Message-ID: <CAKG2iZgvRCS1i2SfWtW0dVatV1ASLUKP6TYBSo4cmWW8Luqomg@mail.gmail.com>
Date: Wed, 22 Jan 2025 17:27:31 +0100
From: Kevin Guerroudj <kguerroudj@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Bitbucket Server Integration Plugin 4.1.4
* Eiffel Broadcaster Plugin 2.10.3
* GitLab Plugin 1.9.7
* OpenId Connect Authentication Plugin 4.453.v4d7765c854f4
* Zoom Plugin 1.4 and 1.6

Additionally, we announce unresolved security issues in the following
plugins:

* Azure Service Fabric Plugin
* Folder-based Authorization Strategy Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2025-01-22/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3260 / CVE-2025-24397
GitLab Plugin 1.9.6 and earlier does not correctly perform a permission
check in an HTTP endpoint.

This allows attackers with global Item/Configure permission (while lacking
Item/Configure permission on any particular job) to enumerate credential
IDs of GitLab API token credentials and Secret text credentials stored in
Jenkins. Those can be used as part of an attack to capture the credentials
using another vulnerability.


SECURITY-3434 / CVE-2025-24398
An extension point in Jenkins allows selectively disabling cross-site
request forgery (CSRF) protection for specific URLs. Bitbucket Server
Integration Plugin implements this extension point to support OAuth 1.0
authentication.

In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive)
this implementation is too permissive, allowing attackers to craft URLs
that would bypass the CSRF protection of any target URL.
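To make the class of defect concrete, here is an added example (not the Bitbucket Server Integration Plugin's code) of two `CrumbExclusion` implementations: one that matches far more than the OAuth callback it was written for, and one that exempts exactly that path. `CALLBACK_PATH`, the `example-oauth` marker and the job name in the comment are hypothetical; the `javax.servlet` imports are those used by plugins targeting Jenkins before its Jakarta EE migration.

```java
import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the plugin's code: two ways to exempt an OAuth callback from
 * Jenkins' crumb (CSRF) check. CALLBACK_PATH is a hypothetical URL chosen for the example.
 */
public class OAuthCrumbExclusions {

    static final String CALLBACK_PATH = "/example-oauth/callback";

    /** Matching rule of the too-permissive variant: any path that merely contains the marker. */
    static boolean permissiveMatches(String path) {
        return path != null && path.contains("example-oauth");
    }

    /** Matching rule of the strict variant: the callback path itself or a sub-path of it. */
    static boolean strictMatches(String path) {
        return path != null
                && (path.equals(CALLBACK_PATH) || path.startsWith(CALLBACK_PATH + "/"));
    }

    /**
     * Too permissive. Deliberately NOT annotated with @Extension, so it is never registered:
     * a POST to /job/example-oauth-demo/doDelete (any job whose name contains the marker)
     * would pass through without a crumb, i.e. a classic CSRF target becomes exempt.
     */
    public static class Permissive extends CrumbExclusion {
        @Override
        public boolean process(HttpServletRequest req, HttpServletResponse rsp, FilterChain chain)
                throws IOException, ServletException {
            if (permissiveMatches(req.getPathInfo())) {
                chain.doFilter(req, rsp); // skip the crumb filter for this request
                return true;
            }
            return false;
        }
    }

    /** Strict: only the callback URL (and its sub-paths) is exempt from the crumb check. */
    @Extension
    public static class Strict extends CrumbExclusion {
        @Override
        public boolean process(HttpServletRequest req, HttpServletResponse rsp, FilterChain chain)
                throws IOException, ServletException {
            if (strictMatches(req.getPathInfo())) {
                chain.doFilter(req, rsp);
                return true;
            }
            return false;
        }
    }
}
```

The matching rules are kept in static helpers so they can be unit-tested without a servlet container; `permissiveMatches("/job/example-oauth-demo/doDelete")` is true while `strictMatches` of the same path is false. Whatever the exact pattern, an exclusion should be anchored to a fixed path prefix of the plugin's own endpoint and never to a substring that user-named objects (jobs, folders, views) can reproduce.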


SECURITY-3461 / CVE-2025-24399
OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier
treats usernames as case-insensitive.

On a Jenkins instance configured with a case-sensitive OpenID Connect
provider, this allows attackers to log in as any user by providing a
username that differs only in letter case, potentially gaining
administrator access to Jenkins.
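The comparison at the heart of this issue can be shown with Jenkins' own `hudson.security.IdStrategy`. The following is an added example (not the OpenId Connect Authentication Plugin's code) that resolves a provider-asserted username against a constructed table of local accounts under both strategies; `sampleUsers` and the account names are made up for the demonstration.

```java
import hudson.security.IdStrategy;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example, not the plugin's code. Shows how the user ID comparison strategy decides
 * whether "Admin" and "admin" are the same Jenkins account. The user table is sample data.
 */
public class UserIdCaseDemo {

    /** Constructed local Jenkins accounts: id -> granted permission. */
    static Map<String, String> sampleUsers() {
        Map<String, String> users = new LinkedHashMap<>();
        users.put("admin", "Overall/Administer");
        users.put("alice", "Overall/Read");
        return users;
    }

    /**
     * Resolve the username asserted by the OpenID Connect provider to a local account id
     * using the given strategy; returns null when no account matches.
     */
    static String resolve(String providerUsername, IdStrategy strategy, Map<String, String> users) {
        for (String id : users.keySet()) {
            if (strategy.equals(id, providerUsername)) {
                return id;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Map<String, String> users = sampleUsers();
        // The provider is case-sensitive: "Admin" is a separate account there, registered by an attacker.
        String asserted = "Admin";

        // Case-insensitive comparison (Jenkins' default IdStrategy) maps it onto the administrator.
        String loose = resolve(asserted, IdStrategy.CASE_INSENSITIVE, users);
        System.out.println("case-insensitive -> " + loose + " (" + users.get(loose) + ")");

        // Case-sensitive comparison keeps the two identities apart.
        String strict = resolve(asserted, IdStrategy.CASE_SENSITIVE, users);
        System.out.println("case-sensitive   -> " + strict);
    }
}
```

A security realm announces its strategy through `SecurityRealm.getUserIdStrategy()`, which defaults to `IdStrategy.CASE_INSENSITIVE`; a realm fronting a case-sensitive identity provider has to match the provider's semantics rather than inherit that default, otherwise two distinct provider accounts collapse into one Jenkins user.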


SECURITY-3292 (1) / CVE-2025-0142
Zoom Plugin 1.3 and earlier stores Zoom integration tokens unencrypted in
job `config.xml` files on the Jenkins controller as part of its
configuration.

These tokens can be viewed by users with Item/Extended Read permission or
access to the Jenkins controller file system.


SECURITY-3292 (2) / CVE pending
Zoom Plugin requires Zoom integration tokens for `Zoom Build Notifier`
post-build actions.

In Zoom Plugin 1.5 and earlier the job configuration form does not mask
these tokens, increasing the potential for attackers to observe and capture
them.
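Both Zoom Plugin issues come down to how a notifier holds and renders its token. The following is an added example (not the Zoom Plugin's code) of a post-build notifier that keeps the token as `hudson.util.Secret`, which Jenkins serialises into `config.xml` encrypted rather than in the clear; `ExampleTokenNotifier` and its behaviour are hypothetical.

```java
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.BuildStepMonitor;
import hudson.tasks.Notifier;
import hudson.tasks.Publisher;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Added example, not the Zoom Plugin's code. A post-build notifier whose integration token
 * is held as hudson.util.Secret, so the job's config.xml stores it encrypted with the
 * controller's key instead of as plain text.
 */
public class ExampleTokenNotifier extends Notifier {

    // The weak variant is `private final String token;`, which XStream writes to config.xml verbatim.
    private final Secret token;

    @DataBoundConstructor
    public ExampleTokenNotifier(Secret token) {
        this.token = token; // Stapler converts the submitted form value into a Secret
    }

    /** Getter returns the Secret itself so the form round-trips without exposing plain text. */
    public Secret getToken() {
        return token;
    }

    /** Decrypt only at the point of use. */
    String authorizationHeader() {
        return "Bearer " + Secret.toString(token);
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener) {
        // Hypothetical notification: a real implementation would send authorizationHeader()
        // in an HTTP request. Only the length is logged so the token never reaches the build log.
        listener.getLogger().println("Would notify using a token of length "
                + Secret.toString(token).length());
        return true;
    }

    @Override
    public BuildStepMonitor getRequiredMonitorService() {
        return BuildStepMonitor.NONE;
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Publisher> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example token notifier";
        }
    }
}
```

The form side is the second half of the fix: in the step's `config.jelly`, `<f:password field="token"/>` renders a masked input bound to the `Secret`, whereas `<f:textbox field="token"/>` would show the value in the clear to anyone viewing the configuration form. Both halves are needed: a `Secret` field behind a plain text box still leaks on screen, and a masked box over a `String` field still leaks on disk.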


SECURITY-3485 / CVE-2025-24400
Eiffel Broadcaster Plugin allows events published to RabbitMQ to be signed
using certificate credentials. To improve performance, the plugin caches
some data from the credential.

Eiffel Broadcaster Plugin 2.10.2 and earlier uses the credential ID as the
cache key. This allows attackers able to create a credential with the same
ID as a legitimate one in a different credentials store to sign an event
published to RabbitMQ with the legitimate certificate credentials.

NOTE: Signing is disabled by default; only instances explicitly configured
to enable it are affected.
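The cache-key collision can be reproduced without Jenkins or RabbitMQ. Here is an added example (not the Eiffel Broadcaster Plugin's code) that models a signer cache in front of certificate credentials living in two different credentials stores; `Cred`, `Signer`, the store names and the fingerprints are constructed stand-ins.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not the plugin's code. Models a signer cache over certificate credentials
 * from two credentials stores. Cred, Signer and the fingerprints are constructed stand-ins.
 */
public class SignerCacheDemo {

    /** Stand-in for a certificate credential: owning store, credential ID, certificate fingerprint. */
    record Cred(String store, String id, String fingerprint) {}

    /** Stand-in for the expensive signing object the cache exists to avoid rebuilding. */
    record Signer(String certFingerprint) {}

    // Vulnerable pattern: cache keyed by credential ID only, so IDs from different stores collide.
    private final Map<String, Signer> byId = new HashMap<>();

    Signer signerKeyedById(Cred c) {
        return byId.computeIfAbsent(c.id(), k -> new Signer(c.fingerprint()));
    }

    // Fixed pattern: cache keyed by the credential's content (its certificate fingerprint),
    // which a credential in an attacker-controlled store cannot make equal to the legitimate one.
    private final Map<String, Signer> byFingerprint = new HashMap<>();

    Signer signerKeyedByContent(Cred c) {
        return byFingerprint.computeIfAbsent(c.fingerprint(), k -> new Signer(c.fingerprint()));
    }

    public static void main(String[] args) {
        Cred legit = new Cred("system", "rabbitmq-signing", "SHA256:1111");
        // Same ID, but created by the attacker in a folder-level store they control.
        Cred rogue = new Cred("folder/team-x", "rabbitmq-signing", "SHA256:2222");

        SignerCacheDemo cache = new SignerCacheDemo();

        // A legitimate job signs first and warms both caches.
        cache.signerKeyedById(legit);
        cache.signerKeyedByContent(legit);

        // The attacker's job, scoped to the folder holding the rogue credential, asks for a signer.
        Signer viaId = cache.signerKeyedById(rogue);
        Signer viaContent = cache.signerKeyedByContent(rogue);

        boolean reused = viaId.certFingerprint().equals(legit.fingerprint());
        System.out.println("keyed by ID      -> signs with " + viaId.certFingerprint()
                + (reused ? "  (legitimate certificate reused by the rogue credential)" : ""));
        System.out.println("keyed by content -> signs with " + viaContent.certFingerprint());
    }
}
```

Keying on the owning store plus the ID would also separate the two entries, but it goes stale when a credential is replaced in place under the same ID; keying on the certificate content handles both the cross-store collision and the in-place update, at the cost of computing a fingerprint on each lookup.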


SECURITY-3062 / CVE-2025-24401
Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier
does not verify that the permissions it has been configured to grant are
enabled. This may allow users who were granted a permission that has since
been disabled (typically an optional permission such as Overall/Manage) to
access functionality they are no longer entitled to.

As of publication of this advisory, there is no fix.


SECURITY-3094 / CVE-2025-24402 (CSRF) & CVE-2025-24403 (missing permission
check)
Azure Service Fabric Plugin 1.6 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credential
IDs of Azure credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

Additionally, those HTTP endpoints do not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability, allowing attackers to
connect to a previously configured Service Fabric URL using
attacker-specified credential IDs.

As of publication of this advisory, there is no fix.