Multiple vulnerabilities have been discovered in Jenkins plugins that could lead to information disclosure. The three affected plugins are Swarm, Ansible and GitLab.
Jenkins is an open source automation server written in Java and helps automate the software development process and better enable continuous integration. The Jenkins plugins allow Jenkins to integrate with other software such as GitLab, which is used as a web-based DevOps lifecycle tool.
According to Cisco’s Talos security team, each of the three information disclosure vulnerabilities could allow an attacker to “trick the plugin into disclosing credentials from the Jenkins credential database to a server that they control.”
The three vulnerabilities are described below (along with link to security advisory and description summary).
Jenkins Swarm Plugin XML external entities information disclosure vulnerability (CVE-2019-10309):
“The Jenkins Self-Organizing Swarm Modules Plugin, version 3.14, contains a trivial XXE (XML External Entities) vulnerability inside of the getCandidateFromDatagramResponses() method. As a result of this issue, it is possible for an attacker on the same network as a Swarm client to read arbitrary files from the system by responding to the UDP discovery requests with a specially crafted response.”
The Swarm plugin bug CVSS score is rated 6.1 or Medium severity.
Jenkins Ansible Tower Plugin information disclosure vulnerability (CVE-2019-10310):
“An exploitable information disclosure vulnerability exists in the testTowerConnection function of the Jenkins Ansible Tower Plugin 0.9.1. A specially crafted HTTP request from a user with Overall/Read permissions – such as an anonymous user, if enabled – can cause affected versions of this plugin to disclose credentials from the Jenkins credentials database to an attacker-controlled server. As this vulnerability is exploitable through HTTP GET request, this vulnerability may also be exploited via Cross Site Request Forgery (CSRF). In addition to the above, if the responding server does not return properly formatted JSON document, the response will be reflected to the user as part of the reported error resulting in an HTTP GET only Server Side Request Forgery (SSRF).
“This vulnerability is also present in the fillTowerCredentialsIdItems endpoint exposed by this plugin, which allows for the enumeration of credentials identifiers required for this attack to be successful.”
The Ansible plugin bug CVSS score is rated 7.7 or High severity.
Jenkins GitLab Plugin Information Disclosure Vulnerability (CVE-2019-10300):
“An exploitable information disclosure vulnerability exists in the testConnection functionality of the Jenkins GitLab Plugin 1.5.11. A specially crafted HTTP request from a user with Overall/Read permissions – such as an anonymous user, if enabled – can cause affected versions of this plugin to disclose credentials from the Jenkins credentials database to an attacker controlled server. As this vulnerability is exploitable through HTTP GET request this vulnerability may also be exploited via Cross Site Request Forgery (CSRF).
“In order for this attack to be successful, the attacker will need to know the credentials id of the credentials to disclose. This can be found through a number of ways, such as exposed build logs (read), access to the credential manager in the Jenkins UI (read), or through another vulnerable plugin which provides a fillCredentialsIdItems style endpoint.”
The GitLab plugin bug CVSS score is rated 7.7 or High severity.
To read more about the threat, read the full Talos blog post.