This advisory announces vulnerabilities in the following Jenkins deliverables:
workflow-job
Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.
| The Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability, as the build name must be set before the build starts. |
Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build that caused an earlier build to be aborted.
ldap
LDAP Plugin 673.v034ec70ec2b_b_ and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.
LDAP Plugin 676.vfa_64cf6b_b_002 requires POST requests for the affected form validation method.
email-ext
Email Extension Plugin 2.96 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.
This form validation method requires the appropriate permission in Email Extension Plugin 2.96.1.
email-ext
Email Extension Plugin 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This allows attackers to make another user stop watching an attacker-specified job.
Email Extension Plugin 2.96.1 requires POST requests for the affected HTTP endpoint.
pipeline-utility-steps
Pipeline Utility Steps Plugin provides the untar and unzip Pipeline steps to extract archives into job workspaces.
Pipeline Utility Steps Plugin 2.15.2 and earlier does not validate or limit file paths of files contained within these archives.
This allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.
Pipeline Utility Steps Plugin 2.15.3 rejects extraction of files in tar and zip archives that would be placed outside the expected destination directory.
ansible
Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.
Ansible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.
Ansible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.
testng-plugin
TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin’s test information pages.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a crafted TestNG report file.
TestNG Results Plugin 730.732.v959a_3a_a_eb_a_72 escapes the affected values that are parsed from TestNG report files.
sidebar-link
Sidebar Link Plugin allows specifying files in the userContent/ directory for use as link icons.
Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation.
This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
Sidebar Link Plugin 2.2.2 ensures that only files located within the expected userContent/ directory can be accessed.
file-parameters
File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters.
This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.
File Parameter Plugin 285.287.v4b_7b_29d3469d restricts the name (and resulting uploaded file name) of Stashed File Parameters.
reverse-proxy-auth-plugin
Reverse Proxy Auth Plugin 1.7.4 and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.
Reverse Proxy Auth Plugin 1.7.5 requires POST requests for the affected form validation method.
azure-vm-agents
Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in Azure VM Agents Plugin 853.v4a_1a_dd947520 requires Overall/Administer permission.
azure-vm-agents
Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Azure VM Agents Plugin 853.v4a_1a_dd947520 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
miniorange-saml-sp
SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform permission checks in multiple HTTP endpoints.
This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.
As the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
SAML Single Sign On(SSO) Plugin 2.1.0 requires POST requests and Overall/Administer permission for the affected HTTP endpoints.
miniorange-saml-sp
SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.
This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.
SAML Single Sign On(SSO) Plugin 2.1.0 performs hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.
miniorange-saml-sp
SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata.
This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.
SAML Single Sign On(SSO) Plugin 2.2.0 performs SSL/TLS certificate validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.
miniorange-saml-sp
SAML Single Sign On(SSO) Plugin 2.0.0 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange’s API for sending emails.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
SAML Single Sign On(SSO) Plugin 2.0.1 removes the affected HTTP endpoint.
cas-plugin
CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login.
This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
CAS Plugin 1.6.3 invalidates the existing session on login.
codedx
Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
codedx
Code Dx Plugin 3.1.0 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.
Code Dx Plugin 4.0.0 requires Item/Configure permission for this form validation method and ensures that only files located within the workspace can be checked.
codedx
Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.
Code Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.
jenkinsci-appspider-plugin
AppSpider Plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
AppSpider Plugin 1.0.16 requires POST requests and Overall/Administer permission for the affected form validation method.
cavisson-ns-nd-integration
NS-ND Integration Performance Publisher Plugin stores credentials in job config.xml files on the Jenkins controller as part of its configuration.
While these credentials are stored encrypted on disk, in NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.
NS-ND Integration Performance Publisher Plugin 4.11.0.48 masks credentials displayed on the configuration form.
hashicorp-vault-plugin
HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:
The credentials are printed in build steps executing on an agent (typically inside a node block).
Push mode for durable task logging is enabled.
This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING.
It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.
| An improvement in Credentials Binding 523.525.vb_72269281873 implements a workaround that applies build log masking even in affected plugins. This workaround is temporary and potentially incomplete, so it is still recommended that affected plugins be updated to resolve this issue. |
As of publication of this advisory, there is no fix. Learn why we announce this.
TestComplete
TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name in its test result page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix. Learn why we announce this.
tag-profiler
Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to reset profiler statistics.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
wso2id-oauth
WSO2 Oauth Plugin 1.0 and earlier does not invalidate the existing session on login.
This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
As of publication of this advisory, there is no fix. Learn why we announce this.
wso2id-oauth
WSO2 Oauth Plugin 1.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.
This vulnerability allows attackers to trick users into logging in to the attacker’s account.
As of publication of this advisory, there is no fix. Learn why we announce this.
loadcomplete
LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name in its test result page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix. Learn why we announce this.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: