Headline
CVE-2021-43578: Jenkins Security Advisory 2021-11-12
Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Active Choices Plugin
- OWASP Dependency-Check Plugin
- Performance Plugin
- pom2config Plugin
- Scriptler Plugin
- Squash TM Publisher (Squash4Jenkins) Plugin
Descriptions****Stored XSS vulnerability in Active Choices Plugin
SECURITY-2219 / CVE-2021-21699
Severity (CVSS): High
Affected plugin: uno-choice
Description:
Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Active Choices Plugin 2.5.7 escapes references to parameter names.
Stored XSS vulnerability in Scriptler Plugin
SECURITY-2406 / CVE-2021-21700
Severity (CVSS): High
Affected plugin: scriptler
Description:
Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.
Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.
XXE vulnerability in Performance Plugin
SECURITY-2394 / CVE-2021-21701
Severity (CVSS): High
Affected plugin: performance
Description:
Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
XXE vulnerability in pom2config Plugin
SECURITY-2415 / CVE-2021-43576
Severity (CVSS): High
Affected plugin: pom2config
Description:
pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
XXE vulnerability in OWASP Dependency-Check Plugin
SECURITY-2488 / CVE-2021-43577
Severity (CVSS): High
Affected plugin: dependency-check-jenkins-plugin
Description:
OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control workspace contents to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
Agent-to-controller security bypass in Squash TM Publisher (Squash4Jenkins) Plugin allows writing arbitrary files
SECURITY-2525 / CVE-2021-43578
Severity (CVSS): High
Affected plugin: squashtm-publisher
Description:
Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input.
This allows attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.
As of publication of this advisory, there is no fix.
Severity
- SECURITY-2219: High
- SECURITY-2394: High
- SECURITY-2406: High
- SECURITY-2415: High
- SECURITY-2488: High
- SECURITY-2525: High
Affected Versions
- Active Choices Plugin up to and including 2.5.6
- OWASP Dependency-Check Plugin up to and including 5.1.1
- Performance Plugin up to and including 3.20
- pom2config Plugin up to and including 1.2
- Scriptler Plugin up to and including 3.3
- Squash TM Publisher (Squash4Jenkins) Plugin up to and including 1.0.0
Fix
- Active Choices Plugin should be updated to version 2.5.7
- Scriptler Plugin should be updated to version 3.4
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
- OWASP Dependency-Check Plugin
- Performance Plugin
- pom2config Plugin
- Squash TM Publisher (Squash4Jenkins) Plugin
Learn why we announce these issues.
Credit
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
- Adith Sudhakar working with Trend Micro Zero Day Initiative for SECURITY-2394, SECURITY-2415
- Daniel Beck, CloudBees, Inc. for SECURITY-2525
- Guy Lederfein of Trend Micro for SECURITY-2406
- Kevin Guerroudj, and, independently, Audrey Prieur of Trend Micro for SECURITY-2219
- haby0 (Duxiaoman Financial Security Team) for SECURITY-2488
Related news
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by exploitable by attackers able to create Scriptler scripts.
Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.