This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins provides the secretTextarea form field for multi-line secrets.
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.
This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.
| This issue is similar to SECURITY-765 in the 2018-10-10 security advisory. |
Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.
Jenkins provides APIs for fine-grained control of item creation:
Authorization strategies can prohibit the creation of items of a given type in a given item group (ACL#hasCreatePermission2).
Item types can prohibit creation of new instances in a given item group (TopLevelItemDescriptor#isApplicableIn(ItemGroup)).
If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk.
This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.
If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.
credentials
Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the SecretBytes type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item config.xml via REST API or CLI.
This allows attackers with Item/Extended Read permission to view encrypted SecretBytes values in credentials.
This issue is similar to SECURITY-266 in the 2016-05-11 security advisory, which applied to the Secret type used for inline secrets and some credentials types.
|
Credentials Plugin 1381.v2c3a_12074da_b_ redacts the encrypted values of credentials using the SecretBytes type in item config.xml files.
This fix is only effective on Jenkins 2.479 and newer, LTS 2.462.3 and newer.
While Credentials Plugin 1381.v2c3a_12074da_b_ can be installed on Jenkins 2.463 through 2.478 (both inclusive), encrypted values of credentials using the SecretBytes type will not be redacted when accessing item config.xml via REST API or CLI.
|
oic-auth
OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.
This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.
oic-auth
OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token during its authentication flow, a value that identifies the Originating Party (IdP).
This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the iss (Issuer) claim of an ID Token during its authentication flow when the Issuer is known.
| When using the "Manual entry" configuration mode, the new "Issuer" field must be populated after updating to protect from this issue. When using "Discovery via well-known endpoint", the Issuer will be set automatically. |
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: