Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 21 Sep 2022 16:55:11 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.370
* Anchore Container Image Scanner Plugin 1.0.25
* Compuware Common Configuration Plugin 1.0.15
* NS-ND Integration Performance Publisher Plugin 4.8.0.130

Additionally, we announce unresolved security issues in the following
plugins:

* Apprenda Plugin
* BigPanda Notifier Plugin
* Build-Publisher Plugin
* CONS3RT Plugin
* DotCi Plugin
* extreme-feedback Plugin
* NS-ND Integration Performance Publisher Plugin
* RQM Plugin
* Rundeck Plugin
* SCM HttpClient Plugin
* Security Inspector Plugin
* SmallTest Plugin
* View26 Test-Reporting Plugin
* Walti Plugin
* WildFly Deployer Plugin
* Worksoft Execution Manager Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-09-21/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2886 / CVE-2022-41224
Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of
the `l:helpIcon` UI component used for some help icons on the Jenkins web
UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control tooltips for this component.

NOTE: As of publication, the Jenkins security team is unaware of any
exploitable help icon/tooltip in Jenkins core or plugins published by the
Jenkins project. The vast majority of help icons use the `l:help` component
instead of `l:helpIcon`. The few known instances of `l:helpIcon` do not
have user-controllable contents.


SECURITY-2821 / CVE-2022-41225
Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape
content provided by the Anchore engine API.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control API responses by Anchore engine.


SECURITY-2832 / CVE-2022-41226
Compuware Common Configuration Plugin 1.0.14 and earlier does not configure
its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to change the contents of the Topaz Workbench
CLI home directory on agents to have Jenkins parse a crafted file that uses
external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.


SECURITY-2737 / CVE-2022-41227 (CSRF) & CVE-2022-41228 (missing permission check)
NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier does
not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified webserver using attacker-specified username and
password.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-2858 / CVE-2022-41229
NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does
not escape configuration options of the Execute NetStorm/NetCloud Test
build step.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-1994 / CVE-2022-41230
Build-Publisher Plugin 1.22 and earlier does not perform a permission check
in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain names and URLs
of Jenkins servers that the plugin is configured to publish builds to, as
well as builds pending for publication to those Jenkins servers.

As of publication of this advisory, there is no fix.


SECURITY-2139 / CVE-2022-41231 (path traversal) & CVE-2022-41232 (CSRF)
Build-Publisher Plugin 1.22 and earlier allows attackers with
Item/Configure permission to create or replace any `config.xml` file on the
Jenkins controller file system by providing a crafted file name to an API
endpoint.

Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability that allows attackers to
replace any config.xml file on the Jenkins controller file system with an
empty file.

As of publication of this advisory, there is no fix.


SECURITY-2170 / CVE-2022-41233
Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission
checks in multiple HTTP endpoints.

This allows attackers with Item/Read permission to obtain information about
build artifacts of a given job, if the optional Run/Artifacts permission is
enabled.

As of publication of this advisory, there is no fix.


SECURITY-2169 / CVE-2022-41234
Rundeck Plugin 3.6.11 and earlier does not protect access to the
`/plugin/rundeck/webhook/` endpoint.

This allows attackers with Item/Read permission to trigger jobs that are
configured to be triggerable via Rundeck.

As of publication of this advisory, there is no fix.


SECURITY-2645 / CVE-2022-41235
WildFly Deployer Plugin 1.0.2 and earlier implements functionality that
allows agent processes to read arbitrary files on the Jenkins controller
file system.

This allows attackers able to control agent processes to read arbitrary
files on the Jenkins controller file system.

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier,
LTS 2.303.2 and earlier.

As of publication of this advisory, there is no fix.


SECURITY-2051 / CVE-2022-41236
Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require
POST requests for an HTTP endpoint, resulting in a cross-site request
forgery (CSRF) vulnerability.

This vulnerability allows attackers to replace the generated report stored
in a per-session cache and displayed to authorized users at the
`.../report` URL with a report based on attacker-specified report
generation options. This could create confusion in users of the plugin who
are expecting to see a different result.

NOTE: A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents
exploitation of this vulnerability for the "Single user, multiple jobs"
report. Other report types are still affected.

As of publication of this advisory, there is no fix.


SECURITY-1737 / CVE-2022-41237
DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to
prevent the instantiation of arbitrary types.

This results in a remote code execution (RCE) vulnerability exploitable by
attackers able to modify `.ci.yml` files in SCM.

As of publication of this advisory, there is no fix.


SECURITY-2867 / CVE-2022-41238
DotCi Plugin provides a webhook endpoint at `/githook/` that can be used to
trigger builds of the job for a GitHub repository.

In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without
authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to the attacker-specified repository for attacker-specified
commits.

As of publication of this advisory, there is no fix.


SECURITY-2884 / CVE-2022-41239
DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name
parameter provided to commit notifications when displaying them in a build
cause.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to submit crafted commit notifications to the
`/githook/` endpoint (see also SECURITY-2867).

NOTE: This vulnerability is only exploitable in Jenkins 2.314 and earlier,
LTS 2.303.1 and earlier.

As of publication of this advisory, there is no fix.


SECURITY-1870 / CVE-2022-41240
Walti Plugin 1.0.1 and earlier does not escape the information provided by
the Walti API.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to provide malicious API responses from
Walti.

As of publication of this advisory, there is no fix.


SECURITY-2805 / CVE-2022-41241
RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML
external entity (XXE) attacks.

This allows attackers able to provide crafted API responses from Rational
Quality Manager to have Jenkins parse a crafted XML document that uses
external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2001 / CVE-2022-41242
extreme-feedback Plugin 1.7 and earlier does not perform a permission check
in an HTTP endpoint.

This allows attackers with Overall/Read permission to discover information
about job names attached to lamps, discover MAC and IP addresses of
existing lamps, and rename lamps.

As of publication of this advisory, there is no fix.


SECURITY-2068 / CVE-2022-41243
SmallTest Plugin 1.0.4 and earlier does not perform hostname validation
when connecting to the configured SmallTest server.

This lack of validation could be abused using a man-in-the-middle attack to
intercept these connections.

As of publication of this advisory, there is no fix.


SECURITY-2069 / CVE-2022-41244
View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname
validation when connecting to the configured View26 server.

This lack of validation could be abused using a man-in-the-middle attack to
intercept these connections.

As of publication of this advisory, there is no fix.


SECURITY-2237 / CVE-2022-41245 (CSRF) & CVE-2022-41246 (missing permission check)
Worksoft Execution Manager Plugin 10.0.3.503 and earlier does not perform a
permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2243 / CVE-2022-41247 (storage) & CVE-2022-41248 (masking)
BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key
unencrypted in its global configuration file `BigpandaGlobalNotifier.xml`
on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller
file system.

Additionally, the global configuration form does not mask the API key,
increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix.


SECURITY-2708 / CVE-2022-41249 (CSRF) & CVE-2022-41250 (missing permission check)
SCM HttpClient Plugin 1.5 and earlier does not perform permission check in
a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified HTTP server using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2710 / CVE-2022-41251
Apprenda Plugin 2.2.0 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2752 / CVE-2022-41252
CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2751 / CVE-2022-41253 (CSRF) & CVE-2022-41254 (missing permission check)
CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified HTTP server using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2759 / CVE-2022-41255
CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in
job `config.xml` files on the Jenkins controller as part of its
configuration.

This API token can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.