Jenkins Security Advisory: Auth Bypass, XXE, XSS, DDoS (CVE-2020-2099 to 2108)

Key Information Advisory ID: Jenkins Security Advisory 2020-01-29 Affected Jenkins Versions: Jenkins (core), Code Coverage Plugin, Fortify Plugin, WebSphere Deployer Plugin Vulnerability Descriptions 1. Inbound TCP Agent Protocol/3 Authentication Bypass - CVE ID: CVE-2020-2099 - Severity: High - Impact & Description: Jenkins versions 2.213 and earlier support the deprecated Inbound TCP Agent Protocol/3, which can allow unauthorized remote attackers to connect to the Jenkins controller using a connection key. 2. Jenkins Vulnerable to UDP Amplification Reflection Attacks - CVE ID: CVE-2020-2100 - Severity: Medium - Impact & Description: Jenkins versions 2.218 and earlier support two network discovery services (UDP multicast/broadcast and DNS multicast), which can be exploited for DDoS attacks or to cause denial-of-service. 3. Non-Constant-Time Comparison for Inbound TCP Agent Connection Keys - CVE ID: CVE-2020-2101 - Severity: Medium - Impact & Description: Jenkins versions 2.218 and earlier do not use constant-time comparison to validate connection keys when initiating inbound TCP agent connections. 4. Non-Constant-Time HMAC Comparison - CVE ID: CVE-2020-2102 - Severity: Medium - Impact & Description: Jenkins versions 2.218 and earlier do not use constant-time comparison to check if two HMACs are equal. 5. Diagnostic Page Exposes Session Cookie - CVE ID: CVE-2020-2103 - Severity: Medium - Impact & Description: The Cookie header on Jenkins’ /whoAmI page includes the HTTP session ID. 6. Memory Usage Chart Visible to Any User with Overall/Read Permission - CVE ID: CVE-2020-2104 - Severity: Medium - Impact & Description: Jenkins versions 2.218 and earlier allow non-admin users to view the memory usage chart. 7. Jenkins REST API Vulnerable to Clickjacking - CVE ID: CVE-2020-2105 - Severity: Low - Impact & Description: Jenkins versions 2.218 and earlier do not include the header in REST API responses, making them vulnerable to clickjacking attacks. 8. Code Coverage Plugin Stores XSS Vulnerability - CVE ID: CVE-2020-2106 - Severity: Medium - Impact & Description: Code Coverage Plugin versions 1.1.2 and earlier do not escape coverage report filenames used in the plugin, leading to stored XSS. 9. Fortify Plugin Stores Credentials in Plaintext - CVE ID: CVE-2020-2107 - Severity: Medium - Impact & Description: Fortify Plugin versions 19.1.29 and earlier store proxy server passwords in plaintext. 10. WebSphere Deployer Plugin XXE Vulnerability - CVE ID: CVE-2020-2108 - Severity: High - Impact & Description: WebSphere Deployer Plugin versions 1.6.1 and earlier do not configure the XML parser to prevent XML External Entity (XXE) attacks. Affected Versions Jenkins weekly: up to and including 2.218 Jenkins LTS: up to and including 2.204.1 Code Coverage Plugin: up to and including 1.1.2 Fortify Plugin: up to and including 19.1.29 WebSphere Deployer Plugin: up to and including 1.6.1 Remediation Recommendations Jenkins weekly: upgrade to version 2.219 Jenkins LTS: upgrade to version 2.204.2 Code Coverage Plugin: upgrade to version 1.1.3 Fortify Plugin: upgrade to version 19.2.30 No fix is currently available for the WebSphere Deployer Plugin.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Auth Bypass, XXE, XSS, DDoS (CVE-2020-2099 to 2108)