CloudBees Security Advisory2023-06-14
This advisory announces vulnerabilities in
,
and
Jenkins
,
and
CloudBees CI

Descriptions
CSRF bypass vulnerability
SECURITY-3135 / CVE-2023-35141
Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]
Description:
Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs.
In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint (e.g., the Script Console) by opening a context menu.
As of publication of this advisory, we are aware of insufficiently escaped context menu URLs for label expressions, allowing attackers with Item/Configure permissions to exploit this vulnerability.
Jenkins 2.400, LTS 2.401.1 sends GET requests to load the list of context actions.
SSL/TLS certificate validation disabled by default in Checkmarx Plugin
SECURITY-2870 / CVE-2023-35142
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N]
Affected plugin: [pill:checkmarx|https://plugins.jenkins.io/checkmarx]
Description:
Checkmarx Plugin allows to globally enable or disable SSL/TLS validation for connections to the Checkmarx server. Checkmarx Plugin 2022.4.3 and earlier disables it by default. Unless changed by an administrator, it would cause all connections to the Checkmarx server to ignore SSL/TLS validation, thereby enabling potential man-in-the-middle attacks.
Checkmarx Plugin 2023.2.6 enables SSL/TLS validation by default. Administrators who do not want SSL/TLS validation for connections to the Checkmarx server to be disabled are advised to review their configuration.
Missing permission checks in Team Concert Plugin
SECURITY-2932 / CVE pending
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]
Affected plugin: [pill:teamconcert|https://plugins.jenkins.io/teamconcert]
Description:
Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.
Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.
Missing permission check in Dimensions Plugin allows enumerating credentials IDs
SECURITY-3138 / CVE-2023-32261
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N]
Affected plugin: [pill:dimensionsscm|https://plugins.jenkins.io/dimensionsscm]
Description:
Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.
Exposure of system-scoped credentials in Dimensions Plugin
SECURITY-3143 / CVE-2023-32262
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]
Affected plugin: [pill:dimensionsscm|https://plugins.jenkins.io/dimensionsscm]
Description:
Dimensions Plugin 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.
This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.
Dimensions Plugin 0.9.3.1 defines the appropriate context for credentials lookup.
Stored XSS vulnerability in Maven Repository Server Plugin
SECURITY-3156 / CVE-2023-35143
Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]
Affected plugin: [pill:repository|https://plugins.jenkins.io/repository]
Description:
Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in pom.xml.
As of publication of this advisory, there is no fix. Learn why we announce this.
Stored XSS vulnerability in Maven Repository Server Plugin
SECURITY-2951 / CVE-2023-35144
Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]
Affected plugin: [pill:repository|https://plugins.jenkins.io/repository]
Description:
Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change project or build display names.
As of publication of this advisory, there is no fix. Learn why we announce this.
Stored XSS vulnerability in Sonargraph Integration Plugin
SECURITY-3155 / CVE-2023-35145
Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]
Affected plugin: [pill:sonargraph-integration|https://plugins.jenkins.io/sonargraph-integration]
Description:
Sonargraph Integration Plugin 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
This issue is caused by an incomplete fix of SECURITY-1775.
As of publication of this advisory, there is no fix. Learn why we announce this.
Stored XSS vulnerability in Template Workflows Plugin
SECURITY-3166 / CVE-2023-35146
Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]
Affected plugin: [pill:template-workflows|https://plugins.jenkins.io/template-workflows]
Description:
Template Workflows Plugin 41.v32d86a_313b_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.
As of publication of this advisory, there is no fix. Learn why we announce this.
Arbitrary file read vulnerability in AWS CodeCommit Trigger Plugin
SECURITY-3099 / CVE-2023-35147
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N]
Affected plugin: [pill:aws-codecommit-trigger|https://plugins.jenkins.io/aws-codecommit-trigger]
Description:
AWS CodeCommit Trigger Plugin allows downloading activity logs of AWS Simple Queue Service (SQS) queues.
AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the queue name path parameter in the corresponding HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
CSRF vulnerability and missing permission checks in Digital.ai App Management Publisher Plugin
SECURITY-2911 / CVE-2023-35148 (CSRF), CVE-2023-35149 (missing permission check)
Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N]
Affected plugin: [pill:ease-plugin|https://plugins.jenkins.io/ease-plugin]
Description:
Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
Note
Warning
Severity
Fix
- CloudBees Traditional Platforms should be upgraded to 2.401.1.3
- CloudBees Cloud Platforms should be upgraded to 2.401.1.3
- Jenkins weekly should be updated to version 2.400
- Jenkins LTS should be updated to version 2.401.1
- Checkmarx Plugin should be updated to version 2023.2.6
- Dimensions Plugin should be updated to version 0.9.3.1
- Team Concert Plugin should be updated to version 2.4.2