Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20241D7D-8489-4A8A-82BE-7CFD4F92E1F8@beckweb.net>
Date: Thu, 18 Mar 2021 14:28:59 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* CloudBees AWS Credentials Plugin 1.28.1
* Libvirt Agents Plugin 1.9.1
* Matrix Authorization Strategy Plugin 2.6.6
* Role-based Authorization Strategy Plugin 3.1.1
* Warnings Next Generation Plugin 8.5.0


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-03-18/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2180 / CVE-2021-21623
Items (like jobs) can be organized hierarchically in Jenkins, using the
Folders Plugin or something similar. An item is expected to be accessible
only if all its ancestors are accessible as well.

Matrix Authorization Strategy Plugin 2.6.5 and earlier does not correctly
perform permission checks to determine whether an item should be
accessible.

This allows attackers with Item/Read permission on nested items to access
them, even if they lack Item/Read permission for parent folders.


SECURITY-2182 / CVE-2021-21624
Items (like jobs) can be organized hierarchically in Jenkins, using the
Folders Plugin or something similar. An item is expected to be accessible
only if all its ancestors are accessible as well.

Role-based Authorization Strategy Plugin 3.1 and earlier does not correctly
perform permission checks to determine whether an item should be
accessible.

This allows attackers with Item/Read permission on nested items to access
them, even if they lack Item/Read permission for parent folders.


SECURITY-2032 / CVE-2021-21625
CloudBees AWS Credentials Plugin 1.28 and earlier does not perform a
permission check in a helper method for HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of AWS credentials stored in Jenkins if any of the following plugins
are installed:

* Amazon Elastic Container Service (ECS) / Fargate
* AWS Parameter Store Build Wrapper
* AWS SAM

Further plugins may use this helper method as well without performing a
permission check themselves.

Credentials IDs obtained this way can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2041 / CVE-2021-21626
Warnings Next Generation Plugin 8.4.4 and earlier does not perform
permission checks in methods implementing form validation.

This allows attackers with Item/Read permission but without Item/Workspace
or Item/Configure permission to check whether attacker-specified file
patterns match workspace contents. A sequence of requests can be used to
effectively list workspace contents.


SECURITY-1764 / CVE-2021-21627
Libvirt Agents Plugin 1.9.0 and earlier does not require POST requests for
a form submission endpoint, resulting in a cross-site request forgery
(CSRF) vulnerability.

This vulnerability allows attackers to stop hypervisor domains.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.