Subject: [ASA-201807-14] jenkins: multiple issues

Arch Linux Security Advisory ASA-201807-14
==========================================

Severity: High
Date    : 2018-07-21
CVE-ID  : CVE-2018-1999001 CVE-2018-1999002 CVE-2018-1999003 CVE-2018-1999004
          CVE-2018-1999005 CVE-2018-1999006 CVE-2018-1999007
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-738

Summary
=======

The package jenkins before version 2.133-1 is vulnerable to multiple issues
including access restriction bypass, arbitrary filesystem access, cross-site
scripting and information disclosure.

Resolution
==========

Upgrade to 2.133-1.

# pacman -Syu "jenkins>=2.133-1"

The problems have been fixed upstream in version 2.133.

Workaround
==========

None.

Description
===========

- CVE-2018-1999001 (access restriction bypass)

Unauthenticated users could provide maliciously crafted login credentials
that cause Jenkins before 2.133 to move the config.xml file from the Jenkins
home directory. This configuration file contains basic configuration of
Jenkins, including the selected security realm and authorization strategy.
If Jenkins is started without this file present, it will revert to the
legacy defaults of granting administrator access to anonymous users. This
issue was caused by the fix for SECURITY-499 in the 2017-11-08 security
advisory.

- CVE-2018-1999002 (arbitrary filesystem access)

An arbitrary file read vulnerability in the Stapler web framework used by
Jenkins before 2.133 allowed unauthenticated users to send crafted HTTP
requests returning the contents of any file on the Jenkins master file
system that the Jenkins master process has access to.

- CVE-2018-1999003 (access restriction bypass)

The URLs handling cancellation of queued builds in Jenkins before 2.133 did
not perform a permission check, allowing users with Overall/Read permission
to cancel queued builds.
- CVE-2018-1999004 (access restriction bypass)

The URL that initiates agent launches on the Jenkins master before 2.133 did
not perform a permission check, allowing users with Overall/Read permission
to initiate agent launches. Doing so canceled all ongoing launches for the
specified agent, so this allowed attackers to prevent an agent from
launching indefinitely.

- CVE-2018-1999005 (cross-site scripting)

The build timeline widget shown on URLs like /view/…/builds in Jenkins
before 2.133 did not properly escape display names of items. This resulted
in a cross-site scripting vulnerability exploitable by users able to control
item display names.

- CVE-2018-1999006 (information disclosure)

Files indicating when a plugin JPI file was last extracted into a
subdirectory of plugins/ in the Jenkins home directory were accessible via
HTTP by users with Overall/Read permission before Jenkins 2.133. This
allowed unauthorized users to determine the likely install date of a given
plugin.

- CVE-2018-1999007 (cross-site scripting)

Stapler is the web framework used by Jenkins to route HTTP requests. When
its debug mode is enabled, HTTP 404 error pages display diagnostic
information. Those error pages did not escape parts of URLs they displayed
before Jenkins 2.133, in rare cases resulting in a cross-site scripting
vulnerability.

Impact
======

A remote attacker is able to bypass access restrictions to gain
administrative privileges, access arbitrary files, disclose information or
perform cross-site scripting.

References
==========

https://jenkins.io/security/advisory/2018-07-18/
https://security.archlinux.org/CVE-2018-1999001
https://security.archlinux.org/CVE-2018-1999002
https://security.archlinux.org/CVE-2018-1999003
https://security.archlinux.org/CVE-2018-1999004
https://security.archlinux.org/CVE-2018-1999005
https://security.archlinux.org/CVE-2018-1999006
https://security.archlinux.org/CVE-2018-1999007
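As an added defensive check (example code, not part of the Arch advisory or of Jenkins itself), the script below tests the two conditions the advisory turns on for CVE-2018-1999001: whether the installed package version has reached the fixed 2.133, and whether config.xml is still present in the Jenkins home and still declares a security realm and authorization strategy, since a missing file means the legacy anonymous-administrator defaults. The useSecurity, securityRealm and authorizationStrategy element names are assumed from the layout of a Jenkins config.xml; the sample file is constructed.

```python
"""Audit a Jenkins home for the CVE-2018-1999001 fallback condition:
if JENKINS_HOME/config.xml is gone, Jenkins starts with legacy defaults
that grant anonymous users administrator access. Added example only."""
from pathlib import Path
from typing import List, Optional
import xml.etree.ElementTree as ET

FIXED_UPSTREAM = (2, 133)  # first fixed upstream release per the advisory


def parse_pkg_version(pkgver: str) -> tuple:
    """'2.133-1' -> (2, 133): compare the upstream part, ignore the pkgrel."""
    upstream = pkgver.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def version_is_fixed(pkgver: str) -> bool:
    """True when the Arch package version is at or past 2.133."""
    return parse_pkg_version(pkgver) >= FIXED_UPSTREAM


def audit_config_xml(xml_text: Optional[str]) -> List[str]:
    """Return findings for the text of config.xml (None = file absent)."""
    if xml_text is None:
        return ["config.xml missing: Jenkins would start with legacy "
                "defaults (anonymous users get administrator access)"]
    root = ET.fromstring(xml_text)
    findings = []
    # Element names assumed from the Jenkins config.xml layout.
    if root.findtext("useSecurity", "").strip().lower() != "true":
        findings.append("useSecurity is not true")
    if root.find("securityRealm") is None:
        findings.append("no securityRealm element")
    if root.find("authorizationStrategy") is None:
        findings.append("no authorizationStrategy element")
    return findings


def audit_jenkins_home(home: Path) -> List[str]:
    """Audit a real Jenkins home directory on disk."""
    cfg = home / "config.xml"
    return audit_config_xml(cfg.read_text() if cfg.is_file() else None)


# Constructed sample config.xml with a realm and strategy declared.
SAMPLE_CONFIG_XML = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
</hudson>"""
```

Run audit_jenkins_home(Path("/var/lib/jenkins")) or the path your installation uses; an empty list means config.xml is present and declares both settings.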