Jenkins Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   JaCoCo Plugin
*   Mashup Portlets Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   OctoPerf Load Testing Plugin Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   Pipeline Aggregator View Plugin
*   remote-jobs-view-plugin Plugin
*   Role-based Authorization Strategy Plugin
*   Visual Studio Code Metrics Plugin

**Descriptions****Incorrect permission checks in Role-based Authorization Strategy Plugin**

**SECURITY-3053 / CVE-2023-28668**  
**Severity (CVSS):** Medium  
**Affected plugin: role-strategy**  
**Description:**

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa\_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to have greater access than they’re entitled to after the following operations took place:

1.  A permission is granted to attackers directly or through groups.
    
2.  The permission is disabled, e.g., through the script console.
    

Role-based Authorization Strategy Plugin 587.588.v850a\_20a\_30162 does not grant disabled permissions.

**Stored XSS vulnerability in JaCoCo Plugin**

**SECURITY-3061 / CVE-2023-28669**  
**Severity (CVSS):** High  
**Affected plugin: jacoco**  
**Description:**

JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

JaCoCo Plugin 3.3.2.1 escapes class and method names shown on the UI.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-2885 / CVE-2023-28670**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current view’s URL in inline JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

Pipeline Aggregator View Plugin 1.14 obtains the current URL in a way not susceptible to XSS.

**CSRF vulnerability in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (1) / CVE-2023-28671**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (2) / CVE-2023-28672**  
**Severity (CVSS):** High  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

OctoPerf Load Testing Plugin Plugin 4.5.2 properly performs a permission check when accessing the affected connection test HTTP endpoint.

**Missing permission check in OctoPerf Load Testing Plugin Plugin allows enumerating credentials IDs**

**SECURITY-3067 (3) / CVE-2023-28673**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in OctoPerf Load Testing Plugin Plugin 4.5.3 requires the appropriate permissions.

**CSRF vulnerability and missing permission checks in OctoPerf Load Testing Plugin Plugin**

**SECURITY-3067 (4) / CVE-2023-28674 (CSRF), CVE-2023-28675 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: octoperf**  
**Description:**

OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OctoPerf Load Testing Plugin Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**CSRF vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2963 / CVE-2023-28676**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966, this can result in the execution of unsandboxed Pipeline scripts.

**Command injection vulnerability in Convert To Pipeline Plugin results in RCE**

**SECURITY-2966 / CVE-2023-28677**  
**Severity (CVSS):** High  
**Affected plugin: convert-to-pipeline**  
**Description:**

Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations.

This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be pre-approved.

**Stored XSS vulnerability in Cppcheck Plugin**

**SECURITY-2809 / CVE-2023-28678**  
**Severity (CVSS):** High  
**Affected plugin: cppcheck**  
**Description:**

Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control report file contents.

**Stored XSS vulnerability in Mashup Portlets Plugin**

**SECURITY-2813 / CVE-2023-28679**  
**Severity (CVSS):** High  
**Affected plugin: mashup-portlets-plugin**  
**Description:**

Mashup Portlets Plugin 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission.

**XXE vulnerability in Crap4J Plugin**

**SECURITY-2925 / CVE-2023-28680**  
**Severity (CVSS):** High  
**Affected plugin: crap4j**  
**Description:**

Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Visual Studio Code Metrics Plugin**

**SECURITY-2926 / CVE-2023-28681**  
**Severity (CVSS):** High  
**Affected plugin: vs-code-metrics**  
**Description:**

Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Performance Publisher Plugin**

**SECURITY-2928 / CVE-2023-28682**  
**Severity (CVSS):** High  
**Affected plugin: perfpublisher**  
**Description:**

Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control PerfPublisher report files to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in Phabricator Differential Plugin**

**SECURITY-2942 / CVE-2023-28683**  
**Severity (CVSS):** High  
**Affected plugin: phabricator-plugin**  
**Description:**

Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control coverage report file contents for the 'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in remote-jobs-view-plugin Plugin**

**SECURITY-2956 / CVE-2023-28684**  
**Severity (CVSS):** High  
**Affected plugin: remote-jobs-view-plugin**  
**Description:**

remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**XXE vulnerability in AbsInt a³ Plugin**

**SECURITY-2930 / CVE-2023-28685**  
**Severity (CVSS):** High  
**Affected plugin: absint-a3**  
**Description:**

AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control 'Project File (APX)' contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Severity**

*   SECURITY-2809: High
*   SECURITY-2813: High
*   SECURITY-2885: High
*   SECURITY-2925: High
*   SECURITY-2926: High
*   SECURITY-2928: High
*   SECURITY-2930: High
*   SECURITY-2942: High
*   SECURITY-2956: High
*   SECURITY-2963: High
*   SECURITY-2966: High
*   SECURITY-3053: Medium
*   SECURITY-3061: High
*   SECURITY-3067 (1): Medium
*   SECURITY-3067 (2): High
*   SECURITY-3067 (3): Medium
*   SECURITY-3067 (4): Medium

**Affected Versions**

*   **AbsInt a³ Plugin** up to and including 1.1.0
*   **Convert To Pipeline Plugin** up to and including 1.0
*   **Cppcheck Plugin** up to and including 1.26
*   **Crap4J Plugin** up to and including 0.9
*   **JaCoCo Plugin** up to and including 3.3.2
*   **Mashup Portlets Plugin** up to and including 1.1.2
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.0
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** up to and including 4.5.2
*   **Performance Publisher Plugin** up to and including 8.09
*   **Phabricator Differential Plugin** up to and including 2.1.5
*   **Pipeline Aggregator View Plugin** up to and including 1.13
*   **remote-jobs-view-plugin Plugin** up to and including 0.0.3
*   **Role-based Authorization Strategy Plugin** up to and including 587.v2872c41fa\_e51
*   **Visual Studio Code Metrics Plugin** up to and including 1.7

**Fix**

*   **JaCoCo Plugin** should be updated to version 3.3.2.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.1
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.2
*   **OctoPerf Load Testing Plugin Plugin** should be updated to version 4.5.3
*   **Pipeline Aggregator View Plugin** should be updated to version 1.14
*   **Role-based Authorization Strategy Plugin** should be updated to version 587.588.v850a\_20a\_30162

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   AbsInt a³ Plugin
*   Convert To Pipeline Plugin
*   Cppcheck Plugin
*   Crap4J Plugin
*   Mashup Portlets Plugin
*   Performance Publisher Plugin
*   Phabricator Differential Plugin
*   remote-jobs-view-plugin Plugin
*   Visual Studio Code Metrics Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **CC Bomber, Kitri BoB** for SECURITY-2925, SECURITY-2926, SECURITY-2928, SECURITY-2930, SECURITY-2942, SECURITY-2963
*   **Daniel Beck, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2809
*   **Daniel Beck, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-3053
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2885, SECURITY-3061
*   **LaNyer640 & Crilwa** for SECURITY-2956
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2813
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2966, SECURITY-3067 (1), SECURITY-3067 (2), SECURITY-3067 (3), SECURITY-3067 (4)

CVE-2023-28679: Jenkins Security Advisory 2023-03-21

A cross-site request forgery (CSRF) vulnerability in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-28671: Jenkins Security Advisory 2023-03-21

Jenkins Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28681: Jenkins Security Advisory 2023-03-21

A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers to connect to a previously configured Octoperf server using attacker-specified credentials.

CVE-2023-28675: Jenkins Security Advisory 2023-03-21

Jenkins Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28680: Jenkins Security Advisory 2023-03-21

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action.

CVE-2023-28669: Jenkins Security Advisory 2023-03-21

Jenkins remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28684: Jenkins Security Advisory 2023-03-21

Jenkins Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-28682: Jenkins Security Advisory 2023-03-21

By Deeba Ahmed
Researchers have noted that attackers are targeting a medium-severity Zimbra vulnerability that the company patched in version 9.0.0 Patch 24, one year ago.
This is a post from HackRead.com Read the original post: Zimbra email platform vulnerability exploited to steal European govt emails

The cybersecurity researchers at Proofpoint have disclosed a new phishing campaign from the Russian APT group known as Winter Vivern, TA473, and UAC-0114. The group has been exploiting a vulnerability in Zimbra Collaboration software to hack the emails of government agencies in different European countries.

Although it is yet unproven which nation-state supports this APT group, security researchers believe that its activities are in alliance with the interests of Belarus and Russia.

For your information, Zimbra Collaboration is a business collaboration and email platform that allows users to send and receive emails, and manage contacts, calendars, and tasks. It can be used on-premise or in the cloud and is used by governments, educational institutions, service providers, and businesses.

**How Does the Group Target Victims?**

Winter Vivern’s modus operandi entails sending out phishing emails impersonating the target organizations or their parent organizations’ employees with political affiliation to the government.

These emails are sent from email IDs having compromised domains or hosted on vulnerable WordPress websites. The email message includes a link to a resource of the target organization’s official website.

The phishing email (Credit: Proofpoint)

However, this is a spoofed link as it redirects the recipient to a payload hosted on the attacker’s domain or a credential-stealing web page. This technique’s efficacy is now enhanced with a cross-site scripting vulnerability found in Zimbra.

**APT Group Exploiting Zimbra Vulnerability**

Zimbra is an open-source, on-premise and Cloud enabled business collaboration and email platform used by “hundreds of millions of mailboxes across 140 countries,” as per its website. The service is used by governments, educational institutions, service providers, and small to medium-sized businesses.

Proofpoint researchers noted that Winter Vivern is targeting the medium severity Zimbra vulnerability tracked as CVE-2022-27926, which Zimbra already patched in version 9.0.0 Patch 24, one year ago. The XSS flaws can allow threat actors to create links with appended code, which execute malware inside the browser when opened.

**Modus Operandi and Possible Dangers**

In the current campaign, the hackers target government agencies through vulnerable Zimbra installations/web interfaces and send phishing emails with links that exploit the XSS flaw and execute encoded JavaScript. When it is executed by the browser, a larger JavaScript payload is fetched from the attackers’ server and executed on the website in what’s called a cross-site request forgery attack. 

Attackers can now steal the victims’ usernames, passwords, and active CSRF tokens obtained from a cookie and transfer the information to their server. After obtaining login credentials and tokens, the malicious JavaScript uses hardcoded URLs to hijack the email portal.

“In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well. This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts before delivering phishing emails to organizations,” Proofpoint’s report read.

“These labour-intensive customized payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations,” Proofpoint noted.

**Who Are Vulnerable?**

Organizations that haven’t patched their Zimbra products in the past year are vulnerable to TA473 attacks. To prevent such attacks, it is important to restrict resources on publicly available webmail portals. This would prevent APT groups from engineering customized scripts that can steal credentials and log into the victim’s webmail accounts.

**Winter Vivern’s Past Victims**

The group’s past victims were located in India, Vietnam, Lithuania, Slovakia, and the Vatican. Sentinel Labs reported earlier in March that the group’s recent targets include Italian and Ukrainian Foreign Affairs ministries, Polish government agencies, Indian government officials, and telecommunication firms that support Ukraine in the war.

According to Proofpoint’s previous research, this group targeted elected government representatives in the US and their staffers.

1.  NATO Data Stolen in Cyberattack on Portugal
2.  Smartphones of NATO soldiers hacked by Russia
3.  Vulnerability found in NATO, EU-approved firewall
4.  NATO Probes Top Missile Firm MBDA Data Breach
5.  Russians hide Graphite malware in PowerPoint files

Zimbra email platform vulnerability exploited to steal European govt emails

By Habiba Rashid
CISA's advisory came after the Macedonian cybersecurity firm Zero Science Lab discovered and reported the vulnerabilities to authorities.
This is a post from HackRead.com Read the original post: CISA Warns of Vulnerabilities in Propump and Controls’ Osprey Pump Controller

The critical set of vulnerabilities allowed attackers to cause significant problems, such as taking control of the device and disrupting the water supply, among other nefarious activities.

Propump and Controls, a US-based company specializing in pumping systems and automated controls, has been found to have vulnerabilities in its Osprey Pump Controller, according to a report by Cybersecurity research firm Zero Science Lab.

The report stated that the vulnerabilities could allow hackers to cause significant problems, such as remotely taking control of the device and disrupting the water supply, among other nefarious activities.

CISA has published an advisory describing the vulnerabilities found by Krstic in the Osprey Pump Controller, and ten individual advisories describing each flaw were also published by Zero Science Lab’s website. The affected product is the Osprey Pump Controller version 1.01, which is used in pumping systems and automated controls. The following vulnerabilities have been discovered:

*   Insufficient entropy CWE-331: A predictable weak session token generation algorithm could aid in authentication and authorization bypass, allowing a threat actor to hijack a session by predicting the session id and gain unauthorized access to the product. CVE-2023-28395 has been assigned to this vulnerability. 

*   Use of GET request method with sensitive query strings CWE-598: An unauthenticated file disclosure could allow cybercriminals to force the affected device to disclose arbitrary files and sensitive system information. CVE-2023-28375 has been assigned to this vulnerability. 

*   Use of hard-coded password CWE-259: The web management interface configuration can be fully accessed through a hidden administrative account that has a hardcoded password. However, this account cannot be seen in the Usernames and Passwords menu of the application, and its password cannot be changed through any regular operation of the device. CVE-2023-28654 has been assigned to this vulnerability. 

*   Improper neutralization of special elements used in an OS command (‘OS command injection’) CWE-78: Vulnerability could allow unauthenticated OS command injection that may lead to an attacker injecting and executing arbitrary shell commands through HTTP POST or GET parameters. CVE-2023-27886 and CVE-2023-27394 have been assigned to these vulnerabilities.

*   Improper neutralization of input during web page generation (‘Cross-site scripting’) CWE-79: Inputs passed to a GET parameter are not properly sanitized before being returned to the user, which could enable attackers to execute arbitrary HTML/JS code in a user’s browser session in context of an affected site. CVE-2023-28648 has been assigned to this vulnerability.

*   Authentication bypass using an alternate path or channel CWE-288: This could enable an unauthorized user to bypass authentication and gain access to the system by creating an account through an alternate path or channel. CVE-2023-28398 has been assigned to this vulnerability.

*   Cross-site request forgery (CSRF) CWE-352: HTTP requests can be used by users to carry out actions without undergoing any verification checks. This may lead to a scenario where an individual without authorization may be able to carry out actions with administrative privileges in the event a logged-in user visits a harmful website. CVE-2023-28718 has been assigned to this vulnerability.

According to Security Week, the founder and chief information security engineer of Zero Science Lab, Gjoko Krstic, attempted to report his findings to the vendor, as well as the US Cybersecurity and Infrastructure Security Agency (CISA) and Carnegie Mellon University’s Vulnerability Information and Coordination Environment (VINCE), but the vendor has not responded, and the vulnerabilities likely remain unpatched.

According to Krstic, dozens of controllers are exposed on the internet, including in the case of the client whose network was assessed by Zero Science Lab. This means that attackers can access the controller and manipulate VFDs, change pressure, or cut down the water supply, depending on where the controller is applied.

In conclusion, the discovery of vulnerabilities in ProPump and Controls’ Osprey Pump Controller raises concerns about the security of industrial control systems. Companies need to ensure that their products are secure and that vulnerabilities are addressed in a timely and effective manner to prevent potential attacks that can lead to significant disruptions and damages.

However, as the vendor, in this case, has not responded, users of the Osprey Pump Controller need to take necessary precautions as instructed in the CISA advisory to protect their systems from possible attacks.

1.  Vulnerability that physically damage moving bridges
2.  Russian Building Controllers Can be Remotely Hacked
3.  Industrial Control Systems flaws let hackers unlock doors
4.  Using programmable logic controllers in industrial settings
5.  IoT Devices Hacked to Install Ransomware on OT Networks

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tag

#csrf