Jenkins Security Vulnerabilities

May 09, 2020 GMT+08:00

I. Overview

Jenkins has recently released fixes to nine vulnerabilities in five plug-ins. Attackers can exploit these vulnerabilities to remotely execute code, forge cross-site requests, and leak credentials.

Remote code execution (RCE) vulnerability (CVE-2020-2189) in SCM Filter Jervis Plugin: SCM Filter Jervis does not configure its YAML parser to restrict the types it may instantiate. This results in an RCE vulnerability exploitable by users able to configure jobs with the filter, or to control the contents of a previously configured job's SCM repository. The risk severity is high.

Secret leak vulnerabilities in Credentials Binding plug-in (CVE-2020-2181 and CVE-2020-2182).

Improper permission check vulnerability in Copy Artifact plug-in (CVE-2020-2183).

Cross-site request forgery vulnerability in CVS plug-in (CVE-2020-2184).

Vulnerabilities in Amazon EC2 plug-in (CVE-2020-2185, CVE-2020-2186, CVE-2020-2187, and CVE-2020-2188).

If you are a Jenkins user, check the versions of the plug-ins installed on your instance and apply the fixes promptly.

Reference link:

https://www.jenkins.io/security/advisory/2020-05-06/

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected Versions:

SCM Filter Jervis Plugin 0.2.1 and earlier

Credentials Binding Plugin 1.22 and earlier

Copy Artifact Plugin 1.43.1 and earlier

CVS Plugin 2.15 and earlier

Amazon EC2 Plugin 1.50.1 and earlier

Secure Versions:

SCM Filter Jervis Plugin 0.3

Credentials Binding Plugin 1.23

Copy Artifact Plugin 1.44

CVS Plugin 2.16

Amazon EC2 Plugin 1.50.2
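To make the version check in the overview concrete, the following script compares a Jenkins plug-in inventory against the secure versions listed above. It is an added example written for this notice, not code from Jenkins or from the notice's author. It assumes the inventory is the JSON returned by a Jenkins instance's plugin manager API (`/pluginManager/api/json?depth=1`), and the plug-in short names used as keys (`scm-filter-jervis`, `credentials-binding`, `copyartifact`, `cvs`, `ec2`) are this example's assumption about the plug-in ids. The sample inventory embedded below is constructed, not captured from a real instance.

```python
import json
import re
from typing import Dict, List, Tuple

# Secure versions from the table above, keyed by plug-in short name.
# The short names are this example's assumption about the plug-in ids;
# the display names and version numbers come from the notice.
SECURE_VERSIONS: Dict[str, Tuple[str, str]] = {
    "scm-filter-jervis":   ("SCM Filter Jervis Plugin", "0.3"),
    "credentials-binding": ("Credentials Binding Plugin", "1.23"),
    "copyartifact":        ("Copy Artifact Plugin", "1.44"),
    "cvs":                 ("CVS Plugin", "2.16"),
    "ec2":                 ("Amazon EC2 Plugin", "1.50.2"),
}

# Constructed sample of the plugin manager API response, trimmed to the
# fields this check needs. Not captured from a real Jenkins instance.
SAMPLE_PLUGIN_API_JSON = json.dumps({
    "plugins": [
        {"shortName": "credentials-binding", "version": "1.22", "active": True},
        {"shortName": "copyartifact", "version": "1.44", "active": True},
        {"shortName": "ec2", "version": "1.50.1-SNAPSHOT", "active": True},
        {"shortName": "cvs", "version": "2.16", "active": False},
        {"shortName": "git", "version": "4.2.2", "active": True},
    ]
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a plug-in version such as '1.50.1' into a comparable tuple.

    The leading dotted numeric part is padded to four components so that
    '1.50' and '1.50.0' compare equal. Anything after it ('-SNAPSHOT',
    '-rc1', ...) marks a pre-release, which sorts below the bare release,
    so a snapshot of the secure version is not reported as fixed.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    is_release = 0 if m.group(2) else 1
    return tuple(nums[:4]) + (is_release,)


def is_fixed(installed: str, secure: str) -> bool:
    """True when the installed version is the secure version or later."""
    return parse_version(installed) >= parse_version(secure)


def find_vulnerable_plugins(plugin_api_json: str) -> List[dict]:
    """Return the advisory-listed plug-ins installed below their secure version."""
    findings = []
    for plugin in json.loads(plugin_api_json)["plugins"]:
        short_name = plugin.get("shortName")
        if short_name not in SECURE_VERSIONS:
            continue  # not one of the five plug-ins in this notice
        display_name, secure = SECURE_VERSIONS[short_name]
        installed = plugin["version"]
        if not is_fixed(installed, secure):
            findings.append({
                "plugin": display_name,
                "shortName": short_name,
                "installed": installed,
                "secure": secure,
                # A disabled plug-in is still on disk; report it, but flag it.
                "active": bool(plugin.get("active", True)),
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_plugins(SAMPLE_PLUGIN_API_JSON):
        state = "" if f["active"] else " (disabled)"
        print(f'{f["plugin"]}{state}: installed {f["installed"]}, upgrade to {f["secure"]}')
```

On a real instance, save the output of `GET /pluginManager/api/json?depth=1` (authenticated with a user API token) to a file and pass its contents to `find_vulnerable_plugins`. Each finding names the plug-in, the installed version and the secure version to upgrade to, which is the list to work through in the handling steps below.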

IV. Vulnerability Handling

Jenkins has released plug-in versions that fix these vulnerabilities. Upgrade affected plug-ins to the secure versions listed above. The upgrade procedure is as follows:

1. Log in to the Jenkins dashboard. Click Manage Jenkins to access the admin panel, and then click Manage Plugins.

2. Select the plug-in to be upgraded and click Download now and install after restart to upgrade the plug-in.

Note: Before applying the fixes, back up your data and test the upgrade thoroughly.