CloudBees Security Advisory 2021-02-24

This advisory announces vulnerabilities in Jenkins, Cloudbees, CloudBees Jenkins Distribution and CloudBees Jenkins Platform

Missing Permission Checks in RegistrationHandler

BEE-172

RegistrationHandler does not implement permission checks or similar protections on the web methods it implements.

Web methods in RegistrationHandler now require Overall/Administer permissions

Support bundles can include user session IDs in Support Core Plugin 

SECURITY-2150 / CVE-2021-21621

Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information (user.md).

In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle.

Support Core Plugin 2.72.1 no longer provides the serialized user authentication as part of the "About user (basic authentication details only)" information.

As a workaround, deselecting "About user (basic authentication details only)" before creating a support bundle will exclude the affected information from the bundle.

Stored XSS vulnerability in Active Choices Plugin 

SECURITY-2192 / CVE-2021-21616

Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5.3 escapes reference parameter values.

CSRF vulnerability in Configuration Slicing Plugin 

SECURITY-2003 / CVE-2021-21617

Configuration Slicing Plugin 1.51 and earlier does not require POST requests for the form submission endpoint reconfiguring slices, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to apply different slice configurations to attacker-specified jobs.

Configuration Slicing Plugin 1.52 requires POST requests for the affected HTTP endpoint.

Stored XSS vulnerability in Repository Connector Plugin 

SECURITY-2183 / CVE-2021-21618

Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Repository Connector Plugin 2.0.3 escapes parameter names and descriptions when creating new parameters.

XSS vulnerability in Claim Plugin 

SECURITY-2188 (1) / CVE-2021-21619

Claim Plugin 2.18.1 and earlier does not escape the user display name shown in claims.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.

NOTE: Everyone with a Jenkins account can change their own display name.

Claim Plugin 2.18.2 escapes the user display name shown in claims.

CSRF vulnerability in Claim Plugin 

SECURITY-2188 (2) / CVE-2021-21620

Claim Plugin 2.18.1 and earlier does not require POST requests for the form submission endpoint assigning claims, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to change claims.

Claim Plugin 2.18.2 requires POST requests for the affected HTTP endpoint.

Stored XSS vulnerability in Artifact Repository Parameter Plugin 

SECURITY-2168 / CVE-2021-21622

Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Artifact Repository Parameter Plugin 1.0.1 escapes parameter names and descriptions.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to version 2.263.4.1 rev2

  • CloudBees Cloud Platforms should be upgraded to version 2.263.4.1 rev2

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to version 2.263.4.1 rev2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.263.4.1 rev2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.249.x.0.z) should be upgraded to version 2.249.30.0.2 rev3

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.222.x.0.z) should be upgraded to version 2.222.43.0.2 rev3

  • CloudBees Jenkins Distribution should be upgraded to version 2.263.4.1 rev2