Security Advisories

CloudBees Security Advisory 2023-10-25

This advisory announces vulnerabilities in CloudBees CI and Jenkins.

Descriptions

Stored XSS vulnerability in GitHub Plugin

SECURITY-3246 / CVE-2023-46650

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:github|https://plugins.jenkins.io/github]

Description:

GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

GitHub Plugin 1.37.3.1 escapes GitHub project URL on the build page when showing changes.

Exposure of system-scoped credentials in Warnings Plugin

SECURITY-3265 / CVE-2023-46651

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:warnings-ng|https://plugins.jenkins.io/warnings-ng]

Description:

Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Warnings Plugin 10.5.1 defines the appropriate context for credentials lookup.

Missing permission check in lambdatest-automation Plugin allows enumerating credentials IDs

SECURITY-3222 / CVE-2023-46652

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:lambdatest-automation|https://plugins.jenkins.io/lambdatest-automation]

Description:

lambdatest-automation Plugin 1.20.9 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in lambdatest-automation Plugin 1.20.10 requires Overall/Administer permission.
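The Warnings Plugin entry and the lambdatest-automation entry above are two faces of the same credentials-handling mistake: looking credentials up without the right context, and exposing a credentials endpoint without a permission check. The example below is added here and is not code from either plugin. It shows the pattern the fixes describe: a drop-down endpoint that refuses to list credentials IDs unless the caller holds the required permission, and a run-time lookup that uses the build's job as the credentials context so that system-scoped credentials (those reserved for the global configuration) are never handed to a job. It assumes Jenkins core with the credentials and plain-credentials plugins on the classpath; the class name, method names and the `StringCredentials` type choice are hypothetical, the Jenkins and credentials-plugin calls are real APIs.

```java
// Added example; not code from the Warnings or lambdatest-automation plugins.
// Assumes Jenkins core plus the credentials and plain-credentials plugins.
import java.util.Collections;
import java.util.List;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

public final class ScopedCredentialsExample {

    private ScopedCredentialsExample() {}

    /**
     * Form endpoint that fills a credentials drop-down. Without the permission
     * checks below, anyone with Overall/Read can call the endpoint directly and
     * enumerate the IDs of every credential of this type, which is the
     * lambdatest-automation issue.
     */
    public static ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                        @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            // Called from the global (system) configuration: administrators only.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            // Called from a job configuration: caller must be allowed to read the
            // job's configuration or to use credentials in it.
            return result.includeCurrentValue(credentialsId);
        }
        List<DomainRequirement> noRequirements = Collections.emptyList();
        return result
                .includeEmptyValue()
                // 'item' is the lookup context. System-scoped credentials are only
                // offered when item == null, i.e. from the global configuration.
                .includeMatchingAs(ACL.SYSTEM, item, StringCredentials.class,
                        noRequirements, CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    /**
     * Run-time lookup from inside a build step. findCredentialById resolves the
     * ID in the context of the Run's job, so a system-scoped credential is not
     * returned to a job, and the use is recorded against the credential.
     */
    public static StringCredentials resolveForBuild(String credentialsId, Run<?, ?> run,
                                                    TaskListener listener) {
        // The weak form described in the Warnings Plugin entry, kept here only for
        // contrast: using the Jenkins root as ItemGroup context makes system-scoped
        // credentials eligible for any job that can name their ID.
        //   CredentialsMatchers.firstOrNull(
        //       CredentialsProvider.lookupCredentials(StringCredentials.class, Jenkins.get(),
        //               ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
        //       CredentialsMatchers.withId(credentialsId));
        StringCredentials creds = CredentialsProvider.findCredentialById(
                credentialsId, StringCredentials.class, run,
                Collections.<DomainRequirement>emptyList());
        if (creds == null) {
            listener.getLogger().println(
                    "Credentials '" + credentialsId + "' are not available in this job's scope");
        }
        return creds;
    }
}
```

The two halves enforce the same boundary at different times: the endpoint decides who may see which IDs exist, and the run-time lookup decides which credentials a job may actually resolve. Leaving either side at the Jenkins root scope reintroduces one of the two issues above.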

Exposure of token through logs in lambdatest-automation Plugin

SECURITY-3202 / CVE-2023-46653

Severity (CVSS): [pill:Low|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:lambdatest-automation|https://plugins.jenkins.io/lambdatest-automation]

Description:

lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level.

This can result in accidental exposure of the token through the default system log.

lambdatest-automation Plugin 1.21.0 no longer logs LAMBDATEST Credentials access token.

Arbitrary file deletion vulnerability in CloudBees CD Plugin

SECURITY-3237 / CVE-2023-46654

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:electricflow|https://plugins.jenkins.io/electricflow]

Description:

In CloudBees CD Plugin, artifacts that were previously copied from an agent to the controller are deleted after publishing by the 'CloudBees CD - Publish Artifact' post-build step.

CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during this cleanup process.

This allows attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.

CloudBees CD Plugin 1.1.33 deletes symbolic links without following them.

Arbitrary file read vulnerability in CloudBees CD Plugin

SECURITY-3238 / CVE-2023-46655

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N]

Affected plugin: [pill:electricflow|https://plugins.jenkins.io/electricflow]

Description:

CloudBees CD Plugin temporarily copies files from an agent workspace to the controller in preparation for publishing them in the 'CloudBees CD - Publish Artifact' post-build step.

CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the temporary directory on the controller when collecting the list of files to publish.

This allows attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.

CloudBees CD Plugin 1.1.33 ensures that only files located within the expected directory are published.
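The two CloudBees CD Plugin entries describe one temporary directory on the controller, abused in two directions: a symbolic link planted among the copied files points outside the directory, and the plugin first reads through it (publishing controller files) and then deletes through it (removing controller files). The example below is added here and is not plugin code. It shows the two defensive behaviours the fixes describe, using only java.nio: when collecting files to publish, a link is kept only if its real path is still inside the directory, and when cleaning up, links are unlinked rather than traversed. The class and method names and the constructed directory layout in `main` are assumptions.

```java
// Added example; not CloudBees CD Plugin code. Pure java.nio, no Jenkins dependency.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileVisitResult;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.SimpleFileVisitor;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.List;

public final class ConfinedTempDir {

    private ConfinedTempDir() {}

    /** Files eligible for publishing: regular files whose real path stays inside root. */
    public static List<Path> collectPublishable(Path root) throws IOException {
        final Path realRoot = root.toRealPath();
        final List<Path> out = new ArrayList<>();
        // Without FileVisitOption.FOLLOW_LINKS, walkFileTree does not descend into a
        // symlinked directory; every symlink (to file or directory) arrives at
        // visitFile with attrs.isSymbolicLink() == true.
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) {
                if (attrs.isSymbolicLink()) {
                    try {
                        // Resolve the link and keep it only if the target is still under root.
                        Path real = file.toRealPath();
                        if (real.startsWith(realRoot) && Files.isRegularFile(real)) {
                            out.add(file);
                        }
                    } catch (IOException dangling) {
                        // Broken link: nothing to publish.
                    }
                } else if (attrs.isRegularFile()) {
                    out.add(file);
                }
                return FileVisitResult.CONTINUE;
            }
        });
        return out;
    }

    /** Remove root and everything below it; links are deleted as links, never followed. */
    public static void deleteTreeNoFollow(Path root) throws IOException {
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path file, BasicFileAttributes attrs) throws IOException {
                Files.delete(file); // for a symlink this removes the link entry, not its target
                return FileVisitResult.CONTINUE;
            }

            @Override
            public FileVisitResult postVisitDirectory(Path dir, IOException exc) throws IOException {
                if (exc != null) {
                    throw exc;
                }
                Files.delete(dir);
                return FileVisitResult.CONTINUE;
            }
        });
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout (not from the advisory):
        //   publish/a.txt              regular file to publish
        //   publish/link-in  -> a.txt  link that stays inside the directory
        //   publish/link-out -> outside/secret.txt  link that escapes the directory
        Path outside = Files.createTempDirectory("outside");
        Path secret = Files.write(outside.resolve("secret.txt"),
                "controller-only".getBytes(StandardCharsets.UTF_8));
        Path tmp = Files.createTempDirectory("publish");
        Path artifact = Files.write(tmp.resolve("a.txt"),
                "artifact".getBytes(StandardCharsets.UTF_8));
        Files.createSymbolicLink(tmp.resolve("link-in"), artifact);
        Files.createSymbolicLink(tmp.resolve("link-out"), secret);

        System.out.println("publishable: " + collectPublishable(tmp));
        deleteTreeNoFollow(tmp);
        System.out.println("outside file still present: " + Files.exists(secret));
        deleteTreeNoFollow(outside);
    }
}
```

The collection step lists `a.txt` and `link-in` but not `link-out`, and the cleanup leaves `outside/secret.txt` in place because the link entry, not its target, is what gets deleted. On Windows, creating symbolic links requires an appropriate privilege or developer mode.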

Non-constant time webhook token comparison in Multibranch Scan Webhook Trigger Plugin

SECURITY-2875 / CVE-2023-46656

Severity (CVSS): [pill:Low|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:multibranch-scan-webhook-trigger|https://plugins.jenkins.io/multibranch-scan-webhook-trigger]

Description:

Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix. Learn why we announce this.

Non-constant time webhook token comparison in Gogs Plugin

SECURITY-2896 / CVE-2023-46657

Severity (CVSS): [pill:Low|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:gogs-webhook|https://plugins.jenkins.io/gogs-webhook]

Description:

Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix. Learn why we announce this.

Non-constant time webhook token comparison in MSTeams Webhook Trigger Plugin

SECURITY-2876 / CVE-2023-46658

Severity (CVSS): [pill:Low|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:teams-webhook-trigger|https://plugins.jenkins.io/teams-webhook-trigger]

Description:

MSTeams Webhook Trigger Plugin 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in Edgewall Trac Plugin

SECURITY-3247 / CVE-2023-46659

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H]

Affected plugin: [pill:trac|https://plugins.jenkins.io/trac]

Description:

Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix. Learn why we announce this.
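The GitHub Plugin and Edgewall Trac Plugin entries share a root cause: a URL configured by a job owner is written into the build page without escaping. The example below is added here and is not code from either plugin. It shows the two controls that close this class of bug when a server-side renderer builds the link: accept only absolute http/https URLs, and escape the value in both the attribute and the text position. In Jenkins views written in Jelly the escaping comes from `${...}` output with escape-by-default; this standalone Java makes explicit what that escaping has to cover. The class and method names and the sample inputs are assumptions.

```java
// Added example; not code from the GitHub or Trac plugins. No Jenkins dependency.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;

public final class SafeProjectLink {

    private SafeProjectLink() {}

    /** Minimal HTML escaper covering text content and double-quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Accept only absolute http/https URLs; javascript:, data:, relative or malformed input is rejected. */
    static Optional<String> validateHttpUrl(String raw) {
        if (raw == null) {
            return Optional.empty();
        }
        try {
            URI uri = new URI(raw.trim());
            String scheme = uri.getScheme();
            if (scheme == null || uri.getHost() == null) {
                return Optional.empty();
            }
            scheme = scheme.toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return Optional.empty();
            }
            return Optional.of(uri.toASCIIString());
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
    }

    /** Render the configured URL as a link, or as escaped plain text if it did not validate. */
    public static String render(String configuredUrl) {
        Optional<String> safe = validateHttpUrl(configuredUrl);
        if (safe.isPresent()) {
            String escaped = escapeHtml(safe.get());
            // The same escaped value is safe in the href attribute and as the link text.
            return "<a href=\"" + escaped + "\">" + escaped + "</a>";
        }
        return escapeHtml(String.valueOf(configuredUrl));
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal project URL, a value carrying markup, and a non-http scheme.
        System.out.println(render("https://github.com/example/repo"));
        System.out.println(render("https://example.org/\"><img src=x onerror=alert(1)>"));
        System.out.println(render("javascript:alert(1)"));
    }
}
```

The second and third inputs never become links: `java.net.URI` rejects the quote and angle brackets as illegal characters, and the scheme check rejects `javascript:`, so both fall through to the escaped-text branch. Validation alone is not enough, since a syntactically valid URL can still contain `&` or `'`; escaping alone is not enough either, since an escaped `javascript:` URL is still a live link. Both controls are needed.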

Non-constant time webhook token hash comparison in Zanata Plugin

SECURITY-2879 / CVE-2023-46660

Severity (CVSS): [pill:Low|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:zanata|https://plugins.jenkins.io/zanata]

Description:

Zanata Plugin 0.6 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token hashes are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix. Learn why we announce this.
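The four non-constant-time comparison entries above (Multibranch Scan Webhook Trigger, Gogs, MSTeams Webhook Trigger and Zanata) describe the same defect: the configured token and the one presented by the caller are compared with an ordinary equality check that returns at the first differing byte, so response time depends on how many leading bytes match. The example below is added here and is not code from any of those plugins. It shows the weak form beside a hardened one built on `java.security.MessageDigest.isEqual`, which compares in time independent of content once the lengths agree; hashing both values first makes the compared lengths always equal, so the remaining length leak disappears as well. The class and method names are assumptions, as is the SHA-256 choice.

```java
// Added example; not code from the plugins named in this advisory. No Jenkins dependency.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class WebhookTokenCheck {

    private WebhookTokenCheck() {}

    /** The weak form described in the advisory: String.equals stops at the first mismatch. */
    static boolean tokenMatchesNaive(String expected, String provided) {
        return expected != null && expected.equals(provided);
    }

    /**
     * Hardened form for plugins that receive the token itself. Both sides are
     * hashed so that isEqual always compares two 32-byte arrays: its early
     * return on differing lengths can therefore never reveal the token length,
     * and the byte comparison itself does not short-circuit on content.
     */
    public static boolean tokenMatches(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        byte[] a = sha256(expected.getBytes(StandardCharsets.UTF_8));
        byte[] b = sha256(provided.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(a, b);
    }

    /**
     * Hardened form for the Zanata case, where what arrives is already a hash of
     * the token: compare the digest bytes directly. Digests of one algorithm have
     * a fixed length, so the length check in isEqual leaks nothing useful.
     */
    public static boolean hashMatches(byte[] expectedDigest, byte[] providedDigest) {
        return expectedDigest != null && providedDigest != null
                && MessageDigest.isEqual(expectedDigest, providedDigest);
    }

    private static byte[] sha256(byte[] in) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(in);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required of every Java platform", e);
        }
    }

    public static void main(String[] args) {
        // Constructed token, not a real secret.
        String configured = "constructed-example-token";
        System.out.println(tokenMatches(configured, "constructed-example-token"));
        System.out.println(tokenMatches(configured, "constructed-example-tokeN"));
        System.out.println(tokenMatches(configured, "short"));
        System.out.println(hashMatches(sha256(configured.getBytes(StandardCharsets.UTF_8)),
                sha256("constructed-example-token".getBytes(StandardCharsets.UTF_8))));
    }
}
```

The same idea is available as `org.apache.commons.lang3`-free standard library code in any JVM plugin: `MessageDigest.isEqual` has been content-independent in its timing since JDK 6u17, and the hash-then-compare step is what removes the one remaining signal, the length. The CVSS vectors above rate attack complexity as High because exploiting the timing difference over a network requires a large number of measurements, which is also what makes the pattern worth detecting: many webhook calls with rejected tokens from one source.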

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.414.3.8
  • CloudBees Cloud Platforms should be upgraded to 2.414.3.8
  • CloudBees CD Plugin should be updated to version 1.1.33
  • GitHub Plugin should be updated to version 1.37.3.1
  • lambdatest-automation Plugin should be updated to version 1.20.10
  • lambdatest-automation Plugin should be updated to version 1.21.0
  • Warnings Plugin should be updated to version 10.5.1
