Message-Id: <6D14D6C6-2FFB-49A2-BD66-C68DA4EF1ACC@beckweb.net>
Date: Wed, 22 Jun 2022 16:11:23 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.356
* Jenkins LTS 2.332.4 and 2.346.1
* Embeddable Build Status Plugin 2.0.4
* Hidden Parameter Plugin 0.0.5
* JUnit Plugin 1119.1121.vc43d0fc45561
* Nested View Plugin 1.26
* Pipeline: Input Step Plugin 449.v77f0e8b_845c4
* REST List Parameter Plugin 1.6.0
* xUnit Plugin 3.1.0

Additionally, we announce unresolved security issues in the following plugins:

* Agent Server Parameter Plugin
* Beaker builder Plugin
* Convertigo Mobile Platform Plugin
* CRX Content Package Deployer Plugin
* Date Parameter Plugin
* Dynamic Extended Choice Parameter Plugin
* EasyQA Plugin
* Filesystem List Parameter Plugin
* Image Tag Parameter Plugin
* Jianliao Notification Plugin
* Maven Metadata Plugin for Jenkins CI server Plugin
* NS-ND Integration Performance Publisher Plugin
* ontrack Jenkins Plugin
* Package Version Plugin
* Readonly Parameter Plugin
* Repository Connector Plugin
* Sauce OnDemand Plugin
* Squash TM Publisher (Squash4Jenkins) Plugin
* Stash Branch Parameter Plugin
* ThreadFix Plugin
* vRealize Orchestrator Plugin

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2022-06-22/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2781 / CVE-2022-34170 through CVE-2022-34173

Multiple cross-site scripting (XSS) vulnerabilities in Jenkins 2.355 and earlier, LTS 2.332.3 and earlier allow attackers to inject HTML and JavaScript into the Jenkins UI:

* SECURITY-2779 (CVE-2022-34170): Since Jenkins 2.320 and LTS 2.332.1, help icon tooltips no longer escape the feature name, effectively undoing the fix for SECURITY-1955.
* SECURITY-2761 (CVE-2022-34171): Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the `title` attribute of `l:ionicon` until Jenkins 2.334 and `alt` attribute of `l:icon` since Jenkins 2.335 without further escaping.
* SECURITY-2776 (CVE-2022-34172): Since Jenkins 2.340, symbol-based icons unescape previously escaped values of `tooltip` parameters.
* SECURITY-2780 (CVE-2022-34173): Since Jenkins 2.340, the tooltip of the build button in list views supports HTML without escaping the job display name.

These vulnerabilities are known to be exploitable by attackers with Job/Configure permission.

SECURITY-2566 / CVE-2022-34174

In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.

This allows attackers to determine the validity of attacker-specified usernames.

SECURITY-2777 / CVE-2022-34175

Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content.

Before SECURITY-534 was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.

In Jenkins 2.335 through 2.355 (both inclusive), the protection added for SECURITY-534 is disabled for some views. As a result, attackers could in very limited cases directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.

NOTE: As of publication, the Jenkins security team is unaware of any vulnerable view fragment across the Jenkins plugin ecosystem.

SECURITY-2760 / CVE-2022-34176

JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

SECURITY-2705 / CVE-2022-34177

Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier allows Pipeline authors to specify `file` parameters for Pipeline `input` steps even though they are unsupported. Although the uploaded file is not copied to the workspace, Jenkins archives the file on the controller as part of build metadata using the parameter name without sanitization as a relative path inside a build-related directory.

This allows attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

SECURITY-2567 / CVE-2022-34178

Embeddable Build Status Plugin 2.0.3 allows specifying a `link` query parameter that build status badges will link to, without restricting possible values.

This results in a reflected cross-site scripting (XSS) vulnerability.

SECURITY-2792 / CVE-2022-34179

Embeddable Build Status Plugin 2.0.3 and earlier allows specifying a `style` query parameter that is used to choose a different SVG image style without restricting possible values.

This results in a relative path traversal vulnerability, allowing attackers without Overall/Read permission to specify paths to other SVG images on the Jenkins controller file system.

SECURITY-2794 / CVE-2022-34180

Embeddable Build Status Plugin 2.0.3 and earlier does not correctly perform the ViewStatus permission check in the HTTP endpoint it provides for "unprotected" status badge access.

This allows attackers without any permissions to obtain the build status badge icon for any attacker-specified job and/or build.

SECURITY-2549 / CVE-2022-34181

xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results.

This allows attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory.

SECURITY-2768 / CVE-2022-34182

Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters.

This results in a reflected cross-site scripting (XSS) vulnerability.

SECURITY-2784 / CVE-2022-34183 through CVE-2022-34198

Multiple plugins do not escape the name and description of the parameter types they provide:

* Agent Server Parameter 1.1 and earlier (SECURITY-2731 / CVE-2022-34183)
* CRX Content Package Deployer 1.9 and earlier (SECURITY-2727 / CVE-2022-34184)
* Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185)
* Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 / CVE-2022-34186)
* Filesystem List Parameter 0.0.7 and earlier (SECURITY-2716 / CVE-2022-34187)
* Hidden Parameter Plugin 0.0.4 and earlier (SECURITY-2755 / CVE-2022-34188)
* Image Tag Parameter 1.10 and earlier (SECURITY-2721 / CVE-2022-34189)
* Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 / CVE-2022-34190)
* NS-ND Integration Performance Publisher 4.8.0.77 and earlier (SECURITY-2736 / CVE-2022-34191)
* ontrack Jenkins 4.0.0 and earlier (SECURITY-2733 / CVE-2022-34192)
* Package Version 1.0.1 and earlier (SECURITY-2735 / CVE-2022-34193)
* Readonly Parameter 1.0.0 and earlier (SECURITY-2719 / CVE-2022-34194)
* Repository Connector 2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195)
* REST List Parameter Plugin 1.5.2 and earlier (SECURITY-2730 / CVE-2022-34196)
* Sauce OnDemand 1.204 and earlier (SECURITY-2724 / CVE-2022-34197)
* Stash Branch Parameter 0.3.0 and earlier (SECURITY-2725 / CVE-2022-34198)

This results in stored cross-site scripting (XSS) vulnerabilities exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, several plugins have previously been updated to list parameters in a way that prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security advisory for a list.

SECURITY-2064 / CVE-2022-34199

Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

SECURITY-2276 / CVE-2022-34200 (CSRF) & CVE-2022-34201 (missing permission check)

Convertigo Mobile Platform Plugin 1.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-2066 / CVE-2022-34202

EasyQA Plugin 1.0 and earlier stores user passwords unencrypted in its global configuration file `EasyQAPluginProperties.xml` on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

SECURITY-2281 / CVE-2022-34203 (CSRF) & CVE-2022-34204 (missing permission check)

EasyQA Plugin 1.0 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-2240 / CVE-2022-34205 (CSRF) & CVE-2022-34206 (missing permission check)

Jianliao Notification Plugin 1.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-2248 / CVE-2022-34207 (CSRF) & CVE-2022-34208 (missing permission check)

Beaker builder Plugin 1.10 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-2249 / CVE-2022-34209 (CSRF) & CVE-2022-34210 (missing permission check)

ThreadFix Plugin 1.5.4 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-2279 / CVE-2022-34211 (CSRF) & CVE-2022-34212 (missing permission check)

vRealize Orchestrator Plugin 3.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

SECURITY-2089 / CVE-2022-34213

Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier stores passwords unencrypted in its global configuration file `org.jenkinsci.squashtm.core.SquashTMPublisher.xml` on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.
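The form-validation findings above (Convertigo Mobile Platform, EasyQA, Jianliao Notification, Beaker builder, ThreadFix) all describe the same shape: a Stapler `doCheck...` method that neither requires POST nor checks a permission before connecting to a caller-supplied URL. The following is an added illustration, not code from the advisory or from any of those plugins, of that shape next to the hardened form Jenkins plugin developers are expected to use; `ExampleBuilder`, `DescriptorImpl` and the `url` field are hypothetical.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.URL;

/** Hypothetical build step whose per-job configuration takes a server URL. */
public class ExampleBuilder extends Builder {
    private final String url;
    @DataBoundConstructor
    public ExampleBuilder(String url) { this.url = url; }
    public String getUrl() { return url; }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        // Vulnerable shape: any Overall/Read user, or a CSRF link, reaches this via GET.
        public FormValidation doCheckUrlUnsafe(@QueryParameter String url) {
            return probe(url);
        }

        // Hardened shape: @POST rejects GET, and the caller must hold Item/Configure on
        // the job, or Overall/Administer when called from global config (item == null).
        @POST
        public FormValidation doCheckUrl(@AncestorInPath Item item, @QueryParameter String url) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return probe(url);
        }

        // Connects to the URL from the controller; this is why the checks above matter.
        private static FormValidation probe(String url) {
            try {
                new URL(url).openConnection().connect();
                return FormValidation.ok();
            } catch (Exception e) {
                return FormValidation.error("Cannot connect: " + e.getMessage());
            }
        }
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }
    }
}
```

With `@POST`, Jenkins' own CSRF crumb protection applies to the request, and the permission check ensures only users already allowed to set the field can trigger the outbound connection.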