Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 15 Feb 2022 15:33:38 +0100
From: Wadeck Follonier <wfollonier@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Agent Server Parameter Plugin 1.1
* autonomiq Plugin 1.16
* Conjur Secrets Plugin 1.0.12
* Custom Checkbox Parameter Plugin 1.2
* Fortify Plugin 20.2.35
* Generic Webhook Trigger Plugin 1.82
* HashiCorp Vault Plugin 336.v182c0fbaaeb7
* Pipeline: Build Step Plugin 2.15.1
* Pipeline: Groovy Plugin 2656.vf7a_e7b_75a_457
* Pipeline: Multibranch Plugin 707.v71c3f0a_6ccdb_
* Pipeline: Shared Groovy Libraries Plugin 561.va_ce0de3c2d69
* Snow Commander Plugin 2.0
* Support Core Plugin 2.79.1

Additionally, we announce unresolved security issues in the following
plugins:

* Checkmarx Plugin
* Chef Sinatra Plugin
* Convertigo Mobile Platform Plugin
* dbCharts Plugin
* Doktor Plugin
* GitLab Authentication Plugin
* HashiCorp Vault Plugin
* Promoted Builds (Simple) Plugin
* SCP publisher Plugin
* SWAMP Plugin
* Team Views Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-02-15/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2463 / CVE-2022-25173 (Pipeline: Groovy Plugin) & CVE-2022-25174
(Pipeline: Shared Groovy Libraries) & CVE-2022-25175 (Pipeline: Multibranch)
Multiple Pipeline-related plugins that perform on-controller SCM checkouts
reuse the same workspace directory for checkouts of distinct SCMs in some
contexts.

- Pipeline: Groovy Plugin 2648.va9433432b33c and
earlier uses the same checkout directories for distinct SCMs when reading
the script file (typically `Jenkinsfile`) for Pipelines.
- Pipeline: Shared Groovy Libraries
552.vd9cc05b8a2e1 and earlier uses the same checkout directories for
distinct SCMs for Pipeline libraries.
- Pipeline: Multibranch 706.vd43c65dec013 and
earlier uses the same checkout directories for distinct SCMs for the
`readTrusted` step.

This allows attackers with Item/Configure permission to invoke arbitrary OS
commands on the controller through crafted SCM contents.


SECURITY-2613 / CVE-2022-25176 (Pipeline: Groovy Plugin) & CVE-2022-25177
(Pipeline: Shared Groovy Libraries) & CVE-2022-25178 (Pipeline: Shared
Groovy Libraries) & CVE-2022-25179 (Pipeline: Multibranch)
Multiple Pipeline-related plugins follow symbolic links or do not limit
path names, resulting in arbitrary file read vulnerabilities:

- Pipeline: Groovy Plugin 2648.va9433432b33c and
earlier follows symbolic links to locations outside of the checkout
directory for the configured SCM when reading the script file (typically
`Jenkinsfile`) for Pipelines (originally reported as SECURITY-2595).
- Pipeline: Shared Groovy Libraries
552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside
of the expected Pipeline library when reading files using the
`libraryResource` step (originally reported as SECURITY-2479).
- Pipeline: Shared Groovy Libraries
552.vd9cc05b8a2e1 and earlier does not restrict the names of resources
passed to the `libraryResource` step (originally reported as
SECURITY-2476).
- Pipeline: Multibranch 706.vd43c65dec013 and earlier follows symbolic
links to locations outside
of the checkout directory for the configured SCM when reading files using
the `readTrusted` step (originally reported as SECURITY-2491).

This allows attackers able to configure Pipelines to read arbitrary files
on the Jenkins controller file system.


SECURITY-2443 / CVE-2022-25180
Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password
parameters from the original build in replayed builds.

This allows attackers with Run/Replay permission to obtain the values of
password parameters passed to previous builds of a Pipeline.


SECURITY-2441 / CVE-2022-25181
Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses
the same workspace directory for all checkouts of Pipeline libraries with
the same name regardless of the SCM being used and the source of the
library configuration.

This allows attackers with Item/Configure permission to execute arbitrary
code in the context of the Jenkins controller JVM through crafted SCM
contents, if a global Pipeline library already exists.


SECURITY-2422 / CVE-2022-25182
Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses
the names of Pipeline libraries to create directories without
canonicalization or sanitization.

This allows attackers with Item/Configure permission to execute arbitrary
code in the context of the Jenkins controller JVM using specially crafted
library names if a global Pipeline library is already configured.


SECURITY-2586 / CVE-2022-25183
Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses
the names of Pipeline libraries to create cache directories without any
sanitization.

This allows attackers with Item/Configure permission to execute arbitrary
code in the context of the Jenkins controller JVM using specially crafted
library names if a global Pipeline library configured to use caching
already exists.


SECURITY-2519 / CVE-2022-25184
Pipeline: Build Step Plugin 2.15 and earlier reveals password parameter
default values when generating a pipeline script using the Pipeline Snippet
Generator.

This allows attackers with Item/Read permission to retrieve the default
password parameter value from jobs.


SECURITY-2592 / CVE-2022-25185
Generic Webhook Trigger Plugin 1.81 and earlier does not escape the build
cause for the webhook.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to trigger builds using the webhook.


SECURITY-2429 / CVE-2022-25186
HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that
allows agent processes to retrieve any Vault secrets for use on the agent.

This allows attackers able to control agent processes to obtain Vault
secrets for an attacker-specified path and key.


SECURITY-2186 / CVE-2022-25187
Support Core Plugin has a feature to redact potentially sensitive
information in the support bundle.

Support Core Plugin 2.79 and earlier does not redact some sensitive
information in the support bundle.

This sensitive information can be viewed by anyone with access to the
bundle.


SECURITY-2214 / CVE-2022-25188
Fortify Plugin 20.2.34 and earlier does not sanitize the `appName` and
`appVersion` parameters of its Pipeline steps, which are used to write to
files inside build directories.

This allows attackers with Item/Configure permission to write or overwrite
`.xml` files on the Jenkins controller file system with content not
controllable by the attacker.


SECURITY-2266 / CVE-2022-25189
Custom Checkbox Parameter Plugin 1.1 and earlier does not escape parameter
names of custom checkbox parameters.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-2350 / CVE-2022-25190
Conjur Secrets Plugin 1.0.11 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-2268 / CVE-2022-25191
Agent Server Parameter Plugin 1.0 and earlier does not escape parameter
names of agent server parameters.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-2536 / CVE-2022-25192 (CSRF) & CVE-2022-25193 (missing permission
check)
Snow Commander Plugin 2.0 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified webserver using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-2545 / CVE-2022-25194 (CSRF) & CVE-2022-25195 (missing permission
check)
autonomiq Plugin 1.15 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.


SECURITY-1833 / CVE-2022-25196
GitLab Authentication Plugin 1.13 and earlier records the HTTP `Referer`
header as part of the URL query parameters when the authentication process
starts and redirects users to that URL when the user has finished logging
in.

This allows attackers with access to Jenkins to craft a URL that will
redirect users to an attacker-specified URL after logging in.

NOTE: This issue is caused by an incomplete fix of SECURITY-796.

As of publication of this advisory, there is no fix.


SECURITY-2521 / CVE-2022-25197
HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements
functionality that allows agent processes to read arbitrary files on the
Jenkins controller file system.

This allows attackers able to control agent processes to read arbitrary
files on the Jenkins controller file system.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.

As of publication of this advisory, there is no fix.


SECURITY-2323 / CVE-2022-25198 (CSRF) & CVE-2022-25199 (missing permission
check)
SCP publisher Plugin 1.8 and earlier does not perform a permission check in
a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified SSH server using attacker-specified username and
password.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1017 / CVE-2022-25200 (CSRF) & CVE-2022-25201 (missing permission
check)
Checkmarx Plugin 2022.1.2 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified webserver using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2334 / CVE-2022-25202
Promoted Builds (Simple) Plugin 1.9 and earlier does not escape the name of
custom promotion levels.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Overall/Administer permission.

As of publication of this advisory, there is no fix.


SECURITY-2324 / CVE-2022-25203
Team Views Plugin 0.9.0 and earlier does not escape team names.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Overall/Read permission.

As of publication of this advisory, there is no fix.


SECURITY-2548 / CVE-2022-25204
Doktor Plugin 0.4.1 and earlier implements functionality that allows agent
processes to render files on the controller as Markdown or Asciidoc.

Additionally, error messages allow attackers able to control agent
processes to determine whether a file with a given name exists.

As of publication of this advisory, there is no fix.


SECURITY-2177 / CVE-2022-25205 (CSRF) & CVE-2022-25206 (missing permission
check)
dbCharts Plugin 0.5.2 and earlier does not perform a permission check in a
method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified database via JDBC using attacker-specified credentials.

Additionally, this method allows attackers to determine whether a class is
available on the Jenkins controller's class path through error messages.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1377 / CVE-2022-25207 (CSRF) & CVE-2022-25208 (missing permission
check) & CVE-2022-25209 (XXE)
Chef Sinatra Plugin 1.20 and earlier does not perform a permission check in
a method implementing form validation.

This allows attackers with Overall/Read permission to have Jenkins send an
HTTP request to an attacker-controlled URL and have it parse the response
as XML.

As the plugin does not configure its XML parser to prevent XML external
entity (XXE) attacks, attackers can have Jenkins parse a crafted XML
response that uses external entities for extraction of secrets from the
Jenkins controller or server-side request forgery.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2280 / CVE-2022-25210
Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to
store job configuration information.

This allows attackers with Item/Configure permission to capture passwords
of the jobs that will be configured.

As of publication of this advisory, there is no fix.


SECURITY-1988 / CVE-2022-25211 (missing permission check) & CVE-2022-25212
(CSRF)
SWAMP Plugin 1.2.6 and earlier does not perform a permission check in a
method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.