Allele Security Alert
ASA-2019-00598
Identifier(s)
ASA-2019-00598, CVE-2019-10459, SECURITY-1628
Title
Stored webhook endpoint token in plain text
Vendor(s)
Jo Vandeginste
Eirik Wang
Product(s)
Jenkins Mattermost Notification Plugin
Affected version(s)
Jenkins Mattermost Notification Plugin versions before 2.7.1
Fixed version(s)
Jenkins Mattermost Notification Plugin version 2.7.1
Proof of concept
Unknown
Description
Mattermost allows the definition of incoming (from the perspective of the service) webhook URLs. These contain what is effectively a secret token as part of the URL.
Mattermost Notification Plugin stored these webhook URLs as part of its global configuration file jenkins.plugins.mattermost.MattermostNotifier.xml and job config.xml files on the Jenkins master. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the master file system.
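As an added defender-side check (not code from the plugin or this advisory), the Python script below sweeps a Jenkins home directory for the two file kinds named above and flags endpoint values that still hold a clear-text Mattermost webhook URL, separating them from values already stored in the Secret form introduced in 2.7.1. It assumes the plugin's XML element is named endpoint and that a Jenkins Secret serialises as base64 inside curly braces; both are assumptions, not facts from this page.

```python
# Added example for this advisory, not the plugin's own code. Assumptions: the
# plugin's XML element is named <endpoint> (the fix commit is titled "Change
# type of endpoint to Secret") and a Jenkins Secret serialises as base64 in braces.
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# A Mattermost incoming webhook URL carries the secret token as its last path segment.
WEBHOOK_RE = re.compile(r"https?://[^\s<>\"']+/hooks/[A-Za-z0-9]+")
# Jenkins Secret.toString() output, e.g. {AQAAABAAAA...} (assumption, see above).
SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

def classify_endpoint(value: str) -> str:
    """Return 'plaintext', 'encrypted' or 'unknown' for one stored endpoint value."""
    value = value.strip()
    if WEBHOOK_RE.search(value):
        return "plaintext"
    if SECRET_RE.match(value):
        return "encrypted"
    return "unknown"

def find_plaintext_endpoints(xml_text: str) -> list:
    """Return the clear-text webhook URLs found in one configuration file."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.iter()
            if e.tag == "endpoint" and e.text and classify_endpoint(e.text) == "plaintext"]

def scan_jenkins_home(home: Path) -> dict:
    """Map each job config.xml and the plugin's global XML to its clear-text hits."""
    candidates = list(home.rglob("config.xml"))
    candidates += home.glob("jenkins.plugins.mattermost.MattermostNotifier.xml")
    results = {}
    for path in candidates:
        try:
            hits = find_plaintext_endpoints(path.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not well-formed XML; skip rather than abort the sweep
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample job config: the token in clear, then as it looks after the fix.
SAMPLE_VULNERABLE = """<project><publishers>
  <jenkins.plugins.mattermost.MattermostNotifier>
    <endpoint>https://mm.example.invalid/hooks/abc123xyzTOKEN</endpoint>
  </jenkins.plugins.mattermost.MattermostNotifier>
</publishers></project>"""
SAMPLE_FIXED = SAMPLE_VULNERABLE.replace(
    "https://mm.example.invalid/hooks/abc123xyzTOKEN", "{AQAAABAAAAAwc2FtcGxlc2VjcmV0}")
```

Run scan_jenkins_home(Path("/var/lib/jenkins")) (or wherever JENKINS_HOME lives) after upgrading; a non-empty result means a job was not re-saved and its token is still readable by anyone with Extended Read or file-system access, so the webhook should be rotated in Mattermost as well.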
Technical details
Unknown
Credits
Wasin Saengow
Reference(s)
Jenkins Security Advisory 2019-10-23
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1628
oss-security – Multiple vulnerabilities in Jenkins plugins
https://www.openwall.com/lists/oss-security/2019/10/23/2
Jenkins security advisory
https://groups.google.com/d/msg/jenkinsci-advisories/KCv6eDsiV3Y/GNr0aDC3AQAJ
Jenkins Plugins
https://plugins.jenkins.io/mattermost
Change type of endpoint to Secret
https://github.com/jenkinsci/mattermost-plugin/commit/c6e509307812d93ba295a35dea95016f007de158
CVE-2019-10459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10459
CVE-2019-10459
https://nvd.nist.gov/vuln/detail/CVE-2019-10459
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: November 4, 2019