This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.
Jenkins 2.300, LTS 2.289.2 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission.
As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.
Jenkins 2.300, LTS 2.289.2 invalidates the existing session on login.
Note: In case of problems, administrators can choose a different implementation by setting the Java system property hudson.security.SecurityRealm.sessionFixationProtectionMode to 2, or disable the fix entirely by setting that system property to 0.
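To show what "invalidates the existing session on login" means in servlet terms, here is an added example (not Jenkins code, and not the mechanism the system property above selects) of a login step that discards the pre-login session and issues a fresh one. The attribute name "from" and the class are this example's own assumptions; the Servlet API calls are real.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Example only: illustrates session renewal after a successful login. */
public class LoginSessionHandling {

    /**
     * Call after the credentials have been verified and before anything is written
     * to the session as the authenticated user. The session that existed before login
     * (whose id may have been chosen by someone other than this user) is dropped, so
     * the authenticated state lives only under an id issued by this response.
     */
    public static HttpSession renewSessionAfterLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            // Carry over only what the login flow itself needs; "from" (the page to return
            // to after login) is an assumed attribute name for this example.
            Object from = old.getAttribute("from");
            if (from != null) {
                carried.put("from", from);
            }
            old.invalidate(); // the server forgets the old id; the old cookie is now worthless
        }
        HttpSession fresh = request.getSession(true); // new id, sent with this response
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Alternative available on Servlet 3.1+: keep the session object and its attributes,
     * rotate only the id. Less disruptive, but it relies on the container implementing it.
     */
    public static String rotateSessionId(HttpServletRequest request) {
        request.getSession(true);          // make sure a session exists
        return request.changeSessionId();  // returns the new id
    }
}
```

Whichever variant is used, the important property is that the id under which the authenticated session is stored was not known to anyone before the login completed; the first variant achieves that even on containers that predate changeSessionId().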
Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.
CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.
CAS Plugin 1.6.1 only redirects to relative (Jenkins) URLs.
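The redirect check that the fix implies, as an added example rather than the plugin's own code: accept only paths rooted at this Jenkins instance and refuse anything carrying a scheme or an authority. The method name and the sample targets are this example's; the java.net.URI behaviour relied on is standard.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Example only: deciding whether a post-login redirect target stays on this Jenkins. */
public class RedirectTargetCheck {

    public static boolean isSafeRedirect(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Some browsers treat '\' like '/', so "/\other.example" would leave the site.
        if (target.indexOf('\\') >= 0) {
            return false;
        }
        // Browsers collapse any run of leading slashes on http(s) into "//host", so the
        // textual check is kept even though URI parsing usually catches it too.
        if (target.startsWith("//")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target); // also refuses whitespace and control characters
        } catch (URISyntaxException e) {
            return false;
        }
        // A scheme ("https:", "javascript:") or an authority means the target is not ours,
        // even when the host happens to be this Jenkins: only relative paths are allowed.
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.getRawPath();
        return path != null && path.startsWith("/");
    }

    public static void main(String[] args) {
        // Constructed inputs, not taken from any report.
        String[] samples = {
            "/job/deploy/",              // accepted
            "/job/deploy/?q=1#top",      // accepted
            "job/deploy",                // refused: not rooted at Jenkins
            "https://jenkins.example/",  // refused: absolute URL
            "//other.example/login",     // refused: scheme-relative
            "///other.example/login",    // refused: browsers read this as scheme-relative
            "/\\other.example",          // refused: backslash
            "javascript:void(0)",        // refused: scheme
        };
        for (String s : samples) {
            System.out.printf("%-28s -> %s%n", s, isSafeRedirect(s) ? "redirect" : "refuse");
        }
    }
}
```

If a deployment legitimately needs to send users to an absolute URL after login, the safe form is an allow-list of exact prefixes compared after parsing, never a substring or "starts with our hostname" test on the raw string.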
requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to view the list of pending requests.
requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pending requests.
Note: The previous sentence originally stated that Overall/Read permission was newly required. This statement was incorrect and was fixed on 2021-07-05.
requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or deleting jobs, deleting builds, etc.
requests-plugin Plugin 2.2.13 requires POST requests for the affected HTTP endpoints.
This was partially fixed in requests-plugin Plugin 2.2.8 to require POST requests for some of the affected HTTP endpoints, but the endpoint allowing administrators to apply pending requests remained unprotected until 2.2.13.
requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address.
requests-plugin Plugin 2.2.8 requires Overall/Administer permission to send test emails.
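The permission and CSRF fixes in this advisory (Item/Read plus Item/Cancel for cancelling and aborting, Overall/Administer for the pending-request and test-email endpoints, and POST-only state-changing endpoints) all come down to the same two idioms in a Stapler-bound Jenkins object. The following is an added example, not code from any of the plugins named here: the class, method names, URL parameters and the in-memory pending list are assumptions; the Jenkins and Stapler APIs used are real.

```java
import hudson.model.Executor;
import hudson.model.Item;
import hudson.model.Job;
import hudson.model.Run;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Example only: a hypothetical Stapler-bound object with properly guarded endpoints. */
public class HardenedEndpoints {

    /** Stand-in for a plugin's store of pending requests (assumed for this example). */
    private final List<String> pending = new CopyOnWriteArrayList<>();

    /**
     * Abort a running build. The caller must be allowed to see the job (Item/Read) as well
     * as cancel it (Item/Cancel); holding Item/Cancel alone is not enough.
     */
    @RequirePOST // state-changing: a GET request, e.g. from a crafted link, is refused
    public HttpResponse doAbortBuild(@QueryParameter String job, @QueryParameter int number) {
        // getItemByFullName already hides jobs the caller cannot read; the explicit
        // Item.READ check below keeps the requirement visible in this method.
        Job<?, ?> j = Jenkins.get().getItemByFullName(job, Job.class);
        if (j == null) {
            throw HttpResponses.notFound();
        }
        j.checkPermission(Item.READ);
        j.checkPermission(Item.CANCEL);
        Run<?, ?> build = j.getBuildByNumber(number);
        if (build == null) {
            throw HttpResponses.notFound();
        }
        Executor e = build.getExecutor();
        if (e != null) {
            e.interrupt(); // asks the executor to abort the build
        }
        return HttpResponses.ok();
    }

    /** Read-only listing, so GET is fine; but it is administrative data, not Overall/Read data. */
    public HttpResponse doPendingRequests() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return HttpResponses.plainText(String.join("\n", pending));
    }

    /** Applying a pending request changes state: administrators only, and POST only. */
    @RequirePOST
    public HttpResponse doApplyRequest(@QueryParameter String id) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (!pending.remove(id)) {
            throw HttpResponses.notFound();
        }
        return HttpResponses.redirectToDot();
    }
}
```

The two things to review on any do*-method in a plugin are whether a checkPermission call (or an equivalent guard) sits before any data is returned or changed, and whether a method that changes state carries @RequirePOST so that Jenkins' CSRF protection applies to it.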
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: