Message-Id: <7B02B649-609D-491C-B80E-A6CD114D27BA@beckweb.net>
Date: Tue, 21 Mar 2023 15:30:46 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* JaCoCo Plugin 3.3.2.1
* OctoPerf Load Testing Plugin 4.5.1, 4.5.2, and 4.5.3
* Pipeline Aggregator View Plugin 1.14
* Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162

Additionally, we announce unresolved security issues in the following
plugins:

* AbsInt a³ Plugin
* Convert To Pipeline Plugin
* Cppcheck Plugin
* Crap4J Plugin
* Mashup Portlets Plugin
* Performance Publisher Plugin
* Phabricator Differential Plugin
* remote-jobs-view-plugin Plugin
* Visual Studio Code Metrics Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2023-03-21/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3053 / CVE-2023-28668
Permissions in Jenkins can be enabled and disabled. Some permissions are
disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled
permissions cannot be granted directly, only through greater permissions
that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier
grants permissions even after they've been disabled.

This allows attackers to have greater access than they're entitled to after
the following operations have taken place:

1. A permission is granted to attackers directly or through groups.
2. The permission is disabled, e.g., through the script console.


SECURITY-3061 / CVE-2023-28669
JaCoCo Plugin 3.3.2 and earlier does not escape class and method names
shown on the UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control input files for the 'Record JaCoCo
coverage report' post-build action.


SECURITY-2885 / CVE-2023-28670
Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable
representing the current view's URL in inline JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by authenticated attackers with Overall/Read permission.


SECURITY-3067 (1) / CVE-2023-28671
OctoPerf Load Testing Plugin 4.5.0 and earlier does not require POST
requests for a connection test HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL
using attacker-specified credentials IDs obtained through another method,
capturing credentials stored in Jenkins.


SECURITY-3067 (2) / CVE-2023-28672
OctoPerf Load Testing Plugin 4.5.1 and earlier does not perform a
permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.


SECURITY-3067 (3) / CVE-2023-28673
OctoPerf Load Testing Plugin 4.5.2 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-3067 (4) / CVE-2023-28674 (CSRF) & CVE-2023-28675 (missing permission check)
OctoPerf Load Testing Plugin 4.5.2 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a
previously configured OctoPerf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.


SECURITY-2963 / CVE-2023-28676
Convert To Pipeline Plugin 1.0 and earlier does not require POST requests
for the HTTP endpoint converting a Freestyle project to Pipeline, resulting
in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a
Freestyle project. Combined with SECURITY-2966, this can result in the
execution of unsandboxed Pipeline scripts.

As of publication of this advisory, there is no fix.


SECURITY-2966 / CVE-2023-28677
Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation
to convert Freestyle projects' Build Environment, Build Steps, and
Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a
crafted configuration that injects Pipeline script code into the
(unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline
Plugin. If an administrator converts the Freestyle project to a Pipeline,
the script will be pre-approved.

As of publication of this advisory, there is no fix.


SECURITY-2809 / CVE-2023-28678
Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck
report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control report file contents.

As of publication of this advisory, there is no fix.


SECURITY-2813 / CVE-2023-28679
Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet"
feature that lets a user populate a portlet using a custom JavaScript
expression.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by authenticated attackers with Overall/Read permission.

As of publication of this advisory, there is no fix.


SECURITY-2925 / CVE-2023-28680
Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control Crap Report file contents to have
Jenkins parse a crafted XML document that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

As of publication of this advisory, there is no fix.


SECURITY-2926 / CVE-2023-28681
Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control VS Code Metrics File contents to have
Jenkins parse a crafted XML document that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

As of publication of this advisory, there is no fix.


SECURITY-2928 / CVE-2023-28682
Performance Publisher Plugin 8.09 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control PerfPublisher report files to have
Jenkins parse a crafted XML document that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

As of publication of this advisory, there is no fix.


SECURITY-2942 / CVE-2023-28683
Phabricator Differential Plugin 2.1.5 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control coverage report file contents for the
'Post to Phabricator' post-build action to have Jenkins parse a crafted XML
document that uses external entities for extraction of secrets from the
Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2956 / CVE-2023-28684
remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows authenticated attackers with Overall/Read permission to have
Jenkins parse a crafted XML document that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

As of publication of this advisory, there is no fix.


SECURITY-2930 / CVE-2023-28685
AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control 'Project File (APX)' contents to have
Jenkins parse a crafted XML document that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

As of publication of this advisory, there is no fix.
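The seven XXE findings above (SECURITY-2925, 2926, 2928, 2942, 2956 and 2930) share one root cause: a report file is handed to a JAXP parser left at its defaults. The following is an added example, not code from any of the plugins named, showing the hardened factory configuration and running it on a constructed report with a DOCTYPE; the class name and the placeholder file path in the sample document are assumptions. Jenkins core also ships `jenkins.util.xml.XMLUtils` with equivalent settings for plugins that prefer to reuse it.

```java
// Added example, not any plugin's own code: JAXP hardening against XXE,
// exercised on a constructed report document. Class name is hypothetical.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class ReportParser {
    // Constructed input in the shape the advisories describe; the path is a placeholder.
    static final String XXE_REPORT =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE report [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">]>\n"
            + "<report><name>&ext;</name></report>";
    static final String PLAIN_REPORT = "<report><name>build-42</name></report>";

    // Hardened factory: no DOCTYPE at all, hence no entity declarations, no external
    // DTD fetches and no expansion (the OWASP XXE prevention settings for JAXP).
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return f.newDocumentBuilder();
    }

    static String reportName(String xml) throws Exception {
        Document d = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(reportName(PLAIN_REPORT)); // build-42
        try {
            reportName(XXE_REPORT);
        } catch (SAXException e) {
            // The DOCTYPE is rejected before any entity could be resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```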


