CloudBees Security Advisory 2023-05-16

This advisory announces vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees CI

Stored XSS vulnerability in Pipeline: Job Plugin 

SECURITY-3042 / CVE-2023-32977
Severity (CVSS): High
Affected plugin: workflow-job
Description:

Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when "Do not allow concurrent builds" is set.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.

The Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability, as the build name must be set before the build starts.

Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build that caused an earlier build to be aborted.

CSRF vulnerability in LDAP Plugin 

SECURITY-3046 / CVE-2023-32978
Severity (CVSS): Medium
Affected plugin: ldap
Description:

LDAP Plugin 673.v034ec70ec2b_b_ and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

LDAP Plugin 676.vfa_64cf6b_b_002 requires POST requests for the affected form validation method.

Missing permission check in Email Extension Plugin 

SECURITY-3088 (1) / CVE-2023-32979
Severity (CVSS): Medium
Affected plugin: email-ext
Description:

Email Extension Plugin 2.96 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.

This form validation method requires the appropriate permission in Email Extension Plugin 2.96.1.

CSRF vulnerability in Email Extension Plugin 

SECURITY-3088 (2) / CVE-2023-32980
Severity (CVSS): Medium
Affected plugin: email-ext
Description:

Email Extension Plugin 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers to make another user stop watching an attacker-specified job.

Email Extension Plugin 2.96.1 requires POST requests for the affected HTTP endpoint.

Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin 

SECURITY-2196 / CVE-2023-32981
Severity (CVSS): Medium
Affected plugin: pipeline-utility-steps
Description:

Pipeline Utility Steps Plugin provides the untar and unzip Pipeline steps to extract archives into job workspaces.

Pipeline Utility Steps Plugin 2.15.2 and earlier does not validate or limit file paths of files contained within these archives.

This allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.

Pipeline Utility Steps Plugin 2.15.3 rejects extraction of files in tar and zip archives that would be placed outside the expected destination directory.

Secrets stored and displayed in plain text by Ansible Plugin 

SECURITY-3017 / CVE-2023-32982 (storage), CVE-2023-32983 (masking)
Severity (CVSS): Medium
Affected plugin: ansible
Description:

Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.

Ansible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.

Ansible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.

Stored XSS vulnerability in TestNG Results Plugin 

SECURITY-3047 / CVE-2023-32984
Severity (CVSS): High
Affected plugin: testng-plugin
Description:

TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin’s test information pages.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a crafted TestNG report file.

TestNG Results Plugin 730.732.v959a_3a_a_eb_a_72 escapes the affected values that are parsed from TestNG report files.

SECURITY-3125 / CVE-2023-32985
Severity (CVSS): Medium
Affected plugin: sidebar-link
Description:

Sidebar Link Plugin allows specifying files in the userContent/ directory for use as link icons.

Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Sidebar Link Plugin 2.2.2 ensures that only files located within the expected userContent/ directory can be accessed.

Arbitrary file write vulnerability in File Parameter Plugin 

SECURITY-3123 / CVE-2023-32986
Severity (CVSS): High
Affected plugin: file-parameters
Description:

File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters.

This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

File Parameter Plugin 285.287.v4b_7b_29d3469d restricts the name (and resulting uploaded file name) of Stashed File Parameters.

CSRF vulnerability in Reverse Proxy Auth Plugin 

SECURITY-3002 / CVE-2023-32987
Severity (CVSS): Medium
Affected plugin: reverse-proxy-auth-plugin
Description:

Reverse Proxy Auth Plugin 1.7.4 and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

Reverse Proxy Auth Plugin 1.7.5 requires POST requests for the affected form validation method.

Missing permission check in Azure VM Agents Plugin allows enumerating credentials IDs 

SECURITY-2855 (1) / CVE-2023-32988
Severity (CVSS): Medium
Affected plugin: azure-vm-agents
Description:

Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Azure VM Agents Plugin 853.v4a_1a_dd947520 requires Overall/Administer permission.

CSRF vulnerability and missing permission checks in Azure VM Agents Plugin 

SECURITY-2855 (2) / CVE-2023-32989 (CSRF), CVE-2023-32990 (missing permission check)
Severity (CVSS): Medium
Affected plugin: azure-vm-agents
Description:

Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Azure VM Agents Plugin 853.v4a_1a_dd947520 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

CSRF vulnerability and missing permission checks in SAML Single Sign On(SSO) Plugin allow XXE 

SECURITY-2993 / CVE-2023-32991 (CSRF), CVE-2023-32992 (missing permission check)
Severity (CVSS): High
Affected plugin: miniorange-saml-sp
Description:

SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform permission checks in multiple HTTP endpoints.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.

As the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

SAML Single Sign On(SSO) Plugin 2.1.0 requires POST requests and Overall/Administer permission for the affected HTTP endpoints.

Missing hostname validation in SAML Single Sign On(SSO) Plugin 

SECURITY-3001 (1) / CVE-2023-32993
Severity (CVSS): Medium
Affected plugin: miniorange-saml-sp
Description:

SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

SAML Single Sign On(SSO) Plugin 2.1.0 performs hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

SSL/TLS certificate validation unconditionally disabled by SAML Single Sign On(SSO) Plugin 

SECURITY-3001 (2) / CVE-2023-32994
Severity (CVSS): Medium
Affected plugin: miniorange-saml-sp
Description:

SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

SAML Single Sign On(SSO) Plugin 2.2.0 performs SSL/TLS certificate validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

CSRF vulnerability and missing permission check in SAML Single Sign On(SSO) Plugin 

SECURITY-2994 / CVE-2023-32995 (CSRF), CVE-2023-32996 (missing permission check)
Severity (CVSS): Medium
Affected plugin: miniorange-saml-sp
Description:

SAML Single Sign On(SSO) Plugin 2.0.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange’s API for sending emails.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

SAML Single Sign On(SSO) Plugin 2.0.1 removes the affected HTTP endpoint.

Session fixation vulnerability in CAS Plugin 

SECURITY-3000 / CVE-2023-32997
Severity (CVSS): High
Affected plugin: cas-plugin
Description:

CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

CAS Plugin 1.6.3 invalidates the existing session on login.

CSRF vulnerability and missing permission checks in Code Dx Plugin 

SECURITY-3118 / CVE-2023-2195 (CSRF), CVE-2023-2631 (missing permission check)
Severity (CVSS): Medium
Affected plugin: codedx
Description:

Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Missing permission checks in Code Dx Plugin 

SECURITY-3145 / CVE-2023-2196
Severity (CVSS): Medium
Affected plugin: codedx
Description:

Code Dx Plugin 3.1.0 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.

Code Dx Plugin 4.0.0 requires Item/Configure permission for this form validation method and ensures that only files located within the workspace can be checked.

API keys stored and displayed in plain text by Code Dx Plugin 

SECURITY-3146 / CVE-2023-2632 (storage), CVE-2023-2633 (masking)
Severity (CVSS): Medium
Affected plugin: codedx
Description:

Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

Code Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.

CSRF vulnerability and missing permission check in AppSpider Plugin 

SECURITY-3121 / CVE-2023-32998 (CSRF), CVE-2023-32999 (missing permission check)
Severity (CVSS): Medium
Affected plugin: jenkinsci-appspider-plugin
Description:

AppSpider Plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

AppSpider Plugin 1.0.16 requires POST requests and Overall/Administer permission for the affected form validation method.

Credentials displayed without masking by NS-ND Integration Performance Publisher Plugin 

SECURITY-2962 / CVE-2023-33000
Severity (CVSS): Low
Affected plugin: cavisson-ns-nd-integration
Description:

NS-ND Integration Performance Publisher Plugin stores credentials in job config.xml files on the Jenkins controller as part of its configuration.

While these credentials are stored encrypted on disk, in NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

NS-ND Integration Performance Publisher Plugin 4.11.0.48 masks credentials displayed on the configuration form.

Improper masking of credentials in HashiCorp Vault Plugin 

SECURITY-3077 / CVE-2023-33001
Severity (CVSS): Medium
Affected plugin: hashicorp-vault-plugin
Description:

HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:

  • The credentials are printed in build steps executing on an agent (typically inside a node block).

  • Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.

  • An improvement in Credentials Binding 523.525.vb_72269281873 implements a workaround that applies build log masking even in affected plugins. This workaround is temporary and potentially incomplete, so it is still recommended that affected plugins be updated to resolve this issue.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in TestComplete support Plugin 

SECURITY-2892 / CVE-2023-33002
Severity (CVSS): High
Affected plugin: TestComplete
Description:

TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name in its test result page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability and missing permission checks in Tag Profiler Plugin 

SECURITY-3083 / CVE-2023-33003 (CSRF), CVE-2023-33004 (missing permission check)
Severity (CVSS): Medium
Affected plugin: tag-profiler
Description:

Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to reset profiler statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

Session fixation vulnerability in WSO2 Oauth Plugin 

SECURITY-2991 / CVE-2023-33005
Severity (CVSS): High
Affected plugin: wso2id-oauth
Description:

WSO2 Oauth Plugin 1.0 and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability in WSO2 Oauth Plugin 

SECURITY-2990 / CVE-2023-33006
Severity (CVSS): Medium
Affected plugin: wso2id-oauth
Description:

WSO2 Oauth Plugin 1.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in LoadComplete support Plugin 

SECURITY-2903 / CVE-2023-33007
Severity (CVSS): High
Affected plugin: loadcomplete
Description:

LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name in its test result page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix. Learn why we announce this.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.387.3.5

  • CloudBees Cloud Platforms should be upgraded to 2.387.3.5

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.346.x.0.z)) should be upgraded to 2.346.40.0.17