Jenkins Plugins Multiple Security Vulnerabilities Risk Advisory
Published: 2020-01-17
Vulnerability IDs and severity
CVE ID: CVE-2020-2095, risk level: Medium, CVSS score: not officially rated
CVE ID: CVE-2020-2094, risk level: Medium, CVSS score: not officially rated
CVE ID: CVE-2020-2097, risk level: High, CVSS score: not officially rated
CVE ID: CVE-2020-2096, risk level: Medium, CVSS score: not officially rated
CVE ID: CVE-2020-2091, risk level: Low, CVSS score: not officially rated
CVE ID: CVE-2020-2090, risk level: Low, CVSS score: not officially rated
CVE ID: CVE-2020-2093, risk level: Medium, CVSS score: not officially rated
CVE ID: CVE-2020-2092, risk level: High, CVSS score: not officially rated
CVE ID: CVE-2020-2098, risk level: High, CVSS score: not officially rated
Affected versions
Amazon EC2 Plugin < 1.48
Robot Framework Plugin < 2.0.1
Health Advisor by CloudBees Plugin < 3.0.1
Redgate SQL Change Automation Plugin < 2.0.5
Gitlab Hook Plugin <= 1.4.2 (no fixed release at the time of publication)
Sounds Plugin <= 0.5 (no fixed release at the time of publication)
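To check an existing installation against the list above, here is an added example (not part of the original advisory and not Jenkins code) that reads a plugins.txt-style inventory, one `shortName:version` per line as used by the official Jenkins Docker image, and reports every plugin inside an affected range. The plugin short names (ec2, robot, cloudbees-jenkins-advisor, redgate-sql-ci, gitlab-hook, sounds) are assumed from the plugin site and are not stated on this page, so verify them against your update center before relying on the output. The sample inventory in main() is constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Checks a plugins.txt-style inventory ("shortName:version" per line) against the 2020-01-15 advisory. */
public class JenkinsAdvisoryCheck {

    /** One affected range: versions strictly below, or up to and including, {@code bound}. */
    static final class Affected {
        final String bound; final boolean inclusive; final String cves;
        Affected(String bound, boolean inclusive, String cves) {
            this.bound = bound; this.inclusive = inclusive; this.cves = cves;
        }
    }

    /** Ranges from the advisory, keyed by plugin short name (short names are assumptions, see lead-in). */
    static final Map<String, Affected> AFFECTED = new LinkedHashMap<>();
    static {
        AFFECTED.put("ec2",                       new Affected("1.48",  false, "CVE-2020-2090, CVE-2020-2091"));
        AFFECTED.put("robot",                     new Affected("2.0.1", false, "CVE-2020-2092"));
        AFFECTED.put("cloudbees-jenkins-advisor", new Affected("3.0.1", false, "CVE-2020-2093, CVE-2020-2094"));
        AFFECTED.put("redgate-sql-ci",            new Affected("2.0.5", false, "CVE-2020-2095"));
        AFFECTED.put("gitlab-hook",               new Affected("1.4.2", true,  "CVE-2020-2096, no fix released"));
        AFFECTED.put("sounds",                    new Affected("0.5",   true,  "CVE-2020-2097, CVE-2020-2098, no fix released"));
    }

    /** "48" -> 48, "1-beta" -> 1, non-numeric -> 0, so odd suffixes do not break the comparison. */
    static int parseLeadingInt(String s) {
        int i = 0;
        while (i < s.length() && Character.isDigit(s.charAt(i))) i++;
        return i == 0 ? 0 : Integer.parseInt(s.substring(0, i));
    }

    /** Compares dotted versions component-wise, padding with zeros: "3.0" < "3.0.1" < "1.48"? no: 1.48 < 3.0. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? parseLeadingInt(pa[i]) : 0;
            int y = i < pb.length ? parseLeadingInt(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** True when the installed version falls inside the advisory's range for that plugin. */
    static boolean isAffected(String shortName, String version) {
        Affected a = AFFECTED.get(shortName);
        if (a == null) return false;
        int c = compareVersions(version, a.bound);
        return a.inclusive ? c <= 0 : c < 0;
    }

    /** Returns one finding per affected plugin; comments and malformed lines are skipped. */
    static List<String> findings(List<String> inventoryLines) {
        List<String> out = new ArrayList<>();
        for (String line : inventoryLines) {
            String t = line.trim();
            int colon = t.indexOf(':');
            if (t.isEmpty() || t.startsWith("#") || colon < 0) continue;
            String name = t.substring(0, colon).trim();
            String ver = t.substring(colon + 1).trim();
            if (isAffected(name, ver)) {
                Affected a = AFFECTED.get(name);
                out.add(name + " " + ver + " is affected (" + a.cves + "); "
                        + (a.inclusive ? "disable the plugin" : "upgrade to " + a.bound + " or later"));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample inventory; the git line is a control that must not be reported.
        List<String> sample = Arrays.asList(
                "# shortName:version",
                "ec2:1.47",
                "robot:2.0.1",
                "cloudbees-jenkins-advisor:3.0",
                "gitlab-hook:1.4.2",
                "sounds:0.5",
                "git:4.0.0");
        for (String f : findings(sample)) System.out.println(f);
    }
}
```

With the sample above, ec2, cloudbees-jenkins-advisor, gitlab-hook and sounds are reported; robot 2.0.1 is the fixed release and is not. To produce real input, the script console line `Jenkins.instance.pluginManager.plugins.each { println "${it.shortName}:${it.version}" }` prints the installed plugins in exactly this format.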
Vulnerability overview
Jenkins is an open-source continuous integration tool written in Java. It automates repetitive build and test work and aims to provide an open, easy-to-use platform that makes continuous integration of software practical.
Jenkins has published security advisories covering 9 CVEs in 6 of its plugins. Details follow:
Amazon EC2 Plugin: CSRF vulnerability (CVE-2020-2090) and missing permission check (CVE-2020-2091)
Amazon EC2 Plugin 1.47 and earlier does not perform permission checks in the methods that implement form validation. In addition, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.
Robot Framework Plugin: XXE vulnerability (CVE-2020-2092)
Robot Framework Plugin 2.0.0 and earlier does not configure its XML parser to prevent XML External Entity (XXE) attacks, so a crafted test-result file processed by the plugin can make the Jenkins controller read local files or contact external systems.
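As an added illustration (not the Robot Framework plugin's own code), the following shows the parser configuration the entry above refers to: a `DocumentBuilderFactory` left at its defaults resolves the external entity in a hostile file, while the hardened factory refuses the DOCTYPE outright. The `<robot><status>` element names and the XXE payload are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeXmlParse {

    /** BEFORE: a factory at its defaults expands entities, including SYSTEM entities that read files. */
    static DocumentBuilder defaultBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** AFTER: refuse DOCTYPE declarations (which is where entities are declared) and every external fetch. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a result document and returns the text of its first <status> element. */
    static String firstStatus(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("status").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        String benign = "<robot><status>PASS</status></robot>";
        // Constructed XXE payload of the kind a malicious result file uploaded from an agent could carry.
        String xxe = "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                   + "<robot><status>&xxe;</status></robot>";

        System.out.println("hardened, benign input: " + firstStatus(hardenedBuilder(), benign));

        try {
            // On a Unix host this prints the contents of /etc/passwd: the parser did the attacker's file read.
            System.out.println("default parser leaked: " + firstStatus(defaultBuilder(), xxe));
        } catch (Exception e) {
            System.out.println("default parser: " + e.getMessage());
        }

        try {
            firstStatus(hardenedBuilder(), xxe);
        } catch (SAXException e) {
            // The hardened parser stops at the DOCTYPE before any entity is declared or resolved.
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

The first feature alone (`disallow-doctype-decl`) is what closes the hole; the remaining settings are defence in depth for parsers or builds where a DOCTYPE must be tolerated. The same feature URIs apply to `SAXParserFactory`.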
Health Advisor by CloudBees Plugin: CSRF vulnerability (CVE-2020-2093) and missing permission check (CVE-2020-2094)
Health Advisor by CloudBees Plugin 3.0 and earlier does not perform permission checks in the methods that implement form validation. In addition, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.
Redgate SQL Change Automation Plugin: credentials stored in plaintext (CVE-2020-2095)
Redgate SQL Change Automation Plugin 2.0.4 and earlier stores an unencrypted NuGet API key in job config.xml files as part of its configuration, so anyone with Extended Read permission on the job, or with access to the controller file system, can obtain the key.
Gitlab Hook Plugin: reflected XSS (CVE-2020-2096)
Gitlab Hook Plugin 1.4.2 and earlier does not escape the project name in its build_now endpoint.
Sounds Plugin: CSRF vulnerability (CVE-2020-2098) and missing permission check allowing OS command execution (CVE-2020-2097)
Sounds Plugin 0.5 and earlier does not perform permission checks in the URLs that implement form validation. Because the validated value is passed to an OS command, users with Overall/Read access can execute arbitrary OS commands on the Jenkins controller. In addition, these form validation URLs do not require POST requests, resulting in a CSRF vulnerability.
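The Amazon EC2, Health Advisor by CloudBees and Sounds entries above describe one defect class: a Stapler form-validation method (`doCheckXxx`/`doTestXxx`, reachable at `.../descriptorByName/<Class>/checkXxx` or `testXxx`) that neither checks permissions nor requires POST, so any user with Overall/Read, or any site a logged-in user visits, can invoke it. The following added example, which is not code from any of those plugins, shows a hypothetical `doTestEndpoint` validator in both forms. The field name `endpointUrl`, the class names and the HTTP probe are assumptions for illustration; the annotations and permission calls are the standard Jenkins/Stapler APIs, and the file compiles against jenkins-core and stapler as plugin code does.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/**
 * Illustrative form-validation endpoints for an assumed descriptor field "endpointUrl".
 * Stapler maps doTestEndpoint to the URL .../descriptorByName/<Class>/testEndpoint and
 * binds ?endpointUrl=... to the @QueryParameter argument. In a real plugin these
 * methods live on the Descriptor; they are grouped here so both forms sit side by side.
 */
public class FormValidationExample {

    /** Shared worker: the "validation" makes the controller connect to a user-supplied URL. */
    private static FormValidation probe(String endpointUrl) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(endpointUrl).openConnection();
            conn.setConnectTimeout(3000);
            conn.setReadTimeout(3000);
            conn.setRequestMethod("HEAD");
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Reachable (HTTP " + status + ")")
                    : FormValidation.error("Endpoint returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Cannot connect: " + e.getMessage());
        }
    }

    /** BEFORE: the pattern the advisory describes for all three plugins. */
    public static class Vulnerable {
        // No permission check and no POST requirement. A GET such as
        //   /descriptorByName/FormValidationExample$Vulnerable/testEndpoint?endpointUrl=http://10.0.0.5/
        // works for anyone with Overall/Read, and can be triggered cross-site from an <img> tag.
        public FormValidation doTestEndpoint(@QueryParameter String endpointUrl) {
            return probe(endpointUrl);
        }
    }

    /** AFTER: the fix Jenkins applies for this class of issue. */
    public static class Hardened {
        @POST   // Stapler answers GET with 405; POST must carry a crumb when CSRF protection is on
        public FormValidation doTestEndpoint(@AncestorInPath Item item,
                                             @QueryParameter String endpointUrl) {
            // Only a user who could configure the enclosing item (or administer Jenkins when the
            // call is made outside a job context) may make the controller run the probe.
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(endpointUrl);
        }
    }
}
```

Under the hardened form a GET is refused, a POST without a valid crumb is rejected when CSRF protection is enabled, and a caller lacking Item/Configure (or Overall/Administer outside a job) gets an AccessDeniedException before any network or OS activity happens. For the Sounds case, where the validated value reaches an OS command, the same two lines are what reduce "any Overall/Read user" to "users who could already edit the configuration".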
Vulnerability verification
No public PoC/exploit at the time of writing.
Remediation
The vendor has released updated plugin versions that fix these vulnerabilities, except for Gitlab Hook Plugin and Sounds Plugin, for which no fixed release is available; see https://jenkins.io/security/advisory/2020-01-15/#descriptions.
Mitigation: for plugins whose vulnerabilities have no fix yet, do not expose Jenkins to the Internet, keep Jenkins user accounts tightly managed, and disable the affected plugins unless they are required.
References
https://jenkins.io/security/advisory/2020-01-15/#descriptions

