Peter Adkins of Cisco Umbrella discovered these vulnerabilities.

Executive summary

Jenkins is an open-source automation server written in Java. There are several plugins that exist to integrate Jenkins with other pieces of software, such as GitLab. Today, Cisco Talos is disclosing vulnerabilities in three of these plugins: Swarm, Ansible and GitLab. All three of these are information disclosure vulnerabilities that could allow an attacker to trick the plugin into disclosing credentials from the Jenkins credential database to a server that they control.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Jenkins and the associated companies to ensure that these issues are resolved and that updates are available for affected customers.

Vulnerability details

UPDATE (June 4, 2019): Jenkins Artifactory Plugin fillCredentialsIdItems information disclosure vulnerability (TALOS-2018-0846/CVE-2019-10323)

Talos is disclosing another vulnerability in the Artifactory plugin for Jenkins. An exploitable information disclosure vulnerability exists in the fillCredentialsIdItems endpoint of the Jenkins Artifactory Plugin 3.2.0 and 3.2.1. As a result of this vulnerability a crafted HTTP request from a user with Overall/Read permissions — such as an anonymous user, if enabled — can cause affected versions of this plugin to disclose credential identifiers from the Jenkins credentials database.

Read the complete vulnerability advisory here for additional information.

Original post:

Jenkins Swarm Plugin XML external entities information disclosure vulnerability  (TALOS-2018-0783/CVE-2019-5022)

The Jenkins Self-Organizing Swarm Modules Plugin, version 3.14, contains a trivial XXE (XML External Entities) vulnerability inside of the `getCandidateFromDatagramResponses()` method. As a result of this issue, it is possible for an attacker on the same network as a Swarm client to read arbitrary files from the system by responding to the UDP discovery requests with a specially crafted response.

Read the complete vulnerability advisory here for additional information.

Jenkins Ansible Tower Plugin information disclosure vulnerability (TALOS-2018-0786/CVE-2019-5025)

An exploitable information disclosure vulnerability exists in the `testTowerConnection` function of the Jenkins Ansible Tower Plugin 0.9.1. A specially crafted HTTP request from a user with Overall/Read permissions - such as an anonymous user, if enabled - can cause affected versions of this plugin to disclose credentials from the Jenkins credentials database to an attacker-controlled server. As this vulnerability is exploitable through HTTP GET request, this vulnerability may also be exploited via Cross-Site Request Forgery (CSRF). In addition to the above, if the responding server does not return properly formatted JSON document, the response will be reflected to the user as part of the reported error resulting in an HTTP GET only Server Side Request Forgery (SSRF).

This vulnerability is also present in the `fillTowerCredentialsIdItems` endpoint exposed by this plugin, which allows for the enumeration of credentials identifiers required for this attack to be successful.

Read the complete vulnerability advisory here for additional information.

Jenkins GitLab plugin information disclosure vulnerability (TALOS-2018-0788/CVE-2019-5027)

An exploitable information disclosure vulnerability exists in the `testConnection` function of the Jenkins GitLab Plugin 1.5.11. A specially crafted HTTP request from a user with Overall/Read permissions - such as an anonymous user, if enabled - can cause affected versions of this plugin to disclose credentials from the Jenkins credentials database to an attacker-controlled server. As this vulnerability is exploitable through HTTP GET request, this vulnerability may also be exploited via Cross-Site Request Forgery (CSRF).

In order for this attack to be successful, the attacker will need to know the credential ID of the credentials to disclose. This can be found through a number of ways, such as exposed build logs (read), access to the credential manager in the Jenkins UI (read), or through another vulnerable plugin which provides a `fillCredentialsIdItems` style endpoint.

Read the complete vulnerability advisory here for additional information.

Versions tested

Jenkins Ansible Tower Plugin, version 0.9.1, is affected by CVE-2019-5025. Jenkins Artifactory Plugin, versions 3.2.1 and 3.2.0 are affected by CVE-2019-5026. Jenkins GitLab Plugin, version 1.5.11, is affected by CVE-5027. Swarm-Client, version 3.14, is affected by CVE-2019-5022.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 49362, 49363, 49370 and 49373