CVE-2023-50775: Jenkins Security Advisory 2023-12-13
A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to copy jobs.
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Analysis Model API Plugin
- Deployment Dashboard Plugin
- Dingding JSON Pusher Plugin
- HTMLResource Plugin
- Nexus Platform Plugin
- OpenId Connect Authentication Plugin
- PaaSLane Estimate Plugin
- Scriptler Plugin
Descriptions
DoS vulnerability in Analysis Model API Plugin
SECURITY-3327 / CVE-2023-5072
Severity (CVSS): Medium
Affected plugin: analysis-model-api
Description:
Analysis Model API Plugin 11.11.0 and earlier bundles versions of JSON-Java vulnerable to CVE-2023-5072.
This may allow attackers able to control input to cause a Denial of Service (DoS) by parsing a crafted JSON document.
As of publication, Synopsys Rapid Scan Static is the only plugin the Jenkins security team is aware of whose report parser is potentially affected.
Analysis Model API Plugin 11.13.0 updates JSON-Java to version 20231013, which is unaffected by this issue.
Arbitrary file deletion vulnerability in Scriptler Plugin
SECURITY-3205 / CVE-2023-50764
Severity (CVSS): High
Affected plugin: scriptler
Description:
Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint.
This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.
Scriptler Plugin 344.v5a_ddb_5f9e685 ensures that the file being deleted is located in the expected directory.
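The fix described above is a containment check: whatever name arrives in the query parameter must resolve to a file inside the script directory before anything is deleted. The following is an added example of such a check written against java.nio.file; it is not Scriptler's code, and the class, field and method names are hypothetical. The sample inputs in main are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/*
 * Added example, not Scriptler's own code: confine a caller-supplied file name to a single
 * directory before deleting anything. ConfinedDelete, baseDir and the method names are
 * hypothetical; the containment logic is the point.
 */
public final class ConfinedDelete {

    private final Path baseDir;

    public ConfinedDelete(Path baseDir) throws IOException {
        // Canonicalize once (follows symlinks) so every later comparison uses the real location.
        this.baseDir = baseDir.toRealPath();
    }

    /** Resolves {@code name} inside baseDir, or throws if it would point anywhere else. */
    Path resolveInside(String name) {
        // Only a plain file name is acceptable: no separators of either flavour, no NUL bytes.
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0
                || name.indexOf('/') >= 0 || name.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("script name must be a plain file name");
        }
        Path target = baseDir.resolve(name).normalize();
        // "." normalizes to baseDir itself and ".." to its parent; both fail this test,
        // and so does anything else that normalization moves out of the directory.
        if (!target.startsWith(baseDir) || target.equals(baseDir)) {
            throw new IllegalArgumentException("script outside of script directory");
        }
        return target;
    }

    /** Deletes the named script; returns false if no such file existed. */
    public boolean delete(String name) throws IOException {
        // deleteIfExists removes a symlink itself rather than following it, so a link planted
        // in the directory cannot redirect the delete elsewhere.
        return Files.deleteIfExists(resolveInside(name));
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("scripts");
        Files.writeString(dir.resolve("hello.groovy"), "println 'hi'");
        ConfinedDelete cd = new ConfinedDelete(dir);
        // Constructed inputs: one legitimate name and four traversal attempts.
        String[] samples = {"hello.groovy", "../../../etc/passwd", "..", "/etc/passwd", "a\\..\\b"};
        for (String n : samples) {
            try {
                System.out.println(n + " -> deleted=" + cd.delete(n));
            } catch (IllegalArgumentException e) {
                System.out.println(n + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Two layers are deliberate: the separator check rejects the obvious inputs with a clear message, and the normalize/startsWith test backstops anything the first layer did not anticipate. If the same resolver is later reused for reading or writing scripts, add a `toRealPath()` comparison on the target as well, since those operations do follow symlinks.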
Missing permission check in Scriptler Plugin
SECURITY-3206 / CVE-2023-50765
Severity (CVSS): Medium
Affected plugin: scriptler
Description:
Scriptler Plugin 342.v6a_89fd40f466 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.
Scriptler Plugin 344.v5a_ddb_5f9e685 requires the appropriate permission to read the contents of a Groovy script.
CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow XXE
SECURITY-3204 / CVE-2023-50766 (CSRF), CVE-2023-50767 (missing permission check)
Severity (CVSS): High
Affected plugin: nexus-jenkins-plugin
Description:
Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.
Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, so attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Nexus Platform Plugin 3.18.1-01 configures its XML parser to prevent XML external entity (XXE) attacks.
Additionally, POST requests and Overall/Administer permission are required for the affected HTTP endpoints.
Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.
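The XXE half of this issue comes from parsing an untrusted response with a JAXP parser left at its defaults, which honour a DOCTYPE and resolve external entities. As an added example (not the plugin's code), here is the default configuration next to a hardened one; the class and method names are hypothetical and the XML document in main is a constructed sample of what a malicious server could return.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/* Added example, not code from Nexus Platform Plugin. SafeXml and its methods are hypothetical. */
public final class SafeXml {

    /** Vulnerable shape: default JAXP settings process the DOCTYPE and fetch external entities. */
    static Document parseUnsafe(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    /** Hardened shape: no DOCTYPE at all, so neither external nor internal entities are processed. */
    static Document parseSafe(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The one setting that matters most: any <!DOCTYPE ...> aborts the parse.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the line above is ever relaxed for a format that needs a DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: empty string means no protocol may be used to fetch external resources.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Even if a DOCTYPE slipped through, never fetch anything for it.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an external entity pointing at a local file on the controller.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY leak SYSTEM \"file:///etc/hostname\">]>\n"
                + "<r>&leak;</r>";
        try {
            parseSafe(xxe);
            System.out.println("unexpected: document accepted");
        } catch (SAXException e) {
            System.out.println("rejected at the DOCTYPE: " + e.getMessage());
        }
    }
}
```

With the hardened factory the sample is rejected before the entity is ever looked at; with the default factory the same document would make the controller read the named file and place its contents in the element text, which is the extraction path the advisory describes. The `setAttribute` calls for the JAXP 1.5 properties are honoured by the JDK's built-in parser; a third-party implementation may throw IllegalArgumentException on them, which is worth catching and treating as a hard failure rather than silently continuing.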
CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow capturing credentials
SECURITY-3203 / CVE-2023-50768 (CSRF), CVE-2023-50769 (missing permission check)
Severity (CVSS): Medium
Affected plugin: nexus-jenkins-plugin
Description:
Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Nexus Platform Plugin 3.18.1-01 requires POST requests and Overall/Administer permission for the affected form validation methods.
Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.
Password stored in a recoverable format by OpenId Connect Authentication Plugin
SECURITY-3168 / CVE-2023-50770
Severity (CVSS): Medium
Affected plugin: oic-auth
Description:
OpenId Connect Authentication Plugin provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins.
In OpenId Connect Authentication Plugin 2.6 and earlier the password to that account is stored in a recoverable format.
This allows attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.
Open redirect vulnerability in OpenId Connect Authentication Plugin
SECURITY-2979 / CVE-2023-50771
Severity (CVSS): Medium
Affected plugin: oic-auth
Description:
OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.
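The defect is in deciding whether a post-login redirect target still points at this Jenkins instance. As an added example (not the plugin's code), the following accepts only rooted, relative references and falls back to the Jenkins root URL otherwise; the class and method names are hypothetical and the sample targets in main are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

/*
 * Added example, not code from OpenId Connect Authentication Plugin: decide whether a
 * post-login redirect parameter may be honoured. RedirectTarget and its methods are hypothetical.
 */
public final class RedirectTarget {

    /** True only for rooted, same-origin, relative references such as "/job/x/". */
    public static boolean isSafe(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Browsers treat backslashes as slashes and tolerate control characters that
        // java.net.URI would reject or misread, so refuse them before parsing.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c <= 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        // A scheme ("https:", "javascript:") or an authority ("//evil.example") means the
        // browser would leave this origin after login.
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.getRawPath();
        return path != null && path.startsWith("/") && !path.startsWith("//");
    }

    /** Honour the requested target only when it is safe; otherwise go to the Jenkins root. */
    public static String chooseRedirect(String requested, String jenkinsRootUrl) {
        return isSafe(requested) ? requested : jenkinsRootUrl;
    }

    public static void main(String[] args) {
        // Constructed samples: the first and last are legitimate, the others are phishing shapes.
        String[] samples = {"/job/build/", "//evil.example/", "https://evil.example/",
                "javascript:alert(1)", "/\\evil.example", "/job/x?from=//evil"};
        for (String s : samples) {
            System.out.println(s + " -> safe=" + isSafe(s));
        }
    }
}
```

Two refinements a deployment may want: when Jenkins runs under a context path such as /jenkins, require the path to start with that prefix rather than a bare "/", and keep the allow-list approach rather than trying to enumerate bad prefixes, since new browser URL quirks appear regularly and this check only ever needs to recognise the one shape it wants.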
Tokens stored and displayed in plain text by Dingding JSON Pusher Plugin
SECURITY-3184 / CVE-2023-50772 (storage), CVE-2023-50773 (masking)
Severity (CVSS): Medium
Affected plugin: dingding-json-pusher
Description:
Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.
CSRF vulnerability in HTMLResource Plugin allows deleting arbitrary files
SECURITY-3183 / CVE-2023-50774
Severity (CVSS): High
Affected plugin: htmlresource
Description:
HTMLResource Plugin 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system.
CSRF vulnerability in Deployment Dashboard Plugin
SECURITY-3092 / CVE-2023-50775
Severity (CVSS): Medium
Affected plugin: ec2-deployment-dashboard
Description:
Deployment Dashboard Plugin 1.0.10 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to copy jobs.
Tokens stored and displayed in plain text by PaaSLane Estimate Plugin
SECURITY-3182 / CVE-2023-50776 (storage), CVE-2023-50777 (masking)
Severity (CVSS): Medium
Affected plugin: paaslane-estimate
Description:
PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.
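Both the Dingding JSON Pusher and PaaSLane Estimate findings have the same root cause: a token held as a String is written to config.xml verbatim and rendered back into the form unmasked. The standard Jenkins remedy is `hudson.util.Secret`, which XStream persists encrypted and which pairs with the password form control. As an added example (not code from either plugin), here is a build step that stores its token as a Secret and migrates a pre-existing plain-text field on load; the class and field names are hypothetical.

```java
import hudson.Extension;
import hudson.Launcher;
import hudson.model.AbstractBuild;
import hudson.model.AbstractProject;
import hudson.model.BuildListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import java.io.IOException;
import org.kohsuke.stapler.DataBoundConstructor;

/*
 * Added example, not code from the Dingding JSON Pusher or PaaSLane Estimate plugins.
 * ExampleTokenStep and the field names are hypothetical.
 */
public class ExampleTokenStep extends Builder {

    // Old shape: a String lands in the job's config.xml in clear text. Kept only so that
    // existing configurations still deserialize; readResolve() empties it, and XStream omits
    // null fields, so the plain-text copy disappears the next time the job is saved.
    @Deprecated
    private String accessToken;

    // New shape: Secret is persisted as an encrypted string and compared by value.
    private Secret apiToken;

    @DataBoundConstructor
    public ExampleTokenStep(Secret apiToken) {
        this.apiToken = apiToken;
    }

    public Secret getApiToken() {
        return apiToken;
    }

    /** Invoked by XStream after config.xml is read; converts a legacy plain-text token. */
    protected Object readResolve() {
        if (apiToken == null && accessToken != null && !accessToken.isEmpty()) {
            apiToken = Secret.fromString(accessToken);
            accessToken = null;
        }
        return this;
    }

    @Override
    public boolean perform(AbstractBuild<?, ?> build, Launcher launcher, BuildListener listener)
            throws InterruptedException, IOException {
        // Decrypt only at the point of use, and never log or echo the result.
        String token = Secret.toString(apiToken);
        // ... pass token to the outbound HTTP client here ...
        listener.getLogger().println("token configured: " + !token.isEmpty());
        return true;
    }

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example token step";
        }
    }
}
```

The matching config.jelly entry uses the password control, `<f:entry title="API token" field="apiToken"><f:password/></f:entry>`, which both masks the value on screen and submits it in the form Secret's data-binding expects. Storing the token as a Secret addresses the file-system and Item/Extended Read exposure; switching the form control addresses the masking half of the finding.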
CSRF vulnerability and missing permission checks in PaaSLane Estimate Plugin
SECURITY-3179 / CVE-2023-50778 (CSRF), CVE-2023-50779 (missing permission check)
Severity (CVSS): Medium
Affected plugin: paaslane-estimate
Description:
PaaSLane Estimate Plugin 1.0.4 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
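SECURITY-3204, SECURITY-3203 and SECURITY-3179 share one pattern: a form validation method that neither checks a permission nor insists on POST, so any Overall/Read user, or any logged-in browser via CSRF, can make the controller connect wherever the request says. As an added example (not code from Nexus Platform Plugin or PaaSLane Estimate Plugin), here is that shape next to the fixed one, using the Stapler and Jenkins core APIs the fixes rely on; the class and field names are hypothetical.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import java.net.URI;
import java.net.URISyntaxException;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/*
 * Added example, not code from any plugin named in this advisory. ExampleServerConfig and
 * its field/method names are hypothetical. Both do* methods become HTTP endpoints under
 * .../descriptorByName/<fully qualified class name>/ once the class is an @Extension.
 */
@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    private String serverUrl;

    public String getServerUrl() {
        return serverUrl;
    }

    // Shape of the defect: reachable by GET, no permission check. An Overall/Read user, or a
    // cross-site page in a logged-in user's browser, can point the controller at any URL.
    public FormValidation doCheckServerUrlUnsafe(@QueryParameter String value) {
        return connectAndValidate(value);
    }

    // Fixed shape: @POST rejects other methods (so the CSRF crumb is enforced), and the caller
    // must hold Overall/Administer, the permission needed to change this setting anyway.
    @POST
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connectAndValidate(value);
    }

    private static FormValidation connectAndValidate(String value) {
        URI uri;
        try {
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return FormValidation.error("Not a valid URL");
        }
        String scheme = uri.getScheme();
        if (!"https".equals(scheme) && !"http".equals(scheme)) {
            return FormValidation.error("Only http(s) URLs are supported");
        }
        // The plugin would open a connection to uri here and inspect the response.
        return FormValidation.ok();
    }
}
```

Two details make the fix complete in practice. The Jelly control must send its live validation call as POST, `<f:textbox field="serverUrl" checkMethod="post"/>`, or the UI check will simply stop working once `@POST` is in place. And `org.kohsuke.stapler.verb.POST` is the right annotation for form validation methods; `@RequirePOST` is meant for endpoints a user navigates to directly, since it responds to a GET with a page offering to resubmit. Where the validation also takes a credentials ID, the same permission requirement is what prevents the credential-capture variant in SECURITY-3203: only someone who may already read and change the configuration can trigger a connection with those credentials.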
Severity
- SECURITY-2979: Medium
- SECURITY-3092: Medium
- SECURITY-3168: Medium
- SECURITY-3179: Medium
- SECURITY-3182: Medium
- SECURITY-3183: High
- SECURITY-3184: Medium
- SECURITY-3203: Medium
- SECURITY-3204: High
- SECURITY-3205: High
- SECURITY-3206: Medium
- SECURITY-3327: Medium
Affected Versions
- Analysis Model API Plugin up to and including 11.11.0
- Deployment Dashboard Plugin up to and including 1.0.10
- Dingding JSON Pusher Plugin up to and including 2.0
- HTMLResource Plugin up to and including 1.02
- Nexus Platform Plugin up to and including 3.18.0-03
- OpenId Connect Authentication Plugin up to and including 2.6
- PaaSLane Estimate Plugin up to and including 1.0.4
- Scriptler Plugin up to and including 342.v6a_89fd40f466
Fix
- Analysis Model API Plugin should be updated to version 11.13.0
- Nexus Platform Plugin should be updated to version 3.18.1-01
- Scriptler Plugin should be updated to version 344.v5a_ddb_5f9e685
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
- Deployment Dashboard Plugin
- Dingding JSON Pusher Plugin
- HTMLResource Plugin
- OpenId Connect Authentication Plugin
- PaaSLane Estimate Plugin
Credit
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
- Andrea Chiera, CloudBees, Inc. for SECURITY-3179, SECURITY-3182, SECURITY-3183, SECURITY-3184, SECURITY-3203, SECURITY-3204, SECURITY-3205, SECURITY-3206
- Kevin Guerroudj, CloudBees, Inc. for SECURITY-2979, SECURITY-3092
- Steve Marlowe of Cisco ASIG for SECURITY-3168