===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.1461
                    Jenkins Security Advisory 2024-03-06
                                 7 March 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Plugins
Publisher:         jenkins
Operating System:  UNIX
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-48795 CVE-2024-28162 CVE-2024-28161 CVE-2024-28160
                   CVE-2024-28159 CVE-2024-28158 CVE-2024-28157 CVE-2024-28156
                   CVE-2024-28155 CVE-2024-28154 CVE-2024-28153 CVE-2024-28152
                   CVE-2024-28151 CVE-2024-28150 CVE-2024-28149 CVE-2024-2216
                   CVE-2024-2215

Original Bulletin:
   https://www.jenkins.io/security/advisory/2024-03-06/

Comment: CVSS (Max):  8.0* CVE-2024-28150 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Jenkins
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2024-03-06

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o AppSpider Plugin
  o Bitbucket Branch Source Plugin
  o Build Monitor View Plugin
  o Delphix Plugin
  o Delphix Plugin
  o docker-build-step Plugin
  o GitBucket Plugin
  o HTML Publisher Plugin
  o iceScrum Plugin
  o MQ Notifier Plugin
  o OWASP Dependency-Check Plugin
  o Subversion Partial Release Manager Plugin
  o Trilead API Plugin

Descriptions

Terrapin SSH vulnerability in Trilead API Plugin

SECURITY-3333 / CVE-2023-48795
Severity (CVSS): Medium
Affected plugin: trilead-api
Description:

Trilead API Plugin bundles the Jenkins project's fork of the Trilead SSH2
library for use by other plugins.

Trilead API Plugin 2.133.vfb_8a_7b_9c5dd1 and earlier, except
2.84.86.vf9c960e9b_458, bundles versions of Jenkins/Trilead SSH2 that are
susceptible to CVE-2023-48795 (Terrapin).
This vulnerability allows a machine-in-the-middle attacker to reduce the
security of an SSH connection.

Trilead API Plugin 2.141.v284120fd0c46 updates the bundled Jenkins/Trilead
SSH2 library to version build-217-jenkins-274.276.v58da_75159cb_7, which by
default removes the affected ciphers and encryption modes.

Improper input sanitization in HTML Publisher Plugin

SECURITY-3301 / CVE-2024-28149
Severity (CVSS): High
Affected plugin: htmlpublisher
Description:

SECURITY-784 / CVE-2018-1000175 is a path traversal vulnerability in HTML
Publisher Plugin 1.15 and earlier. The fix for it retained compatibility for
older reports as a fallback.

In HTML Publisher Plugin 1.16 through 1.32 (both inclusive) this fallback for
reports created in HTML Publisher Plugin 1.15 and earlier does not properly
sanitize input.

This allows attackers with Item/Configure permission to do the following:

  o Implement stored cross-site scripting (XSS) attacks.
  o Determine whether a path on the Jenkins controller file system exists,
    without being able to access it.

HTML Publisher Plugin 1.32.1 removes support for reports created before HTML
Publisher Plugin 1.15. Those reports are retained on disk, but may no longer
be accessible through the Jenkins UI.

Stored XSS vulnerability in HTML Publisher Plugin

SECURITY-3302 / CVE-2024-28150
Severity (CVSS): High
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin 1.32 and earlier does not escape job names, report
names, and index page titles shown as part of the report frame.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

HTML Publisher Plugin 1.32.1 escapes job names, report names, and index page
titles when creating a new report.

HTML Publisher Plugin 1.32.1 checks reports created in earlier releases for
the presence of unsafe characters in the report frame, and refuses to show
these frames if unsafe characters are identified.
Path traversal vulnerability in HTML Publisher Plugin

SECURITY-3303 / CVE-2024-28151
Severity (CVSS): Medium
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in
report directories on agents and recreates them on the controller.

Attackers with Item/Configure permission can use them to determine whether a
path on the Jenkins controller file system exists, without being able to
access it.

HTML Publisher Plugin 1.32.1 does not archive symbolic links.

Incorrect trust policy behavior for pull requests from forks in Bitbucket
Branch Source Plugin

SECURITY-3300 / CVE-2024-28152
Severity (CVSS): Medium
Affected plugin: cloudbees-bitbucket-branch-source
Description:

Multibranch Pipelines with Bitbucket branch source can be configured to
discover pull requests from forks. The trust policy is set to "Forks in the
same account" by default.

In Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except
848.850.v6a_a_2a_234a_c81, this trust policy allows changes to Jenkinsfiles
from users without write access to the project when using Bitbucket Server.

This allows attackers able to submit pull requests from forks to change the
Pipeline behavior.

In Bitbucket Branch Source Plugin 871.v28d74e8b_4226, the "Forks in the same
account" trust policy does not extend trust to Jenkinsfiles modified by users
without write access to the project.

Pipelines using Bitbucket Cloud are unaffected by this issue.

Stored XSS vulnerability in OWASP Dependency-Check Plugin

SECURITY-3344 / CVE-2024-28153
Severity (CVSS): High
Affected plugin: dependency-check-jenkins-plugin
Description:

OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability
metadata from Dependency-Check reports on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to control workspace contents or CVE metadata.
OWASP Dependency-Check Plugin 5.4.6 escapes vulnerability metadata from
Dependency-Check reports.

Sensitive information exposure in build logs by MQ Notifier Plugin

SECURITY-3180 / CVE-2024-28154
Severity (CVSS): Medium
Affected plugin: mq-notifier
Description:

MQ Notifier Plugin has a global option to log the JSON payload it sends to
RabbitMQ in the build log. This includes the build parameters, some of which
may be sensitive, and they are not masked.

In MQ Notifier Plugin 1.4.0 and earlier, this option is enabled by default.

This results in unwanted exposure of sensitive information in build logs.

MQ Notifier Plugin 1.4.1 disables the global option to log the JSON payload it
sends to RabbitMQ by default. This option is disabled when updating from a
previous release and needs to be re-enabled by administrators who want to use
this feature.

Missing permission checks in AppSpider Plugin

SECURITY-3144 / CVE-2024-28155
Severity (CVSS): Medium
Affected plugin: jenkinsci-appspider-plugin
Description:

AppSpider Plugin 1.0.16 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to obtain information about
available scan config names, engine group names, and client names.

AppSpider Plugin 1.0.17 requires Item/Configure permission for the affected
HTTP endpoints.

SSL/TLS certificate validation disabled by default in Delphix Plugin

SECURITY-3215 / CVE-2024-28161
Severity (CVSS): Medium
Affected plugin: delphix
Description:

Delphix Plugin provides a global option for administrators to enable or
disable SSL/TLS certificate validation for Data Control Tower (DCT)
connections.

In Delphix Plugin 3.0.1 this option is set to disable SSL/TLS certificate
validation by default.

In Delphix Plugin 3.0.2 this option is set to enable SSL/TLS certificate
validation by default.

Delphix Plugin 3.0.2 inverts the semantics of the existing option.
Administrators who update from version 3.0.1 to 3.0.2 will need to toggle this
option to have the previously configured behavior.

Improper SSL/TLS certificate validation in Delphix Plugin

SECURITY-3330 / CVE-2024-28162
Severity (CVSS): Medium
Affected plugin: delphix
Description:

Delphix Plugin provides a global option for administrators to enable or
disable SSL/TLS certificate validation for Data Control Tower (DCT)
connections.

In Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) an option change from
disabled validation to enabled validation fails to take effect until Jenkins
is restarted.

Delphix Plugin 3.1.1 applies the configuration change immediately when
switching from disabled validation to enabled validation.

CSRF vulnerability and missing permission check in docker-build-step Plugin

SECURITY-3200 / CVE-2024-2215 (CSRF), CVE-2024-2216 (permission check)
Severity (CVSS): Medium
Affected plugin: docker-build-step
Description:

docker-build-step Plugin 2.11 and earlier does not perform a permission check
in an HTTP endpoint implementing a connection test.

This allows attackers with Overall/Read permission to connect to an
attacker-specified TCP or Unix socket URL. Additionally, the plugin
reconfigures itself using the provided connection test parameters, affecting
future build step executions.

Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Stored XSS vulnerability in Build Monitor View Plugin

SECURITY-3280 / CVE-2024-28156
Severity (CVSS): High
Affected plugin: build-monitor-plugin
Description:

Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape
Build Monitor View names.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to configure Build Monitor Views.

As of publication of this advisory, there is no fix.
Learn why we announce this.

Stored XSS vulnerability in GitBucket Plugin

SECURITY-3249 / CVE-2024-28157
Severity (CVSS): High
Affected plugin: gitbucket
Description:

GitBucket Plugin 0.8 and earlier does not sanitize GitBucket URLs on build
views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to configure jobs.

As of publication of this advisory, there is no fix. Learn why we announce
this.

CSRF vulnerability and missing permission checks in Subversion Partial Release
Manager Plugin

SECURITY-3325 / CVE-2024-28158 (CSRF), CVE-2024-28159 (permission check)
Severity (CVSS): Medium
Affected plugin: svn-partial-release-mgr
Description:

Subversion Partial Release Manager Plugin 1.0.1 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to trigger a build.

Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Stored XSS vulnerability in iceScrum Plugin

SECURITY-3248 / CVE-2024-28160
Severity (CVSS): High
Affected plugin: icescrum
Description:

iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on
build views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to configure jobs.

As of publication of this advisory, there is no fix. Learn why we announce
this.
Severity

  o SECURITY-3144: Medium
  o SECURITY-3180: Medium
  o SECURITY-3200: Medium
  o SECURITY-3215: Medium
  o SECURITY-3248: High
  o SECURITY-3249: High
  o SECURITY-3280: High
  o SECURITY-3300: Medium
  o SECURITY-3301: High
  o SECURITY-3302: High
  o SECURITY-3303: Medium
  o SECURITY-3325: Medium
  o SECURITY-3330: Medium
  o SECURITY-3333: Medium
  o SECURITY-3344: High

Affected Versions

  o AppSpider Plugin up to and including 1.0.16
  o Bitbucket Branch Source Plugin up to and including 866.vdea_7dcd3008e
  o Build Monitor View Plugin up to and including 1.14-860.vd06ef2568b_3f
  o Delphix Plugin up to and including 3.0.1
  o Delphix Plugin up to and including 3.1.0
  o docker-build-step Plugin up to and including 2.11
  o GitBucket Plugin up to and including 0.8
  o HTML Publisher Plugin up to and including 1.32
  o iceScrum Plugin up to and including 1.1.6
  o MQ Notifier Plugin up to and including 1.4.0
  o OWASP Dependency-Check Plugin up to and including 5.4.5
  o Subversion Partial Release Manager Plugin up to and including 1.0.1
  o Trilead API Plugin up to and including 2.133.vfb_8a_7b_9c5dd1

Fix

  o AppSpider Plugin should be updated to version 1.0.17
  o Bitbucket Branch Source Plugin should be updated to version
    871.v28d74e8b_4226
  o Delphix Plugin should be updated to version 3.0.2
  o Delphix Plugin should be updated to version 3.1.1
  o HTML Publisher Plugin should be updated to version 1.32.1
  o MQ Notifier Plugin should be updated to version 1.4.1
  o OWASP Dependency-Check Plugin should be updated to version 5.4.6
  o Trilead API Plugin should be updated to version 2.141.v284120fd0c46

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.
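An added example, not part of the Jenkins advisory or the AusCERT bulletin: a Python check that compares an installed-plugin inventory against the Affected Versions and Fix lists above, honouring the two exempt versions named in the descriptions (Trilead API 2.84.86.vf9c960e9b_458 and Bitbucket Branch Source 848.850.v6a_a_2a_234a_c81) and the two-stage Delphix fix. Plugin ids are the "Affected plugin" values from the advisory; the installed inventory is a constructed sample.

```python
import re

# Ranges from the advisory's Affected Versions / Fix lists, keyed by "Affected plugin" id:
# (last affected version, fixed version or None if no fix at publication, exempt versions).
# The two Delphix entries (fixed in 3.0.2 and 3.1.1) are merged: 3.1.1 covers both issues.
ADVISORY = {
    "jenkinsci-appspider-plugin": ("1.0.16", "1.0.17", ()),
    "cloudbees-bitbucket-branch-source": ("866.vdea_7dcd3008e", "871.v28d74e8b_4226", ("848.850.v6a_a_2a_234a_c81",)),
    "build-monitor-plugin": ("1.14-860.vd06ef2568b_3f", None, ()),
    "delphix": ("3.1.0", "3.1.1", ()),
    "docker-build-step": ("2.11", None, ()),
    "gitbucket": ("0.8", None, ()),
    "htmlpublisher": ("1.32", "1.32.1", ()),
    "icescrum": ("1.1.6", None, ()),
    "mq-notifier": ("1.4.0", "1.4.1", ()),
    "dependency-check-jenkins-plugin": ("5.4.5", "5.4.6", ()),
    "svn-partial-release-mgr": ("1.0.1", None, ()),
    "trilead-api": ("2.133.vfb_8a_7b_9c5dd1", "2.141.v284120fd0c46", ("2.84.86.vf9c960e9b_458",)),
}

def version_key(version):
    """Numeric prefix of a Jenkins plugin version; parsing stops at the first non-numeric
    segment (the 'v<hash>' incrementals suffix), so '1.14-860.vd06ef2568b_3f' -> (1, 14, 860)."""
    nums = []
    for part in re.split(r"[.-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def compare(a, b):
    """-1, 0 or 1; shorter tuples are zero-padded so '1.32' and '1.32.0' compare equal."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka, kb = ka + (0,) * (n - len(ka)), kb + (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)

def check_plugins(installed):
    """Return (plugin id, installed version, fixed version or None) for each affected plugin."""
    findings = []
    for plugin, version in installed.items():
        if plugin in ADVISORY:
            last_affected, fixed, exempt = ADVISORY[plugin]
            if version not in exempt and compare(version, last_affected) <= 0:
                findings.append((plugin, version, fixed))
    return findings

# Constructed sample inventory (plugin id -> version), e.g. taken from `jenkins-cli list-plugins`.
SAMPLE = {"htmlpublisher": "1.32", "trilead-api": "2.84.86.vf9c960e9b_458",
          "delphix": "3.0.2", "gitbucket": "0.8", "git": "5.2.1"}
```

A `None` fixed version in the result means the advisory lists no fix at publication, so the plugin should be disabled or its access restricted rather than updated.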
As of publication of this advisory, no fixes are available for the following
plugins:

  o Build Monitor View Plugin
  o docker-build-step Plugin
  o GitBucket Plugin
  o iceScrum Plugin
  o Subversion Partial Release Manager Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Anders Hammar for SECURITY-3300
  o Andrea Chiera, CloudBees, Inc. for SECURITY-3200
  o Daniel Beck, CloudBees, Inc. for SECURITY-3215, SECURITY-3280
  o Kevin Guerroudj, CloudBees, Inc. for SECURITY-3144, SECURITY-3301,
    SECURITY-3302, SECURITY-3303
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-3325
  o Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3248, SECURITY-3249,
    SECURITY-3330
  o tkmwrbl for SECURITY-3344

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information is
still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================