Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-49653: Jenkins Security Advisory 2023-11-29

Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

CVE
#csrf#vulnerability#google#ssrf#jira

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Google Compute Engine Plugin
  • Jira Plugin
  • MATLAB Plugin
  • NeuVector Vulnerability Scanner Plugin

Descriptions****Exposure of system-scoped credentials in Jira Plugin

SECURITY-3225 / CVE-2023-49653
Severity (CVSS): Medium
Affected plugin: jira
Description:

Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Jira Plugin 3.12 defines the appropriate context for credentials lookup.

Incorrect permission checks in Google Compute Engine Plugin

SECURITY-2835 / CVE-2023-49652
Severity (CVSS): Medium
Affected plugin: google-compute-engine
Description:

Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to do the following:

  • Enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

  • Connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects.

Google Compute Engine Plugin 4.551.v5a_4dc98f6962 requires Overall/Administer permission for the affected HTTP endpoints.

CSRF vulnerabilities and missing permission checks in MATLAB Plugin allow XXE

SECURITY-3193 / CVE-2023-49654 (permission checks), CVE-2023-49655 (CSRF), CVE-2023-49656 (XXE)
Severity (CVSS): High
Affected plugin: matlab
Description:

MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory.

MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to create files on the Jenkins controller file system to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

MATLAB Plugin 2.11.1 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Item/Configure permission are required for the affected HTTP endpoints.

CSRF vulnerability and missing permission checks in NeuVector Vulnerability Scanner Plugin

SECURITY-3256 / CVE-2023-49673 (CSRF), CVE-2023-49674 (missing permission check)
Severity (CVSS): Medium
Affected plugin: neuvector-vulnerability-scanner
Description:

NeuVector Vulnerability Scanner Plugin 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NeuVector Vulnerability Scanner Plugin 2.2 requires POST requests and Overall/Administer permission for the affected HTTP endpoint.

Severity

  • SECURITY-2835: Medium
  • SECURITY-3193: High
  • SECURITY-3225: Medium
  • SECURITY-3256: Medium

Affected Versions

  • Google Compute Engine Plugin up to and including 4.550.vb_327fca_3db_11
  • Jira Plugin up to and including 3.11
  • MATLAB Plugin up to and including 2.11.0
  • NeuVector Vulnerability Scanner Plugin up to and including 1.22

Fix

  • Google Compute Engine Plugin should be updated to version 4.551.v5a_4dc98f6962
  • Jira Plugin should be updated to version 3.12
  • MATLAB Plugin should be updated to version 2.11.1
  • NeuVector Vulnerability Scanner Plugin should be updated to version 2.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Andrea Chiera, CloudBees, Inc. for SECURITY-3193, SECURITY-3225
  • James Nord, CloudBees, Inc. for SECURITY-2835
  • Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3256

Related news

GHSA-cv4x-9f34-8rp9: Jenkins MATLAB Plugin missing permission checks

Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to create files on the Jenkins controller file system to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. MATLAB Plugin 2.11.1 configures its XML parser to prevent XML external entity (XXE) attacks. Additionally, POST requests and Item/Configure permission are required for the affected HTTP endpoints.

GHSA-wpfc-r5qq-7r7p: Jenkins NeuVector Vulnerability Scanner Plugin Cross-Site Request Forgery vulnerability

Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. NeuVector Vulnerability Scanner Plugin 2.2 requires POST requests and Overall/Administer permission for the affected HTTP endpoint.

GHSA-qmhq-876f-cr65: Jenkins Jira Plugin vulnerable to exposure of system-scoped credentials

Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to. Jira Plugin 3.12 defines the appropriate context for credentials lookup.

GHSA-pgpj-83g3-mfr2: Jenkins Google Compute Engine Plugin has incorrect permission checks

Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to do the following: - Enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. - Connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. Google Compute Engine Plugin 4.551.v5a_4dc98f6962 requires Overall/Administer permission for the affected HTTP endpoints.

GHSA-82q9-88m2-4v68: Jenkins MATLAB Plugin XML External Entity vulnerability

Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to create files on the Jenkins controller file system to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. MATLAB Plugin 2.11.1 configures its XML parser to prevent XML external entity (XXE) attacks. Additionally, POST requests and Item/Configure permission are required for the affected HTTP endpoints.

GHSA-9f5g-rgcr-8grw: Jenkins MATLAB Plugin cross-site request forgery vulnerability

Jenkins MATLAB Plugin determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. MATLAB Plugin 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to create files on the Jenkins controller file system to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. MATLAB Plugin 2.11.1 configures its XML parser to prevent XML external entity (XXE) attacks. Additionally, POST requests and Item/Configure permission are required for the affected HTTP endpoints.

GHSA-ph87-4x2g-6hp4: Jenkins NeuVector Vulnerability Scanner Plugin missing permission check

Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. NeuVector Vulnerability Scanner Plugin 2.2 requires POST requests and Overall/Administer permission for the affected HTTP endpoint.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907