List:       oss-security
Subject:    [oss-security] Multiple vulnerabilities in Jenkins plugins
From:       Daniel Beck <ml () beckweb ! net>
Date:       2020-04-16 13:28:36
Message-ID: D2F192EF-F7B6-4FF4-8FC5-8EDD4DFC83F0 () beckweb ! net

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* AWS SAM Plugin 1.2.3
* Copr Plugin 0.6.1
* Parasoft Findings Plugin 10.4.4
* Yaml Axis Plugin 0.2.1


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2020-04-16/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1556 / CVE-2020-2177
Copr Plugin 0.3 and earlier stores credentials unencrypted in job
`config.xml` files as part of its configuration. These credentials can be
viewed by users with Extended Read permission or access to the master file
system.


SECURITY-1753 / CVE-2020-2178
Parasoft Findings Plugin 10.4.3 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks. This allows a user
able to control the input files for the Parasoft Findings parser to have
Jenkins parse a crafted file that uses external entities for extraction of
secrets from the Jenkins master or server-side request forgery.


SECURITY-1825 / CVE-2020-2179
Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to
prevent the instantiation of arbitrary types. This results in a remote code
execution (RCE) vulnerability exploitable by users able to configure a
multi-configuration (Matrix) job, or control the contents of a previously
configured job's SCM repository.


SECURITY-1736 / CVE-2020-2180
AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to
prevent the instantiation of arbitrary types. This results in a remote code
execution (RCE) vulnerability exploitable by users able to configure a job
or control the contents of a previously configured "AWS SAM deploy
application" build step's YAML SAM template file (`template.yaml` or
equivalent).
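The two YAML advisories above (SECURITY-1825 and SECURITY-1736) come down to the same parser setting, so here is one added example, not code from any Jenkins plugin, that loads a constructed document carrying a global `!!` type tag with the default SnakeYAML loader and with a `SafeConstructor`-backed one. It assumes the SnakeYAML 1.x API (no-argument `SafeConstructor`) and the `AuditEvent` class is defined here purely to stand in for any class on the classpath.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Stand-in for any JavaBean on the Jenkins classpath (constructed for this example).
// With the default loader the YAML document, not the plugin, decides that it is instantiated.
class AuditEvent {
    private String note;
    public String getNote() { return note; }
    public void setNote(String note) { this.note = note; }
}

public class YamlParserHardening {
    // Constructed input: a template-shaped document whose value carries a type tag.
    static final String TAGGED_INPUT =
        "Resources:\n  Function: !!AuditEvent {note: 'chosen by the document author'}\n";

    /** Weak setting: new Yaml() resolves !!ClassName to a Java class and instantiates it. */
    static Object loadWithDefaultParser(String doc) {
        return new Yaml().load(doc);
    }

    /** Corrected setting: SafeConstructor only builds standard YAML types (maps, lists, scalars). */
    static Object loadWithSafeParser(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> weak = (Map<?, ?>) loadWithDefaultParser(TAGGED_INPUT);
        Object function = ((Map<?, ?>) weak.get("Resources")).get("Function");
        // The default loader hands back an AuditEvent instance built from untrusted input.
        System.out.println("default parser built: " + function.getClass().getName());

        try {
            loadWithSafeParser(TAGGED_INPUT);
            System.out.println("unexpected: safe parser accepted the tagged document");
        } catch (YAMLException e) {
            // Expected: SafeConstructor refuses to resolve the tag at all.
            System.out.println("safe parser rejected the document: " + e.getMessage());
        }
    }
}
```

A plugin that only ever needs maps, lists and scalars from a user-supplied file (a build axis definition, a SAM template) should construct its `Yaml` instance with `SafeConstructor` and treat any `YAMLException` as a rejected input rather than a parse to retry.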
