This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to trigger build of job without parameters.
Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.
Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Mailer Plugin 408.vd726a_1130320 requires POST requests and Overall/Administer permission for the affected form validation method.
Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
Matrix Project Plugin 1.20 escapes HTML metacharacters in node and label names, and label descriptions.
Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.
Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.
Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag.
This results in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.
Docker Commons Plugin 1.18 sanitizes the name of an image or a tag.
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184 requires the appropriate permissions.
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Bitbucket Branch Source Plugin 746.v350d2781c184 requires POST requests for the affected HTTP endpoint.
SSH Agent Plugin 1.23 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in SSH Agent Plugin 1.23.2 requires the appropriate permissions.
Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml
on the Jenkins controller as part of its configuration.
This access key can be viewed by users with access to the Jenkins controller file system.
Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.
Additionally, the token value is only displayed once when it is generated.
Active Directory Plugin implements two separate modes: integration with ADSI on Windows, and an OS agnostic LDAP-based mode.
Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers unless it is configured to use the OS agnostic LDAP mode and the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps
is set to true
.
This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain credentials of users logging into Jenkins, as well as credentials of the manager DN (LDAP mode) or the Windows/Active Directory user Jenkins is running as (ADSI mode).
Active Directory Plugin 2.25.1 adds an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP). This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory. Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.
Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration unless the (now otherwise obsolete) flag hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps
was set to true
.
Note
|
The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE and hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE .
See the plugin documentation for further details.
|
Note
|
Care needs to be taken when reconfiguring the security realm to not accidentally lock yourself out. See the documentation for advice how to resolve this problem if it occurs. |
Configuration as Code Plugin 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.
This could potentially allow attackers to use statistical methods to obtain a valid authentication token.
Configuration as Code Plugin 1.55.1 now uses a constant-time comparison when validating authentication tokens.
Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID.
This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.
Warnings Next Generation Plugin 9.10.3 checks for the presence of prohibited directory separator characters in the custom ID.
Badge Plugin allows adding custom build badges with a custom description and optionally a link to a URL.
Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Badge Plugin 1.9.1 escapes the description and check for allowed protocols when creating a badge.
Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline steps to explicitly specify that variables are to be treated as sensitive and should be removed from output.
HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior and did not explicitly declare variables as sensitive or redacted them.
This can result in exposure of Vault credentials in Pipeline build logs and Pipeline step descriptions.
HashiCorp Vault Plugin 3.8.0 explicitly masks Vault credentials in build logs and Pipeline step descriptions.
This fix only applies to new builds. Administrators are advised to review build logs and Pipeline metadata files created before HashiCorp Vault Plugin 3.8.0 for the presence of Vault credentials.
Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.
As of publication of this advisory, there is no fix.
Publish Over SSH Plugin 1.22 and earlier does not perform permission checks in methods implementing connection tests.
This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.
Additionally, these connection tests methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.
Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not.
This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.
As of publication of this advisory, there is no fix.
Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml
on the Jenkins controller as part of its configuration.
This password can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
batch task Plugin 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task.
As of publication of this advisory, there is no fix.
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret.
This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.
As of publication of this advisory, there is no fix.
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials (Credentials Plugin) stored on the Jenkins controller.
This allows attackers able to control agent processes to retrieve those credentials.
As of publication of this advisory, there is no fix.
Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git
at an attacker-specified path on the controller.
This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.
As of publication of this advisory, there is no fix.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: