[ASA-201807-14] jenkins: multiple issues

Published: 2018-07-21 00:00:00
Source: security.archlinux.org

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.063
Percentile: 93.6%

Arch Linux Security Advisory ASA-201807-14

Severity: High
Date : 2018-07-21
CVE-ID : CVE-2018-1999001 CVE-2018-1999002 CVE-2018-1999003 CVE-2018-1999004
CVE-2018-1999005 CVE-2018-1999006 CVE-2018-1999007
Package : jenkins
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-738

Summary

The package jenkins before version 2.133-1 is vulnerable to multiple
issues including access restriction bypass, arbitrary filesystem
access, cross-site scripting and information disclosure.

Resolution

Upgrade to 2.133-1.

pacman -Syu "jenkins>=2.133-1"

The problems have been fixed upstream in version 2.133.

Workaround

None.

Description

  • CVE-2018-1999001 (access restriction bypass)

Unauthenticated users could provide maliciously crafted login
credentials that cause Jenkins before 2.133 to move the config.xml file
from the Jenkins home directory. This configuration file contains basic
configuration of Jenkins, including the selected security realm and
authorization strategy. If Jenkins is started without this file
present, it will revert to the legacy defaults of granting
administrator access to anonymous users. This issue was caused by the
fix for SECURITY-499 in the 2017-11-08 security advisory.

  • CVE-2018-1999002 (arbitrary filesystem access)

An arbitrary file read vulnerability in the Stapler web framework used
by Jenkins before 2.133 allowed unauthenticated users to send crafted
HTTP requests returning the contents of any file on the Jenkins master
file system that the Jenkins master process has access to.

  • CVE-2018-1999003 (access restriction bypass)

The URLs handling cancellation of queued builds in Jenkins before 2.133
did not perform a permission check, allowing users with Overall/Read
permission to cancel queued builds.

  • CVE-2018-1999004 (access restriction bypass)

The URL that initiates agent launches on the Jenkins master before
2.133 did not perform a permission check, allowing users with
Overall/Read permission to initiate agent launches.
Doing so canceled all ongoing launches for the specified agent, so this
allowed attackers to prevent an agent from launching indefinitely.

  • CVE-2018-1999005 (cross-site scripting)

The build timeline widget shown on URLs like /view/…/builds in Jenkins
before 2.133 did not properly escape display names of items. This
resulted in a cross-site scripting vulnerability exploitable by users
able to control item display names.

  • CVE-2018-1999006 (information disclosure)

Files indicating when a plugin JPI file was last extracted into a
subdirectory of plugins/ in the Jenkins home directory were accessible
via HTTP by users with Overall/Read permission before Jenkins 2.133.
This allowed unauthorized users to determine the likely install date of
a given plugin.

  • CVE-2018-1999007 (cross-site scripting)

Stapler is the web framework used by Jenkins to route HTTP requests.
When its debug mode is enabled, HTTP 404 error pages display diagnostic
information. Those error pages did not escape parts of URLs they
displayed before Jenkins 2.133, in rare cases resulting in a cross-site
scripting vulnerability.
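
For CVE-2018-1999001 above, the following added example (not part of the advisory or of Jenkins) checks that config.xml is still present in the Jenkins home directory and still enforces security, and compares an installed package version against the fixed 2.133-1. The /var/lib/jenkins default, the function names and the --audit flag are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-upgrade audit for the CVE-2018-1999001 failure mode.
# Assumption: Jenkins home is /var/lib/jenkins unless given as an argument.

FIXED_VERSION="2.133-1"   # fixed package version named in the advisory

# check_jenkins_config HOME
# 0 = config.xml present and security enforced
# 1 = config.xml missing or empty (Jenkins would start with legacy defaults)
# 2 = security is not enabled in config.xml
# 3 = authorization strategy is "Unsecured" (anyone is administrator)
check_jenkins_config() {
    cfg="$1/config.xml"
    if [ ! -s "$cfg" ]; then
        echo "ALERT: $cfg is missing or empty" >&2
        return 1
    fi
    if ! grep -q '<useSecurity>true</useSecurity>' "$cfg"; then
        echo "ALERT: useSecurity is not true in $cfg" >&2
        return 2
    fi
    if grep -q 'AuthorizationStrategy\$Unsecured' "$cfg"; then
        echo "ALERT: Unsecured authorization strategy in $cfg" >&2
        return 3
    fi
    echo "OK: $cfg present and security enabled"
}

# check_jenkins_version INSTALLED
# 0 = INSTALLED >= FIXED_VERSION, 1 = older, 2 = vercmp (from pacman) not found
check_jenkins_version() {
    if ! command -v vercmp >/dev/null 2>&1; then
        echo "SKIP: vercmp not found" >&2
        return 2
    fi
    if [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]; then
        echo "ALERT: jenkins $1 is older than $FIXED_VERSION" >&2
        return 1
    fi
    echo "OK: jenkins $1 is at or above $FIXED_VERSION"
}

# Run both checks only when invoked as: script --audit [JENKINS_HOME]
if [ "${1:-}" = "--audit" ]; then
    check_jenkins_config "${2:-/var/lib/jenkins}" &&
        check_jenkins_version "$(pacman -Q jenkins | cut -d' ' -f2)"
fi
```

A non-zero result from the config check on a host that was reachable while running a version before 2.133 is a reason to review access logs and restore config.xml from backup before restarting Jenkins.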

Impact

A remote attacker is able to bypass access restrictions to gain
administrative privileges, access arbitrary files, disclose information
or perform cross-site scripting.

References

https://jenkins.io/security/advisory/2018-07-18/
https://security.archlinux.org/CVE-2018-1999001
https://security.archlinux.org/CVE-2018-1999002
https://security.archlinux.org/CVE-2018-1999003
https://security.archlinux.org/CVE-2018-1999004
https://security.archlinux.org/CVE-2018-1999005
https://security.archlinux.org/CVE-2018-1999006
https://security.archlinux.org/CVE-2018-1999007

OS | Version | Architecture | Package | Version | Filename
ArchLinux | any | any | jenkins | < 2.133-1 | UNKNOWN
