Security context
MediumGHSA-5xm3-48v5-6h7v CVE-2014-3667CWE-200Published May 17, 2022

Jenkins allows Remote Users to Obtain Sensitive Information from a Plugin Code

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

1.566 → fixed in 1.5830 → fixed in 1.565.3

Details

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.

The fix

[FIXED SECURITY-155] Do not allow plugin code to be

Jesse Glick· Aug 22, 2014, 08:41 PM+80f0a29b562e
core/src/main/java/hudson/Plugin.java+5 0
@@ -42,6 +42,7 @@
import com.thoughtworks.xstream.XStream;
import java.net.URI;
import java.net.URISyntaxException;
+import org.kohsuke.stapler.HttpResponses;
/**
* Base class of Hudson plugin.
@@ -200,6 +201,10 @@ public void configure(StaplerRequest req, JSONObject formData) throws IOExceptio
public void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {
String path = req.getRestOfPath();
+ if (path.startsWith("/META-INF/") || path.startsWith("/WEB-INF/")) {
+ throw HttpResponses.notFound();
+ }
+
if(path.length()==0)
path = "/";
test/src/test/java/hudson/PluginTest.java+3 0
@@ -42,6 +42,9 @@ public class PluginTest {
r.createWebClient().assertFails("plugin/credentials/images/%2E%2E/images/24x24/credentials.png", HttpServletResponse.SC_INTERNAL_SERVER_ERROR); // IAE from TokenList.<init>
r.createWebClient().assertFails("plugin/credentials/images/%252E%252E/images/24x24/credentials.png", HttpServletResponse.SC_NOT_FOUND); // SECURITY-131
r.createWebClient().assertFails("plugin/credentials/images/%25252E%25252E/images/24x24/credentials.png", HttpServletResponse.SC_NOT_FOUND); // just checking
+ // SECURITY-155:
+ r.createWebClient().assertFails("plugin/credentials/WEB-INF/licenses.xml", HttpServletResponse.SC_NOT_FOUND);
+ r.createWebClient().assertFails("plugin/credentials/META-INF/MANIFEST.MF", HttpServletResponse.SC_NOT_FOUND);
}
}

References