Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <3E104BB5-6336-49DD-9C5D-4B0F6DB7D403@beckweb.net>
Date: Wed, 24 Jan 2024 15:57:49 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.442
* Jenkins LTS 2.426.3
* Git server Plugin 99.101.v720e86326c09
* GitLab Branch Source Plugin 688.v5fa_356ee8520
* Matrix Project Plugin 822.824.v14451b_c0fd42
* Qualys Policy Compliance Scanning Connector Plugin 1.0.6
* Red Hat Dependency Analytics Plugin 0.9.0

Additionally, we announce unresolved security issues in the following
plugins:

* Log Command Plugin

Summaries of the vulnerabilities are below. More details, workarounds,
severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2024-01-24/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3314 / CVE-2024-23897
Jenkins has a built-in command line interface (CLI) to access Jenkins from
a script or shell environment.

Jenkins uses the args4j library to parse command arguments and options on
the Jenkins controller when processing CLI commands. This command parser
has a feature that replaces an `@` character followed by a file path in an
argument with the file's contents (`expandAtFiles`). This feature is
enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier
does not disable it.

This allows attackers to read arbitrary files on the Jenkins controller
file system using the default character encoding of the Jenkins controller
process.

* Attackers with Overall/Read permission can read entire files.
* Attackers _without_ Overall/Read permission can read the first few lines
  of files. The number of lines that can be read depends on available CLI
  commands. As of publication of this advisory, the Jenkins security team
  has found ways to read the first three lines of files in recent releases
  of Jenkins without having any plugins installed, and has not identified
  any plugins that would increase this line count.

Binary files containing cryptographic keys used for various Jenkins
features can also be read, with some limitations. As of publication,
the Jenkins security team has confirmed the following possible attacks in
addition to reading contents of all files with a known file path. All of
them leverage attackers' ability to obtain cryptographic keys from binary
files, and are therefore only applicable to instances where that is
feasible.

WARNING: This list is not definitive. Further attacks likely exist,
including ones that do not need attackers to obtain cryptographic keys from
binary files.

* Remote code execution via Resource Root URLs (Variant 1)
* Remote code execution via Resource Root URLs (Variant 2)
* Remote code execution via "Remember me" cookie
* Remote code execution via stored cross-site scripting (XSS) attacks
  through build logs
* Remote code execution via CSRF protection bypass
* Decrypt secrets stored in Jenkins
* Delete any item in Jenkins
* Download a Java heap dump

Limitations for reading binary files:
While files containing binary data can be read, the affected feature
attempts to read them as strings using the controller process's default
character encoding. This is likely to result in some bytes not being read
successfully and being replaced with a placeholder value. Which bytes can
or cannot be read depends on this character encoding. For example,
attempting to read random binary data using UTF-8, roughly half of all
bytes will be replaced with a placeholder for an illegal value. For 32 byte
random binary secrets, as commonly used in Jenkins for HMAC-SHA256, this
would require attackers to correctly guess on average 16 bytes, which is
infeasible. In contrast, with the encoding Windows-1252, only 5 out of 256
possible values are illegal and would be replaced with a placeholder. This
is a significantly lower number of bytes to guess in a binary secret on
average, as well as fewer possible options for each byte.

IMPORTANT: While it is _unlikely_ that randomly generated keys use
significantly fewer than average of the byte values that cannot be read
using a character encoding like UTF-8, it isn't _impossible_. Therefore
administrators should update Jenkins in a timely manner, regardless of the
value of `file.encoding`.


SECURITY-3315 / CVE-2024-23898
Jenkins has a built-in command line interface (CLI) to access Jenkins from
a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of
the ways to communicate with the CLI is through a WebSocket endpoint. This
endpoint relies on the default Jenkins web request authentication
functionality, like HTTP Basic authentication with API tokens, or session
cookies. This endpoint is enabled when running on a version of Jetty for
which Jenkins supports WebSockets. This is the case when using the provided
native installers, packages, or the Docker containers, as well as when
running Jenkins with the command `java -jar jenkins.war`.

Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2
(both inclusive) does not perform origin validation of requests made
through the CLI WebSocket endpoint, resulting in a cross-site WebSocket
hijacking (CSWSH) vulnerability.

Additionally, Jenkins does not set an explicit `SameSite` attribute for
session cookies. This can allow cross-site requests to make use of the
session cookie, i.e., those requests are sent with the logged-in user's
authentication.

This vulnerability allows attackers to execute CLI commands on the Jenkins
controller. The impact depends on the permissions of the anonymous user
and/or the browser(s) used by the victim(s) of the CSWSH attack.

Additionally, this vulnerability allows exploiting SECURITY-3314 to read
the first few lines of files on the Jenkins controller. See that issue for
more information about the potential impact.


SECURITY-3319 / CVE-2024-23899
Git server Plugin uses the args4j library to parse command arguments and
options on the Jenkins controller when processing Git commands received via
SSH. This command parser has a feature that replaces an `@` character
followed by a file path in an argument with the file's contents
(`expandAtFiles`). This feature is enabled by default and Git server Plugin
99.va_0826a_b_cdfa_d and earlier does not disable it.

This allows attackers with Overall/Read permission to read the first two
lines of arbitrary files on the Jenkins controller file system using the
default character encoding of the Jenkins controller process.

See SECURITY-3314 for further information about the potential impact of being
able to read files on the Jenkins controller, as well as the limitations for
reading binary files. Note that for this issue, unlike SECURITY-3314, attackers
need Overall/Read permission.


SECURITY-3289 / CVE-2024-23900
Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize
user-defined axis names of multi-configuration projects submitted through
the `config.xml` REST API endpoint.

This allows attackers with Item/Configure permission to create or replace
any `config.xml` file on the Jenkins controller file system with content
not controllable by the attackers.


SECURITY-3040 / CVE-2024-23901
GitLab allows sharing a project with another group.

GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally
discovers projects that are shared with the configured owner group.

This allows attackers to configure and share a project, resulting in a
crafted Pipeline being built by Jenkins after the next scan of the group's
projects.


SECURITY-3251 / CVE-2024-23902
GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier does not
require POST requests for a form validation endpoint, resulting in a
cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified
URL.


SECURITY-2871 / CVE-2024-23903
GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier does not use a
constant-time comparison function when checking whether the provided and
expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid webhook token.


SECURITY-3006 / CVE-2023-6148
Qualys Policy Compliance Scanning Connector Plugin 1.0.5 and earlier does
not escape Qualys API responses displayed on the job configuration page.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to configure jobs.


SECURITY-3005 / CVE-2023-6147
Qualys Policy Compliance Scanning Connector Plugin 1.0.5 and earlier does
not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to configure jobs to have Jenkins parse a
crafted HTTP response with XML data that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.


SECURITY-3007 / CVE pending
Qualys Policy Compliance Scanning Connector Plugin 1.0.5 and earlier does
not correctly perform permission checks in several HTTP endpoints.

This allows attackers with global Item/Configure permission (while lacking
Item/Configure permission on any particular job) to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.


SECURITY-3322 / CVE-2024-23905
Jenkins sets the `Content-Security-Policy` header to static files served by
Jenkins (specifically `DirectoryBrowserSupport`), such as workspaces,
`/userContent`, or archived artifacts, unless a Resource Root URL is
specified.

Red Hat Dependency Analytics Plugin 0.7.1 and earlier globally disables the
`Content-Security-Policy` header for static files served by Jenkins
whenever the 'Invoke Red Hat Dependency Analytics (RHDA)' build step is
executed. This allows cross-site scripting (XSS) attacks by users with the
ability to control files in workspaces, archived artifacts, etc.


SECURITY-3334 / CVE-2024-23904
Log Command Plugin uses the args4j library to parse command arguments and
options on the Jenkins controller when processing commands received via
instant messaging platforms such as IRC or Jabber. This command parser has
a feature that replaces an `@` character followed by a file path in an
argument with the file's contents (`expandAtFiles`). This feature is
enabled by default and Log Command Plugin 1.0.2 and earlier does not
disable it.

This allows unauthenticated attackers to read the first line of arbitrary
files on the Jenkins controller file system using the default character
encoding of the Jenkins controller process.

See SECURITY-3314 for further information about the potential impact of being
able to read files on the Jenkins controller, as well as the limitations for
reading binary files.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.