Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <C710E6BF-A7C7-4ADF-95A5-8C6A920601C1@beckweb.net>
Date: Wed, 12 Jul 2023 16:10:45 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins 

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Active Directory Plugin 2.30.1
* Datadog Plugin 5.4.2
* External Monitor Job Type Plugin 207.v98a_a_37a_85525
* mabl Plugin 0.0.47
* OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432
* Oracle Cloud Infrastructure Compute Plugin 1.0.17
* Orka by MacStadium Plugin 1.34
* SAML Single Sign On(SSO) Plugin 2.3.1

Additionally, we announce unresolved security issues in the following
plugins:

* Assembla Auth Plugin
* Benchmark Evaluator Plugin
* ElasticBox CI Plugin
* MathWorks Polyspace Plugin
* Pipeline restFul API Plugin
* Rebuilder Plugin
* Sumologic Publisher Plugin
* Test Results Aggregator Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2023-07-12/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3133 / CVE-2023-37942
External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not
configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Build permission to have Jenkins parse a
crafted HTTP request with XML data that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.


SECURITY-3059 / CVE-2023-37943
Active Directory Plugin allows testing a new, unsaved configuration by
performing a connection test (the button labeled "Test Domain").

Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and
"StartTls" options and always performs the connection test to Active
directory unencrypted. This allows attackers able to capture network
traffic between the Jenkins controller and Active Directory servers to
obtain Active Directory credentials.

NOTE: This only affects the connection test. Connections established during
the login process are encrypted if the corresponding TLS option is enabled.


SECURITY-3130 / CVE-2023-37944
Datadog Plugin 5.4.1 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.


SECURITY-3164 / CVE-2023-37945
SAML Single Sign On(SSO) Plugin 2.3.0 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to download a string
representation of the current security realm (Java `Object#toString()`),
which potentially includes sensitive information.


SECURITY-2998 / CVE-2023-37946
OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not
invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.


SECURITY-2999 / CVE-2023-37947
OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly
determines that a redirect URL after login is legitimately pointing to
Jenkins.

This allows attackers to perform phishing attacks by having users go to a
Jenkins URL that will forward them to a different site after successful
authentication.


SECURITY-3044 / CVE-2023-37948
Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not
perform SSH host key validation when connecting to OCI clouds.

This lack of validation could be abused using a man-in-the-middle attack to
intercept these connections to OCI clouds.


SECURITY-3128 / CVE-2023-37949
Orka by MacStadium Plugin 1.33 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.


SECURITY-3137 (1) / CVE-2023-37950
mabl Plugin 0.0.46 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-3137 (2) / CVE-2023-37951
mabl Plugin 0.0.46 and earlier does not set the appropriate context for
credentials lookup, allowing the use of System-scoped credentials otherwise
reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture
credentials they are not entitled to.


SECURITY-3127 / CVE-2023-37952 (CSRF) & CVE-2023-37953 (missing permission check)
mabl Plugin 0.0.46 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.


SECURITY-3033 / CVE-2023-37954
Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier does not require POST
requests for an HTTP endpoint, resulting in a cross-site request forgery
(CSRF) vulnerability.

This vulnerability allows attackers to rebuild a previous build.

As of publication of this advisory, there is no fix.


SECURITY-3122 / CVE-2023-37955 (CSRF) & CVE-2023-37956 (missing permission check)
Test Results Aggregator Plugin 1.2.13 and earlier does not perform a
permission check in an HTTP endpoint implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-3126 / CVE-2023-37957
Pipeline restFul API Plugin 0.11 and earlier does not require POST requests
for an HTTP endpoint, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to have Jenkins connect to an
attacker-specified URL, capturing a newly generated JCLI token that allows
impersonating the victim.

As of publication of this advisory, there is no fix.


SECURITY-3117 / CVE-2023-37958 (CSRF) & CVE-2023-37959 (missing permission check)
Sumologic Publisher Plugin 2.2.1 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-3124 / CVE-2023-37960
MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict the path of
the attached files in Polyspace Notification post-build step.

This allows attackers with Item/Configure permission to send emails with
arbitrary files from the Jenkins controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2988 / CVE-2023-37961
Assembla Auth Plugin 1.14 and earlier does not implement a state parameter
in its OAuth flow, a unique and non-guessable value associated with each
authentication request.

This vulnerability allows attackers to trick users into logging in to the
attacker's account.

As of publication of this advisory, there is no fix.


SECURITY-3119 / CVE-2023-37962 (CSRF) & CVE-2023-37963 (missing permission check)
Benchmark Evaluator Plugin 1.0.1 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL and to check for the existence of directories,
`.csv`, and `.ycsb` files on the Jenkins controller file system.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-3131 / CVE-2023-37964 (CSRF) & CVE-2023-37965 (missing permission check)
ElasticBox CI Plugin 5.0.1 and earlier does not perform permission checks
in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.