Jenkins Security Advisory 2021-03-30

Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Build With Parameters Plugin 1.5.1 escapes parameter names and descriptions.

Build With Parameters Plugin 1.5 and earlier does not require POST requests for its form submission endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to build a project with attacker-specified parameters.

Build With Parameters Plugin 1.5.1 requires POST requests for the affected HTTP endpoint.

Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Additionally, a view containing such a job needs to be configured with the build parameters column, or the attacker also needs View/Configure permission.

Extra Columns Plugin 1.23 escapes parameter values in the build parameters column.

Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

Cloud Statistics Plugin 0.27 requires Overall/Administer permission to access provisioning exception error messages.

OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing "Secret text" credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OWASP Dependency-Track Plugin 3.1.1 requires POST requests and appropriate permissions for the affected HTTP endpoints.

Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file hudson.plugins.jabber.im.transport.JabberPublisher.xml on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Jabber (XMPP) notifier and control Plugin 1.42 stores passwords encrypted once its configuration is saved again.

REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

REST List Parameter Plugin 1.3.1 no longer identifies a parameter using user-specified content.

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.