Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:
- Credentials 2.1.19
- PAM Authentication 1.5.1
Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-05-21/
We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories
If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities
SECURITY-1316 / CVE-2019-10319
A missing permission check in PAM Authentication Plugin allowed users with
Overall/Read permission to invoke a form validation method to obtain
limited information about the file /etc/shadow on systems with that file
present, as well as the system user the Jenkins process is running as.
SECURITY-1322 / CVE-2019-10320
Credentials Plugin allowed the creation of Certificate credentials from a
PKCS#12 file on the Jenkins master. Users with permission to create or
update credentials could use the associated form validation to confirm the
existence of files with an attacker-specified path.
Additionally, they could create credentials from any valid PKCS#12 file on
the Jenkins master. With the ability to configure jobs to access these
credentials, they could obtain the certificate content.