This advisory announces vulnerabilities in the following Jenkins deliverables:
workflow-cps
Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.
This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins controller JVM.
These expressions are subject to sandbox protection in Pipeline: Groovy Plugin 2.79.
script-security
Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations.
This affects both script execution (typically invoked from other plugins like Pipeline) as well as HTTP endpoints providing sandboxed script validation.
Users with Overall/Read permission can exploit this to bypass sandbox protection and execute arbitrary code on the Jenkins controller.
This issue is due to an incomplete fix of SECURITY-1266.
Script Security Plugin 1.70 disallows all known unsafe AST transformations on imports or when used inside of other annotations.
subversion
Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines.
Subversion Plugin 2.13.1 escapes the affected part of the error message.
git-parameter
Git Parameter Plugin 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.
Git Parameter Plugin 0.9.12 escapes the parameter name and default value shown on the UI.
s3
S3 publisher Plugin stores a secret key in its global configuration.
While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 publisher Plugin 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.
S3 publisher Plugin 0.11.5 transmits the secret key in its global configuration encrypted.
nunit
NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.
NUnit Plugin 0.26 disables external entity processing for its XML parser.
pipeline-githubnotify-step
Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
This form validation method requires POST requests and Item/Configure permission in Pipeline GitHub Notify Step Plugin 1.0.5.
pipeline-githubnotify-step
Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.
This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in Pipeline GitHub Notify Step Plugin 1.0.5 requires the permission to configure a project.
azure-ad
Microsoft Entra ID (previously Azure AD) Plugin stores a client secret in its global configuration.
While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Microsoft Entra ID (previously Azure AD) Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.
Microsoft Entra ID (previously Azure AD) Plugin 1.2.0 transmits the client secret in its global configuration encrypted.
fitnesse
FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.
FitNesse Plugin 1.31 disables external entity processing for its XML parser.
google-kubernetes-engine
Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.
Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.
brakeman
brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability.
This vulnerability can be exploited by users able to control the Brakeman post-build step input data.
brakeman Plugin 0.13 escape affected values from the parsed file as they are recorded.
| This fix is only applied to newly recorded data after a fixed version of the plugin is installed; historical data may still contain unsafe values. |
radargun
RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step.
RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.
dynamic_extended_choice_parameter
Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration.
This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
debian-package-builder
debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller.
This credential can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
digitalocean-plugin
DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration.
This credential can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
bmc-rpd
BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller.
This credential can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
catalogic-ecx
ECX Copy Data Management Plugin 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration.
This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
eagle-tester
Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller.
This credential can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
harvest
Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller.
These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).
As of publication of this advisory, there is no fix.
environment-manager
Parasoft Environment Manager Plugin 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration.
This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
applatix
Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration.
This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: