CVE-2021-21641: Jenkins Security Advisory 2021-04-07
A cross-site request forgery (CSRF) vulnerability in Jenkins promoted builds Plugin 3.9 and earlier allows attackers to promote builds.
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- OpenText Application Automation Tools Plugin
- promoted builds Plugin
Descriptions
Lack of type validation in agent-related REST API
SECURITY-1721 / CVE-2021-21639
Severity (CVSS): Low
Description:
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node.
This allows attackers with Computer/Configure permission to replace a node with one of a different type.
Jenkins 2.287, LTS 2.277.2 validates the type of object created and rejects objects of unexpected types.
View name validation bypass
SECURITY-1871 / CVE-2021-21640
Severity (CVSS): Medium
Description:
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name. When a form to create a view is submitted, the name is included twice in the submission. One instance is validated, but the other instance is used to create the value.
This allows attackers with View/Create permission to create views with invalid or already-used names.
Jenkins 2.287, LTS 2.277.2 uses the same submitted value for validation and view creation.
CSRF vulnerability in promoted builds Plugin
SECURITY-2293 / CVE-2021-21641
Severity (CVSS): Medium
Affected plugin: promoted-builds
Description:
promoted builds Plugin 3.9 and earlier does not require POST requests for HTTP endpoints implementing promotion (regular, forced, and re-execute), resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to promote builds.
promoted builds Plugin 3.9.1 requires POST requests for the affected HTTP endpoints.
A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability.
CSRF vulnerability and missing permission checks in OpenText Application Automation Tools Plugin
SECURITY-2132 / CVE-2021-22512 (CSRF), CVE-2021-22513 (permission check)
Severity (CVSS): Medium
Affected plugin: hp-application-automation-tools-plugin
Description:
OpenText Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
OpenText Application Automation Tools Plugin 6.8 requires POST requests and Overall/Administer permission for the affected form validation methods.
Reflected XSS vulnerability in OpenText Application Automation Tools Plugin
SECURITY-2175 / CVE-2021-22510
Severity (CVSS): High
Affected plugin: hp-application-automation-tools-plugin
Description:
OpenText Application Automation Tools Plugin 6.7 and earlier does not escape user input in a form validation response.
This results in a reflected cross-site scripting (XSS) vulnerability.
OpenText Application Automation Tools Plugin 6.8 escapes user input in the affected form validation response.
A security hardening since Jenkins 2.275 and LTS 2.263.2 prevents exploitation of this vulnerability.
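The three plugin-side fixes above share two patterns: a state-changing or form-validation web method must accept POST only (promoted builds 3.9.1, OpenText 6.8), and a form-validation method must check permission before acting on caller input and must escape that input in its response (OpenText 6.8). The following Java class is an added illustration written for this page; it is not code from the promoted builds plugin, the OpenText plugin or Jenkins core. It shows the weak and hardened form of each pattern inside one hypothetical Jenkins plugin Action. The class name, URL names, the `number`/`url`/`username`/`password` parameters and the use of `Run.keepLog(true)` as a stand-in for promotion logic are assumptions; the Stapler and Jenkins APIs used (`@RequirePOST`, `@QueryParameter`, `FormValidation`, `Jenkins.ADMINISTER`, `Run.UPDATE`) are real.

```java
// Added illustration for this advisory, not plugin or core code.
// ExampleAction, the "example"/"force" URL names and the stand-in state
// change are hypothetical; the Jenkins/Stapler APIs are real.
package io.example.jenkins;

import hudson.model.Action;
import hudson.model.Job;
import hudson.model.Run;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ExampleAction implements Action {
    private final Job<?, ?> job;

    public ExampleAction(Job<?, ?> job) { this.job = job; }

    @Override public String getIconFileName() { return null; }   // no sidebar link
    @Override public String getDisplayName() { return "Example"; }
    @Override public String getUrlName() { return "example"; }   // bound at <job>/example/

    // SECURITY-2293 shape: Stapler binds doForceWeak to .../example/forceWeak for
    // any HTTP method, so a plain GET from another origin reaches markBuild. The
    // permission check does not help, because the victim's own session supplies it.
    public HttpResponse doForceWeak(@QueryParameter int number) throws IOException {
        return markBuild(number);
    }

    // Hardened (the 3.9.1 fix shape): @RequirePOST makes Stapler reject non-POST
    // requests, and Jenkins' crumb filter then rejects POSTs without a valid crumb.
    @RequirePOST
    public HttpResponse doForce(@QueryParameter int number) throws IOException {
        return markBuild(number);
    }

    // Run.keepLog(true) is a real, state-changing Run method standing in for
    // promotion logic (assumption for this illustration).
    private HttpResponse markBuild(int number) throws IOException {
        Run<?, ?> run = job.getBuildByNumber(number);
        if (run == null) {
            return HttpResponses.notFound();
        }
        run.checkPermission(Run.UPDATE);
        run.keepLog(true);
        return HttpResponses.redirectToDot();
    }

    // SECURITY-2132 / SECURITY-2175 shape: no permission check, any HTTP method,
    // and the caller-supplied url is rendered as unescaped markup in the response.
    public FormValidation doTestConnectionWeak(@QueryParameter String url,
                                               @QueryParameter String username,
                                               @QueryParameter String password) {
        try {
            return probe(url, username, password)
                    ? FormValidation.ok()
                    : FormValidation.errorWithMarkup("Cannot reach " + url);
        } catch (IOException e) {
            return FormValidation.errorWithMarkup("Cannot reach " + url + ": " + e.getMessage());
        }
    }

    // Hardened (the 6.8 fix shape): POST only, Overall/Administer checked before
    // Jenkins connects anywhere with caller-supplied credentials, and
    // FormValidation.error(String) HTML-escapes its message before rendering.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            return probe(url, username, password)
                    ? FormValidation.ok()
                    : FormValidation.error("Cannot reach " + url);
        } catch (IOException e) {
            return FormValidation.error("Cannot reach " + url + ": " + e.getMessage());
        }
    }

    // Minimal HEAD request with HTTP Basic credentials. The point is only that
    // both the target and the credentials come from the request.
    private static boolean probe(String url, String username, String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        String token = Base64.getEncoder().encodeToString(
                (username + ":" + password).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + token);
        return conn.getResponseCode() < 400;
    }
}
```

When reviewing a plugin for the same classes of defect, the two things to look for are exactly the two differences between each weak/hardened pair: a `do*` web method that changes state or contacts the network without `@RequirePOST`, and a form-validation method that neither checks a permission nor routes caller input through an escaping `FormValidation` factory.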
SSL/TLS certificate validation unconditionally disabled by OpenText Application Automation Tools Plugin
SECURITY-2176 / CVE-2021-22511
Severity (CVSS): Medium
Affected plugin: hp-application-automation-tools-plugin
Description:
OpenText Application Automation Tools Plugin 6.7 and earlier unconditionally disables SSL/TLS certificate validation for connections to Service Virtualization servers.
OpenText Application Automation Tools Plugin 6.8 no longer disables SSL/TLS certificate validation unconditionally by default. It provides an option to disable SSL/TLS certificate validation for connections to Service Virtualization servers.
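The difference between 6.7 and 6.8 here is whether the trust-everything behaviour is hard-wired or is an explicit, off-by-default option. The class below is an added Java illustration for this page, not code from the OpenText plugin; the class name, the `ignoreSslErrors` option name and the log message are assumptions, while the `javax.net.ssl` APIs are the standard JDK ones.

```java
// Added illustration, not OpenText plugin code. SvConnectionFactory and
// the ignoreSslErrors option are hypothetical names.
package io.example.jenkins;

import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class SvConnectionFactory {
    private static final Logger LOG = Logger.getLogger(SvConnectionFactory.class.getName());

    // The trust manager that a "validation disabled" setting installs: it accepts
    // any chain, so the server's identity is never checked. The 6.7 shape of the
    // code is equivalent to applying this to every connection with no way to opt out.
    private static final TrustManager[] TRUST_EVERYTHING = { new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }};

    private final boolean ignoreSslErrors;

    // The 6.8 shape: validation is on unless the configuration explicitly turns it
    // off for this Service Virtualization connection. Default is false.
    public SvConnectionFactory(boolean ignoreSslErrors) {
        this.ignoreSslErrors = ignoreSslErrors;
    }

    public boolean validatesCertificates() {
        return !ignoreSslErrors;
    }

    public HttpsURLConnection open(URL serverUrl) throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) serverUrl.openConnection();
        if (ignoreSslErrors) {
            // Explicit opt-in only, and visible in the log so an operator can find it.
            LOG.warning("SSL/TLS certificate validation disabled for " + serverUrl.getHost());
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, TRUST_EVERYTHING, new SecureRandom());
            conn.setSSLSocketFactory(ctx.getSocketFactory());
            conn.setHostnameVerifier((host, session) -> true);
        }
        // Otherwise nothing is overridden: the JVM default SSLContext validates the
        // chain against the trust store and HttpsURLConnection verifies the hostname.
        return conn;
    }
}
```

The check a reviewer applies is simple: a custom `X509TrustManager` with empty `check*Trusted` bodies, or a `HostnameVerifier` that returns true, must only ever be installed behind a configuration flag that defaults to off, and installing it should leave a trace in the log.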
Severity
- SECURITY-1721: Low
- SECURITY-1871: Medium
- SECURITY-2132: Medium
- SECURITY-2175: High
- SECURITY-2176: Medium
- SECURITY-2293: Medium
Affected Versions
- Jenkins weekly up to and including 2.286
- Jenkins LTS up to and including 2.277.1
- OpenText Application Automation Tools Plugin up to and including 6.7
- promoted builds Plugin up to and including 3.9
Fix
- Jenkins weekly should be updated to version 2.287
- Jenkins LTS should be updated to version 2.277.2
- OpenText Application Automation Tools Plugin should be updated to version 6.8
- promoted builds Plugin should be updated to version 3.9.1
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
Credit
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
- Ildefonso Montero Pérez, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for SECURITY-2293
- Jeff Thompson, CloudBees, Inc. for SECURITY-1721
- Long Nguyen, Viettel Cyber Security for SECURITY-2132
- Wadeck Follonier, CloudBees, Inc. for SECURITY-2175, SECURITY-2176
Related news
Red Hat Security Advisory 2022-6133-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.30. Issues addressed include a code execution vulnerability.
Red Hat OpenShift Container Platform release 4.10.30 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26945: go-getter: command injection vulnerability * CVE-2022-30321: go-getter: unsafe download (issue 1 of 3) * CVE-2022-30322: go-getter: unsafe download (issue 2 of 3) * CVE-2022-30323: ...
Red Hat Advanced Cluster Management for Kubernetes 2.3.3 General Availability release images, which fix bugs, provide security fixes, and update container images. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3805: nodejs-object-path: prototype pollution vulnerability * CVE-2021-23017: nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name * CVE-2021-23434: object-path: Type confusion vulnerability can lead to a bypass of C...