Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 16 Aug 2023 09:23:33 -0400
From: Demi Marie Obenour <demi@...isiblethingslab.com>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins plugins

On Wed, Aug 16, 2023 at 03:11:18PM +0200, Daniel Beck wrote:
> Jenkins is an open source automation server which enables developers around
> the world to reliably build, test, and deploy their software.
> 
> The following releases contain fixes for security vulnerabilities:
> 
> * Blue Ocean Plugin 1.27.5.1
> * Config File Provider Plugin 953.v0432a_802e4d2
> * Delphix Plugin 3.0.3
> * Flaky Test Handler Plugin 1.2.3
> * Folders Plugin 6.848.ve3b_fd7839a_81
> * Fortify Plugin 22.2.39
> * NodeJS Plugin 1.6.0.1
> * Shortcut Job Plugin 0.5
> * Tuleap Authentication Plugin 1.1.21
> 
> Additionally, we announce unresolved security issues in the following
> plugins:
> 
> * Docker Swarm Plugin
> * Favorite View Plugin
> * Gogs Plugin
> * Maven Artifact ChoiceListProvider (Nexus) Plugin
> 
> Summaries of the vulnerabilities are below. More details, severity, and
> attribution can be found here:
> https://www.jenkins.io/security/advisory/2023-08-16/
> 
> We provide advance notification for security updates on this mailing list:
> https://groups.google.com/d/forum/jenkinsci-advisories
> 
> If you discover security vulnerabilities in Jenkins, please report them as
> described here:
> https://www.jenkins.io/security/#reporting-vulnerabilities
> 
> ---
> 
> SECURITY-3106 / CVE-2023-40336
> Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST
> requests for an HTTP endpoint, resulting in a cross-site request forgery
> (CSRF) vulnerability.
> 
> This vulnerability allows attackers to copy an item, which could
> potentially automatically approve unsandboxed scripts and allow the
> execution of unsafe scripts.
> 
> 
> SECURITY-3105 / CVE-2023-40337
> Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST
> requests for an HTTP endpoint, resulting in a cross-site request forgery
> (CSRF) vulnerability.
> 
> This vulnerability allows attackers to copy a view inside a folder.
> 
> 
> SECURITY-3109 / CVE-2023-40338
> Folders Plugin displays an error message when attempting to access the Scan
> Organization Folder Log if no logs are available.
> 
> In Folders Plugin 6.846.v23698686f0f6 and earlier, this error message
> includes the absolute path of a log file, exposing information about the
> Jenkins controller file system.
> 
> 
> SECURITY-3090 / CVE-2023-40339
> Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask
> (i.e., replace with asterisks) credentials specified in configuration files
> when they're written to the build log.
> 
> 
> SECURITY-3196 / CVE-2023-40340
> NodeJS Plugin integrates with Config File Provider Plugin to specify custom
> NPM settings, including credentials for authentication, in a Npm config
> file.
> 
> NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with
> asterisks) credentials specified in the Npm config file in Pipeline build
> logs.
> 
> 
> SECURITY-3116 / CVE-2023-40341
> Blue Ocean Plugin 1.27.5 and earlier does not require POST requests for an
> HTTP endpoint, resulting in a cross-site request forgery (CSRF)
> vulnerability.
> 
> This vulnerability allows attackers to connect to an attacker-specified
> URL, capturing GitHub credentials associated with an attacker-specified
> job.
> 
> 
> SECURITY-3115 / CVE-2023-4301 (CSRF) & CVE-2023-4302 (missing permission check)
> Fortify Plugin 22.1.38 and earlier does not perform permission checks in
> several HTTP endpoints.
> 
> This allows attackers with Overall/Read permission to connect to an
> attacker-specified URL using attacker-specified credentials IDs obtained
> through another method, capturing credentials stored in Jenkins.
> 
> Additionally, these HTTP endpoints do not require POST requests, resulting
> in a cross-site request forgery (CSRF) vulnerability.
> 
> 
> SECURITY-3140 / CVE-2023-4303
> Fortify Plugin 22.1.38 and earlier does not escape the error message for a
> form validation method. This results in an HTML injection vulnerability.
> 
> NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form
> validation responses prevents JavaScript execution, so no scripts can be
> injected.
> 
> 
> SECURITY-3223 / CVE-2023-40342
> Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test
> contents when showing them on the Jenkins UI.
> 
> This results in a stored cross-site scripting (XSS) vulnerability
> exploitable by attackers able to control JUnit report file contents.
> 
> 
> SECURITY-3229 / CVE-2023-40343
> Tuleap Authentication Plugin 1.1.20 and earlier does not use a
> constant-time comparison when checking whether two authentication tokens
> are equal.
> 
> This could potentially allow attackers to use statistical methods to obtain
> a valid authentication token.
> 
> 
> SECURITY-3214 (1) / CVE-2023-40344
> Delphix Plugin 3.0.2 and earlier does not perform a permission check in an
> HTTP endpoint.
> 
> This allows attackers with Overall/Read permission to enumerate credentials
> IDs of credentials stored in Jenkins. Those can be used as part of an
> attack to capture the credentials using another vulnerability.
> 
> 
> SECURITY-3214 (2) / CVE-2023-40345
> Delphix Plugin 3.0.2 and earlier does not set the appropriate context for
> credentials lookup, allowing the use of System-scoped credentials otherwise
> reserved for the global configuration.
> 
> This allows attackers with Overall/Read permission to access and capture
> credentials they are not entitled to.
> 
> 
> SECURITY-3071 / CVE-2023-40346
> Shortcut Job Plugin 0.4 and earlier does not escape the shortcut
> redirection URL.
> 
> This results in a stored cross-site scripting (XSS) vulnerability
> exploitable by attackers able to configure shortcut jobs.
> 
> 
> SECURITY-3153 / CVE-2023-40347
> Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not
> set the appropriate context for credentials lookup, allowing the use of
> System-scoped credentials otherwise reserved for the global configuration.
> 
> This allows attackers with Item/Configure permission to access and capture
> credentials they are not entitled to.
> 
> As of publication of this advisory, there is no fix.
> 
> 
> SECURITY-2894 / CVE-2023-40348 (information disclosure) & CVE-2023-40349 (insecure default)
> Gogs Plugin provides a webhook endpoint at `/gogs-webhook` that can be used
> to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to
> specify a Gogs secret for this webhook is provided, but not enabled by
> default.
> 
> This allows unauthenticated attackers to trigger builds of jobs
> corresponding to the attacker-specified job name.
> 
> Additionally, the output of the webhook endpoint includes whether a job
> corresponding to the attacker-specified job name exists, even if the
> attacker has no permission to access it.
> 
> As of publication of this advisory, there is no fix.
> 
> 
> SECURITY-2811 / CVE-2023-40350
> Docker Swarm Plugin processes Docker responses to generate the Docker Swarm
> Dashboard view.
> 
> Docker Swarm Plugin 1.11 and earlier does not escape values returned from
> Docker before inserting them into the Docker Swarm Dashboard view. This
> results in a stored cross-site scripting (XSS) vulnerability exploitable by
> attackers able to control responses from Docker.
> 
> As of publication of this advisory, there is no fix.
> 
> 
> SECURITY-3201 / CVE-2023-40351
> Favorite View Plugin 5.v77a_37f62782d and earlier does not require POST
> requests for an HTTP endpoint, resulting in a cross-site request forgery
> (CSRF) vulnerability.
> 
> This vulnerability allows attackers to add or remove views from another
> user's favorite views tab bar.
> 
> As of publication of this advisory, there is no fix.

I strongly recommend that Jenkins add the following:

- Documentation recommending that Jenkins _not_ be exposed to the public
  Internet, due to its very large attack surface.

- A configuration option to disable all plugins with known
  vulnerabilities.

- A process for removing plugins whose maintainers do not resolve
  security vulnerabilities reasonably quickly.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.