Message-Id: <8E0CD9A4-3FAD-4F7E-AE43-E44BF27F8E14@beckweb.net>
Date: Tue, 29 Mar 2022 14:18:34 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Bitbucket Server Integration Plugin 3.2.0
* Continuous Integration with Toad Edge Plugin 2.4
* Flaky Test Handler Plugin 1.2.2
* instant-messaging Plugin 1.42
* JiraTestResultReporter Plugin 166.v0cc6208295b5
* Proxmox Plugin 0.6.0, 0.7.0, and 0.7.1
* RocketChat Notifier Plugin 1.5.0

Additionally, we announce unresolved security issues in the following plugins:

* Coverage/Complexity Scatter Plot Plugin
* Job and Node ownership Plugin
* Pipeline: Phoenix AutoTest Plugin
* SiteMonitor Plugin
* Tests Selector Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-03-29/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2639 / CVE-2022-28133

Bitbucket Server Integration Plugin 2.0.0 through 3.1.0 (inclusive) does not
limit URL schemes for callback URLs on OAuth consumers.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to create BitBucket Server consumers.

SECURITY-2640 / CVE-2022-28134

Bitbucket Server Integration Plugin 3.1.0 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to create, view, and delete
BitBucket Server consumers.

SECURITY-2161 / CVE-2022-28135

instant-messaging Plugin provides a framework for plugins integrating Jenkins
with instant messaging services.

instant-messaging Plugin 1.41 and earlier stores passwords for group chats
unencrypted in the global configuration file of plugins based on
instant-messaging Plugin on the Jenkins controller.

These passwords can be viewed by users with access to the Jenkins controller
file system.

SECURITY-2236 / CVE-2022-28136 (CSRF) & CVE-2022-28137 (missing permission check)

JiraTestResultReporter Plugin 165.v817928553942 and earlier does not perform a
permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

SECURITY-2241 / CVE-2022-28138 (CSRF) & CVE-2022-28139 (missing permission check)

RocketChat Notifier Plugin 1.4.10 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

SECURITY-1896 / CVE-2022-28140

Flaky Test Handler Plugin 1.2.1 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins controller or server-side request forgery.

SECURITY-2079 / CVE-2022-28141

Proxmox Plugin 0.5.0 and earlier stores the Proxmox Datacenter password
unencrypted in the global `config.xml` file on the Jenkins controller as part
of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

SECURITY-2081 / CVE-2022-28142

Proxmox Plugin 0.6.0 and earlier disables SSL/TLS certificate validation for
the entire Jenkins controller JVM when configured to ignore SSL/TLS issues.

SECURITY-2082 / CVE-2022-28143 (CSRF) & CVE-2022-28144 (missing permission check)

Proxmox Plugin 0.7.0 and earlier does not perform permission checks in several
HTTP endpoints.

This allows attackers with Overall/Read permission to:

* connect to an attacker-specified host using attacker-specified username and
  password, performing a connection test,
* disable SSL/TLS validation for the entire Jenkins controller JVM as part of
  the connection test (see SECURITY-2081 / CVE-2022-28142),
* and test a rollback with attacker-specified parameters.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

SECURITY-1892 / CVE-2022-28145

Continuous Integration with Toad Edge Plugin 2.3 and earlier uses a patched
fork of an old version of the file browser for workspaces, archived artifacts,
and `userContent/` from Jenkins core (`DirectoryBrowserSupport`) to serve
reports. This fork removes the `Content-Security-Policy` header functionality
introduced for SECURITY-95.

This results in a stored cross-site scripting (XSS) exploitable by attackers
with Item/Configure permission or otherwise able to control report contents.

SECURITY-2633 / CVE-2022-28146

Continuous Integration with Toad Edge Plugin 2.3 and earlier allows attackers
with Item/Configure permission to read arbitrary files on the Jenkins
controller by specifying an input folder on the Jenkins controller as a
parameter to its build steps.

SECURITY-2635 / CVE-2022-28147

Continuous Integration with Toad Edge Plugin 2.3 and earlier does not perform
a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the existence
of an attacker-specified file path on the Jenkins controller file system.

SECURITY-2654 / CVE-2022-28148

Continuous Integration with Toad Edge Plugin 2.3 and earlier uses a patched
fork of an old version of the file browser for workspaces, archived artifacts,
and `userContent/` from Jenkins core (`DirectoryBrowserSupport`) to serve
reports. The fork did not receive the fix for SECURITY-2481 in Jenkins 2.315
and LTS 2.303.2.

This results in a path traversal vulnerability allowing attackers with
Item/Read permission to obtain the contents of arbitrary files on Windows
controllers.

SECURITY-2285 / CVE-2022-28149

Job and Node ownership Plugin 0.13.0 and earlier does not escape the names of
secondary owners.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

SECURITY-2062 (1) / CVE-2022-28150 (CSRF) & CVE-2022-28151 (missing permission check)

Job and Node ownership Plugin 0.13.0 and earlier does not perform a permission
check in several HTTP endpoints.

This allows attackers with Item/Read permission to change the owners and
item-specific permissions of a job.

Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

NOTE: This CSRF vulnerability is only exploitable in Jenkins 2.286 and
earlier, LTS 2.277.1 and earlier. See the LTS upgrade guide:
https://www.jenkins.io/doc/upgrade-guide/2.277/#upgrading-to-jenkins-lts-2-277-2

As of publication of this advisory, there is no fix.

SECURITY-2062 (2) / CVE-2022-28152

Job and Node ownership Plugin 0.13.0 and earlier does not require POST
requests for an HTTP endpoint, resulting in a cross-site request forgery
(CSRF) vulnerability.

This vulnerability allows attackers to restore the default ownership of a job.

As of publication of this advisory, there is no fix.

SECURITY-1932 / CVE-2022-28153

SiteMonitor Plugin 0.6 and earlier does not escape URLs of sites to monitor in
tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

SECURITY-1899 / CVE-2022-28154

Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not configure
its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control the input files for the 'Public
Coverage / Complexity Scatter Plot' post-build step to have Jenkins parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

SECURITY-1897 / CVE-2022-28155

Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control the input files for the `readXml` or
`writeXml` build step to have Jenkins parse a crafted file that uses external
entities for extraction of secrets from the Jenkins controller or server-side
request forgery.

As of publication of this advisory, there is no fix.

SECURITY-2683 / CVE-2022-28156

Pipeline: Phoenix AutoTest Plugin 1.3 and earlier implements a Pipeline step
(`copy`) to copy files from the running build's directory on the Jenkins
controller to an agent without sanitizing the path specified.

This allows attackers with Item/Configure permission to copy arbitrary files
and directories from the Jenkins controller to the agent workspace.

As of publication of this advisory, there is no fix.

SECURITY-2684 / CVE-2022-28157

Pipeline: Phoenix AutoTest Plugin 1.3 and earlier implements a Pipeline step
(`ftp`) to upload files to an FTP server without limiting the source
directory.

This allows attackers with Item/Configure permission to upload arbitrary files
from the Jenkins controller via FTP to an attacker-specified FTP server.

As of publication of this advisory, there is no fix.

SECURITY-2685 / CVE-2022-28158

Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an attack
to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-2262 / CVE-2022-28159

Tests Selector Plugin 1.3.3 and earlier does not escape the Properties File
Path option for Choosing Tests parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

SECURITY-2338 / CVE-2022-28160

Tests Selector Plugin 1.3.3 and earlier allows users with Item/Configure
permission to read arbitrary files on the Jenkins controller using the
Choosing Tests parameter.

As of publication of this advisory, there is no fix.
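Added illustration, not code from the advisory or from the Bitbucket Server Integration Plugin: a hypothetical Jenkins global configuration showing the fixing side of the two Bitbucket issue classes above (a callback URL restricted to http/https both in form validation and on save, and an endpoint that requires POST plus Overall/Administer), with the consumer secret typed as Secret so it is not written to config.xml in clear text (the storage problem behind SECURITY-2161 and SECURITY-2079 further down). All class, field and method names are assumptions.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.URI;
import java.net.URISyntaxException;
/** Hypothetical global configuration holding one OAuth consumer for an external service. */
@Extension
public class ExampleOAuthConsumerConfig extends GlobalConfiguration {
    private String callbackUrl;
    // Secret instead of String: XStream writes it to config.xml encrypted with the controller's
    // key rather than in clear text (the storage pattern behind SECURITY-2161 / SECURITY-2079).
    private Secret consumerSecret;

    /** Returns null when the URL is acceptable, otherwise the reason it was rejected. */
    static String rejectCallbackUrl(String value) {
        if (value == null || value.isBlank()) return "Callback URL is required";
        URI uri;
        try { uri = new URI(value.trim()); } catch (URISyntaxException e) { return "Not a valid URL"; }
        // Only schemes a browser may be redirected to. A stored "javascript:" callback that is
        // later rendered as a link is the stored-XSS pattern described for SECURITY-2639.
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            return "Callback URL must use http or https";
        }
        return uri.getHost() == null ? "Callback URL must include a host" : null;
    }
    // Form validation: @POST rejects GET (the POST then passes the CSRF crumb check) and the
    // permission check closes the SECURITY-2640 hole, where Overall/Read was enough.
    @POST
    public FormValidation doCheckCallbackUrl(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        String problem = rejectCallbackUrl(value);
        return problem == null ? FormValidation.ok() : FormValidation.error(problem);
    }
    // The same check runs on save: a client posting the form directly never calls doCheck.
    @DataBoundSetter
    public void setCallbackUrl(String value) {
        String problem = rejectCallbackUrl(value);
        if (problem != null) throw new IllegalArgumentException(problem);
        callbackUrl = value.trim();
        save();
    }
    @DataBoundSetter
    public void setConsumerSecret(Secret value) { consumerSecret = value; save(); }
}
```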
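Added example, not code from the advisory or from any plugin it names, for the connection-test form validations above (SECURITY-2236, SECURITY-2241, SECURITY-2082, SECURITY-2635) and the JVM-wide TLS problem in SECURITY-2081: the endpoint accepts only POST, checks Overall/Administer before connecting anywhere, and attaches any custom trust to the single test connection instead of replacing the JVM's default socket factory. Class, method and parameter names are assumptions; the endpoint expects an https URL.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.ByteArrayInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
/** Hypothetical global configuration for a plugin that talks to a hypervisor API over HTTPS. */
@Extension
public class ExampleHypervisorConfig extends GlobalConfiguration {
    // @POST: GET is rejected and the POST goes through the CSRF crumb check. The explicit
    // permission check stops Overall/Read users from making the controller connect to a
    // host of their choosing (the SECURITY-2236 / 2241 / 2082 / 2635 pattern).
    @POST
    public FormValidation doTestConnection(@QueryParameter String apiUrl,
                                           @QueryParameter String trustedCaPem) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            HttpsURLConnection conn = (HttpsURLConnection) new URL(apiUrl).openConnection();
            // Trust is scoped to this one connection. The SECURITY-2081 pattern was
            // HttpsURLConnection.setDefaultSSLSocketFactory(trustAllFactory), which switches
            // off certificate validation for every HTTPS client in the whole JVM.
            if (trustedCaPem != null && !trustedCaPem.isBlank()) {
                conn.setSSLSocketFactory(contextTrusting(trustedCaPem).getSocketFactory());
            }
            int code = conn.getResponseCode();
            return code == 200 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + code);
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
    /** SSLContext that trusts exactly the given PEM CA certificate; hostname checks stay on. */
    static SSLContext contextTrusting(String pem) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("trusted-ca", CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pem.getBytes("US-ASCII"))));
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Trusting one administrator-supplied CA for one connection is the usual replacement for an "ignore SSL/TLS issues" checkbox; a trust-all manager, even per connection, still removes the protection the advisory is about.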
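For the three XXE issues in this advisory (SECURITY-1896, SECURITY-1899, SECURITY-1897), an added example that is not from the advisory or the affected plugins: the JDK default parser beside a hardened factory, both run on a constructed report file that carries a harmless internal DOCTYPE. Names are hypothetical; inside a plugin, Jenkins core's jenkins.util.xml.XMLUtils.parse(Reader) applies equivalent restrictions and is the simpler choice.

```java
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.IOException;
import java.io.StringReader;

/** Hypothetical report parser in the shape of the plugins named under SECURITY-1896 / 1899 / 1897. */
public final class ReportXmlParser {

    // BEFORE: the JDK default. DOCTYPE is honoured and external entities are resolved, so a
    // crafted report file makes the controller read local files or fetch remote URLs (XXE).
    static Document parseUnsafe(String xml) throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
    }

    // AFTER: a factory that refuses DOCTYPE outright and, as belt and braces, disables external
    // entity and DTD loading in case a parser implementation ignores the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parseSafe(String xml) throws ParserConfigurationException, SAXException, IOException {
        return hardenedFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless internal entity is enough to show that the hardened
        // parser rejects any DOCTYPE before entity resolution can begin.
        String report = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY who \"ci\">]><r><by>&who;</by></r>";
        System.out.println("unsafe: " + parseUnsafe(report).getDocumentElement().getTextContent());
        try {
            parseSafe(report);
        } catch (SAXException e) {
            System.out.println("safe: rejected, " + e.getMessage());
        }
    }
}
```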