Security Advisories

CloudBees Security Advisory 2023-03-21

This advisory announces vulnerabilities in CloudBees CI and CloudBees Jenkins Platform.

Incorrect permission checks in Role-based Authorization Strategy Plugin

SECURITY-3053 / CVE-2023-28668

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N]

Affected plugin: [pill:role-strategy|https://plugins.jenkins.io/role-strategy]

Description:

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to have greater access than they’re entitled to after the following operations took place:

  1. A permission is granted to attackers directly or through groups.
  2. The permission is disabled, e.g., through the script console.

Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 does not grant disabled permissions.
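The following helper, added here as an illustration and not code from Role-based Authorization Strategy Plugin, shows the rule the advisory describes: a requested permission is resolved against a role's assigned set by walking Jenkins core's `impliedBy` chain, and `Permission.getEnabled()` is consulted at every step so that a disabled permission counts neither when granted directly nor as the implying permission. The class and role sets are assumptions; it compiles against Jenkins core as plugin code.

```java
import hudson.model.Item;
import hudson.security.Permission;
import jenkins.model.Jenkins;
import java.util.Set;

/** Illustration of the rule only; not Role-based Authorization Strategy Plugin code. */
public final class DisabledPermissionCheck {

    /**
     * Decides whether a role holding {@code assigned} may exercise {@code requested}.
     * Walks from the requested permission up its impliedBy chain (e.g. Item/ExtendedRead ->
     * Item/Configure -> ... -> Overall/Administer). A disabled permission is skipped at every
     * level, so it neither counts when listed directly nor acts as the implying permission.
     */
    public static boolean roleGrants(Set<Permission> assigned, Permission requested) {
        for (Permission p = requested; p != null; p = p.impliedBy) {
            if (!p.getEnabled()) {
                continue; // disabled: ignore even if the role lists it explicitly
            }
            if (assigned.contains(p)) {
                return true;
            }
        }
        return false;
    }

    /** The two-step scenario from the advisory; constructed roles, run inside a Jenkins plugin test. */
    public static void main(String[] args) {
        // Item/ExtendedRead is disabled by default; assume an administrator enabled it earlier.
        Item.EXTENDED_READ.setEnabled(true);
        Set<Permission> developers = Set.of(Item.EXTENDED_READ, Item.BUILD);
        Set<Permission> admins = Set.of(Jenkins.ADMINISTER);

        // Step 1: the permission is granted to the developers role directly.
        System.out.println(roleGrants(developers, Item.EXTENDED_READ)); // true

        // Step 2: the permission is disabled again (e.g. from the script console).
        Item.EXTENDED_READ.setEnabled(false);
        System.out.println(roleGrants(developers, Item.EXTENDED_READ)); // false: direct grant ignored
        System.out.println(roleGrants(admins, Item.EXTENDED_READ));     // true: via enabled Overall/Administer
    }
}
```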

Stored XSS vulnerability in JaCoCo Plugin

SECURITY-3061 / CVE-2023-28669

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:jacoco|https://plugins.jenkins.io/jacoco]

Description:

JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

JaCoCo Plugin 3.3.2.1 escapes class and method names shown on the UI.

Stored XSS vulnerability in Pipeline Aggregator View Plugin

SECURITY-2885 / CVE-2023-28670

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:pipeline-aggregator-view|https://plugins.jenkins.io/pipeline-aggregator-view]

Description:

Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view’s URL in inline JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

Pipeline Aggregator View Plugin 1.14 obtains the current URL in a way not susceptible to XSS.

CSRF vulnerability in OctoPerf Load Testing Plugin Plugin

SECURITY-3067 (1) / CVE-2023-28671

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N]

Affected plugin: [pill:octoperf|https://plugins.jenkins.io/octoperf]

Description:

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

Missing permission check in OctoPerf Load Testing Plugin Plugin

SECURITY-3067 (2) / CVE-2023-28672

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N]

Affected plugin: [pill:octoperf|https://plugins.jenkins.io/octoperf]

Description:

OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.2 properly performs a permission check when accessing the affected connection test HTTP endpoint.

Missing permission check in OctoPerf Load Testing Plugin Plugin allows enumerating credentials IDs

SECURITY-3067 (3) / CVE-2023-28673

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:octoperf|https://plugins.jenkins.io/octoperf]

Description:

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in OctoPerf Load Testing Plugin Plugin 4.5.3 requires the appropriate permissions.

CSRF vulnerability and missing permission checks in OctoPerf Load Testing Plugin Plugin

SECURITY-3067 (4) / CVE-2023-28674 (CSRF), CVE-2023-28675 (missing permission check)

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N]

Affected plugin: [pill:octoperf|https://plugins.jenkins.io/octoperf]

Description:

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
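The four OctoPerf entries above share one defect pattern: form-validation endpoints reachable by GET and callable by any Overall/Read user. The descriptor below is an added example, not OctoPerf Load Testing Plugin code, of the shape Jenkins expects for such endpoints: `@POST` so Stapler rejects GET and enforces the CSRF crumb, a permission check bound to the item being configured, and a credentials drop-down that lists IDs only to users who may read that item's configuration. The class name and `tryConnect` helper are assumptions; the Stapler and Credentials Plugin APIs are real.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.util.Collections;

/** Hypothetical descriptor for illustration; not OctoPerf Load Testing Plugin code. */
public class ConnectionTestDescriptorExample {

    // A plain "public FormValidation doTestConnection(@QueryParameter ...)" with no annotation
    // and no check is the weak shape: GET reaches it (CSRF) and any Overall/Read user may call it.
    // @POST makes Stapler reject GET and enforce the CSRF crumb; the permission check ties the
    // call to what the user may configure (the item, or Jenkins itself for a global form).
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return tryConnect(url, credentialsId);
    }

    // Credential IDs are listed only to users allowed to read the item's configuration; anyone
    // else gets back just the value already saved, so the ID space cannot be enumerated.
    @POST
    public StandardListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                         @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                         : !item.hasPermission(Item.EXTENDED_READ)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    private FormValidation tryConnect(String url, String credentialsId) {
        return FormValidation.ok("placeholder: the real plugin would open " + url + " here");
    }
}
```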

CSRF vulnerability in Convert To Pipeline Plugin results in RCE

SECURITY-2963 / CVE-2023-28676

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:convert-to-pipeline|https://plugins.jenkins.io/convert-to-pipeline]

Description:

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966, this can result in the execution of unsandboxed Pipeline scripts.

As of publication of this advisory, there is no fix.

Command injection vulnerability in Convert To Pipeline Plugin results in RCE

SECURITY-2966 / CVE-2023-28677

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:convert-to-pipeline|https://plugins.jenkins.io/convert-to-pipeline]

Description:

Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Cppcheck Plugin

SECURITY-2809 / CVE-2023-28678

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:cppcheck|https://plugins.jenkins.io/cppcheck]

Description:

Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Mashup Portlets Plugin

SECURITY-2813 / CVE-2023-28679

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:mashup-portlets-plugin|https://plugins.jenkins.io/mashup-portlets-plugin]

Description:

Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

As of publication of this advisory, there is no fix.

XXE vulnerability in Crap4J Plugin

SECURITY-2925 / CVE-2023-28680

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N]

Affected plugin: [pill:crap4j|https://plugins.jenkins.io/crap4j]

Description:

Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

XXE vulnerability in Visual Studio Code Metrics Plugin

SECURITY-2926 / CVE-2023-28681

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N]

Affected plugin: [pill:vs-code-metrics|https://plugins.jenkins.io/vs-code-metrics]

Description:

Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

XXE vulnerability in Performance Publisher Plugin

SECURITY-2928 / CVE-2023-28682

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N]

Affected plugin: [pill:perfpublisher|https://plugins.jenkins.io/perfpublisher]

Description:

Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

XXE vulnerability in Phabricator Differential Plugin

SECURITY-2942 / CVE-2023-28683

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N]

Affected plugin: [pill:phabricator-plugin|https://plugins.jenkins.io/phabricator-plugin]

Description:

Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

XXE vulnerability in remote-jobs-view-plugin Plugin

SECURITY-2956 / CVE-2023-28684

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N]

Affected plugin: [pill:remote-jobs-view-plugin|https://plugins.jenkins.io/remote-jobs-view-plugin]

Description:

remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

XXE vulnerability in AbsInt a³ Plugin

SECURITY-2930 / CVE-2023-28685

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N]

Affected plugin: [pill:absint-a3|https://plugins.jenkins.io/absint-a3]

Description:

AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control 'Project File (APX)' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.
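The seven XXE entries above (Crap4J, Visual Studio Code Metrics, Performance Publisher, Phabricator Differential, remote-jobs-view-plugin, AbsInt a³ and their report parsers) all come down to a JAXP parser left at its defaults. The class below is an added example, not code from any of those plugins, of a parser configured the way Jenkins core's own `jenkins.util.xml.XMLUtils` does it: DOCTYPE declarations are refused outright and external general and parameter entities are never resolved, so a crafted report is rejected before any entity is touched. The class name and the two constructed report strings are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.IOException;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Illustration only; not code from any of the plugins listed above. */
public final class SafeReportParser {

    /** Builds a JAXP parser that refuses DOCTYPE declarations and never resolves external entities. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD at all
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a report archived by a build; a document carrying a DOCTYPE fails in the parser. */
    public static Document parseReport(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of a benign report, in the shape a coverage tool might write.
        String benign = "<report><class name=\"Foo\"><method name=\"bar\"/></class></report>";
        System.out.println(parseReport(benign).getDocumentElement().getTagName()); // report

        // Constructed sample that declares an external entity; the path is irrelevant because
        // the DOCTYPE itself is rejected before the entity could ever be resolved.
        String hostile = "<!DOCTYPE report [<!ENTITY ext SYSTEM \"file:///dev/null\">]>"
                + "<report><class name=\"&ext;\"/></report>";
        try {
            parseReport(hostile);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Plugins that parse with SAX, StAX or XSLT need the equivalent features on those factories; on a Jenkins controller the simplest route is to call `XMLUtils.parse` from core rather than hand-configuring a factory.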

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.387.1.3
  • CloudBees Cloud Platforms should be upgraded to 2.387.1.3
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.346.x.0.z)) should be upgraded to 2.346.40.0.12
