CVE-2023-32988: Jenkins Security Advisory 2023-05-16

A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Ansible Plugin
  • AppSpider Plugin
  • Azure VM Agents Plugin
  • CAS Plugin
  • Code Dx Plugin
  • Email Extension Plugin
  • File Parameter Plugin
  • HashiCorp Vault Plugin
  • LDAP Plugin
  • LoadComplete support Plugin
  • NS-ND Integration Performance Publisher Plugin
  • Pipeline Utility Steps Plugin
  • Pipeline: Job Plugin
  • Reverse Proxy Auth Plugin
  • SAML Single Sign On(SSO) Plugin
  • SAML Single Sign On(SSO) Plugin
  • SAML Single Sign On(SSO) Plugin
  • Sidebar Link Plugin
  • Tag Profiler Plugin
  • TestComplete support Plugin
  • TestNG Results Plugin
  • WSO2 Oauth Plugin

Descriptions

Stored XSS vulnerability in Pipeline: Job Plugin

SECURITY-3042 / CVE-2023-32977
Severity (CVSS): High
Affected plugin: workflow-job
Description:

Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, when “Do not allow concurrent builds” is set.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.

The Jenkins security team is not aware of any plugins that allow the exploitation of this vulnerability, as the build name must be set before the build starts.

Pipeline: Job Plugin 1295.v395eb_7400005 escapes the display name of the build that caused an earlier build to be aborted.

CSRF vulnerability in LDAP Plugin

SECURITY-3046 / CVE-2023-32978
Severity (CVSS): Medium
Affected plugin: ldap
Description:

LDAP Plugin 673.v034ec70ec2b_b_ and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

LDAP Plugin 676.vfa_64cf6b_b_002 requires POST requests for the affected form validation method.

Missing permission check in Email Extension Plugin

SECURITY-3088 (1) / CVE-2023-32979
Severity (CVSS): Medium
Affected plugin: email-ext
Description:

Email Extension Plugin 2.96 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.

This form validation method requires the appropriate permission in Email Extension Plugin 2.96.1.

CSRF vulnerability in Email Extension Plugin

SECURITY-3088 (2) / CVE-2023-32980
Severity (CVSS): Medium
Affected plugin: email-ext
Description:

Email Extension Plugin 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers to make another user stop watching an attacker-specified job.

Email Extension Plugin 2.96.1 requires POST requests for the affected HTTP endpoint.

Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin

SECURITY-2196 / CVE-2023-32981
Severity (CVSS): Medium
Affected plugin: pipeline-utility-steps
Description:

Pipeline Utility Steps Plugin provides the untar and unzip Pipeline steps to extract archives into job workspaces.

Pipeline Utility Steps Plugin 2.15.2 and earlier does not validate or limit file paths of files contained within these archives.

This allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.

Pipeline Utility Steps Plugin 2.15.3 rejects extraction of files in tar and zip archives that would be placed outside the expected destination directory.
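The path check that the 2.15.3 fix describes, as an added example that is not the plugin's own code: every archive entry is resolved against the destination directory and rejected if it would land outside it. Class and method names are hypothetical; zip is shown, and the same check applies to tar entries.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public final class SafeUnzip {

    /** Maps an entry name onto a path under dest and refuses anything that would land
     *  outside it: "../" sequences, absolute names, or names that merely share a character
     *  prefix with dest ("workspace2" when dest is "workspace"). dest must already exist. */
    static Path resolveInside(Path dest, String entryName) throws IOException {
        Path root = dest.toRealPath();                  // canonical, symlinks resolved
        Path target = root.resolve(entryName).normalize();
        // Path.startsWith compares whole name elements, so "/tmp/workspace2" does not
        // pass as being inside "/tmp/workspace".
        if (!target.startsWith(root)) {
            throw new IOException("archive entry would escape destination: " + entryName);
        }
        return target;
    }

    /** Extracts a zip stream into dest, stopping at the first entry that fails the check.
     *  Returns the number of regular files written. */
    public static int extract(InputStream in, Path dest) throws IOException {
        int written = 0;
        try (ZipInputStream zip = new ZipInputStream(in)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; zip.closeEntry()) {
                Path target = resolveInside(dest, e.getName());
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                    continue;
                }
                Files.createDirectories(target.getParent());
                Files.copy(zip, target, StandardCopyOption.REPLACE_EXISTING);
                written++;
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        // Constructed archive: one benign entry, then one that tries to climb out.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            out.putNextEntry(new ZipEntry("reports/result.txt"));
            out.write("benign".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
            out.putNextEntry(new ZipEntry("../outside.txt"));
            out.write("should never be written".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        Path workspace = Files.createTempDirectory("workspace");
        try {
            extract(new ByteArrayInputStream(buf.toByteArray()), workspace);
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        // The escaping entry would have landed next to the workspace, not inside it.
        System.out.println("outside.txt written: "
                + Files.exists(workspace.resolveSibling("outside.txt")));
    }
}
```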

Secrets stored and displayed in plain text by Ansible Plugin

SECURITY-3017 / CVE-2023-32982 (storage), CVE-2023-32983 (masking)
Severity (CVSS): Medium
Affected plugin: ansible
Description:

Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets.

Ansible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them.

Ansible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.
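How a Jenkins plugin keeps a value like these extra variables out of config.xml in clear text, as an added example rather than the Ansible Plugin's own code: the field becomes a hudson.util.Secret, which XStream persists encrypted and the f:password form control renders masked, and a readResolve() migration re-encrypts configurations saved by the old version on their next save, as the entry above describes. The class and field names are hypothetical.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/** Hypothetical describable holding "extra variables" that are really secrets. */
public class ExampleExtraVars extends AbstractDescribableImpl<ExampleExtraVars> {

    // BEFORE: a plain String. XStream writes it verbatim into the job's config.xml, so
    // anyone with Item/Extended Read (or file-system access to the controller) can read
    // it, and a matching <f:textbox field="extraVars"/> in config.jelly shows it in clear.
    // Kept (deprecated, non-transient) only so that old config.xml files still load.
    @Deprecated
    private String extraVars;

    // AFTER: hudson.util.Secret. XStream stores it encrypted with the instance's key, and
    // the Jelly form uses <f:password field="extraVarsSecret"/>, which renders masked and
    // round-trips the encrypted value, so the plain text never appears in the page.
    private Secret extraVarsSecret;

    @DataBoundConstructor
    public ExampleExtraVars(Secret extraVarsSecret) {
        this.extraVarsSecret = extraVarsSecret;
    }

    public Secret getExtraVarsSecret() {
        return extraVarsSecret;
    }

    /** Decrypt only at the point of use, e.g. when building the process environment. */
    public String extraVarsPlainText() {
        return Secret.toString(extraVarsSecret);   // "" for null, otherwise the plain text
    }

    /** Called by XStream after a config.xml is loaded. Configurations written by the old
     *  version still carry the plain-text field; move it into the Secret so it is stored
     *  encrypted the next time the job is saved. */
    protected Object readResolve() {
        if (extraVars != null) {
            extraVarsSecret = Secret.fromString(extraVars);
            extraVars = null;   // null fields are omitted from config.xml on save
        }
        return this;
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<ExampleExtraVars> {
        @Override
        public String getDisplayName() {
            return "Example extra variables";
        }
    }
}
```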

Stored XSS vulnerability in TestNG Results Plugin

SECURITY-3047 / CVE-2023-32984
Severity (CVSS): High
Affected plugin: testng-plugin
Description:

TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin’s test information pages.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a crafted TestNG report file.

TestNG Results Plugin 730.732.v959a_3a_a_eb_a_72 escapes the affected values that are parsed from TestNG report files.

Path traversal vulnerability in Sidebar Link Plugin

SECURITY-3125 / CVE-2023-32985
Severity (CVSS): Medium
Affected plugin: sidebar-link
Description:

Sidebar Link Plugin allows specifying files in the userContent/ directory for use as link icons.

Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Sidebar Link Plugin 2.2.2 ensures that only files located within the expected userContent/ directory can be accessed.

Arbitrary file write vulnerability in File Parameter Plugin

SECURITY-3123 / CVE-2023-32986
Severity (CVSS): High
Affected plugin: file-parameters
Description:

File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters.

This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

File Parameter Plugin 285.287.v4b_7b_29d3469d restricts the name (and resulting uploaded file name) of Stashed File Parameters.

CSRF vulnerability in Reverse Proxy Auth Plugin

SECURITY-3002 / CVE-2023-32987
Severity (CVSS): Medium
Affected plugin: reverse-proxy-auth-plugin
Description:

Reverse Proxy Auth Plugin 1.7.4 and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

Reverse Proxy Auth Plugin 1.7.5 requires POST requests for the affected form validation method.

Missing permission check in Azure VM Agents Plugin allows enumerating credentials IDs

SECURITY-2855 (1) / CVE-2023-32988
Severity (CVSS): Medium
Affected plugin: azure-vm-agents
Description:

Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Azure VM Agents Plugin 853.v4a_1a_dd947520 requires Overall/Administer permission.

CSRF vulnerability and missing permission checks in Azure VM Agents Plugin

SECURITY-2855 (2) / CVE-2023-32989 (CSRF), CVE-2023-32990 (missing permission check)
Severity (CVSS): Medium
Affected plugin: azure-vm-agents
Description:

Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Azure VM Agents Plugin 853.v4a_1a_dd947520 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
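The two defects that recur in the LDAP, Reverse Proxy Auth, Email Extension and Azure VM Agents entries above (a form-validation or fill method reachable by GET, and no permission check before its side effect) and their fixes, as an added example that is not code from any of these plugins. The configuration class, the lookup helper and the endpoint names are hypothetical; the annotations and permission calls are the standard Jenkins/Stapler ones.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Arrays;
import java.util.List;

import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical global configuration page for a connector to some external server. */
@Extension
public class ExampleConnectorConfiguration extends GlobalConfiguration {

    // VULNERABLE: Stapler exposes every public doXxx method as an HTTP endpoint, and
    // nothing here checks who is asking or how.
    //  - no permission check: any Overall/Read user can make the controller connect to a
    //    URL of their choosing with credentials of their choosing
    //  - reachable via GET: a link or cross-site form triggers it with a victim's session
    //    (CSRF), because the Jenkins CSRF crumb is only enforced for POST requests
    public FormValidation doTestConnectionInsecure(@QueryParameter String url,
                                                   @QueryParameter String credentialsId) {
        return tryConnect(url, credentialsId);
    }

    // FIXED: @RequirePOST makes Stapler refuse anything but POST (so the crumb applies),
    // and checkPermission() throws AccessDeniedException (HTTP 403) before any side
    // effect. The permission must match what the form itself requires: Overall/Administer
    // for a global page, Item/Configure on the job for a job-level form.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(url, credentialsId);
    }

    // The credentials drop-down (the SECURITY-2855 (1) case): a fill method is an HTTP
    // endpoint too. Without the gate it lists every matching credentials ID to any
    // Overall/Read user; with it, unprivileged users only get back the value already
    // saved, so the form still renders but reveals nothing new.
    public ListBoxModel doFillCredentialsIdItems(@QueryParameter String credentialsId) {
        ListBoxModel model = new ListBoxModel();
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            if (credentialsId != null) {
                model.add(credentialsId);
            }
            return model;
        }
        model.add("");   // "none" choice
        for (String id : lookupCredentialIds()) {
            model.add(id);
        }
        return model;
    }

    // Hypothetical stand-in for a Credentials Plugin lookup; constructed values.
    private List<String> lookupCredentialIds() {
        return Arrays.asList("constructed-id-1", "constructed-id-2");
    }

    // The side effect both endpoints guard: an outbound connection from the controller.
    // credentialsId would be resolved to a username/password here; omitted in this example.
    private FormValidation tryConnect(String url, String credentialsId) {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            c.setConnectTimeout(5_000);
            c.setReadTimeout(5_000);
            c.setRequestMethod("HEAD");
            int status = c.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected (HTTP " + status + ")")
                                : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

The same two changes are what the Code Dx, AppSpider and Tag Profiler entries further down describe for their endpoints.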

CSRF vulnerability and missing permission checks in SAML Single Sign On(SSO) Plugin allow XXE

SECURITY-2993 / CVE-2023-32991 (CSRF), CVE-2023-32992 (missing permission check)
Severity (CVSS): High
Affected plugin: miniorange-saml-sp
Description:

SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform permission checks in multiple HTTP endpoints.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML.

As the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

SAML Single Sign On(SSO) Plugin 2.1.0 requires POST requests and Overall/Administer permission for the affected HTTP endpoints.

Missing hostname validation in SAML Single Sign On(SSO) Plugin

SECURITY-3001 (1) / CVE-2023-32993
Severity (CVSS): Medium
Affected plugin: miniorange-saml-sp
Description:

SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

SAML Single Sign On(SSO) Plugin 2.1.0 performs hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

SSL/TLS certificate validation unconditionally disabled by SAML Single Sign On(SSO) Plugin

SECURITY-3001 (2) / CVE-2023-32994
Severity (CVSS): Medium
Affected plugin: miniorange-saml-sp
Description:

SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

SAML Single Sign On(SSO) Plugin 2.2.0 performs SSL/TLS certificate validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

CSRF vulnerability and missing permission check in SAML Single Sign On(SSO) Plugin

SECURITY-2994 / CVE-2023-32995 (CSRF), CVE-2023-32996 (missing permission check)
Severity (CVSS): Medium
Affected plugin: miniorange-saml-sp
Description:

SAML Single Sign On(SSO) Plugin 2.0.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange’s API for sending emails.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

SAML Single Sign On(SSO) Plugin 2.0.1 removes the affected HTTP endpoint.

Session fixation vulnerability in CAS Plugin

SECURITY-3000 / CVE-2023-32997
Severity (CVSS): High
Affected plugin: cas-plugin
Description:

CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

CAS Plugin 1.6.3 invalidates the existing session on login.

CSRF vulnerability and missing permission checks in Code Dx Plugin

SECURITY-3118 / CVE-2023-2195 (CSRF), CVE-2023-2631 (missing permission check)
Severity (CVSS): Medium
Affected plugin: codedx
Description:

Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Missing permission checks in Code Dx Plugin

SECURITY-3145 / CVE-2023-2196
Severity (CVSS): Medium
Affected plugin: codedx
Description:

Code Dx Plugin 3.1.0 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.

Code Dx Plugin 4.0.0 requires Item/Configure permission for this form validation method and ensures that only files located within the workspace can be checked.

API keys stored and displayed in plain text by Code Dx Plugin

SECURITY-3146 / CVE-2023-2632 (storage), CVE-2023-2633 (masking)
Severity (CVSS): Medium
Affected plugin: codedx
Description:

Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

Code Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.

CSRF vulnerability and missing permission check in AppSpider Plugin

SECURITY-3121 / CVE-2023-32998 (CSRF), CVE-2023-32999 (missing permission check)
Severity (CVSS): Medium
Affected plugin: jenkinsci-appspider-plugin
Description:

AppSpider Plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

AppSpider Plugin 1.0.16 requires POST requests and Overall/Administer permission for the affected form validation method.

Credentials displayed without masking by NS-ND Integration Performance Publisher Plugin

SECURITY-2962 / CVE-2023-33000
Severity (CVSS): Low
Affected plugin: cavisson-ns-nd-integration
Description:

NS-ND Integration Performance Publisher Plugin stores credentials in job config.xml files on the Jenkins controller as part of its configuration.

While these credentials are stored encrypted on disk, in NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

NS-ND Integration Performance Publisher Plugin 4.11.0.48 masks credentials displayed on the configuration form.

Improper masking of credentials in HashiCorp Vault Plugin

SECURITY-3077 / CVE-2023-33001
Severity (CVSS): Medium
Affected plugin: hashicorp-vault-plugin
Description:

HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:

  • The credentials are printed in build steps executing on an agent (typically inside a node block).

  • Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.

An improvement in Credentials Binding 523.525.vb_72269281873 implements a workaround that applies build log masking even in affected plugins. This workaround is temporary and potentially incomplete, so it is still recommended that affected plugins be updated to resolve this issue.

Stored XSS vulnerability in TestComplete support Plugin

SECURITY-2892 / CVE-2023-33002
Severity (CVSS): High
Affected plugin: TestComplete
Description:

TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name in its test result page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CSRF vulnerability and missing permission checks in Tag Profiler Plugin

SECURITY-3083 / CVE-2023-33003 (CSRF), CVE-2023-33004 (missing permission check)
Severity (CVSS): Medium
Affected plugin: tag-profiler
Description:

Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to reset profiler statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Session fixation vulnerability in WSO2 Oauth Plugin

SECURITY-2991 / CVE-2023-33005
Severity (CVSS): High
Affected plugin: wso2id-oauth
Description:

WSO2 Oauth Plugin 1.0 and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

CSRF vulnerability in WSO2 Oauth Plugin

SECURITY-2990 / CVE-2023-33006
Severity (CVSS): Medium
Affected plugin: wso2id-oauth
Description:

WSO2 Oauth Plugin 1.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.
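The two login-flow controls whose absence the CAS Plugin and WSO2 Oauth Plugin entries describe (invalidating the pre-login session, and a per-request state value on the OAuth round trip), as an added example that is not code from either plugin. It is written against the plain Servlet API with hypothetical names; a real plugin would call this from its login and callback endpoints.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper for an OAuth-style login; no plugin's real classes are shown. */
public final class ExampleLoginFlow {

    private static final SecureRandom RNG = new SecureRandom();
    private static final String STATE_ATTR = "example.oauth.state";

    /** Step 1 (the CVE-2023-33006 class): mint an unguessable, single-use state, bind it to
     *  the browser's current session and send it to the authorization endpoint. */
    static String buildAuthorizeUrl(HttpServletRequest req, String authorizeEndpoint,
                                    String clientId, String redirectUri) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        req.getSession(true).setAttribute(STATE_ATTR, state);
        return authorizeEndpoint
                + "?response_type=code"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&state=" + enc(state);
    }

    /** Step 2: the callback must carry the state this session issued. A missing or foreign
     *  state means this browser did not start the login, which is exactly what an attacker
     *  needs in order to have a victim complete a login into the attacker's account. */
    static boolean consumeState(HttpServletRequest req, String returnedState) {
        HttpSession s = req.getSession(false);
        if (s == null || returnedState == null) {
            return false;
        }
        Object expected = s.getAttribute(STATE_ATTR);
        s.removeAttribute(STATE_ATTR);               // one use only, even on failure
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.toString().getBytes(StandardCharsets.UTF_8),
                                     returnedState.getBytes(StandardCharsets.UTF_8));
    }

    /** Step 3 (the CVE-2023-32997 / CVE-2023-33005 class): once the IdP has identified the
     *  user, discard the pre-authentication session and start a new one. The session ID
     *  that existed before login may have been planted in the browser by someone else
     *  (fixation); keeping it would let that someone act as the freshly logged-in user. */
    static HttpSession establishAuthenticatedSession(HttpServletRequest req, String userId) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);   // new ID, issued only now
        fresh.setAttribute("authenticatedUser", userId);
        return fresh;
    }

    private static String enc(String v) {
        return URLEncoder.encode(v, StandardCharsets.UTF_8);
    }
}
```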

Stored XSS vulnerability in LoadComplete support Plugin

SECURITY-2903 / CVE-2023-33007
Severity (CVSS): High
Affected plugin: loadcomplete
Description:

LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name in its test result page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Severity

  • SECURITY-2196: Medium
  • SECURITY-2855 (1): Medium
  • SECURITY-2855 (2): Medium
  • SECURITY-2892: High
  • SECURITY-2903: High
  • SECURITY-2962: Low
  • SECURITY-2990: Medium
  • SECURITY-2991: High
  • SECURITY-2993: High
  • SECURITY-2994: Medium
  • SECURITY-3000: High
  • SECURITY-3001 (1): Medium
  • SECURITY-3001 (2): Medium
  • SECURITY-3002: Medium
  • SECURITY-3017: Medium
  • SECURITY-3042: High
  • SECURITY-3046: Medium
  • SECURITY-3047: High
  • SECURITY-3077: Medium
  • SECURITY-3083: Medium
  • SECURITY-3088 (1): Medium
  • SECURITY-3088 (2): Medium
  • SECURITY-3118: Medium
  • SECURITY-3121: Medium
  • SECURITY-3123: High
  • SECURITY-3125: Medium
  • SECURITY-3145: Medium
  • SECURITY-3146: Medium

Affected Versions

  • Ansible Plugin up to and including 204.v8191fd551eb_f
  • AppSpider Plugin up to and including 1.0.15
  • Azure VM Agents Plugin up to and including 852.v8d35f0960a_43
  • CAS Plugin up to and including 1.6.2
  • Code Dx Plugin up to and including 3.1.0
  • Email Extension Plugin up to and including 2.96
  • File Parameter Plugin up to and including 285.v757c5b_67a_c25
  • HashiCorp Vault Plugin up to and including 360.v0a_1c04cf807d
  • LDAP Plugin up to and including 673.v034ec70ec2b_b_
  • LoadComplete support Plugin up to and including 1.0
  • NS-ND Integration Performance Publisher Plugin up to and including 4.8.0.149
  • Pipeline Utility Steps Plugin up to and including 2.15.2
  • Pipeline: Job Plugin up to and including 1292.v27d8cc3e2602
  • Reverse Proxy Auth Plugin up to and including 1.7.4
  • SAML Single Sign On(SSO) Plugin up to and including 2.0.2
  • SAML Single Sign On(SSO) Plugin up to and including 2.1.0
  • SAML Single Sign On(SSO) Plugin up to and including 2.0.0
  • Sidebar Link Plugin up to and including 2.2.1
  • Tag Profiler Plugin up to and including 0.2
  • TestComplete support Plugin up to and including 2.8.1
  • TestNG Results Plugin up to and including 730.v4c5283037693
  • WSO2 Oauth Plugin up to and including 1.0

Fix

  • Ansible Plugin should be updated to version 205.v4cb_c48657c21
  • AppSpider Plugin should be updated to version 1.0.16
  • Azure VM Agents Plugin should be updated to version 853.v4a_1a_dd947520
  • CAS Plugin should be updated to version 1.6.3
  • Code Dx Plugin should be updated to version 4.0.0
  • Email Extension Plugin should be updated to version 2.96.1
  • File Parameter Plugin should be updated to version 285.287.v4b_7b_29d3469d
  • LDAP Plugin should be updated to version 676.vfa_64cf6b_b_002
  • NS-ND Integration Performance Publisher Plugin should be updated to version 4.11.0.48
  • Pipeline Utility Steps Plugin should be updated to version 2.15.3
  • Pipeline: Job Plugin should be updated to version 1295.v395eb_7400005
  • Reverse Proxy Auth Plugin should be updated to version 1.7.5
  • SAML Single Sign On(SSO) Plugin should be updated to version 2.1.0
  • SAML Single Sign On(SSO) Plugin should be updated to version 2.2.0
  • SAML Single Sign On(SSO) Plugin should be updated to version 2.0.1
  • Sidebar Link Plugin should be updated to version 2.2.2
  • TestNG Results Plugin should be updated to version 730.732.v959a_3a_a_eb_a_72

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • HashiCorp Vault Plugin
  • LoadComplete support Plugin
  • Tag Profiler Plugin
  • TestComplete support Plugin
  • WSO2 Oauth Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Alvaro Muñoz (@pwntester), GitHub Security Lab for SECURITY-3118, SECURITY-3121
  • Daniel Beck, CloudBees, Inc. for SECURITY-2962
  • Kevin Guerroudj, CloudBees, Inc. for SECURITY-2990, SECURITY-2991, SECURITY-2994, SECURITY-3000, SECURITY-3017, SECURITY-3042, SECURITY-3046, SECURITY-3145
  • Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3002
  • Kevin Guerroudj, CloudBees, Inc. and, independently, Alvaro Muñoz (@pwntester), GitHub Security Lab for SECURITY-2993
  • Tony Torralba (@atorralba), GitHub Security Lab for SECURITY-3123, SECURITY-3125
  • Trung Pham, and, independently, Tony Torralba (@atorralba), GitHub Security Lab for SECURITY-2196
  • Valdes Che Zogou for SECURITY-3047
  • Valdes Che Zogou, CloudBees, Inc. for SECURITY-2855 (1), SECURITY-2855 (2), SECURITY-2892
  • Yaroslav Afenkin, CloudBees, Inc. for SECURITY-2903, SECURITY-3001 (1), SECURITY-3001 (2), SECURITY-3083, SECURITY-3146


CVE-2023-33001: Jenkins Security Advisory 2023-05-16

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

CVE-2023-33002: Jenkins Security Advisory 2023-05-16

Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2023-33007: Jenkins Security Advisory 2023-05-16

Jenkins LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2023-33004: Jenkins Security Advisory 2023-05-16

A missing permission check in Jenkins Tag Profiler Plugin 0.2 and earlier allows attackers with Overall/Read permission to reset profiler statistics.

CVE-2023-32996: Jenkins Security Advisory 2023-05-16

A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails.

CVE-2023-32977: Jenkins Security Advisory 2023-05-16

Jenkins Pipeline: Job Plugin 1292.v27d8cc3e2602 and earlier does not escape the display name of the build that caused an earlier build to be aborted, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set build display names immediately.

CVE-2023-32978: Jenkins Security Advisory 2023-05-16

A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin 673.v034ec70ec2b_b_ and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

CVE-2023-32979: Jenkins Security Advisory 2023-05-16

Jenkins Email Extension Plugin 2.96 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the `email-templates/` directory in the Jenkins home directory on the controller file system.

CVE-2023-32980: Jenkins Security Advisory 2023-05-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin 2.96 and earlier allows attackers to make another user stop watching an attacker-specified job.

CVE-2023-32981: Jenkins Security Advisory 2023-05-16

An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.

CVE-2023-32983: Jenkins Security Advisory 2023-05-16

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them.

CVE-2023-32984: Jenkins Security Advisory 2023-05-16

Jenkins TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a crafted TestNG report file.

CVE-2023-32985: Jenkins Security Advisory 2023-05-16

Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

CVE-2023-32986: Jenkins Security Advisory 2023-05-16

Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

CVE-2023-32987: Jenkins Security Advisory 2023-05-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Reverse Proxy Auth Plugin 1.7.4 and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.
