Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 15 Nov 2022 18:40:52 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1
* JUnit Plugin 1160.vf1f01a_a_ea_b_7f
* Naginator Plugin 1.18.2
* NS-ND Integration Performance Publisher Plugin 4.8.0.146
* Pipeline Utility Steps Plugin 2.13.1 and 2.13.2
* Reverse Proxy Auth Plugin 1.7.4
* Script Security Plugin 1190.v65867a_a_47126
* Support Core Plugin 1206.1208.v9b_7a_1d48db_0f

Additionally, we announce unresolved security issues in the following
plugins:

* Associated Files Plugin
* BART Plugin
* CCCC Plugin
* Cluster Statistics Plugin
* Config Rotator Plugin
* Delete log Plugin
* JAPEX Plugin
* loader.io Plugin
* NS-ND Integration Performance Publisher Plugin
* OSF Builder Suite :: XML Linter Plugin
* SourceMonitor Plugin
* Violations Plugin
* XP-Dev Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-11-15/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2564 / CVE-2022-45379
Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores
whole-script approvals as the SHA-1 hash of the approved script. SHA-1 no
longer meets the security standards for producing a cryptographically
secure message digest.


SECURITY-2888 / CVE-2022-45380
JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test
report output to clickable links.

This is done in an unsafe manner, resulting in a stored cross-site
scripting (XSS) vulnerability exploitable by attackers with Item/Configure
permission.


SECURITY-2948 / CVE-2022-33980
Pipeline Utility Steps Plugin implements a `readProperties` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.0 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library with
the vulnerability CVE-2022-33980.

This vulnerability allows attackers able to configure Pipelines to execute
arbitrary code in the context of the Jenkins controller JVM.


SECURITY-2949 / CVE-2022-45381
Pipeline Utility Steps Plugin implements a `readProperties` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library that
enable the `file:` prefix interpolator by default.

This allows attackers able to configure Pipelines to read arbitrary files
from the Jenkins controller file system.


SECURITY-2946 / CVE-2022-45382
Naginator Plugin 1.18.1 and earlier does not escape display names of source
builds in builds that were triggered via Retry action.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to edit build display names.


SECURITY-2804 / CVE-2022-45383
Support Core Plugin defines the permission Support/DownloadBundle that
allows users without Overall/Administer permission to create and download
support bundles containing a limited set of diagnostic information.

Support Core Plugin 1206.v14049fa_b_d860 and earlier does not correctly
perform permission checks in several HTTP endpoints.

This allows attackers with Support/DownloadBundle permission to download a
previously created support bundle containing information limited to users
with Overall/Administer permission.


SECURITY-2094 / CVE-2022-45384
Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager
password unencrypted in the global `config.xml` file on the Jenkins
controller as part of its configuration.

This password can be viewed by attackers with access to the Jenkins
controller file system.


SECURITY-2843 / CVE-2022-45385
CloudBees Docker Hub/Registry Notification Plugin provides several webhook
endpoints that can be used to trigger builds when Docker images used by a
job have been rebuilt.

In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier,
these endpoints can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to the attacker-specified repository.


SECURITY-766 / CVE-2022-45386
Violations Plugin 0.7.11 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers to to control XML input files for the 'Report
Violations' post-build step to have agent processes parse a crafted file
that uses external entities for extraction of secrets from the Jenkins
agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2802 / CVE-2022-45387
BART Plugin 1.0.3 and earlier does not escape the parsed content of build
logs before rendering it on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2842 / CVE-2022-45388
Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query
parameter in an HTTP endpoint.

This allows unauthenticated attackers to read arbitrary files with `.xml`
extension on the Jenkins controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2853 / CVE-2022-45389
XP-Dev Plugin provides a webhook endpoint at `/xpdev-webhook` that can be
used to trigger builds configured to use a specified repository.

In XP-Dev Plugin 1.0 and earlier, this endpoint can be accessed without
authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to an attacker-specified repository.

As of publication of this advisory, there is no fix.


SECURITY-2857 / CVE-2022-45390
loader.io Plugin 1.0.1 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2910 (1) / CVE-2022-45391
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier
globally and unconditionally disables SSL/TLS certificate and hostname
validation for the entire Jenkins controller JVM.


SECURITY-2910 (2) / CVE-2022-38666
NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier
unconditionally disables SSL/TLS certificate and hostname validation for
several features.

As of publication of this advisory, there is no fix.


SECURITY-2912 / CVE-2022-45392
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores
passwords unencrypted in job `config.xml` files on the Jenkins controller
as part of its configuration.

These passwords can be viewed by attackers with Item/Extended Read
permission or access to the Jenkins controller file system.


SECURITY-2920 / CVE-2022-45393 (CSRF) & CVE-2022-45394 (missing permission check)
Delete log Plugin 1.0 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Item/Read permission to delete build logs.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2921 / CVE-2022-45395
CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control the contents of the report file for
the 'Publish CCCC Report' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2927 / CVE-2022-45396
SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Publish
SourceMonitor results' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2937 / CVE-2022-45397
OSF Builder Suite :: XML Linter 1.0.2 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML files that get processed by the
'OSF Builder Suite :: XML Linter' build step to have agent processes parse
a crafted file that uses external entities for extraction of secrets from
the Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2938 / CVE-2022-45398 (CSRF) & CVE-2022-45399 (missing permission check)
Cluster Statistics Plugin 0.4.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to delete recorded
Jenkins Cluster Statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2941 / CVE-2022-45400
JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Record Japex
test report' post-build step to have Jenkins parse a crafted file that uses
external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2947 / CVE-2022-45401
Associated Files Plugin 0.2.1 and earlier does not escape names of
associated files.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.