Jenkins Security Advisory 2021-04-21

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

XXE vulnerability in Config File Provider Plugin

SECURITY-2204 / CVE-2021-21642
Severity (CVSS): High
Affected plugin: config-file-provider
Description:

Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.

Incorrect permission checks in Config File Provider Plugin allow enumerating credentials IDs

SECURITY-2254 / CVE-2021-21643
Severity (CVSS): Medium
Affected plugin: config-file-provider
Description:

Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints.

This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of system-scoped credentials IDs in Config File Provider Plugin 3.7.1 requires Overall/Administer permission.

CSRF vulnerability in Config File Provider Plugin allows deleting configuration files

SECURITY-2202 / CVE-2021-21644
Severity (CVSS): Medium
Affected plugin: config-file-provider
Description:

Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID.

This is due to an incomplete fix of SECURITY-938.

Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.

Missing permission checks in Config File Provider Plugin allow enumerating configuration file IDs

SECURITY-2203 / CVE-2021-21645
Severity (CVSS): Medium
Affected plugin: config-file-provider
Description:

Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate configuration file IDs.

An enumeration of configuration file IDs in Config File Provider Plugin 3.7.1 requires the appropriate permissions.

Remote code execution vulnerability in Templating Engine Plugin

SECURITY-2311 / CVE-2021-21646
Severity (CVSS): High
Affected plugin: templating-engine
Description:

Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin.

This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect its pipeline configurations.

Missing permission check in CloudBees CD Plugin allows scheduling builds

SECURITY-2309 / CVE-2021-21647
Severity (CVSS): Medium
Affected plugin: electricflow
Description:

CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

CloudBees CD Plugin 1.1.22 requires Item/Build permission to schedule builds via its HTTP endpoint.

Severity

Affected Versions

  • CloudBees CD Plugin up to and including 1.1.21
  • Config File Provider Plugin up to and including 3.7.0
  • Templating Engine Plugin up to and including 2.1

Fix

  • CloudBees CD Plugin should be updated to version 1.1.22
  • Config File Provider Plugin should be updated to version 3.7.1
  • Templating Engine Plugin should be updated to version 2.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-2254, SECURITY-2311
  • Devin Nusbaum, CloudBees, Inc. for SECURITY-2309