Jenkins Security Advisory 2022-09-21

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

XSS vulnerability

SECURITY-2886 / CVE-2022-41224
Severity (CVSS): High
Description:

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

As of publication, the Jenkins security team is unaware of any exploitable help icon/tooltip in Jenkins core or plugins published by the Jenkins project. The vast majority of help icons use the l:help component instead of l:helpIcon. The few known instances of l:helpIcon do not have user-controllable tooltip contents.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

Stored XSS vulnerability in Anchore Container Image Scanner Plugin

SECURITY-2821 / CVE-2022-41225
Severity (CVSS): High
Affected plugin: anchore-container-scanner
Description:

Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

Anchore Container Image Scanner Plugin 1.0.25 escapes content provided by the Anchore engine API.

XXE vulnerability in BMC AMI Common Configuration Plugin

SECURITY-2832 / CVE-2022-41226
Severity (CVSS): High
Affected plugin: compuware-common-configuration
Description:

BMC AMI Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

BMC AMI Common Configuration Plugin 1.0.15 disables external entity resolution for its XML parser.

CSRF vulnerability and missing permission check in NS-ND Integration Performance Publisher Plugin

SECURITY-2737 / CVE-2022-41227 (CSRF), CVE-2022-41228 (missing permission check)
Severity (CVSS): Medium
Affected plugin: cavisson-ns-nd-integration
Description:

NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NS-ND Integration Performance Publisher Plugin 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

Stored XSS vulnerability in NS-ND Integration Performance Publisher Plugin

SECURITY-2858 / CVE-2022-41229
Severity (CVSS): High
Affected plugin: cavisson-ns-nd-integration
Description:

NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix. Learn why we announce this.

Missing permission check in build-publisher Plugin

SECURITY-1994 / CVE-2022-41230
Severity (CVSS): Medium
Affected plugin: build-publisher
Description:

build-publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

As of publication of this advisory, there is no fix. Learn why we announce this.

Path traversal and CSRF vulnerability in build-publisher Plugin

SECURITY-2139 / CVE-2022-41231 (path traversal), CVE-2022-41232 (CSRF)
Severity (CVSS): High
Affected plugin: build-publisher
Description:

build-publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability that allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file.

As of publication of this advisory, there is no fix. Learn why we announce this.

Missing permission checks in Rundeck Plugin

SECURITY-2170 / CVE-2022-41233
Severity (CVSS): Medium
Affected plugin: rundeck
Description:

Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints.

This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

As of publication of this advisory, there is no fix. Learn why we announce this.

Missing webhook endpoint authorization in Rundeck Plugin

SECURITY-2169 / CVE-2022-41234
Severity (CVSS): Medium
Affected plugin: rundeck
Description:

Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint.

This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

As of publication of this advisory, there is no fix. Learn why we announce this.

Agent-to-controller security bypass in WildFly Deployer Plugin allows reading arbitrary files

SECURITY-2645 / CVE-2022-41235
Severity (CVSS): Medium
Affected plugin: wildfly-deployer
Description:

WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability in Security Inspector Plugin

SECURITY-2051 / CVE-2022-41236
Severity (CVSS): Medium
Affected plugin: security-inspector
Description:

Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the …​/report URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result.

A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability for the Single user, multiple jobs report. Other report types are still affected.

As of publication of this advisory, there is no fix. Learn why we announce this.

RCE vulnerability in DotCi Plugin

SECURITY-1737 / CVE-2022-41237
Severity (CVSS): High
Affected plugin: DotCi
Description:

DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to modify .ci.yml files in SCM.

As of publication of this advisory, there is no fix. Learn why we announce this.

Lack of authentication mechanism in DotCi Plugin webhook

SECURITY-2867 / CVE-2022-41238
Severity (CVSS): Medium
Affected plugin: DotCi
Description:

DotCi Plugin provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository.

In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in DotCi Plugin

SECURITY-2884 / CVE-2022-41239
Severity (CVSS): High
Affected plugin: DotCi
Description:

DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/ endpoint (see also SECURITY-2867).

This vulnerability is only exploitable in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. See the LTS upgrade guide.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in Walti Plugin

SECURITY-1870 / CVE-2022-41240
Severity (CVSS): High
Affected plugin: walti
Description:

Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

As of publication of this advisory, there is no fix. Learn why we announce this.

XXE vulnerability in RQM Plugin

SECURITY-2805 / CVE-2022-41241
Severity (CVSS): Medium
Affected plugin: rqm-plugin
Description:

RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix. Learn why we announce this.

Missing permission check in extreme-feedback Plugin

SECURITY-2001 / CVE-2022-41242
Severity (CVSS): Medium
Affected plugin: extreme-feedback
Description:

extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

As of publication of this advisory, there is no fix. Learn why we announce this.

Missing hostname validation in SmallTest Plugin

SECURITY-2068 / CVE-2022-41243
Severity (CVSS): Medium
Affected plugin: smalltest
Description:

SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

As of publication of this advisory, there is no fix. Learn why we announce this.

Missing hostname validation in View26 Test-Reporting Plugin

SECURITY-2069 / CVE-2022-41244
Severity (CVSS): Medium
Affected plugin: view26
Description:

View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability and missing permission check in Worksoft Execution Manager Plugin allow capturing credentials

SECURITY-2237 / CVE-2022-41245 (CSRF), CVE-2022-41246 (missing permission check)
Severity (CVSS): Medium
Affected plugin: ws-execution-manager
Description:

Worksoft Execution Manager Plugin 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

API key stored in plain text by BigPanda Notifier Plugin

SECURITY-2243 / CVE-2022-41247 (storage), CVE-2022-41248 (masking)
Severity (CVSS): Low
Affected plugin: bigpanda-jenkins
Description:

BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability and missing permission check in SCM HttpClient Plugin allow capturing credentials

SECURITY-2708 / CVE-2022-41249 (CSRF), CVE-2022-41250 (missing permission check)
Severity (CVSS): Medium
Affected plugin: scm-httpclient
Description:

SCM HttpClient Plugin 1.5 and earlier does not perform permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

Missing permission check in Apprenda Plugin allows enumerating credentials IDs

SECURITY-2710 / CVE-2022-41251
Severity (CVSS): Medium
Affected plugin: apprenda
Description:

Apprenda Plugin 2.2.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

Missing permission checks in CONS3RT Plugin allow enumerating credentials IDs

SECURITY-2752 / CVE-2022-41252
Severity (CVSS): Medium
Affected plugin: cons3rt
Description:

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability and missing permission checks in CONS3RT Plugin allow capturing credentials

SECURITY-2751 / CVE-2022-41253 (CSRF), CVE-2022-41254 (missing permission check)
Severity (CVSS): Medium
Affected plugin: cons3rt
Description:

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

API token stored in plain text by CONS3RT Plugin

SECURITY-2759 / CVE-2022-41255
Severity (CVSS): Low
Affected plugin: cons3rt
Description:

CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

This API token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.369
  • Anchore Container Image Scanner Plugin up to and including 1.0.24
  • Apprenda Plugin up to and including 2.2.0
  • BigPanda Notifier Plugin up to and including 1.4.0
  • BMC AMI Common Configuration Plugin up to and including 1.0.14
  • build-publisher Plugin up to and including 1.22
  • CONS3RT Plugin up to and including 1.0.0
  • DotCi Plugin up to and including 2.40.00
  • extreme-feedback Plugin up to and including 1.7
  • NS-ND Integration Performance Publisher Plugin up to and including 4.8.0.129
  • NS-ND Integration Performance Publisher Plugin up to and including 4.8.0.134
  • RQM Plugin up to and including 2.8
  • Rundeck Plugin up to and including 3.6.11
  • SCM HttpClient Plugin up to and including 1.5
  • Security Inspector Plugin up to and including 117.v6eecc36919c2
  • SmallTest Plugin up to and including 1.0.4
  • View26 Test-Reporting Plugin up to and including 1.0.7
  • Walti Plugin up to and including 1.0.1
  • WildFly Deployer Plugin up to and including 1.0.2
  • Worksoft Execution Manager Plugin up to and including 10.0.3.503

Fix

  • Jenkins weekly should be updated to version 2.370
  • Anchore Container Image Scanner Plugin should be updated to version 1.0.25
  • BMC AMI Common Configuration Plugin should be updated to version 1.0.15
  • NS-ND Integration Performance Publisher Plugin should be updated to version 4.8.0.130

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Apprenda Plugin
  • BigPanda Notifier Plugin
  • build-publisher Plugin
  • CONS3RT Plugin
  • DotCi Plugin
  • extreme-feedback Plugin
  • NS-ND Integration Performance Publisher Plugin
  • RQM Plugin
  • Rundeck Plugin
  • SCM HttpClient Plugin
  • Security Inspector Plugin
  • SmallTest Plugin
  • View26 Test-Reporting Plugin
  • Walti Plugin
  • WildFly Deployer Plugin
  • Worksoft Execution Manager Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-2169, SECURITY-2170, SECURITY-2645, SECURITY-2821, SECURITY-2884
  • Jeff Thompson, CloudBees, Inc. for SECURITY-2051
  • Jesse Glick, CloudBees, Inc. for SECURITY-2886
  • Kevin Guerroudj, CloudBees, Inc. for SECURITY-2237, SECURITY-2737, SECURITY-2805, SECURITY-2858, SECURITY-2867
  • Long Nguyen, Viettel Cyber Security for SECURITY-2068, SECURITY-2069
  • Marc Heyries for SECURITY-2243
  • Matt Sicker, CloudBees, Inc. for SECURITY-1994, SECURITY-2001
  • Valdes Che Zogou, CloudBees, Inc. for SECURITY-2708, SECURITY-2710, SECURITY-2751, SECURITY-2752, SECURITY-2832
  • Valdes Che Zogou, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc. for SECURITY-2759
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-1870, SECURITY-2139