CVE-2023-39156: Jenkins Security Advisory 2023-07-26
A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags.
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Jenkins (core)
- Bazaar Plugin
- Chef Identity Plugin
- GitLab Authentication Plugin
- Gradle Plugin
- Qualys Web App Scanning Connector Plugin
- ServiceNow DevOps Plugin
Descriptions
Stored XSS vulnerability
SECURITY-3188 / CVE-2023-39151
Severity (CVSS): High
Description:
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks.
Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.
Jenkins 2.416, LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.
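As an added illustration (not Jenkins' own UrlAnnotator code), a minimal Java model of a build-log hyperlink annotator showing the unencoded href beside the attribute-encoded form the fix describes; the class name, the URL regex and the sample log line are constructed for this example.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical model of a build-log hyperlink annotator; not Jenkins' UrlAnnotator. */
public final class LogUrlAnnotator {
    // Rough URL matcher for the example: http(s) scheme up to the next whitespace.
    private static final Pattern URL = Pattern.compile("https?://\\S+");

    /** Minimal HTML/attribute encoder used for both text nodes and the href value. */
    static String encode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Turns URLs in one log line into anchors. Text nodes are encoded either way.
     *  encodeHref=false is the pre-2.416 shape: the raw URL is spliced into the href
     *  attribute, so a quote or angle bracket in a log line lands in live HTML.
     *  encodeHref=true is the fixed shape (2.416 / LTS 2.401.3): the href is encoded too. */
    public static String annotate(String logLine, boolean encodeHref) {
        Matcher m = URL.matcher(logLine);
        StringBuilder sb = new StringBuilder();
        int last = 0;
        while (m.find()) {
            sb.append(encode(logLine.substring(last, m.start())));
            String url = m.group();
            String href = encodeHref ? encode(url) : url;
            sb.append("<a href=\"").append(href).append("\">").append(encode(url)).append("</a>");
            last = m.end();
        }
        sb.append(encode(logLine.substring(last)));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed log line with a double quote inside the URL: log content the advisory says attackers can control.
        String line = "Fetching https://example.invalid/build?id=1\"x done";
        System.out.println(annotate(line, false)); // the quote terminates the href attribute early
        System.out.println(annotate(line, true));  // the quote is rendered as &quot; and stays inert
    }
}
```

The same distinction applies to any annotator that adds markup around log text: escaping the visible text is not enough if a value is also copied into an attribute.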
Incorrect control flow in Gradle Plugin breaks credentials masking in the build log
SECURITY-3208 / CVE-2023-39152
Severity (CVSS): Medium
Affected plugin: gradle
Description:
Gradle Plugin 2.8 improperly invokes APIs available only on the controller from an agent when setting up build log annotations, causing an exception.
As a result, credentials may not be masked (i.e., replaced with asterisks) in the build log in some circumstances.
Gradle Plugin 2.8.1 improves the control flow and handles the exception, so that credentials masking is not affected.
An improvement in Pipeline: API 1232.v1679fa_2f0f76 prevents issues like this from affecting credentials masking in the future. As of the publication of this advisory, the Jenkins security team is not aware of other plugins with a similar issue.
CSRF vulnerability in GitLab Authentication Plugin
SECURITY-2696 / CVE-2023-39153
Severity (CVSS): Medium
Affected plugin: gitlab-oauth
Description:
GitLab Authentication Plugin 1.17.1 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.
This vulnerability allows attackers to trick users into logging in to the attacker’s account.
GitLab Authentication Plugin 1.18 implements a state parameter in its OAuth flow.
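An added example (not the plugin's code) of the state check that 1.18 introduces: the state is minted per authentication request, bound to the browser session, sent on the authorization redirect, and verified once on the callback. The class, method and session attribute names are hypothetical, and javax.servlet's HttpSession stands in for whatever session object the plugin uses.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;

/** Hypothetical helper showing the state check the 1.18 fix describes; not the plugin's code. */
public final class OAuthStateGuard {
    private static final String SESSION_KEY = "example.oauth.state"; // assumed attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Step 1: mint an unguessable state, bind it to this browser's session, and put it
     *  on the authorization redirect so the provider echoes it back on the callback. */
    public static String buildAuthorizeUrl(HttpSession session, String authorizeEndpoint,
                                           String clientId, String redirectUri) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_KEY, state);
        return authorizeEndpoint
                + "?response_type=code"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&state=" + enc(state);
    }

    /** Step 2 (callback): accept the returned code only if the echoed state is the one
     *  bound to this session. Without this check a callback carrying someone else's
     *  code is accepted, and the user ends up logged in to that other account. */
    public static boolean stateIsValid(HttpSession session, String returnedState) {
        Object expected = session.getAttribute(SESSION_KEY);
        session.removeAttribute(SESSION_KEY);   // single use: a replayed callback fails
        if (!(expected instanceof String) || returnedState == null) {
            return false;                       // a missing state is a failure, not a pass
        }
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8); // Java 10+ overload
    }
}
```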
CSRF vulnerability and missing permission check in ServiceNow DevOps Plugin allow capturing credentials
SECURITY-3129 / CVE-2023-3414 (CSRF), CVE-2023-3442 (missing permission check)
Severity (CVSS): Medium
Affected plugin: servicenow-devops
Description:
ServiceNow DevOps Plugin 1.38.0 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
ServiceNow DevOps Plugin 1.38.1 requires POST requests and Overall/Administer permission for the affected form validation method.
Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials
SECURITY-3012 / CVE-2023-39154
Severity (CVSS): Medium
Affected plugin: qualys-was
Description:
Qualys Web App Scanning Connector Plugin 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Qualys Web App Scanning Connector Plugin 2.0.11 requires the appropriate permissions for the affected HTTP endpoints.
Secret displayed without masking by Chef Identity Plugin
SECURITY-3192 / CVE-2023-39155
Severity (CVSS): Low
Affected plugin: chef-identity
Description:
Chef Identity Plugin stores the user.pem key in its global configuration file io.chef.jenkins.ChefIdentityBuildWrapper.xml on the Jenkins controller as part of its configuration.
While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.
CSRF vulnerability in Bazaar Plugin
SECURITY-3095 / CVE-2023-39156
Severity (CVSS): Medium
Affected plugin: bazaar
Description:
Bazaar Plugin 1.22 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to delete previously created Bazaar SCM tags.
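The ServiceNow DevOps, Qualys Web App Scanning Connector and Bazaar entries above share one fix shape: the Stapler endpoint must accept POST only and check the caller's permission before acting. As an added example (not any of these plugins' code), a hypothetical descriptor fragment shows the unchecked form-validation method beside the hardened one; ExampleClient.connect() and the method names are assumed, while the Stapler, Jenkins and Credentials Plugin APIs used are real.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical descriptor fragment; ExampleClient and its connect() are assumed, not a real API. */
public class ConnectionCheckExample {

    /** Vulnerable shape: reachable by GET (so a cross-site request can trigger it) and with no
     *  permission check, so any Overall/Read user can point stored credentials at a chosen URL. */
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        return ExampleClient.connect(url, c) ? FormValidation.ok() : FormValidation.error("Connection failed");
    }

    /** Hardened shape: POST only (Stapler rejects other verbs and Jenkins' CSRF crumb applies),
     *  and the caller must be allowed to configure the item whose form this is, or be an
     *  administrator when the form belongs to the global configuration. */
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        // Resolve the ID only among credentials this item may use, not every credential in Jenkins.
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("No usable credentials with that ID");
        }
        return ExampleClient.connect(url, c) ? FormValidation.ok() : FormValidation.error("Connection failed");
    }
}
```

For an endpoint that changes state rather than validates a form, such as the Bazaar tag deletion, the same @POST requirement applies together with the permission appropriate to that action.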
Severity
- SECURITY-2696: Medium
- SECURITY-3012: Medium
- SECURITY-3095: Medium
- SECURITY-3129: Medium
- SECURITY-3188: High
- SECURITY-3192: Low
- SECURITY-3208: Medium
Affected Versions
- Jenkins weekly up to and including 2.415
- Jenkins LTS up to and including 2.401.2
- Bazaar Plugin up to and including 1.22
- Chef Identity Plugin up to and including 2.0.3
- GitLab Authentication Plugin up to and including 1.17.1
- Gradle Plugin up to and including 2.8
- Qualys Web App Scanning Connector Plugin up to and including 2.0.10
- ServiceNow DevOps Plugin up to and including 1.38.0
Fix
- Jenkins weekly should be updated to version 2.416
- Jenkins LTS should be updated to version 2.401.3
- GitLab Authentication Plugin should be updated to version 1.18
- Gradle Plugin should be updated to version 2.8.1
- Qualys Web App Scanning Connector Plugin should be updated to version 2.0.11
- ServiceNow DevOps Plugin should be updated to version 1.38.1
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
- Bazaar Plugin
- Chef Identity Plugin
Credit
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
- Alvaro Muñoz (@pwntester), GitHub Security Lab for SECURITY-3129
- Andrea Chiera, CloudBees, Inc. for SECURITY-3192
- Kevin Guerroudj, CloudBees, Inc. for SECURITY-3095
- Kevin Guerroudj, CloudBees, Inc. and Devin Nusbaum, CloudBees, Inc. for SECURITY-3188
- Wadeck Follonier, CloudBees Inc. for SECURITY-2696
- Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3012
Related news
A missing authorization vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform.
A cross-site request forgery vulnerability exists in versions of the Jenkins Plug-in for ServiceNow DevOps prior to 1.38.1 that, if exploited successfully, could cause the unwanted exposure of sensitive information. To address this issue, apply the 1.38.1 version of the Jenkins plug-in for ServiceNow DevOps on your Jenkins server. No changes are required on your instances of the Now Platform.