CloudBees Security Advisory 2024-03-06

SECURITY-3333 / CVE-2023-48795
Severity (CVSS): Medium
Affected plugin: trilead-api
Description:

Trilead API Plugin bundles the Jenkins project’s fork of the Trilead SSH2 library for use by other plugins.

Trilead API Plugin 2.133.vfb_8a_7b_9c5dd1 and earlier, except 2.84.86.vf9c960e9b_458, bundles versions of Jenkins/Trilead SSH2 that are susceptible to CVE-2023-48795 (Terrapin). This vulnerability allows a machine-in-the-middle attacker to reduce the security of an SSH connection.

Trilead API Plugin 2.141.v284120fd0c46 updates the bundled Jenkins/Trilead SSH2 library to version build-217-jenkins-274.276.v58da_75159cb_7, which by default removes the affected ciphers and encryption modes.

SECURITY-3301 / CVE-2024-28149
Severity (CVSS): High
Affected plugin: htmlpublisher
Description:

SECURITY-784 / CVE-20218-1000175 is a path traversal vulnerability in HTML Publisher Plugin 1.15 and earlier. The fix for it retained compatibility for older reports as a fallback.

In HTML Publisher Plugin 1.16 through 1.32 (both inclusive) this fallback for reports created in HTML Publisher Plugin 1.15 and earlier does not properly sanitize input. This allows attackers with Item/Configure permission to do the following:

• Implement stored cross-site scripting (XSS) attacks.

• Determine whether a path on the Jenkins controller file system exists, without being able to access it.

HTML Publisher Plugin 1.32.1 removes support for reports created before HTML Publisher Plugin 1.15. Those reports are retained on disk, but may no longer be accessible through the Jenkins UI.

SECURITY-3302 / CVE-2024-28150
Severity (CVSS): High
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

HTML Publisher Plugin 1.32.1 escapes job names, report names, and index page titles when creating a new report. HTML Publisher Plugin 1.32.1 checks reports created in earlier releases for the presence of unsafe characters in the report frame, and refuses to show these frames if unsafe characters are identified.

SECURITY-3303 / CVE-2024-28151
Severity (CVSS): Medium
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller. Attackers with Item/Configure permission can use them to determine whether a path on the Jenkins controller file system exists, without being able to access it.

HTML Publisher Plugin 1.32.1 does not archive symbolic links.

SECURITY-3300 / CVE-2024-28152
Severity (CVSS): Medium
Affected plugin: cloudbees-bitbucket-branch-source
Description:

Multibranch Pipelines with Bitbucket branch source can be configured to discover pull requests from forks. The trust policy is set to "Forks in the same account" by default.

In Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, this trust policy allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server. This allows attackers able to submit pull requests from forks to change the Pipeline behavior.

In Bitbucket Branch Source Plugin 871.v28d74e8b_4226, the "Forks in the same account" trust policy does not extend trust to Jenkinsfiles modified by users without write access to the project.

SECURITY-3344 / CVE-2024-28153
Severity (CVSS): High
Affected plugin: dependency-check-jenkins-plugin
Description:

OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control workspace contents or CVE metadata.

OWASP Dependency-Check Plugin 5.4.6 escapes vulnerability metadata from Dependency-Check reports.

SECURITY-3180 / CVE-2024-28154
Severity (CVSS): Medium
Affected plugin: mq-notifier
Description:

MQ Notifier Plugin has a global option to log the JSON payload it sends to RabbitMQ in the build log. This includes the build parameters, some of which may be sensitive, and they are not masked.

In MQ Notifier Plugin 1.4.0 and earlier, this option is enabled by default. This results in unwanted exposure of sensitive information in build logs.

MQ Notifier Plugin 1.4.1 disables the global option to log the JSON payload it sends to RabbitMQ by default. This option is disabled when updating from a previous release and needs to be re-enabled by administrators who want to use this feature.

SECURITY-3144 / CVE-2024-28155
Severity (CVSS): Medium
Affected plugin: jenkinsci-appspider-plugin
Description:

AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.

AppSpider Plugin 1.0.17 requires Item/Configure permission for the affected HTTP endpoints.

SECURITY-3215 / CVE-2024-28161
Severity (CVSS): Medium
Affected plugin: delphix
Description:

Delphix Plugin provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections.

In Delphix Plugin 3.0.1 this option is set to disable SSL/TLS certificate validation by default.

In Delphix Plugin 3.0.2 this option is set to enable SSL/TLS certificate validation by default.

SECURITY-3330 / CVE-2024-28162
Severity (CVSS): Medium
Affected plugin: delphix
Description:

Delphix Plugin provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections.

In Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) an option change from disabled validation to enabled validation fails to take effect until Jenkins is restarted.

Delphix Plugin 3.1.1 applies the configuration change immediately when switching from disabled validation to enabled validation.

SECURITY-3200 / CVE-2024-2215 (CSRF), CVE-2024-2216 (permission check)
Severity (CVSS): Medium
Affected plugin: docker-build-step
Description:

docker-build-step Plugin 2.11 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test.

This allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL. Additionally, the plugin reconfigures itself using the provided connection test parameters, affecting future build step executions.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

SECURITY-3280 / CVE-2024-28156
Severity (CVSS): High
Affected plugin: build-monitor-plugin
Description:

Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.

As of publication of this advisory, there is no fix. Learn why we announce this.

SECURITY-3249 / CVE-2024-28157
Severity (CVSS): High
Affected plugin: gitbucket
Description:

GitBucket Plugin 0.8 and earlier does not sanitize Gitbucket URLs on build views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

As of publication of this advisory, there is no fix. Learn why we announce this.

SECURITY-3325 / CVE-2024-28158 (CSRF), CVE-2024-28159 (permission check)
Severity (CVSS): Medium
Affected plugin: svn-partial-release-mgr
Description:

Subversion Partial Release Manager Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to trigger a build.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

SECURITY-3248 / CVE-2024-28160
Severity (CVSS): High
Affected plugin: icescrum
Description:

iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

As of publication of this advisory, there is no fix. Learn why we announce this.

• SECURITY-3144: Medium

• SECURITY-3180: Medium

• SECURITY-3200: Medium

• SECURITY-3215: Medium

• SECURITY-3248: High

• SECURITY-3249: High

• SECURITY-3280: High

• SECURITY-3300: Medium

• SECURITY-3301: High

• SECURITY-3302: High

• SECURITY-3303: Medium

• SECURITY-3325: Medium

• SECURITY-3330: Medium

• SECURITY-3333: Medium

• SECURITY-3344: High

• CloudBees Traditional Platforms should be upgraded to 2.440.1.4

• CloudBees Cloud Platforms should be upgraded to 2.440.1.4

• AppSpider Plugin should be updated to version 1.0.17

• Bitbucket Branch Source Plugin should be updated to version 848.850.v6a_a_2a_234a_c81

• Delphix Plugin should be updated to version 3.0.2

• Delphix Plugin should be updated to version 3.1.1

• HTML Publisher Plugin should be updated to version 1.32.1

• MQ Notifier Plugin should be updated to version 1.4.1

• OWASP Dependency-Check Plugin should be updated to version 5.4.6

• Trilead API Plugin should be updated to version 2.84.86.vf9c960e9b_458