Message-Id: <CC31A878-887C-4C58-9C78-947CB2279BAF@beckweb.net>
Date: Wed, 25 Oct 2023 15:27:24 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* CloudBees CD Plugin 1.1.33
* GitHub Plugin 1.37.3.1
* lambdatest-automation Plugin 1.20.10 and 1.21.0
* Warnings Plugin 10.5.1

Additionally, we announce unresolved security issues in the following
plugins:

* Edgewall Trac Plugin
* Gogs Plugin
* MSTeams Webhook Trigger Plugin
* Multibranch Scan Webhook Trigger Plugin
* Zanata Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2023-10-25/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3246 / CVE-2023-46650
GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on
the build page when showing changes.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-3265 / CVE-2023-46651
Warnings Plugin 10.5.0 and earlier does not set the appropriate context for
credentials lookup, allowing the use of system-scoped credentials otherwise
reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture
credentials they are not entitled to.


SECURITY-3222 / CVE-2023-46652
lambdatest-automation Plugin 1.20.9 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part
of an attack to capture the credentials using another vulnerability.


SECURITY-3202 / CVE-2023-46653
lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST
Credentials access token at the INFO level.

This can result in accidental exposure of the token through the default
system log.


SECURITY-3237 / CVE-2023-46654
In CloudBees CD Plugin, artifacts that were previously copied from an agent
to the controller are deleted after publishing by the 'CloudBees CD -
Publish Artifact' post-build step.

CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations
outside of the expected directory during this cleanup process.

This allows attackers able to configure jobs to delete arbitrary files on
the Jenkins controller file system.


SECURITY-3238 / CVE-2023-46655
CloudBees CD Plugin temporarily copies files from an agent workspace to the
controller in preparation for publishing them in the 'CloudBees CD -
Publish Artifact' post-build step.

CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations
outside of the temporary directory on the controller when collecting the
list of files to publish.

This allows attackers able to configure jobs to publish arbitrary files
from the Jenkins controller file system to the previously configured
CloudBees CD server.


SECURITY-2875 / CVE-2023-46656
Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier does not use a
constant-time comparison when checking whether the provided and expected
webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.

As of publication of this advisory, there is no fix.


SECURITY-2896 / CVE-2023-46657
Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when
checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.

As of publication of this advisory, there is no fix.


SECURITY-2876 / CVE-2023-46658
MSTeams Webhook Trigger Plugin 0.1.1 and earlier does not use a
constant-time comparison when checking whether the provided and expected
webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.

As of publication of this advisory, there is no fix.


SECURITY-3247 / CVE-2023-46659
Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL
on the build page.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2879 / CVE-2023-46660
Zanata Plugin 0.6 and earlier does not use a constant-time comparison when
checking whether the provided and expected webhook token hashes are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.

As of publication of this advisory, there is no fix.
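Five of the advisories above (SECURITY-2875, -2896, -2876 and -2879) describe the same defect: a webhook token compared with an ordinary string equality, which stops at the first differing character. The following Java class is an added example written for this page, not code from the advisory or from any of the affected plugins. It shows the short-circuiting pattern beside the two usual remedies, `MessageDigest.isEqual` on the raw bytes and hashing both values before comparing them (the latter also hides the token length, and applies equally when the stored value is already a hash, as in the Zanata case). The method names are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class WebhookTokenCheck {

    // Weak pattern: String.equals returns as soon as one character differs, so the
    // time taken depends on how long the prefix of the guess matches the secret.
    static boolean equalsShortCircuit(String expected, String provided) {
        return expected.equals(provided);
    }

    // Remedy 1: MessageDigest.isEqual examines every byte of equal-length inputs
    // before answering, so the result time does not reveal where the mismatch is.
    // (A length mismatch still returns early; only the length is exposed.)
    static boolean equalsConstantTime(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = provided.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // Remedy 2: hash both sides first. The digests are always the same length, so
    // neither the content nor the length of the secret leaks through timing. Use
    // this form as well when the configured value is itself a token hash.
    static boolean equalsHashed(String expected, String provided) throws NoSuchAlgorithmException {
        if (expected == null || provided == null) {
            return false;
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] a = sha256.digest(expected.getBytes(StandardCharsets.UTF_8)); // digest() resets the instance
        byte[] b = sha256.digest(provided.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values; a real token would come from the job configuration.
        String configured = "s3cr3t-webhook-token";
        String guess = "s3cr3t-webhook-tokeX";

        System.out.println("short-circuit : " + equalsShortCircuit(configured, guess));   // false
        System.out.println("constant-time : " + equalsConstantTime(configured, guess));   // false
        System.out.println("hashed        : " + equalsHashed(configured, guess));         // false
        System.out.println("hashed (same) : " + equalsHashed(configured, configured));    // true
    }
}
```

In a plugin, the comparison is usually the only line that changes: replace `expected.equals(provided)` with `equalsConstantTime(expected, provided)` (or the hashed form) at the point where the webhook request is authenticated. Detection on the defender's side is the same for all five plugins: an unusually high rate of requests to the webhook endpoint with varying tokens from one source is the signal to look for.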

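SECURITY-3237 and SECURITY-3238 are both cases of a file walker on the controller following a symbolic link planted in an agent workspace, once while collecting files to publish and once while cleaning them up. The class below is an added example for this page, not the CloudBees CD Plugin's code or its fix. It contrasts a walk that follows links with one that never descends through them and additionally confirms that each candidate's real path stays under the expected directory; the same confined list then drives the deletion step. Directory and method names are illustrative, and the `main` assumes a POSIX file system where unprivileged symlink creation works.

```java
import java.io.IOException;
import java.nio.file.FileVisitOption;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

public class ConfinedArtifactCollector {

    // Weak pattern: FOLLOW_LINKS (or File.isDirectory()/listFiles() on java.io.File)
    // steps through a symlink, so a link in the copied workspace pulls in, or deletes,
    // files anywhere the controller process can reach.
    static List<Path> collectFollowingLinks(Path root) throws IOException {
        List<Path> out = new ArrayList<>();
        try (Stream<Path> s = Files.walk(root, FileVisitOption.FOLLOW_LINKS)) {
            s.filter(Files::isRegularFile).forEach(out::add);
        }
        return out;
    }

    // Hardened pattern: walk without FOLLOW_LINKS (links are visited as entries, never
    // entered), skip every symlink outright, and as defence in depth check that the
    // canonical path of each remaining file is still inside the canonical root.
    static List<Path> collectConfined(Path root) throws IOException {
        final Path realRoot = root.toRealPath();
        final List<Path> out = new ArrayList<>();
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path p, BasicFileAttributes attrs) throws IOException {
                if (attrs.isSymbolicLink()) {
                    return FileVisitResult.CONTINUE;          // do not publish or resolve links
                }
                if (!p.toRealPath().startsWith(realRoot)) {
                    return FileVisitResult.CONTINUE;          // escaped the directory: ignore
                }
                out.add(p);
                return FileVisitResult.CONTINUE;
            }
        });
        return out;
    }

    // Cleanup driven by the confined list. Files.delete on a symlink removes the link
    // itself, never its target; the hazard was walking through the link, not unlinking it.
    static void cleanupConfined(Path root) throws IOException {
        for (Path p : collectConfined(root)) {
            Files.deleteIfExists(p);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a staging directory holding one real artifact and one
        // symlink that points at a file outside the staging directory.
        Path outside = Files.createTempDirectory("outside");
        Path secret = Files.writeString(outside.resolve("controller-secret.txt"), "not an artifact");
        Path staging = Files.createTempDirectory("staging");
        Files.writeString(staging.resolve("build.jar"), "artifact bytes");
        Files.createSymbolicLink(staging.resolve("escape"), secret);

        System.out.println("following links: " + collectFollowingLinks(staging)); // includes the link
        System.out.println("confined       : " + collectConfined(staging));       // build.jar only

        cleanupConfined(staging);
        System.out.println("secret survives: " + Files.exists(secret));           // true
    }
}
```

The real-path check matters even when links are skipped, because a parent directory of the staging area could itself be replaced by a link between the copy and the walk; resolving `toRealPath()` on both sides closes that window as far as the file system API allows.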

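SECURITY-3265 is about the context handed to the credentials lookup rather than about the lookup itself: resolved against the Jenkins root, every credential is a candidate, including system-scoped ones that only global configuration should be able to use. The example below is added for this page and is not the Warnings Plugin's code or its fix. It uses the Jenkins Credentials Plugin API as this editor knows it (`CredentialsProvider.lookupCredentials`, `CredentialsMatchers.firstOrNull` and `withId`); the credential type and method names are illustrative, and the class only compiles against a Jenkins plugin build.

```java
import java.util.Collections;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import jenkins.model.Jenkins;

public class CredentialsLookupContext {

    // Weak pattern: the Jenkins root is passed as the context, so credentials scoped
    // to the system (reserved for global configuration) resolve for any job.
    static StandardUsernamePasswordCredentials lookupAgainstRoot(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(),                                // root context: no per-item scoping
                        ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    // Corrected pattern: pass the job (an Item) as the context. The provider then only
    // returns credentials that are in scope for that item, and system-scoped credentials
    // are excluded even if the configured id would otherwise match one.
    static StandardUsernamePasswordCredentials lookupInItem(Item job, String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        job,                                          // item context: scope is enforced
                        ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }
}
```

When reviewing a plugin for this class of issue, search for every `lookupCredentials` call and confirm that the argument is the `Item` (or `Run#getParent()`) doing the work, not `Jenkins.get()`; the same goes for the list boxes that populate credential dropdowns in job configuration, which should likewise be filled in item context so system-scoped entries are not offered.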
