Security Advisories

CloudBees Security Advisory2024-10-02

This advisory announces vulnerabilities in 

,

and

CloudBees CI

,

and

CloudBees Jenkins Platform

,

and

Jenkins

Exposure of multi-line secrets through error messages in Jenkins

SECURITY-3451 / CVE-2024-47803

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Description:

Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

[!NOTE]

This issue is similar to SECURITY-765 in the 2018-10-10 security advisory.

[/]

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

Item creation restriction bypass vulnerability in Jenkins

SECURITY-3448 / CVE-2024-47804

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N]

Description:

Jenkins provides APIs for fine-grained control of item creation:

  • Authorization strategies can prohibit the creation of items of a given type in a given item group (ACL#hasCreatePermission2).
  • Item types can prohibit creation of new instances in a given item group (TopLevelItemDescriptor#isApplicableIn(ItemGroup)).

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk.

This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.

Encrypted values of credentials revealed to users with Extended Read permission in Credentials Plugin

SECURITY-3373 / CVE-2024-47805

Severity (CVSS): [pill:Medium|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]

Affected plugin: [pill:credentials|https://plugins.jenkins.io/credentials]

Description:

Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the SecretBytes type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item config.xml via REST API or CLI.

This allows attackers with Item/Extended Read permission to view encrypted SecretBytes values in credentials.

[!NOTE]

This issue is similar to SECURITY-266 in the 2016-05-11 security advisory, which applied to the Secret type used for inline secrets and some credentials types.

[/]

Credentials Plugin 1381.v2c3a_12074da_b_ redacts the encrypted values of credentials using the SecretBytes type in item config.xml files.

[!WARNING]

This fix is only effective on Jenkins 2.479 and newer, LTS 2.462.3 and newer. While Credentials Plugin 1381.v2c3a_12074da_b_ can be installed on Jenkins 2.463 through 2.478 (both inclusive), encrypted values of credentials using the SecretBytes type will not be redacted when accessing item config.xml via REST API or CLI.

[/]

Lack of audience claim validation in OpenId Connect Authentication Plugin

SECURITY-3441 (1) / CVE-2024-47806

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H]

Affected plugin: [pill:oic-auth|https://plugins.jenkins.io/oic-auth]

Description:

OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.

Lack of issuer claim validation in OpenId Connect Authentication Plugin

SECURITY-3441 (2) / CVE-2024-47807

Severity (CVSS): [pill:High|https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H]

Affected plugin: [pill:oic-auth|https://plugins.jenkins.io/oic-auth]

Description:

OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token during its authentication flow, a value that identifies the Originating Party (IdP).

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the iss (Issuer) claim of an ID Token during its authentication flow when the Issuer is known.

[!WARNING]

When using the "Manual entry" configuration mode, the new "Issuer" field must be populated after updating to protect from this issue. When using "Discovery via well-known endpoint", the Issuer will be set automatically.

[/]

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.462.3.3
  • CloudBees Cloud Platforms should be upgraded to 2.462.3.3
  • OpenId Connect Authentication Plugin should be updated to version 4.355.v3a_fb_fca_b_96d4

Subscription confirmed

You'll now be notified automatically when new vulnerabilities
are disclosed