
> A missing permission check in a form validation method in JMS Messaging
> Plugin allowed users with Overall/Read permission to initiate a
> connection test, sending an HTTP request to an attacker-specified URL.
>
> Additionally, this form validation method did not require POST requests,
> resulting in a CSRF vulnerability.
CVE-2019-1003028
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic