Jenkins allows Remote Users to Obtain Sensitive Information from a Plugin Code
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
1.566 → fixed in 1.5830 → fixed in 1.565.3
Details
Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.
The fix
[FIXED SECURITY-155] Do not allow plugin code to be
core/src/main/java/hudson/Plugin.java+5 −0
@@ -42,6 +42,7 @@import com.thoughtworks.xstream.XStream;import java.net.URI;import java.net.URISyntaxException;+import org.kohsuke.stapler.HttpResponses;/*** Base class of Hudson plugin.@@ -200,6 +201,10 @@ public void configure(StaplerRequest req, JSONObject formData) throws IOExceptiopublic void doDynamic(StaplerRequest req, StaplerResponse rsp) throws IOException, ServletException {String path = req.getRestOfPath();+if (path.startsWith("/META-INF/") || path.startsWith("/WEB-INF/")) {+throw HttpResponses.notFound();+}+if(path.length()==0)path = "/";
test/src/test/java/hudson/PluginTest.java+3 −0
@@ -42,6 +42,9 @@ public class PluginTest {r.createWebClient().assertFails("plugin/credentials/images/%2E%2E/images/24x24/credentials.png", HttpServletResponse.SC_INTERNAL_SERVER_ERROR); // IAE from TokenList.<init>r.createWebClient().assertFails("plugin/credentials/images/%252E%252E/images/24x24/credentials.png", HttpServletResponse.SC_NOT_FOUND); // SECURITY-131r.createWebClient().assertFails("plugin/credentials/images/%25252E%25252E/images/24x24/credentials.png", HttpServletResponse.SC_NOT_FOUND); // just checking+// SECURITY-155:+r.createWebClient().assertFails("plugin/credentials/WEB-INF/licenses.xml", HttpServletResponse.SC_NOT_FOUND);+r.createWebClient().assertFails("plugin/credentials/META-INF/MANIFEST.MF", HttpServletResponse.SC_NOT_FOUND);}}
References
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2014-3667
- WEBhttps://github.com/jenkinsci/jenkins/commit/f0a29b562e14d837912c6b35fa4e81478563813a
- WEBhttps://access.redhat.com/errata/RHBA-2014:1630
- WEBhttps://access.redhat.com/errata/RHSA-2016:0070
- WEBhttps://access.redhat.com/security/cve/CVE-2014-3667
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1147770
- PACKAGEhttps://github.com/jenkinsci/jenkins
- WEBhttps://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01