Bug 1732346 (CVE-2019-1010241)

Summary: CVE-2019-1010241 jenkins-plugin-credentials-binding: storing passwords in recoverable format leading to authenticated users being able to recover credentials
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: abenaiss, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, erich, gmontero, jburrell, jgoulding, jokerman, mchappel, nstielau, pbhattac, sfowler, sponnaga, vbobade
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: ---
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-10-30 06:51:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1732347

Description Marian Rehak 2019-07-23 08:13:07 UTC
Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.

External References:

https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA

Comment 1 Akram Ben Aissi 2019-07-24 10:32:51 UTC
This is fixed upstream here: https://issues.jenkins-ci.org/browse/JENKINS-42950

We need to bump to version 1.19 of the Credentials Binding Plugin.
Our current version of the plugin is credentials-binding:1.15.

Comment 2 Sam Fowler 2019-08-05 01:23:44 UTC
In reply to comment #1:
> This is fixed upstream here:
> https://issues.jenkins-ci.org/browse/JENKINS-42950

This seems like a different issue to me. Perhaps JENKINS-42950 should have its own CVE assigned; we should contact upstream for clarification.

Comment 13 Gabe Montero 2019-09-20 11:31:12 UTC
@Eric you can manipulate the permissions that jenkins users have with our login plugin such that they cannot view jenkins credentials,
and you can do this such that those permissions are in place prior to the initial launch of jenkins.

Also remember, OpenShift users can create / start pipeline jobs without having to log into the Jenkins console.

And lastly, rather than a centralized Jenkins server, a cluster admin can provision a Jenkins server for each dev
if they like (at much less memory most likely than a shared, common, Jenkins server). These Jenkins servers
could then only contain the credentials the given developer is allowed to look at.

So the KCS article that Akram is working on describes these workarounds.

Comment 18 Product Security DevOps Team 2019-10-30 06:51:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1010241