Headline
CVE-2022-46688: Jenkins Security Advisory 2022-12-07
A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Checkmarx Plugin
- Custom Build Properties Plugin
- Gitea Plugin
- Google Login Plugin
- Plot Plugin
- Sonar Gerrit Plugin
- Spring Config Plugin
Descriptions****XXE vulnerability in Plot Plugin
SECURITY-2940 / CVE-2022-46682
Severity (CVSS): High
Affected plugin: plot
Description:
Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control XML input files for the ‘Plot build data’ build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Plot Plugin 2.1.12 disables external entity resolution for its XML parser.
Open redirect vulnerability in Google Login Plugin
SECURITY-2967 / CVE-2022-46683
Severity (CVSS): Medium
Affected plugin: google-login
Description:
Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.
Google Login Plugin 1.7 only redirects to relative (Jenkins) URLs.
Stored XSS vulnerability in Checkmarx Plugin
SECURITY-2869 / CVE-2022-46684
Severity (CVSS): High
Affected plugin: checkmarx
Description:
Checkmarx Plugin processes Checkmarx service API responses and generates HTML reports from them for rendering on the Jenkins UI.
Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This results in a stored cross-site scripting (XSS) vulnerability.
While Jenkins users without Overall/Administer permission are not allowed to configure the URL to the Checkmarx service, this could still be exploited via man-in-the-middle attacks.
Checkmarx Plugin 2022.4.3 escapes values returned from the Checkmarx service API before inserting them into HTML reports.
Improper credentials masking in Gitea Plugin
SECURITY-2661 / CVE-2022-46685
Severity (CVSS): Medium
Affected plugin: gitea
Description:
Gitea Plugin support authentication with Gitea personal access tokens.
In Gitea Plugin 1.4.4 and earlier, the implementation of these tokens did not support credentials masking. This can expose Gitea personal access tokens in the build log, e.g., when printed as part of repository URLs.
Gitea Plugin 1.4.5 adds support for masking of Gitea personal access tokens.
Administrators unable to update are advised to use SSH checkout instead.
Stored XSS vulnerability in Custom Build Properties Plugin
SECURITY-2810 / CVE-2022-46686
Severity (CVSS): High
Affected plugin: custom-build-properties
Description:
Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.
Custom Build Properties Plugin 2.82.v16d5b_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.
Stored XSS vulnerability in Spring Config Plugin
SECURITY-2814 / CVE-2022-46687
Severity (CVSS): High
Affected plugin: spring-config
Description:
Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.
Spring Config Plugin 2.0.1 escapes build display names shown on the Spring Config view.
CSRF vulnerability in Sonar Gerrit Plugin
SECURITY-1002 / CVE-2022-46688
Severity (CVSS): Medium
Affected plugin: sonar-gerrit
Description:
Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
Severity
- SECURITY-1002: Medium
- SECURITY-2661: Medium
- SECURITY-2810: High
- SECURITY-2814: High
- SECURITY-2869: High
- SECURITY-2940: High
- SECURITY-2967: Medium
Affected Versions
- Checkmarx Plugin up to and including 2022.3.3
- Custom Build Properties Plugin up to and including 2.79.vc095ccc85094
- Gitea Plugin up to and including 1.4.4
- Google Login Plugin up to and including 1.6
- Plot Plugin up to and including 2.1.11
- Sonar Gerrit Plugin up to and including 377.v8f3808963dc5
- Spring Config Plugin up to and including 2.0.0
Fix
- Checkmarx Plugin should be updated to version 2022.4.3
- Custom Build Properties Plugin should be updated to version 2.82.v16d5b_d3590c7
- Gitea Plugin should be updated to version 1.4.5
- Google Login Plugin should be updated to version 1.7
- Plot Plugin should be updated to version 2.1.12
- Spring Config Plugin should be updated to version 2.0.1
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
- Sonar Gerrit Plugin
Learn why we announce these issues.
Credit
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:
- Asi Greenholts of Cider Security for SECURITY-2661
- CC Bomber, Kitri BoB for SECURITY-2940
- Kevin Guerroudj, CloudBees, Inc. and Valdes Che Zogou, CloudBees, Inc. for SECURITY-2810, SECURITY-2869
- Oleg Nenashev, CloudBees, Inc. for SECURITY-1002
- Valdes Che Zogou, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc. for SECURITY-2814
- Wadeck Follonier, CloudBees, Inc. for SECURITY-2967
Related news
A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.
In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log. Gitea Plugin 1.4.5 adds support for masking of Gitea personal access tokens. Administrators unable to update are advised to use SSH checkout instead.
Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values. Custom Build Properties Plugin 2.82.v16d5b_d3590c7 escapes property values and build display names on the Custom Build Properties and Build Summary pages.
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control XML input files for the 'Plot build data' build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Plot Plugin 2.1.12 disables external entity resolution for its XML parser.
Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins. Google Login Plugin 1.7 only redirects to relative (Jenkins) URLs.
Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names. Spring Config Plugin 2.0.1 escapes build display names shown on the Spring Config view.
Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.
In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.
Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability.
Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
Jenkins Plot Plugin 2.1.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.