XXE vulnerability in Config File Provider Plugin
SECURITY-2204 / CVE-2021-21642
Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.
Incorrect permission checks in Config File Provider Plugin allow enumerating credentials IDs
SECURITY-2254 / CVE-2021-21643
Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of system-scoped credentials IDs in Config File Provider Plugin 3.7.1 requires Overall/Administer permission.
CSRF vulnerability in Config File Provider Plugin allows deleting configuration files
SECURITY-2202 / CVE-2021-21644
Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID.
This is due to an incomplete fix of SECURITY-938.
Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.
Missing permission checks in Config File Provider Plugin allow enumerating configuration file IDs
SECURITY-2203 / CVE-2021-21645
Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate configuration file IDs.
An enumeration of configuration file IDs in Config File Provider Plugin 3.7.1 requires the appropriate permissions.
Remote code execution vulnerability in Templating Engine Plugin
SECURITY-2311 / CVE-2021-21646
Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin.
This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.
Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect its pipeline configurations.
Missing permission check in CloudBees CD Plugin allows scheduling builds
SECURITY-2309 / CVE-2021-21647
CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
CloudBees CD Plugin 1.1.22 requires Item/Build permission to schedule builds via its HTTP endpoint.
CSRF vulnerability and missing permission check in form validation for CloudBees Software Delivery Automation location (URL) field
BEE-3131
Form validation for the CloudBees Software Delivery Automation location (URL) field was subject to a CSRF vulnerability and missing permission check. After BEE-3131 this validation endpoint now requires POST method and administrator permission.