Message-Id: <92CF66A6-B73C-4B35-9568-E23FE48FC695@beckweb.net>
Date: Wed, 13 Nov 2024 21:02:39 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Authorize Project Plugin 1.8.0
* IvyTrigger Plugin 1.02
* OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_
* Pipeline: Declarative Plugin 2.2218.v56d0cda_37c72
* Pipeline: Groovy Plugin 3993.v3e20a_37282f8
* Script Security Plugin 1368.vb_b_402e3547e7
* Shared Library Version Override Plugin 19.v3a_c975738d4a_


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2024-11-13/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3447 / CVE-2024-52549
Script Security Plugin 1367.vdf2fc45f229c and earlier, except
1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform
a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the
existence of files on the controller file system.


SECURITY-3362 / CVE-2024-52550
Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except
3975.3977.v478dd9e956c3, does not check whether the main (Jenkinsfile)
script for a rebuilt build is approved.

This allows attackers with Item/Build permission to rebuild a previous
build whose (Jenkinsfile) script is no longer approved.

NOTE: This does not apply to builds whose (Jenkinsfile) script was never
approved, but only to builds whose (Jenkinsfile) script got its approval
revoked.


SECURITY-3361 / CVE-2024-52551
Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not
check whether the main (Jenkinsfile) script used to restart a build from a
specific stage is approved.

This allows attackers with Item/Build permission to restart a previous
build whose (Jenkinsfile) script is no longer approved.

NOTE: This does not apply to builds whose (Jenkinsfile) script was never
approved, but only to builds whose (Jenkinsfile) script got its approval
revoked.


SECURITY-3010 / CVE-2024-52552
Authorize Project Plugin 1.7.2 and earlier evaluates a string containing
the job name with JavaScript on the Authorization view.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-3473 / CVE-2024-52553
OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does
not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.


SECURITY-2954 / CVE-2022-46751
IvyTrigger Plugin 1.01 and earlier bundles versions of Apache Ivy
vulnerable to CVE-2022-46751.

This allows attackers able to control the input files for the "IvyTrigger -
Poll with an Ivy script" build trigger to have Jenkins parse a crafted XML
document that uses external entities for extraction of secrets from the
Jenkins controller or server-side request forgery.


SECURITY-3466 / CVE-2024-52554
Shared Library Version Override Plugin 17.v786074c9fce7 and earlier
declares folder-scoped library overrides as trusted, so that they're not
executed in the Script Security sandbox.

This allows attackers with Item/Configure permission on a folder to
configure a folder-scoped library override that runs without sandbox
protection.
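
Added example, not part of the original advisory or of Jenkins project code: a Python check that flags plugins in an inventory that fall inside the affected ranges listed above, honoring the backport releases the advisory excludes. The comparison on leading numeric components is a simplifying assumption rather than Jenkins's own version comparator (a later backport not named in the advisory would be flagged conservatively), and the inventory is constructed sample data keyed by the display names used in this message.

```python
# (display name, last affected, unaffected backports, fixed release), per the advisory
ADVISORY = [
    ("Script Security Plugin", "1367.vdf2fc45f229c",
     {"1365.1367.va_3b_b_89f8a_95b_", "1362.1364.v4cf2dc5d8776"},
     "1368.vb_b_402e3547e7"),
    ("Pipeline: Groovy Plugin", "3990.vd281dd77a_388",
     {"3975.3977.v478dd9e956c3"}, "3993.v3e20a_37282f8"),
    ("Pipeline: Declarative Plugin", "2.2214.vb_b_34b_2ea_9b_83", set(),
     "2.2218.v56d0cda_37c72"),
    ("Authorize Project Plugin", "1.7.2", set(), "1.8.0"),
    ("OpenId Connect Authentication Plugin", "4.418.vccc7061f5b_6d", set(),
     "4.421.v5422614eb_e0a_"),
    ("IvyTrigger Plugin", "1.01", set(), "1.02"),
    ("Shared Library Version Override Plugin", "17.v786074c9fce7", set(),
     "19.v3a_c975738d4a_"),
]


def version_key(version):
    """Leading numeric components as a tuple; stops at the 'v<hash>' part."""
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def affected_plugins(installed):
    """Return {name: fixed release} for installed plugins in an affected range."""
    findings = {}
    for name, last_affected, backports, fixed in ADVISORY:
        version = installed.get(name)
        if version is None or version in backports:
            continue  # not installed, or a backport the advisory excludes
        if version_key(version) <= version_key(last_affected):
            findings[name] = fixed
    return findings


# Constructed inventory for illustration, not taken from a real controller.
SAMPLE_INVENTORY = {
    "Script Security Plugin": "1362.1364.v4cf2dc5d8776",       # listed backport
    "Pipeline: Groovy Plugin": "3990.vd281dd77a_388",          # last affected
    "Authorize Project Plugin": "1.8.0",                       # fixed release
    "OpenId Connect Authentication Plugin": "4.300.v0000000",  # constructed, older
}

print(affected_plugins(SAMPLE_INVENTORY))
```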


