Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <84F86108-C0D3-4CAA-A9A7-C989788C78C1@beckweb.net>
Date: Wed, 6 Mar 2024 16:48:37 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* AppSpider Plugin 1.0.17
* Bitbucket Branch Source Plugin 871.v28d74e8b_4226
* Delphix Plugin 3.0.2 and 3.1.1
* HTML Publisher Plugin 1.32.1
* MQ Notifier Plugin 1.4.1
* OWASP Dependency-Check Plugin 5.4.6
* Trilead API Plugin 2.141.v284120fd0c46

Additionally, we announce unresolved security issues in the following
plugins:

* Build Monitor View Plugin
* docker-build-step Plugin
* GitBucket Plugin
* iceScrum Plugin
* Subversion Partial Release Manager Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2024-03-06/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3333 / CVE-2023-48795
Trilead API Plugin bundles the Jenkins project's fork of the Trilead SSH2
library for use by other plugins.

Trilead API Plugin 2.133.vfb_8a_7b_9c5dd1 and earlier, except
2.84.86.vf9c960e9b_458, bundles versions of Jenkins/Trilead SSH2 that are
susceptible to CVE-2023-48795 (Terrapin). This vulnerability allows a
machine-in-the-middle attacker to reduce the security of an SSH connection.


SECURITY-3301 / CVE-2024-28149
SECURITY-784 / CVE-20218-1000175 is a path traversal vulnerability in
HTML Publisher Plugin 1.15 and earlier. The fix for it retained
compatibility for older reports as a fallback.

In HTML Publisher Plugin 1.16 through 1.32 (both inclusive) this fallback
for reports created in HTML Publisher Plugin 1.15 and earlier does not
properly sanitize input. This allows attackers with Item/Configure
permission to do the following:

* Implement stored cross-site scripting (XSS) attacks.
* Determine whether a path on the Jenkins controller file system exists,
  without being able to access it.


SECURITY-3302 / CVE-2024-28150
HTML Publisher Plugin 1.32 and earlier does not escape job names, report
names, and index page titles shown as part of the report frame.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-3303 / CVE-2024-28151
HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in
report directories on agents and recreates them on the controller.
Attackers with Item/Configure permission can use them to determine whether
a path on the Jenkins controller file system exists, without being able to
access it.


SECURITY-3300 / CVE-2024-28152
Multibranch Pipelines with Bitbucket branch source can be configured to
discover pull requests from forks. The trust policy is set to "Forks in the
same account" by default.

In Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except
848.850.v6a_a_2a_234a_c81, this trust policy allows changes to Jenkinsfiles
from users without write access to the project when using Bitbucket Server.
This allows attackers able to submit pull requests from forks to change the
Pipeline behavior.


SECURITY-3344 / CVE-2024-28153
OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape
vulnerability metadata from Dependency-Check reports on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control workspace contents or CVE
metadata.


SECURITY-3180 / CVE-2024-28154
MQ Notifier Plugin has a global option to log the JSON payload it sends to
RabbitMQ in the build log. This includes the build parameters, some of
which may be sensitive, and they are not masked.

In MQ Notifier Plugin 1.4.0 and earlier, this option is enabled by default.
This results in unwanted exposure of sensitive information in build logs.


SECURITY-3144 / CVE-2024-28155
AppSpider Plugin 1.0.16 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to obtain information
about available scan config names, engine group names, and client names.


SECURITY-3215 / CVE-2024-28161
Delphix Plugin provides a global option for administrators to enable or
disable SSL/TLS certificate validation for Data Control Tower (DCT)
connections.

In Delphix Plugin 3.0.1 this option is set to disable SSL/TLS certificate
validation by default.


SECURITY-3330 / CVE-2024-28162
Delphix Plugin provides a global option for administrators to enable or
disable SSL/TLS certificate validation for Data Control Tower (DCT)
connections.

In Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) an option change
from disabled validation to enabled validation fails to take effect until
Jenkins is restarted.


SECURITY-3200 / CVE-2024-2215 (CSRF) & CVE-2024-2216 (permission check)
docker-build-step Plugin 2.11 and earlier does not perform a permission
check in an HTTP endpoint implementing a connection test.

This allows attackers with Overall/Read permission to connect to an
attacker-specified TCP or Unix socket URL. Additionally, the plugin
reconfigures itself using the provided connection test parameters,
affecting future build step executions.

Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-3280 / CVE-2024-28156
Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not
escape Build Monitor View names.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to configure Build Monitor Views.

As of publication of this advisory, there is no fix.


SECURITY-3249 / CVE-2024-28157
GitBucket Plugin 0.8 and earlier does not sanitize Gitbucket URLs on build
views.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to configure jobs.

As of publication of this advisory, there is no fix.


SECURITY-3325 / CVE-2024-28158 (CSRF) & CVE-2024-28159 (permission check)
Subversion Partial Release Manager Plugin 1.0.1 and earlier does not
perform a permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to trigger a build.

Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-3248 / CVE-2024-28160
iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs
on build views.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to configure jobs.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.