Message-ID: <CAKG2iZjg6wdrWir1t8DqRZNvyXaBxOoYXbkUMWoL6phzEauONg@mail.gmail.com>
Date: Wed, 14 May 2025 19:17:00 +0200
From: Kevin Guerroudj <kguerroudj@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Cadence vManager Plugin 4.0.1-288.v8804b_ea_a_cb_7f
* Health Advisor by CloudBees Plugin 374.376.v3a_41a_a_142efe
* OpenID Connect Provider Plugin 111.v29fd614b_3617

Additionally, we announce unresolved security issues in the following
plugins:

* DingTalk Plugin
* WSO2 Oauth Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2025-05-14/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities
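As an added example (not part of the advisory or of any Jenkins code), a Python check that compares an installed-plugin inventory against the fixed releases listed above. The inventory is a constructed sample keyed by the display names used in this message, and the version ordering is a simplified reading of Jenkins plugin version strings that only looks at the leading numeric components:

```python
import re

# Releases the advisory lists as containing the fixes, keyed by display name.
FIXED_IN = {
    "Cadence vManager Plugin": "4.0.1-288.v8804b_ea_a_cb_7f",
    "Health Advisor by CloudBees Plugin": "374.376.v3a_41a_a_142efe",
    "OpenID Connect Provider Plugin": "111.v29fd614b_3617",
}
# Plugins the advisory says have no fix as of publication.
UNFIXED = {"DingTalk Plugin", "WSO2 Oauth Plugin"}

def version_key(version: str) -> tuple:
    """Leading numeric components of a Jenkins plugin version, split on '.' and
    '-'; the 'v<hash>' qualifier and anything after it is ignored. This is a
    simplification of hudson.util.VersionNumber (assumption) that is enough to
    order the releases named in this advisory."""
    nums = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def assess(installed: dict) -> dict:
    """Map each installed plugin (display name -> version) to a status; plugins
    the advisory does not mention are left out of the report."""
    report = {}
    for name, version in installed.items():
        if name in UNFIXED:
            report[name] = "vulnerable: no fix available as of the advisory"
        elif name in FIXED_IN:
            if version_key(version) < version_key(FIXED_IN[name]):
                report[name] = f"vulnerable: upgrade to {FIXED_IN[name]}"
            else:
                report[name] = "fixed"
    return report

if __name__ == "__main__":
    # Constructed sample inventory (what a plugin manager export might contain).
    sample = {
        "Cadence vManager Plugin": "4.0.1-286.v9e25a_740b_a_48",
        "Health Advisor by CloudBees Plugin": "374.376.v3a_41a_a_142efe",
        "OpenID Connect Provider Plugin": "96.vee8ed882ec4d",
        "DingTalk Plugin": "2.7.3",
    }
    for name, status in assess(sample).items():
        print(f"{name}: {status}")
```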

---

SECURITY-3574 / CVE-2025-47884
In OpenID Connect Provider Plugin, claim templates can use environment
variables for jobs and builds for dynamic content. The default claim
template for build ID tokens uses the `JOB_URL` environment variable for
the `sub` (Subject) claim.

In OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier, the
generation of build ID Tokens uses potentially overridden values of
environment variables.

When certain other plugins are installed which allow arbitrary environment
variables to be overridden (e.g., Environment Injector
Plugin), this allows attackers able to configure jobs to craft a build ID
Token that impersonates a trusted job, potentially gaining unauthorized
access to external services.
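Added illustration, not the plugin's code: a Python model of rendering the default claim template over a build environment, showing why a `sub` claim derived from an overridable `JOB_URL` can name a different job, next to a hardened variant (an assumption about how such a fix could work, not taken from the plugin) that re-derives `JOB_URL` from the controller's own record of the job. The controller URL, job name and override are constructed:

```python
import re

# Default claim template as the advisory describes it: sub is taken from JOB_URL.
DEFAULT_CLAIM_TEMPLATE = {"iss": "${JENKINS_URL}", "sub": "${JOB_URL}"}
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

def job_url(jenkins_url: str, job_full_name: str) -> str:
    """Canonical URL of a job, derived only from the controller's own record."""
    return jenkins_url + "job/" + job_full_name.replace("/", "/job/") + "/"

def render_claims(template: dict, values: dict) -> dict:
    """Expand ${NAME} placeholders in each claim; an unknown name is an error."""
    def expand(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown claim variable {name}")
        return values[name]
    return {claim: PLACEHOLDER.sub(expand, text) for claim, text in template.items()}

def build_environment(jenkins_url: str, job_full_name: str, overrides: dict) -> dict:
    """Environment as a build step sees it: controller defaults, then whatever an
    env-injecting step overrode on top. The override layer is job-configurable."""
    env = {"JENKINS_URL": jenkins_url, "JOB_URL": job_url(jenkins_url, job_full_name)}
    env.update(overrides)
    return env

def claims_from_build_env(jenkins_url: str, job_full_name: str, overrides: dict) -> dict:
    """Vulnerable pattern: rendering over the build environment lets an
    overridden JOB_URL become the token's sub."""
    env = build_environment(jenkins_url, job_full_name, overrides)
    return render_claims(DEFAULT_CLAIM_TEMPLATE, env)

def claims_from_controller(jenkins_url: str, job_full_name: str, overrides: dict) -> dict:
    """Hardened pattern (assumed for illustration, not necessarily the plugin's
    fix): identity-bearing variables are re-derived from controller state after
    overrides are applied, so a job's configuration cannot change them."""
    env = build_environment(jenkins_url, job_full_name, overrides)
    env.update({"JENKINS_URL": jenkins_url, "JOB_URL": job_url(jenkins_url, job_full_name)})
    return render_claims(DEFAULT_CLAIM_TEMPLATE, env)

if __name__ == "__main__":
    # Constructed scenario: a low-trust job whose configuration overrides JOB_URL.
    controller = "https://ci.example.test/"
    overrides = {"JOB_URL": controller + "job/release/job/deploy-prod/"}
    print("sub from build env :", claims_from_build_env(controller, "sandbox/scratch", overrides)["sub"])
    print("sub from controller:", claims_from_controller(controller, "sandbox/scratch", overrides)["sub"])
```

A relying party that allow-lists `sub` values has no way to tell the two tokens apart, which is why the identity-bearing value must come from controller state rather than from the build's environment.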


SECURITY-3559 / CVE-2025-47885
Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not
escape responses from the Jenkins Health Advisor server.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control Jenkins Health Advisor server
responses.


SECURITY-3548 / CVE-2025-47886 (CSRF) & CVE-2025-47887 (missing permission
check)
Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier does not
perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-3353 / CVE-2025-47888
DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS
certificate and hostname validation for connections to the configured
DingTalk webhooks.

As of publication of this advisory, there is no fix.


SECURITY-3481 / CVE-2025-47889
In WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted
without validation by the "WSO2 Oauth" security realm.

This allows unauthenticated attackers to log in to controllers using this
security realm using any username and any password, including usernames
that do not exist.

Sessions created this way do not have any additional authorities, i.e.,
memberships in groups. Even the "authenticated" group membership is absent.
The impact of successfully creating a session this way depends on the
authorization strategy and how it is configured. Commonly used
authorization strategies behave as described below:

* The authorization strategy "Logged-in users can do anything" determines
  that users who logged in this way are not the anonymous user, and are
  granted Overall/Administer permission.
* The authorization strategy "Role-based strategy" provided by Role-based
  Authorization Strategy Plugin grants attackers permissions assigned
  directly to the specified user (or ambiguous permissions applicable to
  both users and groups).
  Permissions that would be granted through groups would not be granted.
* The authorization strategies "Matrix-based security" and "Project-based
  Matrix Authorization Strategy" provided by Matrix Authorization Strategy
  Plugin grant permissions assigned directly to the specified user (or
  ambiguous permissions applicable to both users and groups, typically
  predating version 3.0 of the plugin).
  Permissions that would be granted through groups would not be granted.

As of publication of this advisory, there is no fix.
