[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Multiple vulnerabilities in Jenkins plugins
From: Demi Marie Obenour <demi () invisiblethingslab ! com>
Date: 2023-08-16 13:23:33
Message-ID: ZNzN1lVfY6z08z+K () itl-email
[Download RAW message or body]
On Wed, Aug 16, 2023 at 03:11:18PM +0200, Daniel Beck wrote:
> Jenkins is an open source automation server which enables developers around
> the world to reliably build, test, and deploy their software.
>
> The following releases contain fixes for security vulnerabilities:
>
> * Blue Ocean Plugin 1.27.5.1
> * Config File Provider Plugin 953.v0432a_802e4d2
> * Delphix Plugin 3.0.3
> * Flaky Test Handler Plugin 1.2.3
> * Folders Plugin 6.848.ve3b_fd7839a_81
> * Fortify Plugin 22.2.39
> * NodeJS Plugin 1.6.0.1
> * Shortcut Job Plugin 0.5
> * Tuleap Authentication Plugin 1.1.21
>
> Additionally, we announce unresolved security issues in the following
> plugins:
>
> * Docker Swarm Plugin
> * Favorite View Plugin
> * Gogs Plugin
> * Maven Artifact ChoiceListProvider (Nexus) Plugin
>
> Summaries of the vulnerabilities are below. More details, severity, and
> attribution can be found here:
> https://www.jenkins.io/security/advisory/2023-08-16/
>
> We provide advance notification for security updates on this mailing list:
> https://groups.google.com/d/forum/jenkinsci-advisories
>
> If you discover security vulnerabilities in Jenkins, please report them as
> described here:
> https://www.jenkins.io/security/#reporting-vulnerabilities
>
> ---
>
> SECURITY-3106 / CVE-2023-40336
> Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST
> requests for an HTTP endpoint, resulting in a cross-site request forgery
> (CSRF) vulnerability.
>
> This vulnerability allows attackers to copy an item, which could
> potentially automatically approve unsandboxed scripts and allow the
> execution of unsafe scripts.
>
>
> SECURITY-3105 / CVE-2023-40337
> Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST
> requests for an HTTP endpoint, resulting in a cross-site request forgery
> (CSRF) vulnerability.
>
> This vulnerability allows attackers to copy a view inside a folder.
>
>
> SECURITY-3109 / CVE-2023-40338
> Folders Plugin displays an error message when attempting to access the Scan
> Organization Folder Log if no logs are available.
>
> In Folders Plugin 6.846.v23698686f0f6 and earlier, this error message
> includes the absolute path of a log file, exposing information about the
> Jenkins controller file system.
>
>
> SECURITY-3090 / CVE-2023-40339
> Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask
> (i.e., replace with asterisks) credentials specified in configuration files
> when they're written to the build log.
>
>
> SECURITY-3196 / CVE-2023-40340
> NodeJS Plugin integrates with Config File Provider Plugin to specify custom
> NPM settings, including credentials for authentication, in a Npm config
> file.
>
> NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with
> asterisks) credentials specified in the Npm config file in Pipeline build
> logs.
>
>
> SECURITY-3116 / CVE-2023-40341
> Blue Ocean Plugin 1.27.5 and earlier does not require POST requests for an
> HTTP endpoint, resulting in a cross-site request forgery (CSRF)
> vulnerability.
>
> This vulnerability allows attackers to connect to an attacker-specified
> URL, capturing GitHub credentials associated with an attacker-specified
> job.
>
>
> SECURITY-3115 / CVE-2023-4301 (CSRF) & CVE-2023-4302 (missing permission check)
> Fortify Plugin 22.1.38 and earlier does not perform permission checks in
> several HTTP endpoints.
>
> This allows attackers with Overall/Read permission to connect to an
> attacker-specified URL using attacker-specified credentials IDs obtained
> through another method, capturing credentials stored in Jenkins.
>
> Additionally, these HTTP endpoints do not require POST requests, resulting
> in a cross-site request forgery (CSRF) vulnerability.
>
>
> SECURITY-3140 / CVE-2023-4303
> Fortify Plugin 22.1.38 and earlier does not escape the error message for a
> form validation method. This results in an HTML injection vulnerability.
>
> NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form
> validation responses prevents JavaScript execution, so no scripts can be
> injected.
>
>
> SECURITY-3223 / CVE-2023-40342
> Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test
> contents when showing them on the Jenkins UI.
>
> This results in a stored cross-site scripting (XSS) vulnerability
> exploitable by attackers able to control JUnit report file contents.
>
>
> SECURITY-3229 / CVE-2023-40343
> Tuleap Authentication Plugin 1.1.20 and earlier does not use a
> constant-time comparison when checking whether two authentication tokens
> are equal.
>
> This could potentially allow attackers to use statistical methods to obtain
> a valid authentication token.
>
>
> SECURITY-3214 (1) / CVE-2023-40344
> Delphix Plugin 3.0.2 and earlier does not perform a permission check in an
> HTTP endpoint.
>
> This allows attackers with Overall/Read permission to enumerate credentials
> IDs of credentials stored in Jenkins. Those can be used as part of an
> attack to capture the credentials using another vulnerability.
>
>
> SECURITY-3214 (2) / CVE-2023-40345
> Delphix Plugin 3.0.2 and earlier does not set the appropriate context for
> credentials lookup, allowing the use of System-scoped credentials otherwise
> reserved for the global configuration.
>
> This allows attackers with Overall/Read permission to access and capture
> credentials they are not entitled to.
>
>
> SECURITY-3071 / CVE-2023-40346
> Shortcut Job Plugin 0.4 and earlier does not escape the shortcut
> redirection URL.
>
> This results in a stored cross-site scripting (XSS) vulnerability
> exploitable by attackers able to configure shortcut jobs.
>
>
> SECURITY-3153 / CVE-2023-40347
> Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not
> set the appropriate context for credentials lookup, allowing the use of
> System-scoped credentials otherwise reserved for the global configuration.
>
> This allows attackers with Item/Configure permission to access and capture
> credentials they are not entitled to.
>
> As of publication of this advisory, there is no fix.
>
>
> SECURITY-2894 / CVE-2023-40348 (information disclosure) & CVE-2023-40349 (insecure default)
> Gogs Plugin provides a webhook endpoint at `/gogs-webhook` that can be used
> to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to
> specify a Gogs secret for this webhook is provided, but not enabled by
> default.
>
> This allows unauthenticated attackers to trigger builds of jobs
> corresponding to the attacker-specified job name.
>
> Additionally, the output of the webhook endpoint includes whether a job
> corresponding to the attacker-specified job name exists, even if the
> attacker has no permission to access it.
>
> As of publication of this advisory, there is no fix.
>
>
> SECURITY-2811 / CVE-2023-40350
> Docker Swarm Plugin processes Docker responses to generate the Docker Swarm
> Dashboard view.
>
> Docker Swarm Plugin 1.11 and earlier does not escape values returned from
> Docker before inserting them into the Docker Swarm Dashboard view. This
> results in a stored cross-site scripting (XSS) vulnerability exploitable by
> attackers able to control responses from Docker.
>
> As of publication of this advisory, there is no fix.
>
>
> SECURITY-3201 / CVE-2023-40351
> Favorite View Plugin 5.v77a_37f62782d and earlier does not require POST
> requests for an HTTP endpoint, resulting in a cross-site request forgery
> (CSRF) vulnerability.
>
> This vulnerability allows attackers to add or remove views from another
> user's favorite views tab bar.
>
> As of publication of this advisory, there is no fix.
I strongly recommend that Jenkins add the following:
- Documentation recommending that Jenkins _not_ be exposed to the public
Internet, due to its very large attack surface.
- A configuration option to disable all plugins with known
vulnerabilities.
- A process for removing plugins whose maintainers do not resolve
security vulnerabilities reasonably quickly.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic