-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5232
                   Jenkins Security Advisory 2022-10-19
                              20 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-43435 CVE-2022-43434 CVE-2022-43433
                   CVE-2022-43432 CVE-2022-43431 CVE-2022-43430
                   CVE-2022-43429 CVE-2022-43428 CVE-2022-43427
                   CVE-2022-43426 CVE-2022-43425 CVE-2022-43424
                   CVE-2022-43423 CVE-2022-43422 CVE-2022-43421
                   CVE-2022-43420 CVE-2022-43419 CVE-2022-43418
                   CVE-2022-43417 CVE-2022-43416 CVE-2022-43415
                   CVE-2022-43414 CVE-2022-43413 CVE-2022-43412
                   CVE-2022-43411 CVE-2022-43410 CVE-2022-43409
                   CVE-2022-43408 CVE-2022-43407 CVE-2022-43406
                   CVE-2022-43405 CVE-2022-43404 CVE-2022-43403
                   CVE-2022-43402 CVE-2022-43401 CVE-2017-2601

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2022-10-19/

Comment: CVSS (Max):  8.8 CVE-2022-43432 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Jenkins
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2022-10-19  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Compuware Source Code Download for Endevor, PDS, and ISPW Plugin
  o Compuware Strobe Measurement Plugin
  o Compuware Topaz for Total Test Plugin
  o Compuware Topaz Utilities Plugin
  o Compuware Xpediter Code Coverage Plugin
  o Contrast Continuous Application Security Plugin
  o Custom Checkbox Parameter Plugin
  o 360 FireLine Plugin
  o Generic Webhook Trigger Plugin
  o GitLab Plugin
  o Job Import Plugin
  o Katalon Plugin
  o Katalon Plugin
  o Mercurial Plugin
  o NeuVector Vulnerability Scanner Plugin
  o NUnit Plugin
  o Pipeline: Deprecated Groovy Libraries Plugin
  o Pipeline: Groovy Plugin
  o Pipeline: Groovy Libraries Plugin
  o Pipeline: Input Step Plugin
  o Pipeline: Stage View Plugin
  o Pipeline: Supporting APIs Plugin
  o REPO Plugin
  o S3 Explorer Plugin
  o ScreenRecorder Plugin
  o Script Security Plugin
  o Tuleap Git Branch Source Plugin
  o XFramium Builder Plugin

Descriptions  

Sandbox bypass vulnerabilities in Script Security Plugin and in Pipeline:
Groovy Plugin  

SECURITY-2824 (1) / CVE-2022-43401 through CVE-2022-43404
Severity (CVSS): High
Affected plugins: script-security, workflow-cps
Description:

Script Security Plugin provides a sandbox feature that allows low privileged
users to define scripts, including Pipelines, that are generally safe to
execute. Calls to code defined inside a sandboxed script are intercepted, and
various allowlists are checked to determine whether the call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and
Pipeline: Groovy Plugin:

  o In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in
    Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts
    performed implicitly by the Groovy language runtime were not intercepted by
    the sandbox. This includes casts performed when returning values from
    methods, when assigning local variables, fields, properties, and when
    defining default arguments for closure, constructor, and method parameters
    (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline:
    Groovy Plugin).

  o In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting
    an array-like value to an array type, per-element casts to the component
    type of the array are not intercepted by the sandbox (CVE-2022-43403).

  o In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted
    constructor bodies and calls to sandbox-generated synthetic constructors
    can be used to construct any subclassable type (due to an incomplete fix
    for SECURITY-1754 in the 2020-03-09 security advisory) (CVE-2022-43404).

These vulnerabilities allow attackers with permission to define and run
sandboxed scripts, including Pipelines, to bypass the sandbox protection and
execute arbitrary code in the context of the Jenkins controller JVM.

These vulnerabilities have been fixed:

  o Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin
    2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the
    Groovy language runtime (CVE-2022-43401 in Script Security Plugin and
    CVE-2022-43402 in Pipeline: Groovy Plugin).

  o Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts
    when casting array-like values to array types (CVE-2022-43403).

  o Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to
    sandbox-generated synthetic constructors (CVE-2022-43404).

 Both plugins, Script Security Plugin and Pipeline: Groovy Plugin must be
 updated simultaneously. While Script Security Plugin could be updated
 independently, doing so would cause errors in Pipeline: Groovy Plugin due to
 an incompatible API change.

Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin and Pipeline:
Deprecated Groovy Libraries Plugin  

SECURITY-2824 (2) / CVE-2022-43405 (Pipeline: Groovy Libraries Plugin),
CVE-2022-43406 (Pipeline: Deprecated Groovy Libraries Plugin)
Severity (CVSS): High
Affected plugins: pipeline-groovy-lib, workflow-cps-global-lib
Description:

Pipeline: Groovy Libraries Plugin and older releases of the Pipeline:
Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy Libraries
Plugin) define the library Pipeline step, which allows Pipeline authors to
dynamically load Pipeline libraries. The return value of this step can be used
to instantiate classes defined in the loaded library.

In Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier and in
Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier,
the library step can be used to invoke sandbox-generated synthetic constructors
in crafted untrusted libraries and construct any subclassable type. This is
similar to SECURITY-582 in the 2017-08-07 security advisory, but in a different
plugin.

This vulnerability allows attackers with permission to define untrusted
Pipeline libraries and to define and run sandboxed Pipelines, to bypass the
sandbox protection and execute arbitrary code in the context of the Jenkins
controller JVM.

Pipeline: Groovy Libraries Plugin 613.v9c41a_160233f rejects improper calls to
sandbox-generated synthetic constructors when using the library step.

Pipeline: Deprecated Groovy Libraries Plugin 588.v576c103a_ff86 no longer
contains the library step. It has been moved into the Pipeline: Groovy
Libraries Plugin.

CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin  

SECURITY-2880 / CVE-2022-43407
Severity (CVSS): High
Affected plugin: pipeline-input-step
Description:

Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict
or sanitize the optionally specified ID of the input step. This ID is used for
the URLs that process user interactions for the given input step (proceed or
abort) and is not correctly encoded.

This allows attackers able to configure Pipelines to have Jenkins build URLs
from input step IDs that would bypass the CSRF protection of any target URL in
Jenkins when the input step is interacted with.

Pipeline: Input Step Plugin 456.vd8a_957db_5b_e9 limits the characters that can
be used for the ID of input steps in Pipelines to alphanumeric characters and
URL-safe punctuation. Pipelines with input steps having IDs with prohibited
characters will fail with an error.

 This includes Pipelines that have already been started but not finished before
 Jenkins is restarted to apply this update.

 Pipeline: Declarative Plugin provides an input directive that is internally
 using the input step, and specifies a non-default ID if not user-defined.
 Pipeline: Declarative Plugin 2.2114.v2654ca_721309 and earlier may specify
 values incompatible with this new restriction on legal values: input
 directives in a stage use the stage name (which may include prohibited
 characters) and input directives in a matrix will use a value generated from
 the matrix axis values (which always includes prohibited characters).
 Administrators are advised to update Pipeline: Input Step Plugin and Pipeline:
 Declarative Plugin at the same time, ideally while no Pipelines are running.

CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin  

SECURITY-2828 / CVE-2022-43408
Severity (CVSS): High
Affected plugin: pipeline-stage-view
Description:

Pipeline: Stage View Plugin provides a visualization of Pipeline builds. It
also allows users to interact with input steps from Pipeline: Input Step
Plugin.

Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID
of input steps when using it to generate URLs to proceed or abort Pipeline
builds.

This allows attackers able to configure Pipelines to specify input step IDs
resulting in URLs that would bypass the CSRF protection of any target URL in
Jenkins.

Pipeline: Stage View Plugin 2.27 correctly encodes the ID of input steps when
using it to generate URLs to proceed or abort Pipeline builds.

 This vulnerability is only exploitable with Pipeline: Input Step Plugin
 451.vf1a_a_4f405289 or older due to the fix for SECURITY-2880.
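The two fixes described above are independent defences against the same root cause: SECURITY-2880 puts an allowlist on the input step ID itself, and SECURITY-2828 encodes the ID at the point where the proceed/abort URL is built. The Java class below is an added illustration written for this bulletin, not code from the Pipeline: Input Step or Pipeline: Stage View plugins; the exact allowlist and the URL layout are assumptions, since the advisory only says "alphanumeric characters and URL-safe punctuation" (Java 11+ for URLEncoder.encode(String, Charset)).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/**
 * Illustrative handling of a user-chosen input-step ID that ends up in a URL
 * (hypothetical code, not either plugin's own). Two independent defences:
 * an allowlist on the ID (the SECURITY-2880 shape) and encoding where the
 * URL is assembled (the SECURITY-2828 shape). Either one alone stops the ID
 * from smuggling path, query or fragment characters into the generated URL.
 */
public final class InputStepIdSafety {

    // Assumed allowlist: ASCII letters and digits plus the RFC 3986 "unreserved"
    // punctuation. The advisory does not spell out the plugin's exact set.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_.~-]+");

    private InputStepIdSafety() {}

    /** True when the ID can sit in one URL path segment without altering URL structure. */
    public static boolean isSafeId(String id) {
        return id != null && SAFE_ID.matcher(id).matches();
    }

    /** Mirrors the described behaviour of the fixed plugin: a prohibited ID fails the step. */
    public static String requireSafeId(String id) {
        if (!isSafeId(id)) {
            throw new IllegalArgumentException("input step ID contains prohibited characters: " + id);
        }
        return id;
    }

    /** Builds the "proceed" URL for an input step, encoding the ID as a single path segment. */
    public static String proceedUrl(String buildUrl, String inputId) {
        // URLEncoder produces form encoding; mapping '+' to %20 keeps the result valid in a path.
        String segment = URLEncoder.encode(inputId, StandardCharsets.UTF_8).replace("+", "%20");
        return buildUrl + "input/" + segment + "/proceed";
    }

    public static void main(String[] args) {
        String build = "https://jenkins.example/job/demo/1/"; // constructed sample build URL

        // A benign ID passes the allowlist and round-trips unchanged.
        System.out.println(proceedUrl(build, requireSafeId("Deploy-to-staging")));

        // A stage-name style ID with a space, a slash and query characters (constructed).
        String messy = "Deploy to prod/eu?dry=1";
        System.out.println("allowlisted: " + isSafeId(messy)); // the fixed step would fail here
        // Even without the allowlist, encoding confines the whole ID to one path segment.
        System.out.println(proceedUrl(build, messy));
    }
}
```

The point of keeping both layers is the dependency the advisory spells out: Stage View's encoding fix is only needed while Input Step versions without the allowlist are installed, but a URL builder that encodes every untrusted segment does not have to know which plugin versions are present.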

Stored XSS vulnerability in Pipeline: Supporting APIs Plugin  

SECURITY-2881 / CVE-2022-43409
Severity (CVSS): High
Affected plugin: workflow-support
Description:

Pipeline: Supporting APIs Plugin provides a feature to add hyperlinks, that
send POST requests when clicked, to build logs. These links are used by
Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by
Pipeline: Job Plugin to allow users to forcibly terminate the build after
aborting it.

Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not
sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to create Pipelines.

Pipeline: Supporting APIs Plugin 839.v35e2736cfd5c properly encodes URLs of
these hyperlinks in build logs.

Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin

SECURITY-2831 / CVE-2022-43410
Severity (CVSS): Medium
Affected plugin: mercurial
Description:

Mercurial Plugin provides a webhook endpoint at /mercurial/notifyCommit that
can be used to notify Jenkins of changes to an SCM repository. This endpoint
receives a repository URL, and Jenkins will schedule polling for all jobs
configured with the specified repository. It can be accessed with GET requests
and without authentication.

In Mercurial Plugin 1251.va_b_121f184902 and earlier, the output of the webhook
endpoint will provide information about which jobs were triggered or scheduled
for polling, including jobs the user has no permission to access. This allows
attackers with knowledge of Mercurial repository URLs to obtain information
about the existence of jobs configured with this Mercurial repository.

Mercurial Plugin 1260.vdfb_723cdcc81 does not provide the names of jobs for
which polling is triggered unless the user has the appropriate Item/Read
permission.

Non-constant time webhook token comparison in GitLab Plugin  

SECURITY-2877 / CVE-2022-43411
Severity (CVSS): Low
Affected plugin: gitlab-plugin
Description:

GitLab Plugin 1.5.35 and earlier does not use a constant-time comparison when
checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a
valid webhook token.

GitLab Plugin 1.5.36 uses a constant-time comparison when validating the
webhook token.

Non-constant time webhook token comparison in Generic Webhook Trigger Plugin  

SECURITY-2874 / CVE-2022-43412
Severity (CVSS): Low
Affected plugin: generic-webhook-trigger
Description:

Generic Webhook Trigger Plugin 1.84.1 and earlier does not use a constant-time
comparison when checking whether the provided and expected webhook token are
equal.

This could potentially allow attackers to use statistical methods to obtain a
valid webhook token.

Generic Webhook Trigger Plugin 1.84.2 uses a constant-time comparison when
validating the webhook token.
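The GitLab and Generic Webhook Trigger findings above are the same defect. The Java class below is an added illustration written for this bulletin, not either plugin's code: it shows the String.equals() shape the advisory calls non-constant-time next to a comparison built on MessageDigest.isEqual. Hashing both sides first is a design choice, not something the advisory prescribes; it makes the compared arrays the same length, so the comparison does not even reveal whether the lengths match.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Webhook token validation, as an illustration (not the GitLab or Generic Webhook Trigger plugin's code). */
public final class WebhookTokenCheck {

    private WebhookTokenCheck() {}

    /**
     * The vulnerable shape: String.equals() returns at the first differing character,
     * so the time taken grows with the length of the prefix the caller got right.
     */
    public static boolean equalsLeaky(String expected, String provided) {
        return expected != null && expected.equals(provided);
    }

    /**
     * Constant-time shape: hash both values so the arrays always have the same length,
     * then let MessageDigest.isEqual look at every byte regardless of where they differ.
     */
    public static boolean equalsConstantTime(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA-256");
            byte[] a = sha.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = sha.digest(provided.getBytes(StandardCharsets.UTF_8));
            // Specified to run in time independent of the contents for equal-length inputs.
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        String expected = "constructed-sample-token"; // constructed, not a real secret
        System.out.println(equalsConstantTime(expected, "constructed-sample-token"));
        System.out.println(equalsConstantTime(expected, "constructed-sample-tokeN"));
        System.out.println(equalsConstantTime(expected, "short"));
    }
}
```

When reviewing a webhook receiver, the thing to look for is any equals(), compareTo() or == on the token path; the replacement is whatever the platform offers as a constant-time array comparison, and the token itself should still be treated as a secret in logs and error messages.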

Missing permission check in Job Import Plugin allows enumerating credentials
IDs  

SECURITY-2791 / CVE-2022-43413
Severity (CVSS): Medium
Affected plugin: job-import-plugin
Description:

Job Import Plugin 3.5 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

An enumeration of credentials IDs in Job Import Plugin 3.6 requires Job Import/Import
Jobs permission.

Agent-to-controller security bypass vulnerability in NUnit Plugin  

SECURITY-2551 / CVE-2022-43414
Severity (CVSS): Medium
Affected plugin: nunit
Description:

NUnit Plugin 0.27 and earlier implements an agent-to-controller message that
parses files inside a user-specified directory as test results.

This allows attackers able to control agent processes to obtain test results
from files in an attacker-specified directory on the Jenkins controller.

NUnit Plugin 0.28 changes the message type from agent-to-controller to
controller-to-agent, preventing execution on the controller.
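The fix pattern described here (and again below for the Katalon and Compuware plugins) is to make the message's direction explicit in its type, so the controller can never be tricked into executing it on behalf of an agent. The Java class below is an added illustration written for this bulletin, not the NUnit Plugin's code; the file-collection logic is hypothetical, while MasterToSlaveFileCallable and FilePath.act are Jenkins core APIs.

```java
import hudson.FilePath;
import hudson.remoting.VirtualChannel;
import jenkins.MasterToSlaveFileCallable;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Stream;

/**
 * Hypothetical "collect result files" message (not the NUnit, Katalon or Compuware
 * plugins' code). Extending MasterToSlaveFileCallable fixes the direction: the
 * controller sends it and an agent executes it. If an agent sends this object towards
 * the controller instead, the role check inherited from the base class rejects it,
 * and on Jenkins 2.319+ / LTS 2.303.3+ that direction is refused by default anyway.
 */
public final class CollectResultFiles extends MasterToSlaveFileCallable<List<String>> {

    private static final long serialVersionUID = 1L;
    private final String suffix;

    public CollectResultFiles(String suffix) {
        this.suffix = suffix;
    }

    /** Runs on whichever node owns the FilePath; returns data only, never a controller path. */
    @Override
    public List<String> invoke(File dir, VirtualChannel channel) throws IOException {
        List<String> names = new ArrayList<>();
        Path root = dir.toPath();
        try (Stream<Path> files = Files.walk(root)) {
            files.filter(p -> p.getFileName().toString().endsWith(suffix))
                 .forEach(p -> names.add(root.relativize(p).toString()));
        }
        return names;
    }

    /**
     * Controller-side caller. The workspace FilePath decides where the callable runs,
     * and the directory is a subfolder of the build's own workspace rather than a
     * free-form path supplied by the agent.
     */
    public static List<String> collect(FilePath workspace, String resultsSubdir)
            throws IOException, InterruptedException {
        FilePath resultsDir = workspace.child(resultsSubdir);
        if (!resultsDir.exists()) {
            return List.of();
        }
        // The vulnerable design inverted this: a SlaveToMaster*Callable carrying a directory
        // chosen by the agent, executed on the controller. Never accept that shape.
        return resultsDir.act(new CollectResultFiles(".xml"));
    }
}
```

The same reasoning covers the Katalon and Compuware messages later in this advisory: a Callable that only ever needs to run on an agent should extend MasterToSlaveCallable or MasterToSlaveFileCallable, and anything still extending the SlaveToMaster variants deserves a review of what it reads or executes on the controller.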

XXE vulnerability in REPO Plugin  

SECURITY-2337 / CVE-2022-43415
Severity (CVSS): High
Affected plugin: repo
Description:

REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML
external entity (XXE) attacks.

This allows attackers able to control which repo binary is executed on agents
to have Jenkins parse a crafted XML document that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

REPO Plugin 1.16.0 disables external entity resolution for its XML parser.

Agent-to-controller security bypass vulnerability in Katalon Plugin  

SECURITY-2844 / CVE-2022-43416
Severity (CVSS): High
Affected plugin: katalon
Description:

Katalon Plugin 1.0.32 and earlier implements an agent/controller message that
does not limit where it can be executed and allows invoking Katalon with
configurable arguments.

It allows attackers able to control agent processes to invoke Katalon on the
Jenkins controller with attacker-controlled version, install location, and
arguments. Attackers additionally able to create files on the Jenkins
controller (e.g., attackers with Item/Configure permission could archive
artifacts) can invoke arbitrary OS commands.

 This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS
 2.303.2 and earlier. See the LTS upgrade guide.

Katalon Plugin 1.0.33 changes the message type to controller-to-agent,
preventing execution on the controller.

Missing permission checks in Katalon Plugin allow capturing credentials  

SECURITY-2845 (1) / CVE-2022-43417
Severity (CVSS): Medium
Affected plugin: katalon
Description:

Katalon Plugin 1.0.32 and earlier does not perform permission checks in several
HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Katalon Plugin 1.0.33 properly performs permission checks when accessing the
affected HTTP endpoints.

CSRF vulnerability in Katalon Plugin allows capturing credentials  

SECURITY-2845 (2) / CVE-2022-43418
Severity (CVSS): Medium
Affected plugin: katalon
Description:

Katalon Plugin 1.0.33 and earlier does not require POST requests for several
HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to connect to an attacker-specified URL
using attacker-specified credentials IDs obtained through another method,
capturing credentials stored in Jenkins.

Katalon Plugin 1.0.34 requires POST requests for the affected HTTP endpoints.
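The two Katalon findings above are fixed together in a single endpoint: a permission check answers SECURITY-2845 (1), and requiring POST answers SECURITY-2845 (2). The Java code below is an added illustration written for this bulletin, not the Katalon Plugin's own; the build step, its descriptor and the connection probe are hypothetical, while the annotations and credentials lookup are the Jenkins and Credentials Plugin APIs.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

/** Hypothetical build step whose descriptor carries a hardened "Test connection" endpoint. */
public class ConnectionTestExample extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Connection test example (hypothetical)";
        }

        /**
         * @POST makes Stapler refuse GET, so a cross-site link cannot drive this method (CSRF).
         * The permission check stops an Overall/Read user from calling it directly.
         */
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl,
                                               @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            if (serverUrl == null || serverUrl.isBlank()) {
                return FormValidation.error("Server URL is required");
            }
            URI target;
            try {
                target = URI.create(serverUrl.trim());
            } catch (IllegalArgumentException e) {
                return FormValidation.error("Not a valid URL");
            }
            // Only send a secret over TLS; this also rules out file:, jar: and similar schemes.
            if (!"https".equalsIgnoreCase(target.getScheme())) {
                return FormValidation.error("Server URL must use https");
            }
            // Resolve the credential in the job's own scope, so a job cannot borrow
            // credentials that were never made available to it.
            StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                    CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                            item, ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
                    CredentialsMatchers.withId(credentialsId));
            if (creds == null) {
                return FormValidation.error("Credentials not found");
            }
            try {
                HttpURLConnection c = (HttpURLConnection) target.toURL().openConnection();
                c.setRequestMethod("HEAD");
                c.setConnectTimeout(5_000);
                c.setReadTimeout(5_000);
                c.setInstanceFollowRedirects(false); // a redirect could re-route the secret
                String pair = creds.getUsername() + ":" + creds.getPassword().getPlainText();
                c.setRequestProperty("Authorization", "Basic "
                        + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8)));
                int code = c.getResponseCode();
                return code < 400 ? FormValidation.ok("Connected (HTTP " + code + ")")
                                  : FormValidation.error("Server answered HTTP " + code);
            } catch (IOException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }
    }
}
```

The scheme check and the disabled redirects are the parts that address "connect to an attacker-specified URL using attacker-specified credentials IDs": even a caller who passes the permission check cannot make the controller present the secret to a plain-HTTP listener or follow a redirect away from the configured host.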

API keys stored in plain text by Katalon Plugin  

SECURITY-2846 / CVE-2022-43419
Severity (CVSS): Medium
Affected plugin: katalon
Description:

Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml
files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or
access to the Jenkins controller file system.

Katalon Plugin 1.0.33 no longer stores the API keys directly, instead accessing
them through its Credentials Plugin integration, once affected job
configurations are saved again.

Stored XSS vulnerability in Contrast Continuous Application Security Plugin  

SECURITY-2836 / CVE-2022-43420
Severity (CVSS): High
Affected plugin: contrast-continuous-application-security
Description:

Contrast Continuous Application Security Plugin 3.9 and earlier does not escape
data returned from the Contrast service when generating a report.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to control or modify Contrast service API responses.

Contrast Continuous Application Security Plugin 3.10 escapes the affected data.

Lack of webhook authentication mechanism in Tuleap Git Branch Source Plugin  

SECURITY-2852 / CVE-2022-43421
Severity (CVSS): Medium
Affected plugin: tuleap-git-branch-source
Description:

Tuleap Git Branch Source Plugin provides a webhook endpoint at /tuleap-hook/
that can be used to trigger Tuleap projects configured with a specified
repository.

In Tuleap Git Branch Source Plugin 3.2.4 and earlier, this endpoint can be
accessed without authentication.

This allows unauthenticated attackers to trigger Tuleap projects whose
configured repository matches the attacker-specified value.

Tuleap Git Branch Source Plugin 3.2.5 requires a token to access the webhook
endpoint.

Agent-to-controller security bypass vulnerability in Compuware Topaz Utilities
Plugin  

SECURITY-2620 / CVE-2022-43422
Severity (CVSS): Medium
Affected plugin: compuware-topaz-utilities
Description:

Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller
message that does not limit where it can be executed.

It allows attackers able to control agent processes to obtain the values of
Java system properties from the Jenkins controller process.

 This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS
 2.303.2 and earlier. See the LTS upgrade guide.

Compuware Topaz Utilities Plugin 1.0.9 restricts execution of the agent/controller
message to agents.

Agent-to-controller security bypass vulnerability in Compuware Source Code
Download for Endevor, PDS, and ISPW Plugin  

SECURITY-2622 / CVE-2022-43423
Severity (CVSS): Medium
Affected plugin: compuware-scm-downloader
Description:

Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and
earlier implements an agent/controller message that does not limit where it
can be executed.

It allows attackers able to control agent processes to obtain the values of
Java system properties from the Jenkins controller process.

 This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS
 2.303.2 and earlier. See the LTS upgrade guide.

Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.13
restricts execution of the agent/controller message to agents.

Agent-to-controller security bypass vulnerability in Compuware Xpediter Code
Coverage Plugin  

SECURITY-2627 / CVE-2022-43424
Severity (CVSS): Medium
Affected plugin: compuware-xpediter-code-coverage
Description:

Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an
agent/controller message that does not limit where it can be executed.

It allows attackers able to control agent processes to obtain the values of
Java system properties from the Jenkins controller process.

 This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS
 2.303.2 and earlier. See the LTS upgrade guide.

Compuware Xpediter Code Coverage Plugin 1.0.8 restricts execution of the
agent/controller message to agents.

Stored XSS vulnerability in Custom Checkbox Parameter Plugin  

SECURITY-2797 / CVE-2022-43425
Severity (CVSS): High
Affected plugin: custom-checkbox-parameter
Description:

Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and
description of the parameter types it provides.

This results in stored cross-site scripting (XSS) vulnerabilities exploitable by
attackers with Item/Configure permission.

Exploitation of this vulnerability requires that parameters are listed on
another page, like the "Build With Parameters" and "Parameters" pages provided
by Jenkins (core), and that those pages are not hardened to prevent
exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of
this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and
LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally,
several plugins have previously been updated to list parameters in a way that
prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security
advisory for a list.

As of publication of this advisory, there is no fix. Learn why we announce
this.

AWS secrets displayed without masking by S3 Explorer Plugin  

SECURITY-2480 / CVE-2022-43426
Severity (CVSS): Low
Affected plugin: s3explorer
Description:

S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration
file s3explorer.xml on the Jenkins controller as part of its configuration.

While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and
earlier the global configuration form does not mask the AWS_SECRET_ACCESS_KEY
form field, increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Missing permission checks in Compuware Topaz for Total Test Plugin allow
enumerating credentials IDs  

SECURITY-2623 / CVE-2022-43427
Severity (CVSS): Medium
Affected plugin: compuware-topaz-for-total-test
Description:

Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Agent-to-controller security bypass vulnerabilities in Compuware Topaz for
Total Test Plugin  

SECURITY-2624 / CVE-2022-43428 (Java system properties), CVE-2022-43429 (read
files)
Severity (CVSS): High
Affected plugin: compuware-topaz-for-total-test
Description:

Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements two
agent/controller messages that do not limit where they can be executed.

  o RemoteSystemProperties allows attackers able to control agent processes to
    obtain the values of Java system properties from the Jenkins controller
    process (CVE-2022-43428).

  o GetRemoteUTF8FileContents allows attackers able to control agent processes
    to read arbitrary files on the Jenkins controller file system
    (CVE-2022-43429).

 These vulnerabilities are only exploitable in Jenkins 2.318 and earlier, LTS
 2.303.2 and earlier. See the LTS upgrade guide.

As of publication of this advisory, there is no fix. Learn why we announce
this.

XXE vulnerability in Compuware Topaz for Total Test Plugin  

SECURITY-2625 / CVE-2022-43430
Severity (CVSS): High
Affected plugin: compuware-topaz-for-total-test
Description:

Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control the input files for the 'Topaz for Total
Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted
XML document that uses external entities for extraction of secrets from the
Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Missing permission check in Compuware Strobe Measurement Plugin allows
enumerating credentials IDs  

SECURITY-2631 / CVE-2022-43431
Severity (CVSS): Medium
Affected plugin: compuware-strobe-measurement
Description:

Compuware Strobe Measurement Plugin 1.0.1 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Content-Security-Policy protection for user content disabled by XFramium
Builder Plugin  

SECURITY-2863 / CVE-2022-43432
Severity (CVSS): High
Affected plugin: xframium
Description:

Jenkins sets the Content-Security-Policy header to static files served by
Jenkins (specifically DirectoryBrowserSupport), such as workspaces,
/userContent, or archived artifacts, unless a Resource Root URL is specified.

XFramium Builder Plugin 1.0.22 and earlier globally disables the
Content-Security-Policy header for static files served by Jenkins as soon as it
is loaded. This allows cross-site scripting (XSS) attacks by users with the
ability to control files in workspaces, archived artifacts, etc.

 Jenkins instances with Resource Root URL configured are unaffected.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Content-Security-Policy protection for user content disabled by ScreenRecorder
Plugin  

SECURITY-2864 / CVE-2022-43433
Severity (CVSS): High
Affected plugin: screenrecorder
Description:

Jenkins sets the Content-Security-Policy header to static files served by
Jenkins (specifically DirectoryBrowserSupport), such as workspaces,
/userContent, or archived artifacts, unless a Resource Root URL is specified.

ScreenRecorder Plugin 0.7 and earlier programmatically updates the Java system
property allowing administrators to customize the Content-Security-Policy
header for static files served by Jenkins to include media-src: 'self'. On a
Jenkins instance with default configuration, this effectively disables all
other directives in the default rule set, including script-src. This allows
cross-site scripting (XSS) attacks by users with the ability to control files
in workspaces, archived artifacts, etc.

 Jenkins instances with Resource Root URL configured are unaffected.

As of publication of this advisory, there is no fix. Learn why we announce
this.
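The ScreenRecorder case is instructive because the plugin did not intend to disable anything: it replaced the whole system property with a single directive, and a Content-Security-Policy is only as strong as the directives that remain. The Java class below is an added illustration written for this bulletin, not the ScreenRecorder Plugin's code (and it applies equally to the XFramium, NeuVector and 360 FireLine findings, which clear the property outright). The property name is the one the advisory refers to; the default value is the one given in the Jenkins CSP documentation, and the parser is a minimal one assumed to be adequate for values in that shape.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Content-Security-Policy directive handling for the DirectoryBrowserSupport header.
 * Illustrative code (not any plugin's own): it shows why overwriting the system
 * property with one directive wipes out the default protections, and how to add a
 * directive while keeping them.
 */
public final class CspDirectives {

    /** The Java system property Jenkins consults for the user-content CSP. */
    public static final String PROPERTY = "hudson.model.DirectoryBrowserSupport.CSP";

    /** Jenkins' default value for that header, as given in the Jenkins CSP documentation. */
    public static final String JENKINS_DEFAULT =
            "sandbox; default-src 'none'; img-src 'self'; style-src 'self';";

    private CspDirectives() {}

    /** Splits a policy into directive name -> value, preserving order; a bare name maps to "". */
    public static Map<String, String> parse(String policy) {
        Map<String, String> out = new LinkedHashMap<>();
        if (policy == null) {
            return out;
        }
        for (String raw : policy.split(";")) {
            String d = raw.trim();
            if (d.isEmpty()) {
                continue;
            }
            int sp = d.indexOf(' ');
            String name = (sp < 0 ? d : d.substring(0, sp)).toLowerCase();
            String value = sp < 0 ? "" : d.substring(sp + 1).trim();
            out.put(name, value);
        }
        return out;
    }

    /** Serialises directives back into header syntax, one "name value;" per directive. */
    public static String serialize(Map<String, String> directives) {
        StringBuilder sb = new StringBuilder();
        directives.forEach((name, value) ->
                sb.append(name).append(value.isEmpty() ? "" : " " + value).append("; "));
        return sb.toString().trim();
    }

    /** Returns the policy with one directive added or replaced; every other directive is kept. */
    public static String withDirective(String policy, String name, String value) {
        Map<String, String> d = parse(policy);
        d.put(name.toLowerCase(), value);
        return serialize(d);
    }

    /** True if the policy still constrains script execution for served user content. */
    public static boolean restrictsScripts(String policy) {
        Map<String, String> d = parse(policy);
        return d.containsKey("sandbox") || d.containsKey("script-src") || d.containsKey("default-src");
    }

    public static void main(String[] args) {
        // What the advisory describes: the property is overwritten with a single directive.
        String replaced = "media-src 'self'";
        System.out.println(replaced + "  restricts scripts? " + restrictsScripts(replaced));

        // Additive alternative: start from the current value, or the default when it is unset.
        String current = System.getProperty(PROPERTY, JENKINS_DEFAULT);
        String merged = withDirective(current, "media-src", "'self'");
        System.out.println(merged + "  restricts scripts? " + restrictsScripts(merged));
    }
}
```

For an administrator the check is the same in reverse: read the property's current value on the running controller, and treat anything without sandbox, script-src or default-src as equivalent to the header being disabled. The advisory's own mitigation stands regardless: with a Resource Root URL configured, user content is served from a separate origin and none of these four plugins' behaviour matters.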

Content-Security-Policy protection for user content disabled by NeuVector
Vulnerability Scanner Plugin  

SECURITY-2865 / CVE-2022-43434
Severity (CVSS): High
Affected plugin: neuvector-vulnerability-scanner
Description:

Jenkins sets the Content-Security-Policy header to static files served by
Jenkins (specifically DirectoryBrowserSupport), such as workspaces,
/userContent, or archived artifacts, unless a Resource Root URL is specified.

NeuVector Vulnerability Scanner Plugin 1.20 and earlier globally disables the
Content-Security-Policy header for static files served by Jenkins whenever the
'NeuVector Vulnerability Scanner' build step is executed. This allows
cross-site scripting (XSS) attacks by users with the ability to control files
in workspaces, archived artifacts, etc.

 Jenkins instances with Resource Root URL configured are unaffected.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Content-Security-Policy protection for user content can be disabled in 360
FireLine Plugin  

SECURITY-2866 / CVE-2022-43435
Severity (CVSS): High
Affected plugin: fireline
Description:

Jenkins sets the Content-Security-Policy header to static files served by
Jenkins (specifically DirectoryBrowserSupport), such as workspaces,
/userContent, or archived artifacts, unless a Resource Root URL is specified.

360 FireLine Plugin 1.7.2 and earlier globally disables the
Content-Security-Policy header for static files served by Jenkins whenever the
'Execute FireLine' build step is executed, if the option 'Open access to HTML
with JS or CSS' is checked. This allows cross-site scripting (XSS) attacks by
users with the ability to control files in workspaces, archived artifacts, etc.

 Jenkins instances with Resource Root URL configured are unaffected.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Severity  

  o SECURITY-2337: High
  o SECURITY-2480: Low
  o SECURITY-2551: Medium
  o SECURITY-2620: Medium
  o SECURITY-2622: Medium
  o SECURITY-2623: Medium
  o SECURITY-2624: High
  o SECURITY-2625: High
  o SECURITY-2627: Medium
  o SECURITY-2631: Medium
  o SECURITY-2791: Medium
  o SECURITY-2797: High
  o SECURITY-2824 (1): High
  o SECURITY-2824 (2): High
  o SECURITY-2828: High
  o SECURITY-2831: Medium
  o SECURITY-2836: High
  o SECURITY-2844: High
  o SECURITY-2845 (1): Medium
  o SECURITY-2845 (2): Medium
  o SECURITY-2846: Medium
  o SECURITY-2852: Medium
  o SECURITY-2863: High
  o SECURITY-2864: High
  o SECURITY-2865: High
  o SECURITY-2866: High
  o SECURITY-2874: Low
  o SECURITY-2877: Low
  o SECURITY-2880: High
  o SECURITY-2881: High

Affected Versions  

  o Compuware Source Code Download for Endevor, PDS, and ISPW Plugin up to and
    including 2.0.12
  o Compuware Strobe Measurement Plugin up to and including 1.0.1
  o Compuware Topaz for Total Test Plugin up to and including 2.4.8
  o Compuware Topaz Utilities Plugin up to and including 1.0.8
  o Compuware Xpediter Code Coverage Plugin up to and including 1.0.7
  o Contrast Continuous Application Security Plugin up to and including 3.9
  o Custom Checkbox Parameter Plugin up to and including 1.4
  o 360 FireLine Plugin up to and including 1.7.2
  o Generic Webhook Trigger Plugin up to and including 1.84.1
  o GitLab Plugin up to and including 1.5.35
  o Job Import Plugin up to and including 3.5
  o Katalon Plugin up to and including 1.0.32
  o Katalon Plugin up to and including 1.0.33
  o Mercurial Plugin up to and including 1251.va_b_121f184902
  o NeuVector Vulnerability Scanner Plugin up to and including 1.20
  o NUnit Plugin up to and including 0.27
  o Pipeline: Deprecated Groovy Libraries Plugin up to and including
    583.vf3b_454e43966
  o Pipeline: Groovy Plugin up to and including 2802.v5ea_628154b_c2
  o Pipeline: Groovy Libraries Plugin up to and including 612.v84da_9c54906d
  o Pipeline: Input Step Plugin up to and including 451.vf1a_a_4f405289
  o Pipeline: Stage View Plugin up to and including 2.26
  o Pipeline: Supporting APIs Plugin up to and including 838.va_3a_087b_4055b
  o REPO Plugin up to and including 1.15.0
  o S3 Explorer Plugin up to and including 1.0.8
  o ScreenRecorder Plugin up to and including 0.7
  o Script Security Plugin up to and including 1183.v774b_0b_0a_a_451
  o Tuleap Git Branch Source Plugin up to and including 3.2.4
  o XFramium Builder Plugin up to and including 1.0.22

Fix  

  o Compuware Source Code Download for Endevor, PDS, and ISPW Plugin should be
    updated to version 2.0.13
  o Compuware Topaz Utilities Plugin should be updated to version 1.0.9
  o Compuware Xpediter Code Coverage Plugin should be updated to version 1.0.8
  o Contrast Continuous Application Security Plugin should be updated to
    version 3.10
  o Generic Webhook Trigger Plugin should be updated to version 1.84.2
  o GitLab Plugin should be updated to version 1.5.36
  o Job Import Plugin should be updated to version 3.6
  o Katalon Plugin should be updated to version 1.0.33
  o Katalon Plugin should be updated to version 1.0.34
  o Mercurial Plugin should be updated to version 1260.vdfb_723cdcc81
  o NUnit Plugin should be updated to version 0.28
  o Pipeline: Deprecated Groovy Libraries Plugin should be updated to version
    588.v576c103a_ff86
  o Pipeline: Groovy Plugin should be updated to version 2803.v1a_f77ffcc773
  o Pipeline: Groovy Libraries Plugin should be updated to version
    613.v9c41a_160233f or 612.614.v48dcb_f62a_640
  o Pipeline: Input Step Plugin should be updated to version
    456.vd8a_957db_5b_e9
  o Pipeline: Stage View Plugin should be updated to version 2.27
  o Pipeline: Supporting APIs Plugin should be updated to version
    839.v35e2736cfd5c
  o REPO Plugin should be updated to version 1.16.0
  o Script Security Plugin should be updated to version 1184.v85d16b_d851b_3
  o Tuleap Git Branch Source Plugin should be updated to version 3.2.5

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Compuware Strobe Measurement Plugin
  o Compuware Topaz for Total Test Plugin
  o Custom Checkbox Parameter Plugin
  o 360 FireLine Plugin
  o NeuVector Vulnerability Scanner Plugin
  o S3 Explorer Plugin
  o ScreenRecorder Plugin
  o XFramium Builder Plugin
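The lists above are only useful once they are checked against what is actually installed, and the incremental plugin versions Jenkins now uses (for example 1251.va_b_121f184902) do not sort as plain strings. The following is an added example, not part of the Jenkins advisory or the AusCERT bulletin: a small Python audit that transcribes a subset of the Affected Versions and Fix rows into a table, compares installed versions on the numeric prefix that orders Jenkins releases, and reports what to do, including the two separate Katalon ranges, the backport fix line for Pipeline: Groovy Libraries, and plugins with no fix. The SAMPLE_INVENTORY is constructed for illustration (the Script Security version in it has a made-up hash suffix); the plugin display names are the advisory's, and mapping them to your controller's plugin short names is assumed to be done by the operator.

```python
import re
from typing import Dict, List, Tuple

# Added example: audit a Jenkins plugin inventory against this advisory.
# Rows are transcribed from the Affected Versions / Fix lists above (a
# subset, to keep the example short; add the remaining rows the same way).
# Each row: (display name, highest affected version, acceptable fixed
# versions). An empty fix tuple means "no fix available as of publication".
ADVISORY: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("Compuware Source Code Download for Endevor, PDS, and ISPW Plugin", "2.0.12", ("2.0.13",)),
    ("GitLab Plugin", "1.5.35", ("1.5.36",)),
    ("Generic Webhook Trigger Plugin", "1.84.1", ("1.84.2",)),
    ("Katalon Plugin", "1.0.32", ("1.0.33",)),   # first Katalon range
    ("Katalon Plugin", "1.0.33", ("1.0.34",)),   # second Katalon range
    ("Mercurial Plugin", "1251.va_b_121f184902", ("1260.vdfb_723cdcc81",)),
    ("Pipeline: Groovy Plugin", "2802.v5ea_628154b_c2", ("2803.v1a_f77ffcc773",)),
    ("Pipeline: Groovy Libraries Plugin", "612.v84da_9c54906d",
     ("613.v9c41a_160233f", "612.614.v48dcb_f62a_640")),
    ("Script Security Plugin", "1183.v774b_0b_0a_a_451", ("1184.v85d16b_d851b_3",)),
    ("Custom Checkbox Parameter Plugin", "1.4", ()),
    ("S3 Explorer Plugin", "1.0.8", ()),
]

_NUMERIC = re.compile(r"^\d+$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the comparable numeric prefix of a Jenkins plugin version.

    Classic versions ("1.5.35") are all numeric. Incremental versions
    ("1251.va_b_121f184902", "612.614.v48dcb_f62a_640") carry one or more
    numeric segments followed by a "v"-prefixed git hash; only the numeric
    segments order releases, so the hash segment and anything after it is
    dropped.
    """
    parts: List[int] = []
    for segment in version.split("."):
        if not _NUMERIC.match(segment):
            break
        parts.append(int(segment))
    if not parts:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(parts)


def is_affected(installed: str, highest_affected: str) -> bool:
    """'Up to and including X' means installed <= X on the numeric prefix."""
    return parse_version(installed) <= parse_version(highest_affected)


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare {plugin display name: installed version} against ADVISORY.

    Returns (name, installed version, action) for every affected row, in
    advisory order. A plugin listed twice (Katalon) is checked per range.
    """
    findings: List[Tuple[str, str, str]] = []
    for name, highest_affected, fixes in ADVISORY:
        installed = inventory.get(name)
        if installed is None or not is_affected(installed, highest_affected):
            continue
        if fixes:
            action = "update to " + " or ".join(fixes)
        else:
            action = "no fix available; disable or remove the plugin"
        findings.append((name, installed, action))
    return findings


# Constructed sample inventory (not a real instance). In practice build it
# from GET /pluginManager/api/json?depth=1 on the controller and map each
# plugin's shortName/longName to the advisory's display names.
SAMPLE_INVENTORY: Dict[str, str] = {
    "GitLab Plugin": "1.5.35",                                        # affected
    "Mercurial Plugin": "1260.vdfb_723cdcc81",                        # fixed
    "Pipeline: Groovy Libraries Plugin": "612.614.v48dcb_f62a_640",   # backport fix line
    "Script Security Plugin": "1175.v0123456789ab_c",                 # affected; constructed hash suffix
    "Katalon Plugin": "1.0.33",                                       # clear of range 1, inside range 2
    "Custom Checkbox Parameter Plugin": "1.4",                        # affected, no fix
    "Generic Webhook Trigger Plugin": "1.84.2",                       # fixed
}

if __name__ == "__main__":
    for plugin, installed_version, action in audit(SAMPLE_INVENTORY):
        print(f"{plugin} {installed_version}: {action}")
```

Two points the comparison has to get right: 612.614.v48dcb_f62a_640 parses to (612, 614), which sorts above the highest affected (612,), so the backport line is correctly reported as fixed rather than as an old 612 build; and the Katalon rows are evaluated independently, so an instance on 1.0.33 is clear of the first range but still flagged for the second. A real inventory can be pulled from the controller's plugin manager API (/pluginManager/api/json?depth=1, fields shortName, longName and version) with an API token, and plugins reported as "no fix available" should be disabled or removed rather than left waiting for a release.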

Learn why we announce these issues.

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Bram Mertens, Astadia for SECURITY-2480
  o Daniel Beck, CloudBees, Inc. for SECURITY-2551, SECURITY-2828,
    SECURITY-2844, SECURITY-2845 (1), SECURITY-2845 (2), SECURITY-2846,
    SECURITY-2863, SECURITY-2864, SECURITY-2865, SECURITY-2866
  o Devin Nusbaum, CloudBees, Inc. for SECURITY-2824 (2)
  o Devin Nusbaum, CloudBees, Inc., and Daniel Beck, CloudBees, Inc. for
    SECURITY-2824 (1)
  o Jeremy Norris (jeremy.norris@lbnetworks.co) for SECURITY-2831
  o Kevin Guerroudj, CloudBees, Inc. for SECURITY-2337, SECURITY-2625,
    SECURITY-2852, SECURITY-2880, SECURITY-2881
  o Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and
    Daniel Beck, CloudBees, Inc. for SECURITY-2797
  o Valdes Che Zogou, CloudBees, Inc. for SECURITY-2791, SECURITY-2836
  o Yaroslav Afenkin, CloudBees, Inc. for SECURITY-2874, SECURITY-2877

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----