Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <A0107057-3D70-4F39-ABD3-B186779F6A3C@beckweb.net>
Date: Thu, 30 Jun 2022 16:44:33 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* GitLab Plugin 1.5.35
* requests-plugin Plugin 2.2.17
* TestNG Results Plugin 555.va0d5f66521e3
* XebiaLabs XL Release Plugin 22.0.1

Additionally, we announce unresolved security issues in the following
plugins:

* Build Notifications Plugin
* build-metrics Plugin
* Cisco Spark Plugin
* Deployment Dashboard Plugin
* Elasticsearch Query Plugin
* eXtreme Feedback Panel Plugin
* Failed Job Deactivator Plugin
* HPE Network Virtualization Plugin
* Jigomerge Plugin
* Matrix Reloaded Plugin
* OpsGenie Plugin
* Plot Plugin
* Project Inheritance Plugin
* Recipe Plugin
* Request Rename Or Delete Plugin
* Rich Text Publisher Plugin
* RocketChat Notifier Plugin
* RQM Plugin
* Skype notifier Plugin
* Validating Email Parameter Plugin
* XPath Configuration Viewer Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-06-30/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2316 / CVE-2022-34777
GitLab Plugin 1.5.34 and earlier does not escape multiple user-provided
values shown as part of the build case of webhook-triggered builds.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-2788 / CVE-2022-34778
TestNG Results Plugin has options in its post-build step configuration to
not escape test descriptions and exception messages.

If those options are unchecked, TestNG Results Plugin 554.va4a552116332 and
earlier renders the unescaped text provided in test results.

This results in a cross-site scripting (XSS) vulnerability exploitable by
attackers able to configure jobs or control test results.


SECURITY-2773 (1) / CVE-2022-34779
XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-2773 (2) / CVE-2022-34780 (CSRF) & CVE-2022-34781 (missing authorization)
XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission
checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified HTTP server using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-2650 / CVE-2022-34782
requests-plugin Plugin 2.2.16 and earlier does not correctly perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the list of
pending requests.

NOTE: This is basically the same vulnerability as SECURITY-1995, whose fix
was ineffective.


SECURITY-2220 / CVE-2022-34783
Plot Plugin 2.1.10 and earlier does not escape plot descriptions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-1118 / CVE-2022-34784
build-metrics Plugin 1.3 does not escape the build description on one of
its views.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Build/Update permission.

As of publication of this advisory, there is no fix.


SECURITY-2643 / CVE-2022-34785
build-metrics Plugin 1.3 and earlier does not perform a permission check in
multiple HTTP endpoints.

This allows attackers with Overall/Read permission to obtain information
about jobs otherwise inaccessible to them.

As of publication of this advisory, there is no fix.


SECURITY-2332 / CVE-2022-34786
Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message
set by its post-build step.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to configure jobs.

As of publication of this advisory, there is no fix.


SECURITY-1919 / CVE-2022-34787
Project Inheritance Plugin 21.04.03 and earlier does not escape the reason
a build is blocked in tooltips.

This results in a cross-site scripting (XSS) vulnerability exploitable by
attackers able to control the reason a queue item is blocked.

As of publication of this advisory, there is no fix.


SECURITY-1926 / CVE-2022-34788
Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in
tooltips.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Agent/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2016 / CVE-2022-34789
Matrix Reloaded Plugin 1.1.3 and earlier does not require POST requests for
an HTTP endpoint, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to rebuild previous matrix builds.

As of publication of this advisory, there is no fix.


SECURITY-1939 / CVE-2022-34790
eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job
names used in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2165 / CVE-2022-34791
Validating Email Parameter Plugin 1.10 and earlier does not escape the name
and description of its parameter type.

Additionally, it disables the security hardening added in Jenkins 2.44 and
LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects
the "Build With Parameters" and "Parameters" pages from vulnerabilities
like this by default.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2000 / CVE-2022-34792 (CSRF) & CVE-2022-34793 (XXE) &
CVE-2022-34794 (missing permission check)
Recipe Plugin 1.2 and earlier does not perform a permission check in
multiple HTTP endpoints.

This allows attackers with Overall/Read permission to send an HTTP request
to an attacker-specified URL and parse the response as XML.

As the plugin does not configure its XML parser to prevent XML external
entity (XXE) attacks, attackers can have Jenkins parse a crafted XML
response that uses external entities for extraction of secrets from the
Jenkins controller or server-side request forgery.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Additionally, the plugin allows users to export the full configuration of
jobs as part of a recipe, granting access to job configuration XML data to
every user with Item/Read permission. The encrypted values of secrets
stored in the job configuration are not redacted, as they would be by the
config.xml API for users without Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2799 / CVE-2022-34795
Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment
names on its Deployment Dashboard view.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with View/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2798 (1) / CVE-2022-34796
Deployment Dashboard Plugin 1.0.10 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2798 (2) / CVE-2022-34797 (CSRF) & CVE-2022-34798 (missing authorization)
Deployment Dashboard Plugin 1.0.10 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified HTTP URL using attacker-specified username and password.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2070 / CVE-2022-34799
Deployment Dashboard Plugin 1.0.10 and earlier stores a password
unencrypted in its global configuration file
`de.codecentric.jenkins.dashboard.DashboardView.xml` on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-2056 / CVE-2022-34800 (storage) & CVE-2022-34801 (transmission)
Build Notifications Plugin 1.5.0 and earlier stores multiple tokens
unencrypted in its global configuration files on the Jenkins controller as
part of its configuration:

* Pushover Application Token in
  `tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml`
* Slack Bot Token in
  `tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier.xml`
* Telegram Bot Token in
  `tools.devnull.jenkins.plugins.buildnotifications.TelegramNotifier.xml`

Additionally, they are transmitted in plain text as part of the global
configuration form.

These tokens can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-2088 / CVE-2022-34802
RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and
webhook token unencrypted in its global configuration file
`RocketChatNotifier.xml` on the Jenkins controller as part of its
configuration.

These secrets can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-1877 / CVE-2022-34803 (storage) & CVE-2022-34804 (transmission)
OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global
configuration file `com.opsgenie.integration.jenkins.OpsGenieNotifier.xml`
and in job `config.xml` files on the Jenkins controller as part of its
configuration.

Additionally, they are transmitted in plain text as part of the respective
configuration forms.

These API keys can be viewed by users with Item/Extended Read permission
(job `config.xml` only) or access to the Jenkins controller file system
(both).

As of publication of this advisory, there is no fix.


SECURITY-2160 / CVE-2022-34805
Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in
its global configuration file
`hudson.plugins.skype.im.transport.SkypePublisher.xml` on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-2083 / CVE-2022-34806
Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job
`config.xml` files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission
or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2073 / CVE-2022-34807
Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in
its global configuration file
`org.jenkinsci.plugins.elasticsearchquery.ElasticsearchQueryBuilder.xml` on
the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-2055 / CVE-2022-34808
Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in
its global configuration file
`org.jenkinsci.plugins.spark.SparkNotifier.xml` on the Jenkins controller
as part of its configuration.

These bearer tokens can be viewed by users with access to the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2155 / CVE-2022-34809
RQM Plugin 2.8 and earlier stores a password unencrypted in its global
configuration file `net.praqma.jenkins.rqm.RqmBuilder.xml` on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-2806 / CVE-2022-34810
RQM Plugin 2.8 and earlier does not perform a permission check in an HTTP
endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2002 / CVE-2022-34811
XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the XPath
Configuration Viewer page. Given appropriate XPath expressions, this page
grants access to job configuration XML data to every user with Item/Read
permission. The encrypted values of secrets stored in the job configuration
are not redacted, as they would be by the config.xml API for users without
Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2658 / CVE-2022-34812 (CSRF) & CVE-2022-34813 (missing permission check)
XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to create and delete
XPath expressions.

Additionally, these HTTP endpoints do not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-1996 / CVE-2022-34814
Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly
perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view an
administrative configuration page listing pending requests.

As of publication of this advisory, there is no fix.


SECURITY-2657 / CVE-2022-34815
Request Rename Or Delete Plugin 1.1.0 and earlier does not require POST
requests for HTTP endpoint, resulting in a cross-site request forgery
(CSRF) vulnerability.

This vulnerability allows attackers to accept pending requests, thereby
renaming or deleting jobs.

As of publication of this advisory, there is no fix.


SECURITY-2080 / CVE-2022-34816
HPE Network Virtualization Plugin 1.0 stores passwords unencrypted in its
global configuration file
`org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml` on the
Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins
controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2061 / CVE-2022-34817 (CSRF) & CVE-2022-34818 (missing authorization)
Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission
checks in several views and HTTP endpoints.

This allows attackers with Overall/Read permission to disable jobs.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

NOTE: This CSRF vulnerability is only exploitable in Jenkins 2.286 and
earlier, LTS 2.277.1 and earlier.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.