Protect yourself against future threats.
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2024.1461
Jenkins Security Advisory 2024-03-06
7 March 2024
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Jenkins Plugins
Publisher: jenkins
Operating System: UNIX
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2023-48795 CVE-2024-28162 CVE-2024-28161
CVE-2024-28160 CVE-2024-28159 CVE-2024-28158
CVE-2024-28157 CVE-2024-28156 CVE-2024-28155
CVE-2024-28154 CVE-2024-28153 CVE-2024-28152
CVE-2024-28151 CVE-2024-28150 CVE-2024-28149
CVE-2024-2216 CVE-2024-2215
Original Bulletin:
https://www.jenkins.io/security/advisory/2024-03-06/
Comment: CVSS (Max): 8.0* CVE-2024-28150 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Jenkins
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
* Not all CVSS available when published
- --------------------------BEGIN INCLUDED TEXT--------------------
Jenkins Security Advisory 2024-03-06
This advisory announces vulnerabilities in the following Jenkins deliverables:
o AppSpider Plugin
o Bitbucket Branch Source Plugin
o Build Monitor View Plugin
o Delphix Plugin
o Delphix Plugin
o docker-build-step Plugin
o GitBucket Plugin
o HTML Publisher Plugin
o iceScrum Plugin
o MQ Notifier Plugin
o OWASP Dependency-Check Plugin
o Subversion Partial Release Manager Plugin
o Trilead API Plugin
Descriptions
Terrapin SSH vulnerability in Trilead API Plugin
SECURITY-3333 / CVE-2023-48795
Severity (CVSS): Medium
Affected plugin: trilead-api
Description:
Trilead API Plugin bundles the Jenkins project's fork of the Trilead SSH2
library for use by other plugins.
Trilead API Plugin 2.133.vfb_8a_7b_9c5dd1 and earlier, except
2.84.86.vf9c960e9b_458, bundles versions of Jenkins/Trilead SSH2 that are
susceptible to CVE-2023-48795 (Terrapin). This vulnerability allows a
machine-in-the-middle attacker to reduce the security of an SSH connection.
Trilead API Plugin 2.141.v284120fd0c46 updates the bundled Jenkins/Trilead SSH2
library to version build-217-jenkins-274.276.v58da_75159cb_7, which by default
removes the affected ciphers and encryption modes.
Improper input sanitization in HTML Publisher Plugin
SECURITY-3301 / CVE-2024-28149
Severity (CVSS): High
Affected plugin: htmlpublisher
Description:
SECURITY-784 / CVE-20218-1000175 is a path traversal vulnerability in HTML
Publisher Plugin 1.15 and earlier. The fix for it retained compatibility for
older reports as a fallback.
In HTML Publisher Plugin 1.16 through 1.32 (both inclusive) this fallback for
reports created in HTML Publisher Plugin 1.15 and earlier does not properly
sanitize input. This allows attackers with Item/Configure permission to do the
following:
o Implement stored cross-site scripting (XSS) attacks.
o Determine whether a path on the Jenkins controller file system exists,
without being able to access it.
HTML Publisher Plugin 1.32.1 removes support for reports created before HTML
Publisher Plugin 1.15. Those reports are retained on disk, but may no longer be
accessible through the Jenkins UI.
Stored XSS vulnerability in HTML Publisher Plugin
SECURITY-3302 / CVE-2024-28150
Severity (CVSS): High
Affected plugin: htmlpublisher
Description:
HTML Publisher Plugin 1.32 and earlier does not escape job names, report names,
and index page titles shown as part of the report frame.
This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.
HTML Publisher Plugin 1.32.1 escapes job names, report names, and index page
titles when creating a new report. HTML Publisher Plugin 1.32.1 checks reports
created in earlier releases for the presence of unsafe characters in the report
frame, and refuses to show these frames if unsafe characters are identified.
Path traversal vulnerability in HTML Publisher Plugin
SECURITY-3303 / CVE-2024-28151
Severity (CVSS): Medium
Affected plugin: htmlpublisher
Description:
HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in
report directories on agents and recreates them on the controller. Attackers
with Item/Configure permission can use them to determine whether a path on the
Jenkins controller file system exists, without being able to access it.
HTML Publisher Plugin 1.32.1 does not archive symbolic links.
Incorrect trust policy behavior for pull requests from forks in Bitbucket
Branch Source Plugin
SECURITY-3300 / CVE-2024-28152
Severity (CVSS): Medium
Affected plugin: cloudbees-bitbucket-branch-source
Description:
Multibranch Pipelines with Bitbucket branch source can be configured to
discover pull requests from forks. The trust policy is set to "Forks in the
same account" by default.
In Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except
848.850.v6a_a_2a_234a_c81, this trust policy allows changes to Jenkinsfiles
from users without write access to the project when using Bitbucket Server.
This allows attackers able to submit pull requests from forks to change the
Pipeline behavior.
In Bitbucket Branch Source Plugin 871.v28d74e8b_4226, the "Forks in the same
account" trust policy does not extend trust to Jenkinsfiles modified by users
without write access to the project.
Pipelines using Bitbucket Cloud are unaffected by this issue.
Stored XSS vulnerability in OWASP Dependency-Check Plugin
SECURITY-3344 / CVE-2024-28153
Severity (CVSS): High
Affected plugin: dependency-check-jenkins-plugin
Description:
OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability
metadata from Dependency-Check reports on the Jenkins UI.
This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to control workspace contents or CVE metadata.
OWASP Dependency-Check Plugin 5.4.6 escapes vulnerability metadata from
Dependency-Check reports.
Sensitive information exposure in build logs by MQ Notifier Plugin
SECURITY-3180 / CVE-2024-28154
Severity (CVSS): Medium
Affected plugin: mq-notifier
Description:
MQ Notifier Plugin has a global option to log the JSON payload it sends to
RabbitMQ in the build log. This includes the build parameters, some of which
may be sensitive, and they are not masked.
In MQ Notifier Plugin 1.4.0 and earlier, this option is enabled by default.
This results in unwanted exposure of sensitive information in build logs.
MQ Notifier Plugin 1.4.1 disables the global option to log the JSON payload it
sends to RabbitMQ by default. This option is disabled when updating from a
previous release and needs to be re-enabled by administrators who want to use
this feature.
Missing permission checks in AppSpider Plugin
SECURITY-3144 / CVE-2024-28155
Severity (CVSS): Medium
Affected plugin: jenkinsci-appspider-plugin
Description:
AppSpider Plugin 1.0.16 and earlier does not perform permission checks in
several HTTP endpoints.
This allows attackers with Overall/Read permission to obtain information about
available scan config names, engine group names, and client names.
AppSpider Plugin 1.0.17 requires Item/Configure permission for the affected
HTTP endpoints.
SSL/TLS certificate validation disabled by default in Delphix Plugin
SECURITY-3215 / CVE-2024-28161
Severity (CVSS): Medium
Affected plugin: delphix
Description:
Delphix Plugin provides a global option for administrators to enable or disable
SSL/TLS certificate validation for Data Control Tower (DCT) connections.
In Delphix Plugin 3.0.1 this option is set to disable SSL/TLS certificate
validation by default.
In Delphix Plugin 3.0.2 this option is set to enable SSL/TLS certificate
validation by default.
Delphix Plugin 3.0.2 inverts the semantics of the existing option.
Administrators who update from version 3.0.1 to 3.0.2 will need to toggle this
option to have the previously configured behavior.
Improper SSL/TLS certificate validation in Delphix Plugin
SECURITY-3330 / CVE-2024-28162
Severity (CVSS): Medium
Affected plugin: delphix
Description:
Delphix Plugin provides a global option for administrators to enable or disable
SSL/TLS certificate validation for Data Control Tower (DCT) connections.
In Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) an option change from
disabled validation to enabled validation fails to take effect until Jenkins is
restarted.
Delphix Plugin 3.1.1 applies the configuration change immediately when
switching from disabled validation to enabled validation.
CSRF vulnerability and missing permission check in docker-build-step Plugin
SECURITY-3200 / CVE-2024-2215 (CSRF), CVE-2024-2216 (permission check)
Severity (CVSS): Medium
Affected plugin: docker-build-step
Description:
docker-build-step Plugin 2.11 and earlier does not perform a permission check
in an HTTP endpoint implementing a connection test.
This allows attackers with Overall/Read permission to connect to an
attacker-specified TCP or Unix socket URL. Additionally, the plugin
reconfigures itself using the provided connection test parameters, affecting
future build step executions.
Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce
this.
Stored XSS vulnerability in Build Monitor View Plugin
SECURITY-3280 / CVE-2024-28156
Severity (CVSS): High
Affected plugin: build-monitor-plugin
Description:
Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape
Build Monitor View names.
This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to configure Build Monitor Views.
As of publication of this advisory, there is no fix. Learn why we announce
this.
Stored XSS vulnerability in GitBucket Plugin
SECURITY-3249 / CVE-2024-28157
Severity (CVSS): High
Affected plugin: gitbucket
Description:
GitBucket Plugin 0.8 and earlier does not sanitize Gitbucket URLs on build
views.
This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to configure jobs.
As of publication of this advisory, there is no fix. Learn why we announce
this.
CSRF vulnerability and missing permission checks in Subversion Partial Release
Manager Plugin
SECURITY-3325 / CVE-2024-28158 (CSRF), CVE-2024-28159 (permission check)
Severity (CVSS): Medium
Affected plugin: svn-partial-release-mgr
Description:
Subversion Partial Release Manager Plugin 1.0.1 and earlier does not perform a
permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to trigger a build.
Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce
this.
Stored XSS vulnerability in iceScrum Plugin
SECURITY-3248 / CVE-2024-28160
Severity (CVSS): High
Affected plugin: icescrum
Description:
iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on
build views.
This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to configure jobs.
As of publication of this advisory, there is no fix. Learn why we announce
this.
Severity
o SECURITY-3144: Medium
o SECURITY-3180: Medium
o SECURITY-3200: Medium
o SECURITY-3215: Medium
o SECURITY-3248: High
o SECURITY-3249: High
o SECURITY-3280: High
o SECURITY-3300: Medium
o SECURITY-3301: High
o SECURITY-3302: High
o SECURITY-3303: Medium
o SECURITY-3325: Medium
o SECURITY-3330: Medium
o SECURITY-3333: Medium
o SECURITY-3344: High
Affected Versions
o AppSpider Plugin up to and including 1.0.16
o Bitbucket Branch Source Plugin up to and including 866.vdea_7dcd3008e
o Build Monitor View Plugin up to and including 1.14-860.vd06ef2568b_3f
o Delphix Plugin up to and including 3.0.1
o Delphix Plugin up to and including 3.1.0
o docker-build-step Plugin up to and including 2.11
o GitBucket Plugin up to and including 0.8
o HTML Publisher Plugin up to and including 1.32
o iceScrum Plugin up to and including 1.1.6
o MQ Notifier Plugin up to and including 1.4.0
o OWASP Dependency-Check Plugin up to and including 5.4.5
o Subversion Partial Release Manager Plugin up to and including 1.0.1
o Trilead API Plugin up to and including 2.133.vfb_8a_7b_9c5dd1
Fix
o AppSpider Plugin should be updated to version 1.0.17
o Bitbucket Branch Source Plugin should be updated to version
871.v28d74e8b_4226
o Delphix Plugin should be updated to version 3.0.2
o Delphix Plugin should be updated to version 3.1.1
o HTML Publisher Plugin should be updated to version 1.32.1
o MQ Notifier Plugin should be updated to version 1.4.1
o OWASP Dependency-Check Plugin should be updated to version 5.4.6
o Trilead API Plugin should be updated to version 2.141.v284120fd0c46
These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.
As of publication of this advisory, no fixes are available for the following
plugins:
o Build Monitor View Plugin
o docker-build-step Plugin
o GitBucket Plugin
o iceScrum Plugin
o Subversion Partial Release Manager Plugin
Learn why we announce these issues.
Credit
The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:
o Anders Hammar for SECURITY-3300
o Andrea Chiera, CloudBees, Inc. for SECURITY-3200
o Daniel Beck, CloudBees, Inc. for SECURITY-3215, SECURITY-3280
o Kevin Guerroudj, CloudBees, Inc. for SECURITY-3144, SECURITY-3301,
SECURITY-3302, SECURITY-3303
o Wadeck Follonier, CloudBees, Inc. for SECURITY-3325
o Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3248, SECURITY-3249,
SECURITY-3330
o tkmwrbl for SECURITY-3344
- --------------------------END INCLUDED TEXT----------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================