Jenkins Security Advisory 2021-06-30
This advisory announces vulnerabilities in the following Jenkins plugins: CAS Plugin, requests-plugin Plugin, and Selenium HTML report Plugin.
XXE vulnerability in Selenium HTML report Plugin
SECURITY-2329 / CVE-2021-21672
Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities to extract secrets from the Jenkins controller or to perform server-side request forgery.
Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.
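The following is an added example, not code from the plugin or from the Jenkins project, showing the difference between a default JAXP parser and one with external entity resolution disabled as the fix above describes. The report format, the element and attribute names, and the "secret" file are constructed for the demonstration; the vulnerable parser copies the file's contents into the parsed document, the hardened one rejects the DOCTYPE before any entity is resolved.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class ReportParserXxe {

    /** Vulnerable: a default JAXP DocumentBuilder resolves external general entities. */
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened: reject any DOCTYPE, and disable entity and DTD loading as defence in depth. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A test report never needs a DTD; refusing DOCTYPE blocks XXE, entity expansion
        // (billion laughs) and parameter-entity tricks at once.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // If a format did require a DOCTYPE, these settings alone stop external entity resolution.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a report and returns the name attribute of its first <suite> element. */
    static String suiteName(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("suite").item(0)
                .getAttributes().getNamedItem("name").getNodeValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a controller secret: a temp file whose contents the attacker wants back.
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.write(secret, "not-for-you".getBytes(StandardCharsets.UTF_8));

        // Constructed crafted report: the external entity points at that file and is expanded
        // into an attribute the plugin would later render on the build's report page.
        String crafted = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE report [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<report><suite name=\"&xxe;\" tests=\"1\"/></report>";

        try {
            // Prints the file contents: the parser fetched the entity from disk.
            System.out.println("vulnerable parser: suite name = " + suiteName(vulnerableBuilder(), crafted));
            suiteName(hardenedBuilder(), crafted);
        } catch (SAXParseException e) {
            // The hardened parser fails before any entity is resolved.
            System.out.println("hardened parser: rejected, " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The same SYSTEM entity can name an http:// URL instead of a file, which is the server-side request forgery case from the description. Plugins running inside Jenkins can also use jenkins.util.xml.XMLUtils from Jenkins core, which applies equivalent parser settings, instead of configuring the factory by hand.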
Open redirect vulnerability in CAS Plugin
SECURITY-2387 / CVE-2021-21673
CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.
CAS Plugin 1.6.1 only redirects to relative (Jenkins) URLs.
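As an added example, not the CAS Plugin's own code, the check below accepts a post-login redirect target only if it is a root-relative path under Jenkins' own context path, and falls back to the Jenkins root otherwise. The method names and the probe URLs are constructed for the demonstration; the point is the set of inputs that must be refused even though none of them contains an obvious "http://".

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class PostLoginRedirect {

    /**
     * True only for a root-relative path that stays under Jenkins' context path.
     * Anything that could make a browser leave the Jenkins origin is rejected.
     */
    static boolean isSafeRedirectTarget(String target, String contextPath) {
        if (target == null || target.isEmpty()) return false;
        // Browsers rewrite "\" to "/" for http(s), so "/\evil.example" becomes "//evil.example",
        // and they strip leading whitespace and control characters before parsing. Refuse both.
        if (target.indexOf('\\') >= 0 || !target.equals(target.trim())) return false;
        // Require exactly one leading "/": "//host" and "///host" are network-path references.
        if (!target.startsWith("/") || target.startsWith("//")) return false;
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;   // not even a valid URI reference; do not try to be clever with it
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) return false;
        String path = uri.getRawPath();
        if (path == null) return false;
        // contextPath is "" when Jenkins is served at the root, otherwise e.g. "/jenkins".
        return contextPath.isEmpty() || path.equals(contextPath) || path.startsWith(contextPath + "/");
    }

    /** Where to send the user after a successful login: the requested target if safe, else the root. */
    static String postLoginTarget(String requested, String contextPath) {
        return isSafeRedirectTarget(requested, contextPath) ? requested : contextPath + "/";
    }

    public static void main(String[] args) {
        // Constructed probes; all but the first and last must be replaced by "/".
        String[] probes = {
            "/job/build-all/",                   // legitimate Jenkins URL
            "https://evil.example/login",        // absolute URL
            "//evil.example/",                   // protocol-relative
            "///evil.example/",                  // browsers collapse this to //evil.example
            "/\\evil.example/",                  // backslash confusion
            " //evil.example/",                  // leading whitespace
            "javascript:alert(document.cookie)", // non-http scheme
            "/job/a/?from=//evil.example"        // host-like text in the query is harmless
        };
        for (String p : probes) {
            System.out.printf("%-38s -> %s%n", p, postLoginTarget(p, ""));
        }
        System.out.println(postLoginTarget("/jenkins/job/x/", "/jenkins")); // stays under /jenkins
        System.out.println(postLoginTarget("/other/app/", "/jenkins"));     // outside context path -> /jenkins/
    }
}
```

Jenkins core also provides hudson.Util.isSafeToRedirectTo for the absolute-URL and "//" cases; the context-path comparison above is an additional restriction, which is appropriate when, as here, the only legitimate destinations are Jenkins pages.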
Missing permission check in requests-plugin Plugin allows viewing pending requests
SECURITY-1995 / CVE-2021-21674
requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to view the list of pending requests.
requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pending requests.
NOTE: The previous sentence originally stated that Overall/Read permission was newly required. This statement was incorrect and has been fixed.
CSRF vulnerabilities in requests-plugin Plugin
SECURITY-2136 (1) / CVE-2021-21675
requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to create requests and/or to trick administrators into applying pending requests, such as renaming or deleting jobs, deleting builds, etc.
requests-plugin Plugin 2.2.13 requires POST requests for the affected HTTP endpoints.
This was partially fixed in requests-plugin Plugin 2.2.8 to require POST requests for some of the affected HTTP endpoints, but the endpoint allowing administrators to apply pending requests remained unprotected until 2.2.13.
Missing permission check in requests-plugin Plugin allows sending emails
SECURITY-2136 (2) / CVE-2021-21676
requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address.
requests-plugin Plugin 2.2.8 requires Overall/Administer permission to send test emails.
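The following is an added example, not the requests-plugin Plugin's source, covering the three requests-plugin issues above with a hypothetical Stapler-bound root action: a read endpoint that lacked a permission check (as in SECURITY-1995 and the test-email endpoint of SECURITY-2136 (2)) and a state-changing endpoint that accepted GET (SECURITY-2136 (1)). The action name, URL, request list and parameter names are constructed; the Jenkins and Stapler APIs used (Jenkins.get().checkPermission, Jenkins.ADMINISTER, @RequirePOST, HttpResponses) are real.

```java
import hudson.Extension;
import hudson.model.RootAction;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical root action bound at <jenkins-root>/pending-requests/, modelled on the
 * endpoints this advisory describes. Not the plugin's actual code.
 */
@Extension
public class PendingRequestsAction implements RootAction {

    /** Constructed in-memory stand-in for the plugin's pending requests. */
    private final List<String> pending = new CopyOnWriteArrayList<>(
            Arrays.asList("delete job: legacy-build", "rename job: app -> app-v2"));

    @Override public String getIconFileName() { return null; }  // no sidebar link
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "pending-requests"; }

    // --- Read endpoint: GET .../pending-requests/list ---
    //
    // Before (the SECURITY-1995 shape): nothing checked the caller, so anyone who can reach
    // the URL, i.e. every user with Overall/Read, could enumerate pending requests:
    //
    //     public HttpResponse doList() {
    //         return HttpResponses.plainText(String.join("\n", pending));
    //     }
    //
    // After: an explicit check for the permission the feature actually needs. The same one-line
    // check is the fix for the test-email endpoint of SECURITY-2136 (2).
    public HttpResponse doList() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);   // throws AccessDeniedException -> HTTP 403
        return HttpResponses.plainText(String.join("\n", pending));
    }

    // --- State-changing endpoint: .../pending-requests/apply?index=0 ---
    //
    // Before (the SECURITY-2136 (1) shape): a permission check alone is not enough. Stapler binds
    // a do* method to every HTTP method, so <img src="https://jenkins.example/pending-requests/apply?index=0">
    // on any page an administrator visits applies the request with the administrator's session.
    //
    // After: @RequirePOST makes Stapler answer anything but POST with 405 Method Not Allowed,
    // and Jenkins' CSRF protection (the crumb, on by default in Jenkins 2) then covers the POST.
    @RequirePOST
    public HttpResponse doApply(@QueryParameter int index) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (index < 0 || index >= pending.size()) {
            return HttpResponses.error(400, "no such pending request");
        }
        String applied = pending.remove(index);
        return HttpResponses.plainText("applied: " + applied);
    }
}
```

The order inside doApply matters: the permission check runs before any argument is inspected, so an unauthorised caller learns nothing about how many requests are pending. The request-creation endpoint the advisory mentions gets the same @RequirePOST treatment, since creating a request is also a state change.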
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
Justin Philip, Kevin Guerroudj, Marc Heyries for SECURITY-2329
Matt Sicker, CloudBees, Inc. for SECURITY-1995
Wadeck Follonier, CloudBees, Inc. for SECURITY-2387
Severity
SECURITY-2136 (1): Medium
SECURITY-2136 (2): Medium
Fix
CAS Plugin should be updated to version 1.6.1
requests-plugin Plugin should be updated to version 2.2.13
Selenium HTML report Plugin should be updated to version 1.1
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.