Jenkins Security Advisory 2021-08-31

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Code Coverage Plugin
  • Microsoft Entra ID (previously Azure AD) Plugin
  • Nested View Plugin
  • Nomad Plugin
  • SAML Plugin

Descriptions

RCE vulnerability in Code Coverage Plugin

SECURITY-2376 / CVE-2021-21677
Severity (CVSS): High
Affected plugin: code-coverage-api
Description:

Code Coverage Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.

Code Coverage Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.
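The following is an added example, not the plugin's own code, contrasting unfiltered Java deserialization with an allow-list filter of the kind JEP-200 requires. It uses the JDK's java.io.ObjectInputFilter (Java 9 or newer) in place of Jenkins' own ClassFilter machinery; the CoverageSummary class and both serialized payloads are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class FilteredDeserialization {

    // Constructed stand-in for a result an agent writes to disk and the controller reads back.
    static final class CoverageSummary implements Serializable {
        private static final long serialVersionUID = 1L;
        final String file;
        final int covered;
        final int total;

        CoverageSummary(String file, int covered, int total) {
            this.file = file;
            this.covered = covered;
            this.total = total;
        }

        @Override
        public String toString() {
            return file + ": " + covered + "/" + total;
        }
    }

    // Unprotected pattern: whatever class the stream names is resolved and instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Allow-list pattern: only the named type may be resolved; "!*" rejects every other class.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "FilteredDeserialization$CoverageSummary;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(allowList);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new CoverageSummary("Main.java", 42, 50));
        // A HashMap stands in for an arbitrary attacker-chosen type; the point is only
        // that the stream, not the reader, decides which class gets instantiated.
        byte[] unexpected = serialize(new HashMap<String, Object>());

        System.out.println("filtered, expected type:   " + readFiltered(expected));
        System.out.println("unfiltered, unexpected:    " + readUnfiltered(unexpected).getClass().getName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected type: accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run with `javac FilteredDeserialization.java && java FilteredDeserialization`. The filtered reader deserializes the constructed CoverageSummary but throws InvalidClassException with status REJECTED for the HashMap; the unfiltered reader instantiates whatever the stream names, which is what makes agent-controlled serialized data a code execution path.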

SAML Plugin allows bypassing CSRF protection for any URL

SECURITY-2469 / CVE-2021-21678
Severity (CVSS): High
Affected plugin: saml
Description:

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. SAML Plugin implements this extension point for the URL that users are redirected to after login.

In SAML Plugin 2.0.7 and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in SAML Plugin 1.1.3.

SAML Plugin 2.0.8 disables cross-site request forgery (CSRF) protection only for the one URL that needs it.

Microsoft Entra ID (previously Azure AD) Plugin allows bypassing CSRF protection for any URL

SECURITY-2470 / CVE-2021-21679
Severity (CVSS): High
Affected plugin: azure-ad
Description:

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Microsoft Entra ID (previously Azure AD) Plugin implements this extension point for URLs used by a JavaScript component.

In Microsoft Entra ID (previously Azure AD) Plugin 179.vf6841393099e and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in Microsoft Entra ID (previously Azure AD) Plugin 164.v5b48baa961d2.

Microsoft Entra ID (previously Azure AD) Plugin 180.v8b1e80e6f242 no longer allows bypassing CSRF protection for URLs used by the JavaScript component. Instead, that component was reconfigured to pass the expected CSRF token.
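Both the SAML Plugin and the Microsoft Entra ID Plugin issues above come down to how an exemption from CSRF protection decides which request paths it covers. The following added example, which is neither plugin's code, compares an over-permissive substring rule with an exact-match rule over constructed sample paths. The advisory does not state the plugins' exact check, so the permissive variant only stands in for the class of mistake; the exempt path and the sample request paths are assumptions for the demonstration.

```java
import java.util.Arrays;
import java.util.List;

public class CrumbExclusionMatching {

    // Path as HttpServletRequest.getPathInfo() returns it (no context path, no query string)
    // of the single endpoint that legitimately must accept requests without a crumb. Assumed for the example.
    static final String EXEMPT_PATH = "/securityRealm/finishLogin";

    // Illustrative over-permissive rule: any path that merely contains the exempt path is excused.
    static boolean permissiveIsExempt(String pathInfo) {
        return pathInfo != null && pathInfo.contains(EXEMPT_PATH);
    }

    // Rule in the spirit of the fix: only the exact exempt path is excused, nothing else.
    static boolean strictIsExempt(String pathInfo) {
        return EXEMPT_PATH.equals(pathInfo);
    }

    public static void main(String[] args) {
        // Constructed sample request paths.
        List<String> samples = Arrays.asList(
                "/securityRealm/finishLogin",           // the one endpoint that needs the exemption
                "/securityRealm/finishLogin/",          // trailing slash
                "/job/demo/doDelete",                   // unrelated state-changing endpoint
                "/job/demo/securityRealm/finishLogin",  // exempt string embedded elsewhere in the path
                null                                    // request without path info
        );
        System.out.printf("%-40s %-12s %s%n", "pathInfo", "permissive", "strict");
        for (String path : samples) {
            System.out.printf("%-40s %-12b %b%n", path, permissiveIsExempt(path), strictIsExempt(path));
        }
    }
}
```

In a plugin this decision sits in the process(HttpServletRequest, HttpServletResponse, FilterChain) method of a hudson.security.csrf.CrumbExclusion implementation: when the request is exempt, the implementation calls chain.doFilter(request, response) and returns true; otherwise it returns false so the crumb check still runs. Every path the permissive rule accepts beyond the exact one is a request Jenkins will dispatch somewhere else without a crumb, which is the "any target URL" bypass described above. The Entra ID fix goes one step further and removes the exemption entirely in favour of sending the crumb from the JavaScript component, which leaves no matching rule to get wrong.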

XXE vulnerability in Nested View Plugin

SECURITY-2411 / CVE-2021-21680
Severity (CVSS): High
Affected plugin: nested-view
Description:

Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities to extract secrets from the Jenkins controller or to perform server-side request forgery.

Nested View Plugin 1.21 disables external entity resolution for its XML transformer.
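As an added illustration, not the plugin's code, the following runs an identity transform over a crafted document twice: once with a javax.xml.transform.TransformerFactory in its default configuration, and once with the factory told to resolve neither external DTDs and entities nor external stylesheets. The temporary file, the view XML and the class name are constructed for the example.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XxeTransformerDemo {

    // Identity transform of untrusted XML with a factory in its default configuration.
    static String transformUnhardened(String xml) throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        return transform(factory, xml);
    }

    // Same transform after disabling resolution of external DTDs/entities and external stylesheets.
    static String transformHardened(String xml) throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return transform(factory, xml);
    }

    private static String transform(TransformerFactory factory, String xml) throws TransformerException {
        Transformer identity = factory.newTransformer();
        StringWriter out = new StringWriter();
        identity.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for sensitive data on the controller's file system.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        try (Writer w = new FileWriter(secret)) {
            w.write("super-secret-value");
        }

        // Constructed view definition whose external entity points at that file.
        String craftedView =
                "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE view [<!ENTITY leak SYSTEM \"" + secret.toURI() + "\">]>\n"
                + "<view><name>&leak;</name></view>";

        System.out.println("unhardened: " + transformUnhardened(craftedView));
        try {
            System.out.println("hardened:   " + transformHardened(craftedView));
        } catch (TransformerException e) {
            System.out.println("hardened:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run with `javac XxeTransformerDemo.java && java XxeTransformerDemo`. With the default factory the output document contains the file's contents in place of the entity reference; with the hardened factory the parse fails with an error stating that file access is not allowed because of the accessExternalDTD restriction. Pointing the SYSTEM identifier at an http URL instead of a file is the server-side request forgery variant the advisory mentions, and is blocked by the same setting.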

Password stored in plain text by Nomad Plugin

SECURITY-2396 / CVE-2021-21681
Severity (CVSS): Low
Affected plugin: nomad
Description:

Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.

Severity

  • SECURITY-2376: High
  • SECURITY-2396: Low
  • SECURITY-2411: High
  • SECURITY-2469: High
  • SECURITY-2470: High

Affected Versions

  • Code Coverage Plugin up to and including 1.4.0
  • Microsoft Entra ID (previously Azure AD) Plugin up to and including 179.vf6841393099e
  • Nested View Plugin up to and including 1.20
  • Nomad Plugin up to and including 0.7.4
  • SAML Plugin up to and including 2.0.7

Fix

  • Code Coverage Plugin should be updated to version 1.4.1
  • Microsoft Entra ID (previously Azure AD) Plugin should be updated to version 180.v8b1e80e6f242
  • Nested View Plugin should be updated to version 1.21
  • Nomad Plugin should be updated to version 0.7.5
  • SAML Plugin should be updated to version 2.0.8

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Brian Hysell, Synopsys Software Integrity Group for SECURITY-2411
  • Daniel Beck, CloudBees, Inc. for SECURITY-2469, SECURITY-2470