Headline
CVE-2023-46650: security - Multiple vulnerabilities in Jenkins plugins
Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
- Products
- Openwall GNU/*/Linux server OS
- Linux Kernel Runtime Guard
- John the Ripper password cracker
- Free & Open Source for any platform
- in the cloud
- Pro for Linux
- Pro for macOS
- Wordlists for password cracking
- passwdqc policy enforcement
- Free & Open Source for Unix
- Pro for Windows (Active Directory)
- yescrypt KDF & password hashing
- yespower Proof-of-Work (PoW)
- crypt_blowfish password hashing
- phpass ditto in PHP
- tcb better password shadowing
- Pluggable Authentication Modules
- scanlogd port scan detector
- popa3d tiny POP3 daemon
- blists web interface to mailing lists
- msulogin single user mode login
- php_mt_seed mt_rand() cracker
- Services
- Publications
- Articles
- Presentations
- Resources
- Mailing lists
- Community wiki
- Source code repositories (GitHub)
- Source code repositories (CVSweb)
- File archive & mirrors
- How to verify digital signatures
- OVE IDs
- What’s new
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 25 Oct 2023 15:27:24 +0200 From: Daniel Beck <ml@…kweb.net> To: oss-security@…ts.openwall.com Subject: Multiple vulnerabilities in Jenkins plugins
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.
The following releases contain fixes for security vulnerabilities:
* CloudBees CD Plugin 1.1.33 * GitHub Plugin 1.37.3.1 * lambdatest-automation Plugin 1.20.10 and 1.21.0 * Warnings Plugin 10.5.1
Additionally, we announce unresolved security issues in the following plugins:
* Edgewall Trac Plugin * Gogs Plugin * MSTeams Webhook Trigger Plugin * Multibranch Scan Webhook Trigger Plugin * Zanata Plugin
Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here: https://www.jenkins.io/security/advisory/2023-10-25/
We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories
If you discover security vulnerabilities in Jenkins, please report them as described here: https://www.jenkins.io/security/#reporting-vulnerabilities
SECURITY-3246 / CVE-2023-46650 GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
SECURITY-3265 / CVE-2023-46651 Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration.
This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.
SECURITY-3222 / CVE-2023-46652 lambdatest-automation Plugin 1.20.9 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
SECURITY-3202 / CVE-2023-46653 lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level.
This can result in accidental exposure of the token through the default system log.
SECURITY-3237 / CVE-2023-46654 In CloudBees CD Plugin, artifacts that were previously copied from an agent to the controller are deleted after publishing by the ‘CloudBees CD - Publish Artifact’ post-build step.
CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during this cleanup process.
This allows attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
SECURITY-3238 / CVE-2023-46655 CloudBees CD Plugin temporarily copies files from an agent workspace to the controller in preparation for publishing them in the ‘CloudBees CD - Publish Artifact’ post-build step.
CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the temporary directory on the controller when collecting the list of files to publish.
This allows attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.
SECURITY-2875 / CVE-2023-46656 Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
As of publication of this advisory, there is no fix.
SECURITY-2896 / CVE-2023-46657 Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
As of publication of this advisory, there is no fix.
SECURITY-2876 / CVE-2023-46658 MSTeams Webhook Trigger Plugin 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
As of publication of this advisory, there is no fix.
SECURITY-3247 / CVE-2023-46659 Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix.
SECURITY-2879 / CVE-2023-46660 Zanata Plugin 0.6 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token hashes are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
As of publication of this advisory, there is no fix.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.
Related news
Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. This fix has been backported to 10.4.1.
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the `CloudBees CD - Publish Artifact` post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.
Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac website URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.