Jenkins Plugins: Multiple Security Vulnerabilities Advisory

Published 2020-02-14

Vulnerability IDs and Severity


CVE ID: CVE-2020-2116, Severity: High, CVSS score: not rated by the vendor

CVE ID: CVE-2020-2117, Severity: High, CVSS score: not rated by the vendor

CVE ID: CVE-2020-2109, Severity: High, CVSS score: not rated by the vendor

CVE ID: CVE-2020-2110, Severity: High, CVSS score: not rated by the vendor

CVE ID: CVE-2020-2121, Severity: High, CVSS score: not rated by the vendor

CVE ID: CVE-2020-2123, Severity: High, CVSS score: not rated by the vendor

CVE ID: CVE-2020-2120, Severity: High, CVSS score: not rated by the vendor

CVE ID: CVE-2020-2115, Severity: High, CVSS score: not rated by the vendor


Affected Versions


Applatix Plugin <= 1.1

Azure AD Plugin <= 1.1.2

BMC Release Package and Deployment Plugin <= 1.1

Brakeman Plugin <= 0.12

Debian Package Builder Plugin <= 1.6.11

DigitalOcean Plugin <= 1.1

Dynamic Extended Choice Parameter Plugin <= 1.0.1

Eagle Tester Plugin <= 1.0.9

ECX Copy Data Management Plugin <= 1.9

FitNesse Plugin <= 1.30

Git Parameter Plugin <= 0.9.11

Google Kubernetes Engine Plugin <= 0.8.0

Harvest SCM Plugin <= 0.5.1

NUnit Plugin <= 0.25

Parasoft Environment Manager Plugin <= 2.14

Pipeline GitHub Notify Step Plugin <= 1.0.4

Pipeline: Groovy Plugin <= 2.78

RadarGun Plugin <= 1.7

S3 publisher Plugin <= 0.11.4

Script Security Plugin <= 1.69

Subversion Plugin <= 2.13.0


Vulnerability Overview


Jenkins (originally Hudson) is an open-source, Java-based continuous integration tool whose main commercial backer is CloudBees (United States). It is mainly used to drive and monitor continuous software build, release and test jobs as well as scheduled tasks.


Jenkins has recently published an official security advisory: several Jenkins plugins contain multiple vulnerabilities, covering the following classes of issue: sandbox bypass, XSS, transmission of secrets in plain text, XXE, CSRF, missing permission checks, credential ID enumeration, RCE, and storage of passwords in plain text. The high-severity vulnerabilities are summarized below:


CSRF vulnerability and missing permission check in Pipeline GitHub Notify Step Plugin allow capturing credentials, CVE-2020-2116 (CSRF) / CVE-2020-2117 (missing permission check)


Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, thereby capturing the credentials stored in Jenkins.


Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability. Taken together, the two flaws mean the attacker does not even need an account with Overall/Read: a victim who has that permission and visits an attacker-controlled page can be made to trigger the validation endpoint with the attacker's URL and credential ID.


Sandbox bypass via default parameter expressions in Pipeline: Groovy Plugin, CVE-2020-2109


Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods. This allows attackers able to specify and run sandboxed pipelines to execute arbitrary code in the context of the Jenkins master JVM.


Sandbox bypass vulnerability in Script Security Plugin, CVE-2020-2110


Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST-transforming annotations such as @Grab to imports, or by using them inside other annotations. This affects both script execution (typically invoked from other plugins such as Pipeline) and the HTTP endpoints that provide sandboxed script validation.

Users with Overall/Read permission can use this vulnerability to bypass the sandbox protection and execute arbitrary code on the Jenkins master. Note that the validation endpoints are reachable without creating or running a job, so any user who can log in to Jenkins is in scope.


RCE vulnerability in Google Kubernetes Engine Plugin, CVE-2020-2121


Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to the Google Kubernetes Engine Plugin's build step.


RCE vulnerability in RadarGun Plugin, CVE-2020-2123


RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure the RadarGun Plugin's build step.
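Added example, not code from either plugin: the SnakeYAML misconfiguration behind both CVE-2020-2121 and CVE-2020-2123, beside the corrected form. The YAML input is constructed for the demonstration, and the tag !!java.io.File is chosen only because it shows an arbitrary JDK class being instantiated from parser input without doing anything harmful; an attacker picks a class whose constructor or setters have useful side effects. It assumes the SnakeYAML 1.x API (no-argument SafeConstructor), which is what Jenkins plugins shipped in 2020; SnakeYAML 2.x spells the same thing `new SafeConstructor(new LoaderOptions())`.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlParserHardening {

    // Constructed sample standing in for a user-supplied YAML input file. The global tag
    // asks the parser to build a java.io.File from the sequence that follows it.
    static final String TAGGED_INPUT = "name: !!java.io.File [\"/etc/passwd\"]\n";

    /** Weak: the default Yaml() honours !!fully.qualified.ClassName tags from the input. */
    public static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    /** Hardened: SafeConstructor only builds the standard YAML types (map, list, scalar). */
    public static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        Map<?, ?> doc = (Map<?, ?>) loadUnsafe(TAGGED_INPUT);
        // Prints java.io.File: a class named by the input was instantiated by the parser.
        System.out.println("default Yaml(): name -> " + doc.get("name").getClass().getName());

        try {
            loadSafe(TAGGED_INPUT);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (ConstructorException e) {
            // "could not determine a constructor for the tag tag:yaml.org,2002:java.io.File"
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

When reviewing a plugin, grep for `new Yaml(` with no constructor argument, or with `new Constructor(SomeBean.class)`; only SafeConstructor (or, in recent versions, a Constructor with a restrictive TagInspector) refuses arbitrary global tags.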


XXE vulnerability in FitNesse Plugin, CVE-2020-2120


FitNesse Plugin 1.30 and earlier does not configure its XML parser to prevent XML External Entity (XXE) attacks.


This allows a user able to control the input files for the FitNesse post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks.


XXE vulnerability in NUnit Plugin, CVE-2020-2115


NUnit Plugin 0.25 and earlier does not configure its XML parser to prevent XML External Entity (XXE) attacks.


This allows a user able to control the input files for the NUnit post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins master, server-side request forgery, or denial-of-service attacks. In practice that means anyone who can commit to a repository whose build publishes such reports, since the report file is produced on the agent and parsed on the master.
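Added example covering both the FitNesse and NUnit findings (not the plugins' own code): a JAXP DocumentBuilderFactory with its default settings beside one hardened against XXE, each run over a constructed test-results document whose DTD declares an external entity. The element names and the file path in the entity are made up for the demonstration; the feature URIs are the standard Xerces/SAX ones honoured by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XmlParserHardening {

    // Constructed sample: a "test report" whose DTD defines an external entity pointing at a
    // file on the machine doing the parsing (the Jenkins master, for a post-build step).
    static final String XXE_REPORT =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE results [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n" +
        "<results><test name=\"&xxe;\"/></results>\n";

    /** Weak: a factory with default settings resolves DTDs and expands external entities. */
    public static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /**
     * Hardened: refuse DOCTYPE declarations outright (report formats never need them), and
     * switch off external entity and DTD loading as defence in depth for parsers that
     * ignore the first feature.
     */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses the report and returns the first test's name attribute, as a plugin would. */
    public static String firstTestName(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("test").item(0)
                .getAttributes().getNamedItem("name").getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        try {
            // With the default factory the attribute now holds the contents of /etc/hostname.
            System.out.println("default factory: name=" + firstTestName(defaultFactory(), XXE_REPORT));
        } catch (Exception e) {
            // e.g. the file does not exist on this host; the parser still tried to read it.
            System.out.println("default factory tried to resolve the entity: " + e);
        }
        try {
            firstTestName(hardenedFactory(), XXE_REPORT);
            System.out.println("unexpected: hardened factory accepted the DOCTYPE");
        } catch (SAXException e) {
            // SAXParseException: DOCTYPE is disallowed when the feature ... set to true.
            System.out.println("hardened factory rejected the document: " + e.getMessage());
        }
    }
}
```

The same settings apply to SAXParserFactory and XMLInputFactory (for StAX, `XMLInputFactory.SUPPORT_DTD` set to false and `javax.xml.stream.isSupportingExternalEntities` set to false). Jenkins core also offers `jenkins.util.xml.XMLUtils.parse`, which applies equivalent hardening for plugins that prefer not to configure the factory themselves.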


Vulnerability Verification


No public PoC/exploit at the time of writing.


Remediation


Fixed releases are available for some of the affected plugins; see https://jenkins.io/security/advisory/2020-02-12/ for details. Please update the plugins promptly to the following versions:


Azure AD Plugin: update to 1.2.0

Brakeman Plugin: update to 0.13

FitNesse Plugin: update to 1.31

Git Parameter Plugin: update to 0.9.12

Google Kubernetes Engine Plugin: update to 0.8.1

NUnit Plugin: update to 0.26

Pipeline GitHub Notify Step Plugin: update to 1.0.5

Pipeline: Groovy Plugin: update to 2.79

RadarGun Plugin: update to 1.8

S3 publisher Plugin: update to 0.11.5

Script Security Plugin: update to 1.70

Subversion Plugin: update to 2.13.1


The following plugins had no fix available at the time of the advisory. Until one is released, consider uninstalling them or restricting who can configure the jobs that use them:


Applatix Plugin

BMC Release Package and Deployment Plugin

Debian Package Builder Plugin

DigitalOcean Plugin

Dynamic Extended Choice Parameter Plugin

Eagle Tester Plugin

ECX Copy Data Management Plugin

Harvest SCM Plugin

Parasoft Environment Manager Plugin


References


https://jenkins.io/security/advisory/2020-02-12/