Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 12 Apr 2022 14:41:22 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins 

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Credentials Plugin 1112.vc87b_7a_3597f6, 1087.1089.v2f1b_9a_b_040e4,
  1074.1076.v39c30cecb_0e2, and 2.6.1.1
* CVS Plugin 2.19.1
* Gerrit Trigger Plugin 2.35.3
* Git Parameter Plugin 0.9.16
* Google Compute Engine Plugin 4.3.9
* Jira Plugin 3.7.1 and 3.6.1
* Mask Passwords Plugin 3.1
* Node and Label parameter Plugin 1.10.3.1
* Pipeline: Shared Groovy Libraries Plugin 566.vd0a_a_3334a_555 and 2.21.3
* promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1
* Publish Over FTP Plugin 1.17
* Subversion Plugin 2.15.4

Additionally, we announce unresolved security issues in the following
plugins:

* Extended Choice Parameter Plugin
* Job Generator Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-04-12/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2617 / CVE-2022-29036 through CVE-2022-29046
Multiple plugins do not escape the name and description of the parameter
types they provide:

* Credentials Plugin 1111.v35a_307992395 and earlier (SECURITY-2690 /
  CVE-2022-29036)
* CVS Plugin 2.19 and earlier (SECURITY-2700 / CVE-2022-29037)
* Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier
  (SECURITY-2704 / CVE-2022-29038)
* Gerrit Trigger Plugin 2.35.2 and earlier (SECURITY-2703 / CVE-2022-29039)
* Git Parameter Plugin 0.9.15 and earlier (SECURITY-2699 / CVE-2022-29040)
* Jira Plugin 3.7 and earlier (SECURITY-2691 / CVE-2022-29041)
* Job Generator 1.22 and earlier (SECURITY-2263 / CVE-2022-29042)
* Mask Passwords Plugin 3.0 and earlier (SECURITY-2701 / CVE-2022-29043)
* Node and Label parameter Plugin 1.10.3 and earlier (SECURITY-2702 /
  CVE-2022-29044)
* promoted builds Plugin 873.v6149db_d64130 and earlier (SECURITY-2692 /
  CVE-2022-29045)
* Subversion Plugin 2.15.3 and earlier (SECURITY-2698 / CVE-2022-29046)

This results in stored cross-site scripting (XSS) vulnerabilities
exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed
on another page, like the "Build With Parameters" and "Parameters" pages
provided by Jenkins (core), and that those pages are not hardened to
prevent exploitation. Jenkins (core) has prevented exploitation of
vulnerabilities of this kind on the "Build With Parameters" and
"Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 /
CVE-2017-2601 fix. Additionally, the following plugins have been updated to
list parameters in a way that prevents exploitation by default.

* promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1 (SECURITY-2670)
* Pipeline: Build Step Plugin 2.17 and 2.15.2 (SECURITY-2611)
* Pipeline: Input Step Plugin 447.v95e5a_6e3502a_ and 2.12.1 (SECURITY-2674)
* Rebuilder Plugin 1.33.1 (SECURITY-2671)
* Maven Release Plugin 0.16.3 (SECURITY-2669)
* Release Plugin 2.14 (SECURITY-2672)

Older releases of these plugins allow exploitation of the vulnerabilities
listed above.

As of publication of this advisory, the following plugins have not yet been
updated to list parameters in a way that prevents exploitation of these
vulnerabilities:

* Show Build Parameters Plugin (SECURITY-2325)
* Coordinator Plugin (SECURITY-2668)
* Unleash Maven Plugin (SECURITY-2673)

These are not vulnerabilities in these plugins. Only plugins defining
parameter types can be considered to be vulnerable to this issue.

NOTE: Some plugins both define parameter types and implement a page listing
parameters, so they can appear in multiple lists and may have both a
security fix and a security hardening applied.

As of publication of this advisory, there is no fix available for the
following plugins:

* Extended Choice Parameter Plugin (SECURITY-2704 / CVE-2022-29038)
* Job Generator (SECURITY-2263 / CVE-2022-29042)


SECURITY-1951 / CVE-2022-29047
Multibranch Pipelines by default limit who can change the Pipeline
definition from the Jenkinsfile. This is useful for SCMs like GitHub:
Jenkins can build content from users without commit access, but who can
submit pull requests, without granting them the ability to modify the
Pipeline definition. In that case, Jenkins will just use the Pipeline
definition in the pull request's destination branch instead.

In Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and
earlier the same protection does not apply to uses of the `library` step
with a `retriever` argument pointing to a library in the current build's
repository and branch (e.g., `library(…, retriever: legacySCM(scm))`). This
allows attackers able to submit pull requests (or equivalent), but not able
to commit directly to the configured SCM, to effectively change the
Pipeline behavior by changing the library behavior in their pull request,
even if the Pipeline is configured to not trust them.


SECURITY-2075 / CVE-2022-29048
Subversion Plugin 2.15.3 and earlier does not require POST requests for
several form validation methods, resulting in cross-site request forgery
(CSRF) vulnerabilities.

These vulnerabilities allow attackers to connect to an attacker-specified
URL.


SECURITY-2655 / CVE-2022-29049
promoted builds Plugin provides dedicated support for defining promotions
using Job DSL Plugin.

promoted builds Plugin 873.v6149db_d64130 and earlier does not validate the
names of promotions defined in Job DSL. This allows attackers with
Job/Configure permission to create a promotion with an unsafe name. As a
result, the promotion name could be used for cross-site scripting (XSS) or
to replace other `config.xml` files.


SECURITY-2321 / CVE-2022-29050 (CSRF) & CVE-2022-29051 (missing permission check)
Publish Over FTP Plugin 1.16 and earlier does not perform permission checks
in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an FTP
server using attacker-specified credentials.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-2045 / CVE-2022-29052
Google Compute Engine Plugin 4.3.8 and earlier stores private keys
unencrypted in cloud agent `config.xml` files on the Jenkins controller as
part of its configuration.

These private keys can be viewed by users with Agent/Extended Read
permission or access to the Jenkins controller file system.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.