Jenkins Security Advisory: RCE/XSS/CSRF Vulnerabilities in Core and Plugins (CVE-2020-2160 to 2167)

Jenkins Security Advisory 2020-03-25 Vulnerabilities Announced Jenkins (core) Artifactory Plugin Azure Container Service Plugin OpenShift Pipeline Plugin Pipeline: AWS Steps Plugin Queue cleanup Plugin RapidDeploy Plugin --- Key Vulnerabilities 1. CSRF Protection Bypass CVE: [CVE-2020-2160] Severity: High Description: An extension point in Jenkins allowed attackers to bypass CSRF protection for any target URL in Jenkins 2.227 and earlier. 2. Stored XSS in Label Expressions CVE: [CVE-2020-2161] Severity: Medium Description: Form validation for label expressions did not properly escape label names in Jenkins 2.227 and earlier. 3. Stored XSS in File Parameters CVE: [CVE-2020-2162] Severity: Medium Description: Jenkins 2.227 and earlier served files uploaded as file parameters without proper Content-Security-Policy headers. 4. Stored XSS in List View Columns CVE: [CVE-2020-2163] Severity: Medium Description: Jenkins 2.227 and earlier processed HTML embedded in list view column headers without escaping. 5. Plain Text Password Storage in Artifactory Plugin CVE: [CVE-2020-2164] Severity: Low Description: Artifactory Plugin 3.5.0 and earlier stored Artifactory server password in plain text. 6. Plain Text Password Transmission in Artifactory Plugin CVE: [CVE-2020-2165] Severity: Low Description: Artifactory Plugin transmitted passwords in plain text during configuration. 7. RCE in Pipeline: AWS Steps Plugin CVE: [CVE-2020-2166] Severity: High Description: Pipeline: AWS Steps Plugin did not properly configure its YAML parser, leading to arbitrary type instantiation. 8. RCE in OpenShift Pipeline Plugin CVE: [CVE-2020-2167] Severity: High Description: OpenShift Pipeline Plugin did not properly configure its YAML parser, leading to arbitrary type instantiation. 9. RCE in Azure Container Service Plugin CVE: [CVE-2020-2168] Severity: High Description: Azure Container Service Plugin did not properly configure its YAML parser, leading to arbitrary type instantiation. 10. Reflected XSS in Queue Cleanup Plugin CVE: [CVE-2020-2169] Severity: Medium Description: Queue cleanup Plugin did not escape query parameters in error messages. --- Fixed Versions Jenkins weekly: 2.228 Jenkins LTS: 2.204.6 or 2.222.1 Artifactory Plugin: 3.6.1 Azure Container Service Plugin: 1.0.2 OpenShift Pipeline Plugin: 1.0.57 Pipeline: AWS Steps Plugin: 1.41 Queue cleanup Plugin: 1.4 RapidDeploy Plugin: 4.2.1 --- Credits Daniel Beck, CloudBees, Inc. Daniel Kalinowski of ISEC.pl Research Team James Holderness, IB Boost, and ethorsa Nick Colisson from Gemini Trust Company, LLC. Phu X. Mai, University of Luxembourg Wadick Follonier, CloudBees, Inc.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: RCE/XSS/CSRF Vulnerabilities in Core and Plugins (CVE-2020-2160 to 2167)