Jenkins Security Advisory 2019-04-03

This advisory announces vulnerabilities in the Jenkins plugins listed under Affected Versions below.

Descriptions

IRC Plugin stores credentials in plain text

SECURITY-829 / CVE-2019-1003051
Severity (CVSS): Low
Affected plugin: ircbot
Description:

IRC Plugin stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

AWS Elastic Beanstalk Publisher Plugin stores credentials in plain text

SECURITY-831 / CVE-2019-1003052
Severity (CVSS): Low
Affected plugin: aws-beanstalk-publisher-plugin
Description:

AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

HockeyApp Plugin stores credentials in plain text

SECURITY-839 / CVE-2019-1003053
Severity (CVSS): Medium
Affected plugin: hockeyapp
Description:

HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Jira Issue Updater Plugin stores credentials in plain text

SECURITY-837 / CVE-2019-1003054
Severity (CVSS): Medium
Affected plugin: jenkins-jira-issue-updater
Description:

Jira Issue Updater Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

FTP publisher Plugin stores credentials in plain text

SECURITY-954 / CVE-2019-1003055
Severity (CVSS): Low
Affected plugin: ftppublisher
Description:

FTP publisher Plugin stores credentials unencrypted in its global configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

WebSphere Deployer Plugin stores credentials in plain text

SECURITY-956 / CVE-2019-1003056
Severity (CVSS): Medium
Affected plugin: websphere-deployer
Description:

WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Bitbucket Approve Plugin stores credentials in plain text

SECURITY-965 / CVE-2019-1003057
Severity (CVSS): Low
Affected plugin: bitbucket-approve
Description:

Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in FTP publisher Plugin allow connecting to arbitrary FTP servers

SECURITY-974 / CVE-2019-1003058 (CSRF) and CVE-2019-1003059 (permission check)
Severity (CVSS): Medium
Affected plugin: ftppublisher
Description:

A missing permission check in a form validation method in FTP publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified FTP server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Official OWASP ZAP Plugin stores credentials in plain text

SECURITY-1041 / CVE-2019-1003060
Severity (CVSS): Low
Affected plugin: zap
Description:

Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CloudFormation Plugin stores credentials in plain text

SECURITY-1042 / CVE-2019-1003061
Severity (CVSS): Medium
Affected plugin: jenkins-cloudformation-plugin
Description:

CloudFormation Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

AWS CloudWatch Logs Publisher Plugin stores credentials in plain text

SECURITY-830 / CVE-2019-1003062
Severity (CVSS): Low
Affected plugin: aws-cloudwatch-logs-publisher
Description:

AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Amazon SNS Build Notifier Plugin stores credentials in plain text

SECURITY-832 / CVE-2019-1003063
Severity (CVSS): Low
Affected plugin: snsnotify
Description:

Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

aws-device-farm Plugin stores credentials in plain text

SECURITY-835 / CVE-2019-1003064
Severity (CVSS): Low
Affected plugin: aws-device-farm
Description:

aws-device-farm Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CloudShare Docker-Machine Plugin stores credentials in plain text

SECURITY-838 / CVE-2019-1003065
Severity (CVSS): Low
Affected plugin: cloudshare-docker
Description:

CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Bugzilla Plugin stores credentials in plain text

SECURITY-841 / CVE-2019-1003066
Severity (CVSS): Medium
Affected plugin: bugzilla
Description:

Bugzilla Plugin stores credentials unencrypted in its global configuration file hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Trac Publisher Plugin stores credentials in plain text

SECURITY-842 / CVE-2019-1003067
Severity (CVSS): Medium
Affected plugin: trac-publisher-plugin
Description:

Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

VMware vRealize Automation Plugin stores credentials in plain text

SECURITY-945 / CVE-2019-1003068
Severity (CVSS): Medium
Affected plugin: vmware-vrealize-automation-plugin
Description:

VMware vRealize Automation Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Aqua Security Scanner Plugin stores credentials in plain text

SECURITY-949 / CVE-2019-1003069
Severity (CVSS): Low
Affected plugin: aqua-security-scanner
Description:

Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

veracode-scanner Plugin stores credentials in plain text

SECURITY-952 / CVE-2019-1003070
Severity (CVSS): Low
Affected plugin: veracode-scanner
Description:

veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Octopus Deploy Plugin stores credentials in plain text

SECURITY-957 / CVE-2019-1003071
Severity (CVSS): Low
Affected plugin: octopusdeploy
Description:

Octopus Deploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

WildFly Deployer Plugin stores credentials in plain text

SECURITY-961 / CVE-2019-1003072
Severity (CVSS): Medium
Affected plugin: wildfly-deployer
Description:

WildFly Deployer Plugin stores deployment credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

VS Team Services Continuous Deployment Plugin stores credentials in plain text

SECURITY-962 / CVE-2019-1003073
Severity (CVSS): Medium
Affected plugin: vsts-cd
Description:

VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Hyper.sh Commons Plugin stores credentials in plain text

SECURITY-964 / CVE-2019-1003074
Severity (CVSS): Low
Affected plugin: hyper-commons
Description:

Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Audit to Database Plugin stores credentials in plain text

SECURITY-966 / CVE-2019-1003075
Severity (CVSS): Low
Affected plugin: audit2db
Description:

Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in Audit to Database Plugin allow connecting to arbitrary databases

SECURITY-977 / CVE-2019-1003076 (CSRF) and CVE-2019-1003077 (permission check)
Severity (CVSS): Medium
Affected plugin: audit2db
Description:

A missing permission check in a form validation method in Audit to Database Plugin allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in VMware Lab Manager Slaves Plugin

SECURITY-979 / CVE-2019-1003078 (CSRF) and CVE-2019-1003079 (permission check)
Severity (CVSS): Medium
Affected plugin: labmanager
Description:

A missing permission check in a form validation method in VMware Lab Manager Slaves Plugin allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in OpenShift Deployer Plugin

SECURITY-981 / CVE-2019-1003080 (CSRF) and CVE-2019-1003081 (permission check)
Severity (CVSS): Medium
Affected plugin: openshift-deployer
Description:

A missing permission check in a form validation method in OpenShift Deployer Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Gearman Plugin

SECURITY-991 / CVE-2019-1003082 (CSRF) and CVE-2019-1003083 (permission check)
Severity (CVSS): Medium
Affected plugin: gearman-plugin
Description:

A missing permission check in a form validation method in Gearman Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Zephyr Enterprise Test Management Plugin allow SSRF

SECURITY-993 / CVE-2019-1003084 (CSRF) and CVE-2019-1003085 (permission check)
Severity (CVSS): Medium
Affected plugin: zephyr-enterprise-test-management
Description:

A missing permission check in a form validation method in Zephyr Enterprise Test Management Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in sinatra-chef-builder Plugin allow SSRF

SECURITY-1037 / CVE-2019-1003086 (CSRF) and CVE-2019-1003087 (permission check)
Severity (CVSS): Medium
Affected plugin: sinatra-chef-builder
Description:

A missing permission check in a form validation method in sinatra-chef-builder Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

fabric-beta-publisher Plugin stores credentials in plain text

SECURITY-1043 / CVE-2019-1003088
Severity (CVSS): Medium
Affected plugin: fabric-beta-publisher
Description:

fabric-beta-publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Upload to pgyer Plugin stores credentials in plain text

SECURITY-1044 / CVE-2019-1003089
Severity (CVSS): Medium
Affected plugin: upload-pgyer
Description:

Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in SOASTA CloudTest Plugin allow SSRF

SECURITY-1054 / CVE-2019-1003090 (CSRF) and CVE-2019-1003091 (permission check)
Severity (CVSS): Medium
Affected plugin: cloudtest
Description:

A missing permission check in a form validation method in SOASTA CloudTest Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Nomad Plugin allow SSRF

SECURITY-1058 / CVE-2019-1003092 (CSRF) and CVE-2019-1003093 (permission check)
Severity (CVSS): Medium
Affected plugin: nomad
Description:

A missing permission check in a form validation method in Nomad Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Open STF Plugin stores credentials in plain text

SECURITY-1059 / CVE-2019-1003094
Severity (CVSS): Low
Affected plugin: open-stf
Description:

Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Perfecto Mobile Plugin stores credentials in plain text

SECURITY-1061 / CVE-2019-1003095
Severity (CVSS): Low
Affected plugin: perfectomobile
Description:

Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

TestFairy Plugin stores credentials in plain text

SECURITY-1062 / CVE-2019-1003096
Severity (CVSS): Medium
Affected plugin: TestFairy
Description:

TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Crowd Integration Plugin stores credentials in plain text

SECURITY-1069 / CVE-2019-1003097
Severity (CVSS): Low
Affected plugin: crowd
Description:

Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in OpenID Plugin allow SSRF

SECURITY-1084 / CVE-2019-1003098 (CSRF) and CVE-2019-1003099 (permission check)
Severity (CVSS): Medium
Affected plugin: openid
Description:

A missing permission check in a form validation method in OpenID Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

starteam Plugin stores credentials in plain text

SECURITY-1085 / CVE-2019-10277
Severity (CVSS): Medium
Affected plugin: starteam
Description:

starteam Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in jenkins-reviewbot Plugin allow SSRF

SECURITY-1091 / CVE-2019-10278 (CSRF) and CVE-2019-10279 (permission check)
Severity (CVSS): Medium
Affected plugin: jenkins-reviewbot
Description:

A missing permission check in a form validation method in jenkins-reviewbot Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Assembla Auth Plugin stores credentials in plain text

SECURITY-1093 / CVE-2019-10280
Severity (CVSS): Low
Affected plugin: assembla-auth
Description:

Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Relution Enterprise Appstore Publisher Plugin stores credentials in plain text

SECURITY-828 / CVE-2019-10281
Severity (CVSS): Low
Affected plugin: relution-publisher
Description:

Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Klaros-Testmanagement Plugin stores credentials in plain text

SECURITY-843 / CVE-2019-10282
Severity (CVSS): Medium
Affected plugin: klaros-testmanagement
Description:

Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

mabl Plugin stores credentials in plain text

SECURITY-946 / CVE-2019-10283
Severity (CVSS): Medium
Affected plugin: mabl-integration
Description:

mabl Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Diawi Upload Plugin stores credentials in plain text

SECURITY-947 / CVE-2019-10284
Severity (CVSS): Medium
Affected plugin: diawi-upload
Description:

Diawi Upload Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Minio Storage Plugin stores credentials in plain text

SECURITY-955 / CVE-2019-10285
Severity (CVSS): Low
Affected plugin: minio-storage
Description:

Minio Storage Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

DeployHub Plugin stores credentials in plain text

SECURITY-959 / CVE-2019-10286
Severity (CVSS): Medium
Affected plugin: deployhub
Description:

DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

youtrack-plugin Plugin stored credentials in plain text

SECURITY-963 / CVE-2019-10287
Severity (CVSS): Low
Affected plugin: youtrack-plugin
Description:

youtrack-plugin Plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

youtrack-plugin Plugin now stores credentials encrypted.

Jabber Server Plugin stores credentials in plain text

SECURITY-1031 / CVE-2019-10288
Severity (CVSS): Low
Affected plugin: jabber-server-plugin
Description:

Jabber Server Plugin stores credentials unencrypted in its global configuration file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in Netsparker Enterprise Scan Plugin allowed SSRF

SECURITY-1032 / CVE-2019-10289 (CSRF) and CVE-2019-10290 (permission check)
Severity (CVSS): Medium
Affected plugin: netsparker-cloud-scan
Description:

A missing permission check in a form validation method in Netsparker Enterprise Scan Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token.

Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.

The form validation method now performs a permission check for Overall/Administer and requires that requests be sent via POST.

Netsparker Enterprise Scan Plugin stored credentials in plain text

SECURITY-1040 / CVE-2019-10291
Severity (CVSS): Low
Affected plugin: netsparker-cloud-scan
Description:

Netsparker Enterprise Scan Plugin stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins controller. These API tokens could be viewed by users with access to the Jenkins controller file system.

Netsparker Enterprise Scan Plugin now stores API tokens encrypted.

CSRF vulnerability and missing permission check in kmap-jenkins Plugin allow SSRF

SECURITY-1055 / CVE-2019-10292 (CSRF) and CVE-2019-10293 (permission check)
Severity (CVSS): Medium
Affected plugin: kmap-jenkins
Description:

A missing permission check in a form validation method in kmap-jenkins Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
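Every "CSRF vulnerability and missing permission check" entry in this advisory (SECURITY-974, 977, 979, 981, 991, 993, 1032, 1037, 1054, 1055, 1058, 1084 and 1091) has the same shape, and the Netsparker entry above states the remedy: a permission check for Overall/Administer plus a POST requirement. The following is an added example written for this page, not code from any of the plugins listed; the package, class name, parameter names and the target service are assumptions. It shows a connection-test method in the form the affected plugins expose it, next to the hardened form.

```java
package org.example.jenkins;

import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Added example for this advisory; not code from any listed plugin. Names are assumptions. */
@Extension
public class ConnectionTestExample extends GlobalConfiguration {

    /*
     * Vulnerable shape, matching the entries above. Stapler exposes descriptor methods
     * named do* at /descriptorByName/org.example.jenkins.ConnectionTestExample/testConnectionInsecure
     * for GET as well as POST, to any user with Overall/Read. So:
     *   - a low-privileged user can make the controller connect to a server they
     *     control, with a token of their choosing (the "permission check" CVE), and
     *   - a GET link on a third-party page does the same inside an admin's session
     *     (the CSRF CVE), because the crumb check applies to POST, not GET.
     * Shown for contrast only; do not ship a method like this.
     */
    public FormValidation doTestConnectionInsecure(@QueryParameter String url,
                                                   @QueryParameter String apiToken) {
        return probe(url, apiToken);
    }

    /*
     * Hardened shape, which is what the Netsparker 1.1.6 fix describes:
     * POST only (so the CSRF crumb is required) and Overall/Administer only.
     */
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter Secret apiToken) {
        // Throws AccessDeniedException for anyone without Overall/Administer.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(url, Secret.toString(apiToken));
    }

    // Shared connection test. Hypothetical service: any HTTPS endpoint that answers
    // 200 to an authenticated GET.
    private static FormValidation probe(String url, String token) {
        if (url == null || !url.startsWith("https://")) {
            return FormValidation.error("URL must start with https://");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("GET");
            conn.setRequestProperty("Authorization", "Bearer " + token);
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            int status = conn.getResponseCode();
            return status == 200
                    ? FormValidation.ok("Connected to " + url)
                    : FormValidation.error("Unexpected HTTP status " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The config.jelly side binds the button with <f:validateButton title="Test connection" method="testConnection" with="url,apiToken"/>, which submits via POST. With @RequirePOST, Stapler refuses GET requests to the method, so a link or image tag on another site can no longer trigger the connection test in a victim's browser session, and the POST it does accept is subject to the crumb check when CSRF protection is enabled (the default on Jenkins 2). The checkPermission call is the separate half of the fix: without it, a logged-in user with only Overall/Read can still submit a well-formed POST themselves and make the controller connect to a server of their choosing, which is why the advisory assigns two CVEs per entry.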

kmap-jenkins Plugin stores credentials in plain text

SECURITY-1056 / CVE-2019-10294
Severity (CVSS): Medium
Affected plugin: kmap-jenkins
Description:

kmap-jenkins Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

crittercism-dsym Plugin stores API key in plain text

SECURITY-1063 / CVE-2019-10295
Severity (CVSS): Medium
Affected plugin: crittercism-dsym
Description:

crittercism-dsym Plugin stores its API key unencrypted in job config.xml files on the Jenkins controller. This API key can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Serena SRA Deploy Plugin stores credentials in plain text

SECURITY-1066 / CVE-2019-10296
Severity (CVSS): Low
Affected plugin: sra-deploy
Description:

Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Sametime Plugin stores credentials in plain text

SECURITY-1090 / CVE-2019-10297
Severity (CVSS): Low
Affected plugin: sametime
Description:

Sametime Plugin stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Koji Plugin stores credentials in plain text

SECURITY-1092 / CVE-2019-10298
Severity (CVSS): Low
Affected plugin: koji
Description:

Koji Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CloudCoreo DeployTime Plugin stores credentials in plain text

SECURITY-960 / CVE-2019-10299
Severity (CVSS): Low
Affected plugin: cloudcoreo-deploytime
Description:

CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.
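All of the "stores credentials in plain text" entries above arise from the same coding pattern: the plugin keeps a password or token in a plain String field, and Jenkins' XStream serialisation writes that field to the global configuration XML file or to the job's config.xml exactly as typed. The fixed youtrack-plugin and Netsparker releases replace that field type with hudson.util.Secret, which is serialised in encrypted form. The following is an added example written for this page, not code from any plugin named in the advisory; the package, class names, field names and display name are assumptions. It covers both storage locations the advisory distinguishes: a global configuration (one XML file per descriptor in JENKINS_HOME) and a build step (persisted in each job's config.xml, readable with Extended Read).

```java
package org.example.jenkins;

import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.tasks.SimpleBuildStep;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

import java.io.IOException;

/** Added example for this advisory; not code from any listed plugin. Names are assumptions. */
public final class SecretStorageExample {

    /*
     * Global configuration. Jenkins persists this descriptor to
     * $JENKINS_HOME/org.example.jenkins.SecretStorageExample$ServiceConfig.xml,
     * the same kind of file the "global configuration file ...xml" entries refer to.
     */
    @Extension
    public static class ServiceConfig extends GlobalConfiguration {
        private String url;

        // Vulnerable shape, as in the affected plugins:
        //     private String password;   // serialised as <password>hunter2</password>
        // Fixed shape: Secret is serialised through its encrypted value,
        //     <password>{AQAAABAAAA...}</password>
        private Secret password;

        public ServiceConfig() {
            load();   // read the XML file on startup
        }

        public String getUrl() { return url; }

        // Handed to config.jelly as the encrypted value, so the plaintext never travels
        // back to the browser; bind it there with <f:password field="password"/>.
        public Secret getPassword() { return password; }

        @DataBoundSetter
        public void setUrl(String url) { this.url = url; save(); }

        // Stapler converts the submitted form value to Secret (Secret.fromString).
        @DataBoundSetter
        public void setPassword(Secret password) { this.password = password; save(); }
    }

    /*
     * Build step. Its fields land in each job's config.xml, which anyone with
     * Extended Read on the job can fetch, hence the Medium severity of those entries.
     */
    public static class UploadStep extends Builder implements SimpleBuildStep {
        private final String endpoint;
        private final Secret apiToken;   // a String here is the vulnerable variant

        @DataBoundConstructor
        public UploadStep(String endpoint, Secret apiToken) {
            this.endpoint = endpoint;
            this.apiToken = apiToken;
        }

        public String getEndpoint() { return endpoint; }
        public Secret getApiToken() { return apiToken; }

        @Override
        public void perform(Run<?, ?> run, FilePath workspace, Launcher launcher,
                            TaskListener listener) throws InterruptedException, IOException {
            // Decrypt only at the point of use and never write the value to the build log.
            String token = Secret.toString(apiToken);
            listener.getLogger().println("Uploading to " + endpoint
                    + " (token length " + token.length() + ")");
            // ... perform the upload with `token` ...
        }

        @Extension
        public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
            @Override
            public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

            @Override
            public String getDisplayName() { return "Example upload (Secret demo)"; }
        }
    }
}
```

Two caveats. First, Secret encrypts with a key kept under $JENKINS_HOME/secrets, so it protects against readers of the configuration files and of config.xml via Extended Read, not against anyone who can read the secrets directory as well; that is the boundary the advisory's severities assume. Second, for the plugins in this advisory that have no fixed release, the credentials they hold should be treated as exposed to every user with Extended Read (job-level entries) or controller file-system access (global entries): rotate them and restrict those permissions until a fix is available.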

Affected Versions

  • Amazon SNS Build Notifier Plugin up to and including 1.13
  • Aqua Security Scanner Plugin up to and including 3.0.15
  • Assembla Auth Plugin up to and including 1.11
  • Audit to Database Plugin up to and including 0.5
  • AWS CloudWatch Logs Publisher Plugin up to and including 1.2.0
  • AWS Elastic Beanstalk Publisher Plugin up to and including 1.7.4
  • aws-device-farm Plugin up to and including 1.25
  • Bitbucket Approve Plugin up to and including 1.0.3
  • Bugzilla Plugin up to and including 1.5
  • CloudCoreo DeployTime Plugin up to and including 0.2.3
  • CloudFormation Plugin up to and including 1.2
  • CloudShare Docker-Machine Plugin up to and including 1.1.0
  • crittercism-dsym Plugin up to and including 1.1
  • Crowd Integration Plugin up to and including 1.2
  • DeployHub Plugin up to and including 8.0.13
  • Diawi Upload Plugin up to and including 1.4
  • fabric-beta-publisher Plugin up to and including 2.1
  • FTP publisher Plugin up to and including 1.2
  • Gearman Plugin up to and including 0.2.0
  • HockeyApp Plugin up to and including 1.4.0
  • Hyper.sh Commons Plugin up to and including 0.1.5
  • IRC Plugin up to and including 2.3
  • Jabber Server Plugin up to and including 1.9
  • jenkins-reviewbot Plugin up to and including 2.4.6
  • Jira Issue Updater Plugin up to and including 1.18
  • Klaros-Testmanagement Plugin up to and including 2.0.0
  • kmap-jenkins Plugin up to and including 1.6
  • Koji Plugin up to and including 0.3
  • mabl Plugin up to and including 0.0.12
  • Minio Storage Plugin up to and including 0.0.3
  • Netsparker Enterprise Scan Plugin up to and including 1.1.5
  • Nomad Plugin up to and including 0.4
  • Octopus Deploy Plugin up to and including 1.9.0
  • Official OWASP ZAP Plugin up to and including 1.1.0
  • Open STF Plugin up to and including 1.0.9
  • OpenID Plugin up to and including 2.3
  • OpenShift Deployer Plugin up to and including 1.2.0
  • perfectomobile Plugin up to and including 2.62.0.3
  • Relution Enterprise Appstore Publisher Plugin up to and including 1.24
  • Sametime Plugin up to and including 0.4
  • Serena SRA Deploy Plugin up to and including 1.4.2.4
  • sinatra-chef-builder Plugin up to and including 1.2
  • SOASTA CloudTest Plugin up to and including 2.25
  • starteam Plugin up to and including 0.6.13
  • TestFairy Plugin up to and including 4.16
  • Trac Publisher Plugin up to and including 1.3
  • Upload to pgyer Plugin up to and including 1.31
  • veracode-scanner Plugin up to and including 1.6
  • VMware Lab Manager Slaves Plugin up to and including 0.2.8
  • VMware vRealize Automation Plugin up to and including 1.2.3
  • VS Team Services Continuous Deployment Plugin up to and including 1.3
  • WebSphere Deployer Plugin up to and including 1.6.1
  • WildFly Deployer Plugin up to and including 1.0.2
  • youtrack-plugin Plugin up to and including 0.7.1
  • Zephyr Enterprise Test Management Plugin up to and including 1.6

Fix

  • Netsparker Enterprise Scan Plugin should be updated to version 1.1.6
  • youtrack-plugin Plugin should be updated to version 0.7.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Amazon SNS Build Notifier Plugin
  • Aqua Security Scanner Plugin
  • Assembla Auth Plugin
  • Audit to Database Plugin
  • AWS CloudWatch Logs Publisher Plugin
  • AWS Elastic Beanstalk Publisher Plugin
  • aws-device-farm Plugin
  • Bitbucket Approve Plugin
  • Bugzilla Plugin
  • CloudCoreo DeployTime Plugin
  • CloudFormation Plugin
  • CloudShare Docker-Machine Plugin
  • crittercism-dsym Plugin
  • Crowd Integration Plugin
  • DeployHub Plugin
  • Diawi Upload Plugin
  • fabric-beta-publisher Plugin
  • FTP publisher Plugin
  • Gearman Plugin
  • HockeyApp Plugin
  • Hyper.sh Commons Plugin
  • IRC Plugin
  • Jabber Server Plugin
  • jenkins-reviewbot Plugin
  • Jira Issue Updater Plugin
  • Klaros-Testmanagement Plugin
  • kmap-jenkins Plugin
  • Koji Plugin
  • mabl Plugin
  • Minio Storage Plugin
  • Nomad Plugin
  • Octopus Deploy Plugin
  • Official OWASP ZAP Plugin
  • Open STF Plugin
  • OpenID Plugin
  • OpenShift Deployer Plugin
  • perfectomobile Plugin
  • Relution Enterprise Appstore Publisher Plugin
  • Sametime Plugin
  • Serena SRA Deploy Plugin
  • sinatra-chef-builder Plugin
  • SOASTA CloudTest Plugin
  • starteam Plugin
  • TestFairy Plugin
  • Trac Publisher Plugin
  • Upload to pgyer Plugin
  • veracode-scanner Plugin
  • VMware Lab Manager Slaves Plugin
  • VMware vRealize Automation Plugin
  • VS Team Services Continuous Deployment Plugin
  • WebSphere Deployer Plugin
  • WildFly Deployer Plugin
  • Zephyr Enterprise Test Management Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Viktor Gazdag for SECURITY-828, SECURITY-829, SECURITY-830, SECURITY-831, SECURITY-832, SECURITY-835, SECURITY-837, SECURITY-838, SECURITY-839, SECURITY-841, SECURITY-842, SECURITY-843, SECURITY-945, SECURITY-946, SECURITY-947, SECURITY-949, SECURITY-952, SECURITY-954, SECURITY-955, SECURITY-956, SECURITY-957, SECURITY-959, SECURITY-960, SECURITY-961, SECURITY-962, SECURITY-963, SECURITY-964, SECURITY-965, SECURITY-966, SECURITY-974, SECURITY-977, SECURITY-979, SECURITY-981, SECURITY-991, SECURITY-993, SECURITY-1031, SECURITY-1032, SECURITY-1037, SECURITY-1040, SECURITY-1041, SECURITY-1042, SECURITY-1043, SECURITY-1044, SECURITY-1054, SECURITY-1055, SECURITY-1056, SECURITY-1058, SECURITY-1059, SECURITY-1061, SECURITY-1062, SECURITY-1063, SECURITY-1066, SECURITY-1069, SECURITY-1084, SECURITY-1085, SECURITY-1090, SECURITY-1091, SECURITY-1092, SECURITY-1093