In Veritas NetBackup, an attacker with unprivileged local access to a NetBackup Client may send specific commands to escalate their privileges. This affects 8.0 through 8.1.2, 8.2, 8.3 through 8.3.0.2, 9.x through 9.0.0.1, and 9.1.x through 9.1.0.1.

**Revision History**

*   1.0: July 18, 2022: Initial Release

**Summary**

Veritas has addressed two vulnerabilities affecting NetBackup Clients.

**Issues******Issue #1: Arbitrary Command Execution**  
**

The NetBackup Client allows arbitrary command execution from any remote host that has access to a valid host-id NetBackup certificate/private key from the same domain.

*   CVE ID: TBA
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
*   Affected Versions: 9.0.x, 9.1.x
*   Recommended action:
    *   Upgrade NBU Client to 10.0 – no HotFix needed, or
    *   Upgrade NBU Client to 9.1.0.1 and apply VTS22-008 - HotFix for Security Advisory impacting NetBackup 9.1.0.1 Clients (Etrack 4066508), or
    *   Or upgrade NBU Client to 9.0.0.1 and apply VTS22-008 - HotFix for Security Advisory impacting NetBackup 9.0.0.1 Clients (Etrack 4067247), or
    *   For NBU Client versions 8.3.x and earlier – Not Vulnerable - Not Applicable  
        

****Issue #2: Escalation of Privileges****

An attacker with unprivileged local access to a NetBackup Client may send specific commands to escalate their privileges.

*   CVE ID: TBA
*   Severity: High
*   CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
*   Affected Versions: 9.1.x, 9.0.x, 8.3.x, 8.2 and earlier
*   Recommended Actions:
    *   Upgrade NBU Client to 10.0 – no HotFix needed, or
    *   Upgrade NBU Client to 9.1.0.1 and apply VTS22-008 - HotFix for Security Advisory impacting NetBackup 9.1.0.1 Clients (Etrack 4066508), or
    *   Upgrade NBU Client to 9.0.0.1 and apply VTS22-008 - HotFix for Security Advisory impacting NetBackup 9.0.0.1 Clients (Etrack 4067247), or
    *   Upgrade NBU Client to 8.3.0.2 and apply VTS22-008 - HotFix Security Advisory impacting NetBackup 8.3.0.2 Clients (Etrack 4066512), or
    *   For NBU Client version 8.2 apply VTS22-008 - Hotfix for Security Advisory impacting NetBackup 8.2 Clients (Etrack 4068828)
    *   For NBU Client version 8.1.2 apply VTS22-008 - Hotfix for Security Advisory impacting NetBackup 8.1.2 Clients (Etrack-4071637)

**Notes**

Related Primary and Media Server fixes for these vulnerabilities have already been addressed in Security Advisory portion for VTS22-004.

**Acknowledgement**

Veritas would like to thank the following Airbus Security Team members for notifying us about Issue #2: Mouad Abouhali, Benoit Camredon, Nicholas Devillers, Anais Gantet, and Jean-Romain Garnier.

**Questions**

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support)

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC 2625

Augustine Drive

Santa Clara, CA 95054

CVE-2022-36955: VTS22-008 - HotFix for Security Advisory Impacting NetBackup Client

An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.

**Revision History**

*   1.0: End of September 2022 – Initial Public Release

**Summary**

Veritas has addressed vulnerabilities affecting NetBackup servers and clients.Issue.

**Issues**

**Issue #1: Arbitrary file delete**

An attacker with local access can delete arbitrary files by leveraging a path traversal in the pbx\_exchange registration code.

*   CVE ID: TBA
*   Severity: Critical
*   CVSS v3.1 Base Score: 9.0 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H)
*   Affected Versions: 8.2 and earlier
*   Recommended action:
    *   NetBackup Servers: upgrade to 8.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    *   NetBackup Clients: upgrade to 8.2 or 8.1.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    *   NetBackup Appliance: upgrade to 3.2 and apply appropriate Hotfix OR upgrade to 3.3.x or later.
    *   Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances
    *   Flex Scale: Not impacted.

**Issue #2: Denial of service**

An attacker with local access can send a specially crafted packet to pbx\_exchange during registration and cause a null-pointer exception effectively crashing the pbx\_exchange process.

*   CVE ID: TBA
*   Severity: Medium
*   CVSS v3.1 Base Score: 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
*   Affected Versions: 8.2 and earlier
*   Recommended action:
    *   NetBackup Servers: upgrade to 8.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    *   NetBackup Clients: upgrade to 8.2 or 8.1.2 and apply appropriate Hotfix OR upgrade to 8.3.x or later.
    *   NetBackup Appliance: upgrade to 3.2 and apply appropriate Hotfix OR upgrade to 3.3.x or later.
    *   Flex Appliance: Please apply the NetBackup Hotfix corresponding to the NetBackup Container version on Flex appliances
    *   Flex Scale: Not impacted.

**Notes**

This Security Advisory, VTS22-010, also addresses the issues identified in VTS22-008, which was released earlier. If you have not already applied VTS22-008, it is not necessary to apply it prior to installing this advisory. If you have already applied VTS22-008 you can safely apply VTS22-010 on top of it.

**Questions**

For questions or problems regarding this vulnerability please contact Veritas Technical Support (https://www.veritas.com/support)

**Acknowledgement**

Veritas would like to thank the following Airbus Security Team members for notifying us about these issues:    
Mouad Abouhali, Benoît Camredon, Nicholas Devillers, Anaïs Gantet, and Jean-Romain Garnier.

**Disclaimer**

THE SECURITY ADVISORY IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. VERITAS TECHNOLOGIES LLC SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Veritas Technologies LLC  
2625 Augustine Drive  
Santa Clara, CA 95054

CVE-2022-42306: Hotfix for Security Advisory Impacting NetBackup Clients and Servers

An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can delete arbitrary files by leveraging a path traversal in the pbx_exchange registration code.

CVE-2022-42308: Hotfix for Security Advisory Impacting NetBackup Clients and Servers

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

CVE-2023-24456: Jenkins Security Advisory 2023-01-24

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

CVE-2023-24427: Jenkins Security Advisory 2023-01-24

Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

CVE-2023-24444: Jenkins Security Advisory 2023-01-24

A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   AWS CodeCommit Trigger Plugin
*   Checkmarx Plugin
*   Digital.ai App Management Publisher Plugin
*   Dimensions Plugin
*   Maven Repository Server Plugin
*   Sonargraph Integration Plugin
*   Team Concert Plugin
*   Template Workflows Plugin

**Descriptions****CSRF protection bypass vulnerability**

**SECURITY-3135 / CVE-2023-35141**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs.

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint (e.g., the Script Console) by opening a context menu.

As of publication of this advisory, we are aware of insufficiently escaped context menu URLs for label expressions, allowing attackers with Item/Configure permissions to exploit this vulnerability.

Jenkins 2.400, LTS 2.401.1 sends GET requests to load the list of context actions.

**SSL/TLS certificate validation disabled by default in Checkmarx Plugin**

**SECURITY-2870 / CVE-2023-35142**  
**Severity (CVSS):** Medium  
**Affected plugin: checkmarx**  
**Description:**

Checkmarx Plugin allows to globally enable or disable SSL/TLS validation for connections to the Checkmarx server. Checkmarx Plugin 2022.4.3 and earlier disables it by default. Unless changed by an administrator, it would cause all connections to the Checkmarx server to ignore SSL/TLS validation, thereby enabling potential man-in-the-middle attacks.

Checkmarx Plugin 2023.2.6 enables SSL/TLS validation by default. Administrators who do not want SSL/TLS validation for connections to the Checkmarx server to be disabled are advised to review their configuration.

**Missing permission checks in Team Concert Plugin**

**SECURITY-2932 / CVE pending**  
**Severity (CVSS):** Medium  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

**Missing permission check in Dimensions Plugin allows enumerating credentials IDs**

**SECURITY-3138 / CVE-2023-32261**  
**Severity (CVSS):** Medium  
**Affected plugin: dimensionsscm**  
**Description:**

Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.

**Exposure of system-scoped credentials in Dimensions Plugin**

**SECURITY-3143 / CVE-2023-32262**  
**Severity (CVSS):** Medium  
**Affected plugin: dimensionsscm**  
**Description:**

Dimensions Plugin 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Dimensions Plugin 0.9.3.1 defines the appropriate context for credentials lookup.

**Stored XSS vulnerability in Maven Repository Server Plugin**

**SECURITY-3156 / CVE-2023-35143**  
**Severity (CVSS):** High  
**Affected plugin: repository**  
**Description:**

Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in pom.xml.

**Stored XSS vulnerability in Maven Repository Server Plugin**

**SECURITY-2951 / CVE-2023-35144**  
**Severity (CVSS):** High  
**Affected plugin: repository**  
**Description:**

Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change project or build display names.

**Stored XSS vulnerability in Sonargraph Integration Plugin**

**SECURITY-3155 / CVE-2023-35145**  
**Severity (CVSS):** High  
**Affected plugin: sonargraph-integration**  
**Description:**

Sonargraph Integration Plugin 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Stored XSS vulnerability in Template Workflows Plugin**

**SECURITY-3166 / CVE-2023-35146**  
**Severity (CVSS):** High  
**Affected plugin: template-workflows**  
**Description:**

Template Workflows Plugin 41.v32d86a\_313b\_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

**Arbitrary file read vulnerability in AWS CodeCommit Trigger Plugin**

**SECURITY-3099 / CVE-2023-35147**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-codecommit-trigger**  
**Description:**

AWS CodeCommit Trigger Plugin allows downloading activity logs of AWS Simple Queue Service (SQS) queues.

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the queue name path parameter in the corresponding HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

**CSRF vulnerability and missing permission checks in Digital.ai App Management Publisher Plugin**

**SECURITY-2911 / CVE-2023-35148 (CSRF), CVE-2023-35149 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ease-plugin**  
**Description:**

Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2870: Medium
*   SECURITY-2911: Medium
*   SECURITY-2932: Medium
*   SECURITY-2951: High
*   SECURITY-3099: Medium
*   SECURITY-3135: High
*   SECURITY-3138: Medium
*   SECURITY-3143: Medium
*   SECURITY-3155: High
*   SECURITY-3156: High
*   SECURITY-3166: High

**Affected Versions**

*   **Jenkins weekly** up to and including 2.399
*   **Jenkins LTS** up to and including 2.387.3
*   **AWS CodeCommit Trigger Plugin** up to and including 3.0.12
*   **Checkmarx Plugin** up to and including 2022.4.3
*   **Digital.ai App Management Publisher Plugin** up to and including 2.6
*   **Dimensions Plugin** up to and including 0.9.3
*   **Maven Repository Server Plugin** up to and including 1.10
*   **Sonargraph Integration Plugin** up to and including 5.0.1
*   **Team Concert Plugin** up to and including 2.4.1
*   **Template Workflows Plugin** up to and including 41.v32d86a\_313b\_4a

**Fix**

*   **Jenkins weekly** should be updated to version 2.400
*   **Jenkins LTS** should be updated to version 2.401.1
*   **Checkmarx Plugin** should be updated to version 2023.2.6
*   **Dimensions Plugin** should be updated to version 0.9.3.1
*   **Team Concert Plugin** should be updated to version 2.4.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AWS CodeCommit Trigger Plugin
*   Digital.ai App Management Publisher Plugin
*   Maven Repository Server Plugin
*   Sonargraph Integration Plugin
*   Template Workflows Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3143, SECURITY-3155, SECURITY-3156, SECURITY-3166
*   **CC Bomber, Kitri BoB** for SECURITY-2951
*   **Daniel Beck, CloudBees Inc.** for SECURITY-2870
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2932
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3135, SECURITY-3138
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2911
*   **Tony Torralba (@atorralba), GitHub Security Lab** for SECURITY-3099

CVE-2023-35149: Jenkins Security Advisory 2023-06-14

A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 through 2.3.0 (both inclusive) allows attackers with Overall/Read permission to download a string representation of the current security realm.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Directory Plugin
*   Assembla Auth Plugin
*   Benchmark Evaluator Plugin
*   Datadog Plugin
*   ElasticBox CI Plugin
*   External Monitor Job Type Plugin
*   mabl Plugin
*   MathWorks Polyspace Plugin
*   OpenShift Login Plugin
*   Oracle Cloud Infrastructure Compute Plugin
*   Orka by MacStadium Plugin
*   Pipeline restFul API Plugin
*   Rebuilder Plugin
*   SAML Single Sign On(SSO) Plugin
*   Sumologic Publisher Plugin
*   Test Results Aggregator Plugin

**Descriptions****XXE vulnerability in External Monitor Job Type Plugin**

**SECURITY-3133 / CVE-2023-37942**  
**Severity (CVSS):** High  
**Affected plugin: external-monitor-job**  
**Description:**

External Monitor Job Type Plugin 206.v9a\_94ff0b\_4a\_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

External Monitor Job Type Plugin 207.v98a\_a\_37a\_85525 disables external entity resolution for its XML parser.

**Password transmitted in plain text by Active Directory Plugin**

**SECURITY-3059 / CVE-2023-37943**  
**Severity (CVSS):** Low  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain").

Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted. This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

This only affects the connection test. Connections established during the login process are encrypted if the corresponding TLS option is enabled.

Active Directory Plugin 2.30.1 considers the "Require TLS" and "StartTls" options for connection tests.

**Missing permission check in Datadog Plugin allows capturing credentials**

**SECURITY-3130 / CVE-2023-37944**  
**Severity (CVSS):** Medium  
**Affected plugin: datadog**  
**Description:**

Datadog Plugin 5.4.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Datadog Plugin 5.4.2 requires Overall/Administer permission to access the affected HTTP endpoint.

**Missing permission check in SAML Single Sign On(SSO) Plugin**

**SECURITY-3164 / CVE-2023-37945**  
**Severity (CVSS):** Medium  
**Affected plugin: miniorange-saml-sp**  
**Description:**

SAML Single Sign On(SSO) Plugin 2.3.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to download a string representation of the current security realm (Java Object#toString()), which potentially includes sensitive information.

SAML Single Sign On(SSO) Plugin 2.3.1 requires Overall/Administer permission to access the affected HTTP endpoint, and only allows downloading a string representation if the current security realm is this plugin’s.

**Session fixation vulnerability in OpenShift Login Plugin**

**SECURITY-2998 / CVE-2023-37946**  
**Severity (CVSS):** High  
**Affected plugin: openshift-login**  
**Description:**

OpenShift Login Plugin 1.1.0.227.v27e08dfb\_1a\_20 and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

OpenShift Login Plugin 1.1.0.230.v5d7030b\_f5432 invalidates the existing session on login.

**Open redirect vulnerability in OpenShift Login Plugin**

**SECURITY-2999 / CVE-2023-37947**  
**Severity (CVSS):** Medium  
**Affected plugin: openshift-login**  
**Description:**

OpenShift Login Plugin 1.1.0.227.v27e08dfb\_1a\_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

OpenShift Login Plugin 1.1.0.230.v5d7030b\_f5432 only redirects to relative (Jenkins) URLs.

**Missing SSH host key validation in Oracle Cloud Infrastructure Compute Plugin**

**SECURITY-3044 / CVE-2023-37948**  
**Severity (CVSS):** Medium  
**Affected plugin: oracle-cloud-infrastructure-compute**  
**Description:**

Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds.

Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides strategies for performing host key validation for administrators to select the one that meets their security needs.

The Jenkins security team has been unable to confirm the exploitability and resolution of this vulnerability.

**Missing permission check in Orka by MacStadium Plugin allows capturing credentials**

**SECURITY-3128 / CVE-2023-37949**  
**Severity (CVSS):** Medium  
**Affected plugin: macstadium-orka**  
**Description:**

Orka by MacStadium Plugin 1.33 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Orka by MacStadium Plugin 1.34 requires Overall/Administer permission to access the affected HTTP endpoint.

**Missing permission check in mabl Plugin allows enumerating credentials IDs**

**SECURITY-3137 (1) / CVE-2023-37950**  
**Severity (CVSS):** Medium  
**Affected plugin: mabl-integration**  
**Description:**

mabl Plugin 0.0.46 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in mabl Plugin 0.0.47 requires the appropriate permissions.

**Exposure of system-scoped credentials in mabl Plugin**

**SECURITY-3137 (2) / CVE-2023-37951**  
**Severity (CVSS):** Medium  
**Affected plugin: mabl-integration**  
**Description:**

mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

mabl Plugin 0.0.47 defines the appropriate context for credentials lookup.

**CSRF vulnerability and missing permission checks in mabl Plugin allow capturing credentials**

**SECURITY-3127 / CVE-2023-37952 (CSRF), CVE-2023-37953 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: mabl-integration**  
**Description:**

mabl Plugin 0.0.46 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

mabl Plugin 0.0.47 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**CSRF vulnerability in Rebuilder Plugin**

**SECURITY-3033 / CVE-2023-37954**  
**Severity (CVSS):** Medium  
**Affected plugin: rebuild**  
**Description:**

Rebuilder Plugin 320.v5a\_0933a\_e7d61 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild a previous build.

**CSRF vulnerability and missing permission check in Test Results Aggregator Plugin**

**SECURITY-3122 / CVE-2023-37955 (CSRF), CVE-2023-37956 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: test-results-aggregator**  
**Description:**

Test Results Aggregator Plugin 1.2.13 and earlier does not perform a permission check in an HTTP endpoint implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**CSRF vulnerability in Pipeline restFul API Plugin**

**SECURITY-3126 / CVE-2023-37957**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-restful-api**  
**Description:**

Pipeline restFul API Plugin 0.11 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows impersonating the victim.

**CSRF vulnerability and missing permission checks in Sumologic Publisher Plugin**

**SECURITY-3117 / CVE-2023-37958 (CSRF), CVE-2023-37959 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: sumologic-publisher**  
**Description:**

Sumologic Publisher Plugin 2.2.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Arbitrary file read vulnerability in MathWorks Polyspace Plugin**

**SECURITY-3124 / CVE-2023-37960**  
**Severity (CVSS):** Medium  
**Affected plugin: mathworks-polyspace**  
**Description:**

MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict the path of the attached files in Polyspace Notification post-build step.

This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system.

**CSRF vulnerability in Assembla Auth Plugin**

**SECURITY-2988 / CVE-2023-37961**  
**Severity (CVSS):** Medium  
**Affected plugin: assembla-auth**  
**Description:**

Assembla Auth Plugin 1.14 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

**CSRF vulnerability and missing permission checks in Benchmark Evaluator Plugin**

**SECURITY-3119 / CVE-2023-37962 (CSRF), CVE-2023-37963 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: benchmark-evaluator**  
**Description:**

Benchmark Evaluator Plugin 1.0.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, .csv, and .ycsb files on the Jenkins controller file system.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**CSRF vulnerability and missing permission checks in ElasticBox CI Plugin allow capturing credentials**

**SECURITY-3131 / CVE-2023-37964 (CSRF), CVE-2023-37965 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: elasticbox**  
**Description:**

ElasticBox CI Plugin 5.0.1 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2988: Medium
*   SECURITY-2998: High
*   SECURITY-2999: Medium
*   SECURITY-3033: Medium
*   SECURITY-3044: Medium
*   SECURITY-3059: Low
*   SECURITY-3117: Medium
*   SECURITY-3119: Medium
*   SECURITY-3122: Medium
*   SECURITY-3124: Medium
*   SECURITY-3126: High
*   SECURITY-3127: High
*   SECURITY-3128: Medium
*   SECURITY-3130: Medium
*   SECURITY-3131: Medium
*   SECURITY-3133: High
*   SECURITY-3137 (1): Medium
*   SECURITY-3137 (2): Medium
*   SECURITY-3164: Medium

**Affected Versions**

*   **Active Directory Plugin** up to and including 2.30
*   **Assembla Auth Plugin** up to and including 1.14
*   **Benchmark Evaluator Plugin** up to and including 1.0.1
*   **Datadog Plugin** up to and including 5.4.1
*   **ElasticBox CI Plugin** up to and including 5.0.1
*   **External Monitor Job Type Plugin** up to and including 206.v9a\_94ff0b\_4a\_10
*   **mabl Plugin** up to and including 0.0.46
*   **MathWorks Polyspace Plugin** up to and including 1.0.5
*   **OpenShift Login Plugin** up to and including 1.1.0.227.v27e08dfb\_1a\_20
*   **Oracle Cloud Infrastructure Compute Plugin** up to and including 1.0.16
*   **Orka by MacStadium Plugin** up to and including 1.33
*   **Pipeline restFul API Plugin** up to and including 0.11
*   **Rebuilder Plugin** up to and including 320.v5a\_0933a\_e7d61
*   **SAML Single Sign On(SSO) Plugin** up to and including 2.3.0
*   **Sumologic Publisher Plugin** up to and including 2.2.1
*   **Test Results Aggregator Plugin** up to and including 1.2.13

**Fix**

*   **Active Directory Plugin** should be updated to version 2.30.1
*   **Datadog Plugin** should be updated to version 5.4.2
*   **External Monitor Job Type Plugin** should be updated to version 207.v98a\_a\_37a\_85525
*   **mabl Plugin** should be updated to version 0.0.47
*   **OpenShift Login Plugin** should be updated to version 1.1.0.230.v5d7030b\_f5432
*   **Oracle Cloud Infrastructure Compute Plugin** should be updated to version 1.0.17
*   **Orka by MacStadium Plugin** should be updated to version 1.34
*   **SAML Single Sign On(SSO) Plugin** should be updated to version 2.3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Assembla Auth Plugin
*   Benchmark Evaluator Plugin
*   ElasticBox CI Plugin
*   MathWorks Polyspace Plugin
*   Pipeline restFul API Plugin
*   Rebuilder Plugin
*   Sumologic Publisher Plugin
*   Test Results Aggregator Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3117, SECURITY-3119, SECURITY-3122, SECURITY-3126, SECURITY-3127, SECURITY-3128, SECURITY-3130, SECURITY-3131
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-3164
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2988, SECURITY-3033, SECURITY-3137 (1)
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2998, SECURITY-2999
*   **Tony Torralba (@atorralba), GitHub Security Lab** for SECURITY-3124, SECURITY-3133
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3044, SECURITY-3137 (2)

CVE-2023-37945: Jenkins Security Advisory 2023-07-12

Jenkins mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

CVE-2023-37951: Jenkins Security Advisory 2023-07-12

Improper conditions check in the Intel(R) IPP Crypto library before version 2021.2 may allow an authenticated user to potentially enable information disclosure via local access.

**Select Your Region**

The browser version you are using is not recommended for this site.  
Please consider upgrading to the latest version of your browser by clicking one of the following links.

*   Safari
*   Chrome
*   Edge
*   Firefox

**Intel® IPP Cryptography Advisory**

**Summary: **

A potential security vulnerability in the Intel® Integrated Performance Primitives (IPP) Cryptography software library may allow information disclosure.  Intel is releasing software updates to mitigate this potential vulnerability.

**Vulnerability Details:**

CVEID: CVE-2021-33147

Description: Improper conditions check in the Intel(R) IPP Crypto library before version 2021.2 may allow an authenticated user to potentially enable information disclosure via local access.

CVSS Base Score: 2.5 Medium

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

**Affected Products:**

Intel® IPP Crypto library before version 2021.2.

**Recommendations:**

Intel recommends updating Intel® IPP Crypto library to version 2021.2 or later.

Updates are available for download at this location: https://github.com/intel/ipp-crypto

**Acknowledgements:**

This issue was found internally by Intel employees.

Intel, and nearly the entire technology industry, follows a disclosure practice called Coordinated Disclosure, under which a cybersecurity vulnerability is generally publicly disclosed only after mitigations are available.

**Revision History**

Revision

Date

Description

1.0

02/08/2022

Initial Release

**Legal Notices and Disclaimers**

Intel provides these materials as-is, with no express or implied warranties.

All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.

Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.

Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No product or component can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.

Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.

Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.

\*Other names and brands may be claimed as the property of others.  
Copyright © Intel Corporation 2022

**Report a Vulnerability**

If you have information about a security issue or vulnerability with an **Intel branded product or technology**, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

*   The products and versions affected
*   Detailed description of the vulnerability
*   Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

*   Vulnerability handling guidelines

For issues related to Intel's external web presence (Intel.com and related subdomains), please contact Intel's External Security Research team.

**Need product support?**

If you...

*   Have questions about the security features of an Intel product
*   Require technical support
*   Want product updates or patches

  
Please visit Support & Downloads.

*   Report a Vulnerability
*   Product Support

Search

lenovo warranty check/lookup | check warranty status | lenovo support us