Jenkins Security Advisory 2021-06-30

This advisory announces vulnerabilities in Jenkins

XXE vulnerability in Selenium HTML report Plugin

SECURITY-2329 / CVE-2021-21672

Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.
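The fix described above, disabling external entity resolution, comes down to how the XML parser factory is configured before the report is parsed. The following is an added example written for this advisory, not the plugin's own code: it builds a hardened DocumentBuilder and shows that a report carrying any DOCTYPE is rejected before entities could be resolved, while a plain report still parses. Both sample documents are constructed; the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedReportParser {

    // Constructed sample: a well-formed report with no DOCTYPE, which the parser must accept.
    static final String PLAIN_REPORT =
        "<report><test name=\"login\" status=\"passed\"/></report>";

    // Constructed sample: the same report preceded by a DOCTYPE that declares an entity.
    // A parser that forbids DTDs rejects this document before any entity is resolved.
    static final String REPORT_WITH_DOCTYPE =
        "<!DOCTYPE report [<!ENTITY note \"internal\">]><report>&note;</report>";

    /** Builds a DocumentBuilder that cannot resolve external entities or load DTDs. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Forbid DOCTYPE entirely; this alone blocks classic XXE and entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a report; returns null if the hardened parser rejects the document. */
    static Document parseReport(String xml) throws ParserConfigurationException {
        try {
            return hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException | IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain report parsed: " + (parseReport(PLAIN_REPORT) != null));
        System.out.println("DOCTYPE report parsed: " + (parseReport(REPORT_WITH_DOCTYPE) != null));
    }
}
```

The `disallow-doctype-decl` feature is the one that matters most: a report format that never needs a DTD has no reason to accept one, and refusing the declaration outright closes both external-entity resolution and entity-expansion denial of service. Jenkins core also ships `jenkins.util.xml.XMLUtils`, whose parse helpers apply the same kind of hardening, so a plugin can delegate to it instead of configuring a factory by hand.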

Open redirect vulnerability in CAS Plugin

SECURITY-2387 / CVE-2021-21673

CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

CAS Plugin 1.6.1 only redirects to relative (Jenkins) URLs.
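Restricting post-login redirects to relative URLs, as the 1.6.1 fix does, means accepting only targets that keep the browser on the Jenkins origin. The check below is an added example written for this advisory, not the CAS Plugin's own code; `isSafeRedirect` is an assumed name and the sample targets are constructed. It rejects absolute URLs, protocol-relative `//host` forms, the backslash variant some browsers normalise to a host, bare schemes, and control characters.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class SafeRedirect {

    /**
     * Returns true only for targets that are relative to this Jenkins instance:
     * a path starting with a single "/" and carrying no scheme or authority.
     */
    static boolean isSafeRedirect(String target) {
        if (target == null || target.isEmpty()) return false;
        // Reject control characters and whitespace; they enable header and parser confusion.
        for (char c : target.toCharArray()) {
            if (c <= 0x20 || c == 0x7f) return false;
        }
        // Must be an absolute path on this host, never "//host" (protocol-relative) or "/\host".
        if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false; // anything the URI grammar rejects is not a clean Jenkins path
        }
        // A scheme or authority means the browser would leave this origin.
        return !uri.isAbsolute() && uri.getRawAuthority() == null;
    }

    public static void main(String[] args) {
        // Constructed sample targets covering the allowed and rejected shapes.
        String[] samples = {
            "/job/build-app/",           // relative Jenkins path: allowed
            "/view/all/?q=1",            // relative path with query: allowed
            "https://example.invalid/",  // absolute URL: rejected
            "//example.invalid/login",   // protocol-relative: rejected
            "/\\example.invalid",        // backslash form some browsers treat as a host: rejected
            "javascript:void(0)",        // scheme only: rejected
            "/job/x\r\nSet-Cookie:y"     // CRLF in target: rejected
        };
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-28s -> %s%n", shown,
                isSafeRedirect(s) ? "redirect" : "fall back to Jenkins root");
        }
    }
}
```

When the check fails, the safe behaviour is to send the user to the Jenkins root rather than to error out, since the only thing lost is the deep link. Jenkins core provides `hudson.Util.isSafeToRedirectTo` for the same purpose, and a plugin that already depends on a recent core can use it instead of maintaining its own check.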

Missing permission check in requests-plugin Plugin allows viewing pending requests

SECURITY-1995 / CVE-2021-21674

requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the list of pending requests.

requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pending requests.

NOTE: The previous sentence originally stated that Overall/Read permission was newly required. This statement was incorrect and has been fixed.

CSRF vulnerabilities in requests-plugin Plugin

SECURITY-2136 (1) / CVE-2021-21675

requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or deleting jobs, deleting builds, etc.

requests-plugin Plugin 2.2.13 requires POST requests for the affected HTTP endpoints.

This was partially fixed in requests-plugin Plugin 2.2.8 to require POST requests for some of the affected HTTP endpoints, but the endpoint allowing administrators to apply pending requests remained unprotected until 2.2.13.

Missing permission check in requests-plugin Plugin allows sending emails

SECURITY-2136 (2) / CVE-2021-21676

requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address.

requests-plugin Plugin 2.2.8 requires Overall/Administer permission to send test emails.
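The three requests-plugin issues above (SECURITY-1995, SECURITY-2136 (1) and (2)) share one root cause: Stapler web methods that either answer GET for a state-changing action or skip the permission check. The class below is an added example written for this advisory, not the requests-plugin's code; `PendingRequestsAction`, `pendingRequests` and `applyRequest` are placeholder names and the pending-request strings are constructed. It shows the weak pattern beside the hardened one, where the read endpoint checks Overall/Administer and the apply endpoint additionally carries `@RequirePOST`.

```java
import hudson.Extension;
import hudson.model.RootAction;
import java.util.Arrays;
import java.util.List;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical request-management action for illustration. The "Weak" methods
 * reproduce the pattern the advisory describes and must not be shipped.
 */
@Extension
public class PendingRequestsAction implements RootAction {

    // --- Weak pattern: any Overall/Read user can list requests, and the apply
    // endpoint answers GET, so a crafted link an administrator follows triggers it.
    public HttpResponse doListPendingWeak() {
        return HttpResponses.text(String.join("\n", pendingRequests()));
    }

    public HttpResponse doApplyWeak(@QueryParameter String id) {
        applyRequest(id);
        return HttpResponses.ok();
    }

    // --- Hardened pattern: explicit permission check on the read endpoint ...
    public HttpResponse doListPending() {
        // Throws an access-denied exception for anyone without Overall/Administer.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return HttpResponses.text(String.join("\n", pendingRequests()));
    }

    // ... and POST-only plus a permission check on the state-changing endpoint.
    // @RequirePOST makes Stapler reject GET, so the request must carry a CSRF crumb.
    @RequirePOST
    public HttpResponse doApply(@QueryParameter String id) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        applyRequest(id);
        return HttpResponses.ok();
    }

    // Placeholder backing store with constructed entries.
    static List<String> pendingRequests() {
        return Arrays.asList("rename job-a -> job-b", "delete build #12 of job-c");
    }

    static void applyRequest(String id) {
        // A real implementation would mutate job or build state here.
    }

    @Override public String getIconFileName() { return null; } // hidden from the sidebar
    @Override public String getDisplayName() { return "Pending requests (example)"; }
    @Override public String getUrlName() { return "pending-requests-example"; }
}
```

Two points follow from the advisory's timeline. Requiring POST alone (the partial 2.2.8 fix) protects against forged requests but not against a logged-in user who lacks the permission, so every endpoint needs both controls. And the permission check belongs on the read endpoint as well: listing pending rename and delete requests exposes job names and intended changes, which is why 2.2.7 raised it to Overall/Administer.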

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Justin Philip, Kevin Guerroudj, Marc Heyries for SECURITY-2329

  • Matt Sicker, CloudBees, Inc. for SECURITY-1995

  • Wadeck Follonier, CloudBees, Inc. for SECURITY-2387

Severity

Fix

  • CAS Plugin should be updated to version 1.6.1

  • requests-plugin Plugin should be updated to version 2.2.13

  • Selenium HTML report Plugin should be updated to version 1.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.