CloudBees Security Advisory 2021-04-21

This advisory announces vulnerabilities in Jenkins, Cloudbees, CloudBees Jenkins Distribution and CloudBees Jenkins Platform

XXE vulnerability in Config File Provider Plugin 

SECURITY-2204 / CVE-2021-21642

Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.

Incorrect permission checks in Config File Provider Plugin allow enumerating credentials IDs 

SECURITY-2254 / CVE-2021-21643

Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints.

This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of system-scoped credentials IDs in Config File Provider Plugin 3.7.1 requires Overall/Administer permission.

CSRF vulnerability in Config File Provider Plugin allows deleting configuration files 

SECURITY-2202 / CVE-2021-21644

Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID.

This is due to an incomplete fix of SECURITY-938.

Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.

Missing permission checks in Config File Provider Plugin allow enumerating configuration file IDs 

SECURITY-2203 / CVE-2021-21645

Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate configuration file IDs.

An enumeration of configuration file IDs in Config File Provider Plugin 3.7.1 requires the appropriate permissions.

Remote code execution vulnerability in Templating Engine Plugin 

SECURITY-2311 / CVE-2021-21646

Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin.

This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.

Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect its pipeline configurations.

Missing permission check in CloudBees CD Plugin allows scheduling builds 

SECURITY-2309 / CVE-2021-21647

CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.

CloudBees CD Plugin 1.1.22 requires Item/Build permission to schedule builds via its HTTP endpoint.

CSRF vulnerability and missing permission check in form validation for CloudBees Software Delivery Automation location (URL) field

BEE-3131

Form validation for the CloudBees Software Delivery Automation location (URL) field was subject to a CSRF vulnerability and missing permission check. After BEE-3131 this validation endpoint now requires POST method and administrator permission.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to version 2.277.3.1-2

  • CloudBees Cloud Platforms should be upgraded to version 2.277.3.1-2

  • CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to version 2.277.3.1-2

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.277.3.1-2

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.249.x.0.z) should be upgraded to version 2.249.31.0.1-2

  • CloudBees Jenkins Distribution should be upgraded to version 2.277.3.1-2