Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Anchore Container Image Scanner Plugin
*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   build-publisher Plugin
*   Compuware Common Configuration Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

**Descriptions****XSS vulnerability**

**SECURITY-2886 / CVE-2022-41224**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

As of publication, the Jenkins security team is unaware of any exploitable help icon/tooltip in Jenkins core or plugins published by the Jenkins project. The vast majority of help icons use the l:help component instead of l:helpIcon. The few known instances of l:helpIcon do not have user-controllable contents.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

**Stored XSS vulnerability in Anchore Container Image Scanner Plugin**

**SECURITY-2821 / CVE-2022-41225**  
**Severity (CVSS):** High  
**Affected plugin: anchore-container-scanner**  
**Description:**

Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

Anchore Container Image Scanner Plugin 1.0.25 escapes content provided by the Anchore engine API.

**XXE vulnerability in Compuware Common Configuration Plugin**

**SECURITY-2832 / CVE-2022-41226**  
**Severity (CVSS):** High  
**Affected plugin: compuware-common-configuration**  
**Description:**

Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Compuware Common Configuration Plugin 1.0.15 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission check in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2737 / CVE-2022-41227 (CSRF), CVE-2022-41228 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NS-ND Integration Performance Publisher Plugin 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2858 / CVE-2022-41229**  
**Severity (CVSS):** High  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Missing permission check in build-publisher Plugin**

**SECURITY-1994 / CVE-2022-41230**  
**Severity (CVSS):** Medium  
**Affected plugin: build-publisher**  
**Description:**

build-publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

**Path traversal and CSRF vulnerability in build-publisher Plugin**

**SECURITY-2139 / CVE-2022-41231 (path traversal), CVE-2022-41232 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: build-publisher**  
**Description:**

build-publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability that allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file.

**Missing permission checks in Rundeck Plugin**

**SECURITY-2170 / CVE-2022-41233**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints.

This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

**Missing webhook endpoint authorization in Rundeck Plugin**

**SECURITY-2169 / CVE-2022-41234**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint.

This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

**Path traversal vulnerability in WildFly Deployer Plugin allows reading arbitrary files**

**SECURITY-2645 / CVE-2022-41235**  
**Severity (CVSS):** Medium  
**Affected plugin: wildfly-deployer**  
**Description:**

WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

**CSRF vulnerability in Security Inspector Plugin**

**SECURITY-2051 / CVE-2022-41236**  
**Severity (CVSS):** Medium  
**Affected plugin: security-inspector**  
**Description:**

Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the …​/report URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result.

A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability for the _Single user, multiple jobs_ report. Other report types are still affected.

**RCE vulnerability in DotCi Plugin**

**SECURITY-1737 / CVE-2022-41237**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to modify .ci.yml files in SCM.

**Lack of authentication mechanism in DotCi Plugin webhook**

**SECURITY-2867 / CVE-2022-41238**  
**Severity (CVSS):** Medium  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository.

In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

**Stored XSS vulnerability in DotCi Plugin**

**SECURITY-2884 / CVE-2022-41239**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/ endpoint (see also SECURITY-2867).

This vulnerability is only exploitable in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. See the LTS upgrade guide.

**Stored XSS vulnerability in Walti Plugin**

**SECURITY-1870 / CVE-2022-41240**  
**Severity (CVSS):** High  
**Affected plugin: walti**  
**Description:**

Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

**XXE vulnerability in RQM Plugin**

**SECURITY-2805 / CVE-2022-41241**  
**Severity (CVSS):** Medium  
**Affected plugin: rqm-plugin**  
**Description:**

RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Missing permission check in extreme-feedback Plugin**

**SECURITY-2001 / CVE-2022-41242**  
**Severity (CVSS):** Medium  
**Affected plugin: extreme-feedback**  
**Description:**

extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

**Missing hostname validation in SmallTest Plugin**

**SECURITY-2068 / CVE-2022-41243**  
**Severity (CVSS):** Medium  
**Affected plugin: smalltest**  
**Description:**

SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**Missing hostname validation in View26 Test-Reporting Plugin**

**SECURITY-2069 / CVE-2022-41244**  
**Severity (CVSS):** Medium  
**Affected plugin: view26**  
**Description:**

View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**CSRF vulnerability and missing permission check in Worksoft Execution Manager Plugin allow capturing credentials**

**SECURITY-2237 / CVE-2022-41245 (CSRF), CVE-2022-41246 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ws-execution-manager**  
**Description:**

Worksoft Execution Manager Plugin 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API key stored in plain text by BigPanda Notifier Plugin**

**SECURITY-2243 / CVE-2022-41247 (storage), CVE-2022-41248 (masking)**  
**Severity (CVSS):** Low  
**Affected plugin: bigpanda-jenkins**  
**Description:**

BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability and missing permission check in SCM HttpClient Plugin allow capturing credentials**

**SECURITY-2708 / CVE-2022-41249 (CSRF), CVE-2022-41250 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: scm-httpclient**  
**Description:**

SCM HttpClient Plugin 1.5 and earlier does not perform permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Missing permission check in Apprenda Plugin allows enumerating credentials IDs**

**SECURITY-2710 / CVE-2022-41251**  
**Severity (CVSS):** Medium  
**Affected plugin: apprenda**  
**Description:**

Apprenda Plugin 2.2.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**Missing permission checks in CONS3RT Plugin allow enumerating credentials IDs**

**SECURITY-2752 / CVE-2022-41252**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission checks in CONS3RT Plugin allow capturing credentials**

**SECURITY-2751 / CVE-2022-41253 (CSRF), CVE-2022-41254 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API token stored in plain text by CONS3RT Plugin**

**SECURITY-2759 / CVE-2022-41255**  
**Severity (CVSS):** Low  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

This API token can be viewed by users with access to the Jenkins controller file system.

**Severity**

*   SECURITY-1737: High
*   SECURITY-1870: High
*   SECURITY-1994: Medium
*   SECURITY-2001: Medium
*   SECURITY-2051: Medium
*   SECURITY-2068: Medium
*   SECURITY-2069: Medium
*   SECURITY-2139: High
*   SECURITY-2169: Medium
*   SECURITY-2170: Medium
*   SECURITY-2237: Medium
*   SECURITY-2243: Low
*   SECURITY-2645: Medium
*   SECURITY-2708: Medium
*   SECURITY-2710: Medium
*   SECURITY-2737: Medium
*   SECURITY-2751: Medium
*   SECURITY-2752: Medium
*   SECURITY-2759: Low
*   SECURITY-2805: Medium
*   SECURITY-2821: High
*   SECURITY-2832: High
*   SECURITY-2858: High
*   SECURITY-2867: Medium
*   SECURITY-2884: High
*   SECURITY-2886: High

**Affected Versions**

*   Jenkins weekly up to and including 2.369
*   **Anchore Container Image Scanner Plugin** up to and including 1.0.24
*   **Apprenda Plugin** up to and including 2.2.0
*   **BigPanda Notifier Plugin** up to and including 1.4.0
*   **build-publisher Plugin** up to and including 1.22
*   **Compuware Common Configuration Plugin** up to and including 1.0.14
*   **CONS3RT Plugin** up to and including 1.0.0
*   **DotCi Plugin** up to and including 2.40.00
*   **extreme-feedback Plugin** up to and including 1.7
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.129
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.134
*   **RQM Plugin** up to and including 2.8
*   **Rundeck Plugin** up to and including 3.6.11
*   **SCM HttpClient Plugin** up to and including 1.5
*   **Security Inspector Plugin** up to and including 117.v6eecc36919c2
*   **SmallTest Plugin** up to and including 1.0.4
*   **View26 Test-Reporting Plugin** up to and including 1.0.7
*   **Walti Plugin** up to and including 1.0.1
*   **WildFly Deployer Plugin** up to and including 1.0.2
*   **Worksoft Execution Manager Plugin** up to and including 10.0.3.503

**Fix**

*   Jenkins weekly should be updated to version 2.370
*   **Anchore Container Image Scanner Plugin** should be updated to version 1.0.25
*   **Compuware Common Configuration Plugin** should be updated to version 1.0.15
*   **NS-ND Integration Performance Publisher Plugin** should be updated to version 4.8.0.130

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   build-publisher Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2169, SECURITY-2170, SECURITY-2645, SECURITY-2821, SECURITY-2884
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2051
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-2886
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2237, SECURITY-2737, SECURITY-2805, SECURITY-2858, SECURITY-2867
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2068, SECURITY-2069
*   **Marc Heyries** for SECURITY-2243
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1994, SECURITY-2001
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2708, SECURITY-2710, SECURITY-2751, SECURITY-2752, SECURITY-2832
*   **Valdes Che Zogou, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2759
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1870, SECURITY-2139

CVE-2022-41233: Jenkins Security Advisory 2022-09-21

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Anchore Container Image Scanner Plugin
*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   BMC AMI Common Configuration Plugin
*   build-publisher Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

**Descriptions****XSS vulnerability**

**SECURITY-2886 / CVE-2022-41224**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

As of publication, the Jenkins security team is unaware of any exploitable help icon/tooltip in Jenkins core or plugins published by the Jenkins project. The vast majority of help icons use the l:help component instead of l:helpIcon. The few known instances of l:helpIcon do not have user-controllable tooltip contents.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

**Stored XSS vulnerability in Anchore Container Image Scanner Plugin**

**SECURITY-2821 / CVE-2022-41225**  
**Severity (CVSS):** High  
**Affected plugin: anchore-container-scanner**  
**Description:**

Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

Anchore Container Image Scanner Plugin 1.0.25 escapes content provided by the Anchore engine API.

**XXE vulnerability in BMC AMI Common Configuration Plugin**

**SECURITY-2832 / CVE-2022-41226**  
**Severity (CVSS):** High  
**Affected plugin: compuware-common-configuration**  
**Description:**

BMC AMI Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

BMC AMI Common Configuration Plugin 1.0.15 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission check in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2737 / CVE-2022-41227 (CSRF), CVE-2022-41228 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NS-ND Integration Performance Publisher Plugin 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2858 / CVE-2022-41229**  
**Severity (CVSS):** High  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Missing permission check in build-publisher Plugin**

**SECURITY-1994 / CVE-2022-41230**  
**Severity (CVSS):** Medium  
**Affected plugin: build-publisher**  
**Description:**

build-publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

**Path traversal and CSRF vulnerability in build-publisher Plugin**

**SECURITY-2139 / CVE-2022-41231 (path traversal), CVE-2022-41232 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: build-publisher**  
**Description:**

build-publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability that allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file.

**Missing permission checks in Rundeck Plugin**

**SECURITY-2170 / CVE-2022-41233**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints.

This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

**Missing webhook endpoint authorization in Rundeck Plugin**

**SECURITY-2169 / CVE-2022-41234**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint.

This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

**Agent-to-controller security bypass in WildFly Deployer Plugin allows reading arbitrary files**

**SECURITY-2645 / CVE-2022-41235**  
**Severity (CVSS):** Medium  
**Affected plugin: wildfly-deployer**  
**Description:**

WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

**CSRF vulnerability in Security Inspector Plugin**

**SECURITY-2051 / CVE-2022-41236**  
**Severity (CVSS):** Medium  
**Affected plugin: security-inspector**  
**Description:**

Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the …​/report URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result.

A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability for the _Single user, multiple jobs_ report. Other report types are still affected.

**RCE vulnerability in DotCi Plugin**

**SECURITY-1737 / CVE-2022-41237**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to modify .ci.yml files in SCM.

**Lack of authentication mechanism in DotCi Plugin webhook**

**SECURITY-2867 / CVE-2022-41238**  
**Severity (CVSS):** Medium  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository.

In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

**Stored XSS vulnerability in DotCi Plugin**

**SECURITY-2884 / CVE-2022-41239**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/ endpoint (see also SECURITY-2867).

This vulnerability is only exploitable in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. See the LTS upgrade guide.

**Stored XSS vulnerability in Walti Plugin**

**SECURITY-1870 / CVE-2022-41240**  
**Severity (CVSS):** High  
**Affected plugin: walti**  
**Description:**

Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

**XXE vulnerability in RQM Plugin**

**SECURITY-2805 / CVE-2022-41241**  
**Severity (CVSS):** Medium  
**Affected plugin: rqm-plugin**  
**Description:**

RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Missing permission check in extreme-feedback Plugin**

**SECURITY-2001 / CVE-2022-41242**  
**Severity (CVSS):** Medium  
**Affected plugin: extreme-feedback**  
**Description:**

extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

**Missing hostname validation in SmallTest Plugin**

**SECURITY-2068 / CVE-2022-41243**  
**Severity (CVSS):** Medium  
**Affected plugin: smalltest**  
**Description:**

SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**Missing hostname validation in View26 Test-Reporting Plugin**

**SECURITY-2069 / CVE-2022-41244**  
**Severity (CVSS):** Medium  
**Affected plugin: view26**  
**Description:**

View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**CSRF vulnerability and missing permission check in Worksoft Execution Manager Plugin allow capturing credentials**

**SECURITY-2237 / CVE-2022-41245 (CSRF), CVE-2022-41246 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ws-execution-manager**  
**Description:**

Worksoft Execution Manager Plugin 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API key stored in plain text by BigPanda Notifier Plugin**

**SECURITY-2243 / CVE-2022-41247 (storage), CVE-2022-41248 (masking)**  
**Severity (CVSS):** Low  
**Affected plugin: bigpanda-jenkins**  
**Description:**

BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability and missing permission check in SCM HttpClient Plugin allow capturing credentials**

**SECURITY-2708 / CVE-2022-41249 (CSRF), CVE-2022-41250 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: scm-httpclient**  
**Description:**

SCM HttpClient Plugin 1.5 and earlier does not perform permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Missing permission check in Apprenda Plugin allows enumerating credentials IDs**

**SECURITY-2710 / CVE-2022-41251**  
**Severity (CVSS):** Medium  
**Affected plugin: apprenda**  
**Description:**

Apprenda Plugin 2.2.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**Missing permission checks in CONS3RT Plugin allow enumerating credentials IDs**

**SECURITY-2752 / CVE-2022-41252**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission checks in CONS3RT Plugin allow capturing credentials**

**SECURITY-2751 / CVE-2022-41253 (CSRF), CVE-2022-41254 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API token stored in plain text by CONS3RT Plugin**

**SECURITY-2759 / CVE-2022-41255**  
**Severity (CVSS):** Low  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

This API token can be viewed by users with access to the Jenkins controller file system.

**Severity**

*   SECURITY-1737: High
*   SECURITY-1870: High
*   SECURITY-1994: Medium
*   SECURITY-2001: Medium
*   SECURITY-2051: Medium
*   SECURITY-2068: Medium
*   SECURITY-2069: Medium
*   SECURITY-2139: High
*   SECURITY-2169: Medium
*   SECURITY-2170: Medium
*   SECURITY-2237: Medium
*   SECURITY-2243: Low
*   SECURITY-2645: Medium
*   SECURITY-2708: Medium
*   SECURITY-2710: Medium
*   SECURITY-2737: Medium
*   SECURITY-2751: Medium
*   SECURITY-2752: Medium
*   SECURITY-2759: Low
*   SECURITY-2805: Medium
*   SECURITY-2821: High
*   SECURITY-2832: High
*   SECURITY-2858: High
*   SECURITY-2867: Medium
*   SECURITY-2884: High
*   SECURITY-2886: High

**Affected Versions**

*   **Jenkins weekly** up to and including 2.369
*   **Anchore Container Image Scanner Plugin** up to and including 1.0.24
*   **Apprenda Plugin** up to and including 2.2.0
*   **BigPanda Notifier Plugin** up to and including 1.4.0
*   **BMC AMI Common Configuration Plugin** up to and including 1.0.14
*   **build-publisher Plugin** up to and including 1.22
*   **CONS3RT Plugin** up to and including 1.0.0
*   **DotCi Plugin** up to and including 2.40.00
*   **extreme-feedback Plugin** up to and including 1.7
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.129
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.134
*   **RQM Plugin** up to and including 2.8
*   **Rundeck Plugin** up to and including 3.6.11
*   **SCM HttpClient Plugin** up to and including 1.5
*   **Security Inspector Plugin** up to and including 117.v6eecc36919c2
*   **SmallTest Plugin** up to and including 1.0.4
*   **View26 Test-Reporting Plugin** up to and including 1.0.7
*   **Walti Plugin** up to and including 1.0.1
*   **WildFly Deployer Plugin** up to and including 1.0.2
*   **Worksoft Execution Manager Plugin** up to and including 10.0.3.503

**Fix**

*   **Jenkins weekly** should be updated to version 2.370
*   **Anchore Container Image Scanner Plugin** should be updated to version 1.0.25
*   **BMC AMI Common Configuration Plugin** should be updated to version 1.0.15
*   **NS-ND Integration Performance Publisher Plugin** should be updated to version 4.8.0.130

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   build-publisher Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2169, SECURITY-2170, SECURITY-2645, SECURITY-2821, SECURITY-2884
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2051
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-2886
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2237, SECURITY-2737, SECURITY-2805, SECURITY-2858, SECURITY-2867
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2068, SECURITY-2069
*   **Marc Heyries** for SECURITY-2243
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1994, SECURITY-2001
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2708, SECURITY-2710, SECURITY-2751, SECURITY-2752, SECURITY-2832
*   **Valdes Che Zogou, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2759
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1870, SECURITY-2139

CVE-2022-41234: Jenkins Security Advisory 2022-09-21

By Habiba Rashid
The US military seeks public help in securing its critical cyber infrastructure with "Hack the Pentagon 3.0" bug bounty program.
This is a post from HackRead.com Read the original post: Hack the Pentagon 3.0: Groundbreaking Bug Bounty Program Is Back

Can you hack the Pentagon for good? Then it is your chance to participate in the third chapter of Hack the Pentagon 3.0, backed by the government of the United States.

The U.S. Department of Defense (DOD) has announced the third iteration of its “Hack the Pentagon” bug bounty program, which was **first launched in 2016**.

The initiative allows cybersecurity researchers to find vulnerabilities in the government’s Facility Related Controls System (FRCS) network which is used to monitor and control equipment and systems related to real property facilities. These include heating, ventilation, and air conditioning (HVAC), utility, physical security systems, and fire and safety systems.

The performance work statement (PWS) of the Hack the Pentagon 3.0 program on the **Sam.Gov website** states, “The overall objective is to obtain support from a pool of innovative information security researchers via crowdsourcing for vulnerability discovery, coordination and disclosure activities and to assess the current cybersecurity posture of the FRCS network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture.”

The Department of Defense is searching for skilled and trusted researchers from private organizations that have a diverse skill set and will be able to perform source code analysis, reverse engineering, and network and system analysis exploitation.

“The contractor shall provide all labour, material, equipment, hardware, software and training required to assess the current cybersecurity posture of the FRCS Network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture,” reads the draft.

However, it is also clarified that the 72-hour in-person critical bounty program will be limited to the “unclassified Information Systems and operational technology continued within the Pentagon FRCS Network.”

*   A 17-years-old kid hacks the US air force for the good
*   Bug bounty: Hack Tesla Model 3 to win your own Model 3
*   Hack the US Army with ‘Hack The Army’ bug bounty program
*   Homeland Security Offering $5,000 Bug Bounty to Hack DHS
*   Google Starts Bug Bounty Program for Open-Source Software

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Hack the Pentagon 3.0: Groundbreaking Bug Bounty Program Is Back


SD ROM Utility, versions prior to 1.0.2.0 contain an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access.



**Impact**

High

**Details**

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-3039

SD ROM Utility, versions prior to 1.0.2.0 contain an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access.

7.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Proprietary Code CVEs

Description

CVSS Base Score

CVSS Vector String

CVE-2023-3039

SD ROM Utility, versions prior to 1.0.2.0 contain an Improper Access Control vulnerability. A low-privileged malicious user may potentially exploit this vulnerability to perform arbitrary code execution with limited access.

7.3

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

SD ROM Utility

Software

Versions prior to 1.0.2.0

1.0.2.0 or later

https://www.dell.com/support/home/drivers/driversdetails?driverid=HC20P

Product

Software/Firmware

Affected Versions

Remediated Versions

Link

SD ROM Utility

Software

Versions prior to 1.0.2.0

1.0.2.0 or later

https://www.dell.com/support/home/drivers/driversdetails?driverid=HC20P

**Workarounds and Mitigations**

None.

**Revision History**

Revision

Date

Description

1.0

2023-09-11

Initial Release

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Update Packages, 5820 XL Tower, 7820 XL Tower, 7920 XL Tower, Precision 7520, Precision 7720, Precision 5820 Tower, Precision 7820 Tower, Precision 7920 Tower

CVE-2023-3039: DSA-2023-274: Security Update for an SD ROM Utility Vulnerability

Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by exploitable by attackers able to create Scriptler scripts.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Choices Plugin
*   OWASP Dependency-Check Plugin
*   Performance Plugin
*   pom2config Plugin
*   Scriptler Plugin
*   Squash TM Publisher (Squash4Jenkins) Plugin

**Descriptions****Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-2219 / CVE-2021-21699**

Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5.7 escapes references to parameter names.

**Stored XSS vulnerability in Scriptler Plugin**

**SECURITY-2406 / CVE-2021-21700**

Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.

Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.

**XXE vulnerability in Performance Plugin**

**SECURITY-2394 / CVE-2021-21701**

Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

**XXE vulnerability in pom2config Plugin**

**SECURITY-2415 / CVE-2021-43576**

pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

**XXE vulnerability in OWASP Dependency-Check Plugin**

**SECURITY-2488 / CVE-2021-43577**

OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

**Arbitrary file write vulnerability in Squash TM Publisher (Squash4Jenkins) Plugin**

**SECURITY-2525 / CVE-2021-43578**

Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input.

This allows attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-2219: High
*   SECURITY-2394: High
*   SECURITY-2406: High
*   SECURITY-2415: High
*   SECURITY-2488: High
*   SECURITY-2525: High

**Affected Versions**

*   **Active Choices Plugin** up to and including 2.5.6
*   **OWASP Dependency-Check Plugin** up to and including 5.1.1
*   **Performance Plugin** up to and including 3.20
*   **pom2config Plugin** up to and including 1.2
*   **Scriptler Plugin** up to and including 3.3
*   **Squash TM Publisher (Squash4Jenkins) Plugin** up to and including 1.0.0

**Fix**

*   **Active Choices Plugin** should be updated to version 2.5.7
*   **Scriptler Plugin** should be updated to version 3.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   OWASP Dependency-Check Plugin
*   Performance Plugin
*   pom2config Plugin
*   Squash TM Publisher (Squash4Jenkins) Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Adith Sudhakar working with Trend Micro Zero Day Initiative** for SECURITY-2394, SECURITY-2415
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2525
*   **Guy Lederfein of Trend Micro** for SECURITY-2406
*   **Kevin Guerroudj, and, independently, Audrey Prieur of Trend Micro** for SECURITY-2219

CVE-2021-21700: Jenkins Security Advisory 2021-11-12

Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2021-21699: Jenkins Security Advisory 2021-11-12

Jenkins Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input, allowing attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.

CVE-2021-43578: Jenkins Security Advisory 2021-11-12

Jenkins pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CVE-2021-43576: Jenkins Security Advisory 2021-11-12

Jenkins Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2021-21701: Jenkins Security Advisory 2021-11-12

By Waqas
Nitrokod crypto miner mines Monero (XMR) coin on infected devices and so far it has targeted 111,000 unsuspecting users in 11 countries.
This is a post from HackRead.com Read the original post: Nitrokod Crypto Miner Hiding in Fake Microsoft and Google Translate Apps

Check Point researchers have shared details of a new campaign in which the cybercriminals are distributing **cryptocurrency-mining malware**. This malware is hard to detect by unsuspecting users because it is distributed through fake and malicious Google Translate and other popular apps.

According to researchers, the malware is spread via third-party websites hosted on platforms like Uptodown and Softpedia and offer free software downloads. These websites can be accessed through a simple **Google search**.

Fake malicious apps spreading the Nitrokod crypto miner (Image via CheckPoint)

**Campaign Analysis**

The cryptocurrency mining Trojan is called Nitrokod. It is spread disguised as a clean Windows application. The malware keeps its execution on hold for several days or weeks and launches its **Monero mining** code when it deems safe.

This malware is readily available, and anyone can use it, stated Check Point’s vice president of research, Maya Horowitz. The list of victims is pretty diverse as they are spread across the following countries:

1.  Israel
2.  Turkey
3.  Cyprus
4.  Greece
5.  Poland
6.  Germany
7.  Australia
8.  Mongolia
9.  Sri Lanka
10.  United States
11.  United Kingdom

Malware analyst at Check Point Moshe Marelus stated that the malware drops around one month after the infection, and dropping files is a multi-stage process, which makes it rather complicated to track its initial stages.

**Attack Tactics**

The attack is a **multi-stage sequence** where each dropper paves the way for another dropper until the actual malware is dropped. The app runs as expected when the user downloads and installs the software loaded with Nitrokod malware while the malicious trojan sneakily works in the background. It fetches and stores several executables and schedules one .exe file to run every day once they are unpacked.

When the files are run, another executable file is extracted, which establishes a connection to a C2 server, obtains device configuration settings for the **Monero miner** code, and the mining process starts. The generated coins are sent to the attackers’ wallets. At some point, all initial stage files self-delete, and the next stage of the infection chain starts after fifteen days through the Windows utility schtasks.exe.

> “This way, the first stages of the campaign are separated from the ones that follow, making it very hard to trace the source of the infection chain and block the initial infected applications.”
> 
> Moshe Marelus – Check Point

The malware also inspects for known virtual machine processes and installed security products. If detected, the program stalls and exits. 

One stage also checks for known virtual-machine processes and security products. If found, the program exits. If not, it continues. Cybercriminals use **RAR encrypted, password-protected files** throughout the stages to make them hard to detect.

Infection chain

**Who Are the Attackers?**

CheckPoint’s **research** suggests that a Turkish-speaking group of hackers dubbed Nitrokod is behind this campaign revealed Check Point Research’s team. It has been active since 2019. This campaign was discovered in July 2022, and so far, it has affected 111,000 users in 11 countries.

The modus operandi used to trap users is by offering desktop versions of legit apps that don’t have their desktop versions. Nitrokod programmers wait patiently before launching the malware, and their attacks entail multiple stages.

**Software Exploited **

Apart from Google Translate, Nitrokod leveraged other translation apps, e.g., YouTube Music, Microsoft Translator Desktop and MP3 downloader programs. The malicious apps claim to be 100% clean but contain a crypto miner.

1.  Google ReCaptcha flaw lets bots bypass audio captcha challenge
2.  Fake Brave browser website dropped malware, thanks to Google Ads
3.  Google, Microsoft and Oracle generated the most vulnerabilities in 2021
4.  Google shares details of unpatched Windows AppContainer vulnerability
5.  Google Drive accounted for 50% of malicious Office document downloads

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Search

lenovo warranty check/lookup | check warranty status | lenovo support us