A researcher has combined a chain of bugs into an attack method that makes it possible to take over Facebook accounts linked to Gmail.
The post Gmail-linked Facebook accounts vulnerable to attack using a chain of bugs—now fixed appeared first on Malwarebytes Labs.

A security researcher has disclosed how he chained together multiple bugs in order to take over Facebook accounts that were linked to a Gmail account.

Youssef Sammouda states it was possible to target **all** Facebook users but that it was more complicated to develop an exploit, and using Gmail was actually enough to demonstrate the impact of his discoveries.

**Linked accounts**

Linked accounts were invented to make logging in easier. You can use one account to log in to other apps, sites and services. The most commonly used is the link between Facebook and Instagram, so we will use that as an example. Log in to one account and you are also practically logged in at the other. All you need to do to access the account is confirm that the account is yours.

Since 2009, Facebook has supported myOpenID, which allows users to login to Facebook with their Gmail credentials. To put it in a simpler way, this means that if you are currently logged in to your Gmail account, the moment you visit Facebook, you will be automatically logged in.

**Sandboxed CAPTCHA**

The first discovery that enabled this takeover method lies in the fact that Facebook uses an extra security mechanism called “Checkpoint” to make sure that any user that logs in is who they claim to be. In some cases Checkpoint present those users with a CAPTCHA challenge to limit the number of tries.

Facebook uses Google CAPTCHA and as an extra security feature the CAPTCHA is put in an iFrame. The iFrame is hosted on a sandboxed domain (fbsbx.com) to avoid adding third-party code from Google into the main domain (facebook.com). An iFrame is a piece of HTML code that allows developers to embed another HTML page on their website.

Now, for some reason, probably for logging purposes, the URL for the iFrame includes the link to the checkpoint as a parameter.

For example, let’s say the current URL is _https://www.facebook.com/checkpoint/CHECKPOINT\_ID/?test=test_. In that case the iframe page would be accessible through this URL: _https://www.fbsbx.com/captcha/recaptcha/iframe/?referer=https%3A%2F%2Fwww.facebook.com%2Fcheckpoint%2FCHECKPOINT\_ID%2F%3Ftest%3Dtest_

The attacker can replace the _referrer_ part in the URL by changing it into a _next_ parameter. This allows the attacker to send the URL including the login parameters to the sandbox domain. Now it is time to find a way to grab it from there, which is where cross-side-scripting (XSS) comes in.

**XSS**

XSS is a type of security vulnerability, and can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. Attackers can use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy.

The same-origin policy (SOP) is where a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page.

In this case that step was easy, since Facebook allows developers to test certain features and makes it possible for them to upload custom HTML files. The creator can upload these HTML files to the fbsbx.com domain. Which, as we saw earlier, is also in use for the Google CAPTCHA. Which allows the attacker to bypass the same origin policy since the target site and the custom script are on the same domain.

**CSRF**

CSRF is short for cross-site request forgery. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user’s account.

In his attack script, Youssef used undisclosed CRSF attacks to log the target user out and later log them back in through the Checkpoint.

**OAuth**

OAuth is a standard authorization protocol. It allows us to get access to protected data from an application. An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.

In this case, attackers can log out the current user and then log them back in to the attacker account which is in the Checkpoint state. But how does that allow the attacker to take over the Facebook account? By intercepting an OAuth Access Token string.

This is done by targeting a third-party OAuth provider that Facebook uses. One of these providers is Gmail. Gmail sends back the OAuth Access token to www.facebook.com for the logged in user. And since the attacker can steal the URL including the login parameters by sending them to the sandbox domain, they can intercept the OAuth Access Token string and the id\_token of the user.

**Takeover**

Summarized, the attacker can upload a script to the Facebook sandbox and try to trick his target(s) into visiting that page by sending them the URL.

Simplified, the script will:

1.  Log out the user from his current session (CSRF)
2.  Send them to the Checkpoint to log back in (CSRF)
3.  Open a constructed accounts.google.com URL that redirects the target to Facebook.

Once the target has visited the page with the script outlined above, the attacker can start harvesting the strings they need to take over the Facebook account.

1.  The attacker waits for the victim to log in and can later extract the Google OAuth Access Token string and id\_token
2.  Using the email address included in the id\_token they can start a password recovery process
3.  Now the attacker can construct a URL to access the target account with all the data they have gathered

**How to unlink accounts**

Some sites will offer to log you in using your Facebook credentials. The same reasoning that is true for using the same password for every site is true for using your Facebook credentials to login at other sites. We wouldn’t recommend it because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password is compromised.

You can check which accounts are linked to your Facebook account by opening the Facebook settings menu. Scroll down and open Settings & Privacy, then open Settings. At the bottom on the left, use the Accounts Center button. Tap Accounts & Profiles. There you can see a list ofthe accounts linked to your Facebook account. You can remove any unwanted linked accounts there.

**Facebook fix**

Youssef says he reported the issue to Facebook in February. It was fixed in March and a $44,625 bounty was awarded earlier this month.

We interviewed this Youssef last year. He told us he’s submitted at least a hundred reports to Facebook which have been resolved, making Facebook a safer platform along the way.

Gmail-linked Facebook accounts vulnerable to attack using a chain of bugs—now fixed

Remote Code Execution (RCE) in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery.

**code-snippets-extended**

**Software**

**Code Snippets Extended**

**Vulnerable Versions**

**<= 1.4.7**

**Fixed in version**

**CVE**

**CVE-2022-29429**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-05-04**

**CVSS 3.0 score**

**Plugin does not exist, is not supported or discontinued.**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) leading to Remote Code Execution (RCE) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Code Snippets Extended plugin (versions <= 1.4.7).**

**Solution**

**No patched version is available. No reply from the vendor.**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-29429: WordPress Code Snippets Extended plugin <= 1.4.7 - Cross-Site Request Forgery (CSRF) leading to Remote Code Execution (RCE) vulnerability - Patchstack

A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 17 May 2022 15:13:45 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins


Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Application Detector Plugin 1.0.9
\* Blue Ocean Plugin 1.25.4
\* Git Plugin 4.11.2
\* GitLab Plugin 1.5.32
\* Mercurial Plugin 2.16.1
\* Multiselect parameter Plugin 1.4
\* Pipeline SCM API for Blue Ocean Plugin 1.25.4
\* Pipeline: Groovy Plugin 2692.v76b\_089ccd026
\* REPO Plugin 1.14.1
\* Rundeck Plugin 3.6.11
\* Script Security Plugin 1172.v35f6a\_0b\_8207e
\* WMI Windows Agents Plugin 1.8.1

Additionally, we announce unresolved security issues in the following
plugins:

\* Autocomplete Parameter Plugin
\* Global Variable String Parameter Plugin
\* JDK Parameter Plugin
\* Promoted Builds (Simple) Plugin
\* Random String Parameter Plugin
\* Selection tasks Plugin
\* SSH Plugin
\* Storable Configs Plugin
\* vboxwrapper Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-05-17/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-359 / CVE-2022-30945
Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This
is intended to be used to allow Global Shared Libraries to execute without
sandbox protection.

In Pipeline: Groovy Plugin 2689.v434009a\_31b\_f1 and earlier, any Groovy
source files bundled with Jenkins core and plugins could be loaded this way
and their methods executed. If a suitable Groovy source file is available
on the classpath of Jenkins, sandbox protections can be bypassed.

NOTE: The Jenkins security team has been unable to identify any Groovy
source files in Jenkins core or plugins that would allow attackers to
execute dangerous code. While the severity of this issue is declared as
High due to the potential impact, successful exploitation is considered
very unlikely.


SECURITY-2116 / CVE-2022-30946
Script Security Plugin 1158.v7c1b\_73a\_69a\_08 and earlier does not require
POST requests for a form validation endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins send an HTTP request to
an attacker-specific webserver.


SECURITY-2478 / CVE-2022-30947 (Git) & CVE-2022-30948 (Mercurial) & CVE-2022-30949 (REPO)
SCMs support a number of different URL schemes, including local file system
paths (e.g. using \`file:\` URLs).

Historically in Jenkins, only agents checked out from SCM, and if multiple
projects share the same agent, there is no expected isolation between
builds besides using different workspaces unless overridden. Some
Pipeline-related features check out SCMs from the Jenkins controller as
well.

This allows attackers able to configure pipelines to check out some SCM
repositories stored on the Jenkins controller's file system using local
paths as SCM URLs, obtaining limited information about other projects' SCM
contents. The following Jenkins plugins are known to be affected:

\* Git 4.11.1 and earlier
\* Mercurial 2.16 and earlier
\* REPO 1.14.0 and earlier


SECURITY-2604 / CVE-2022-30950 (buffer overflow) & CVE-2022-30951 (access control)
WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote
Command library. It provides a general-purpose remote command execution
capability that Jenkins uses to check if Java is available, and if not, to
install it.

This library has a buffer overflow vulnerability that may allow users able
to connect to a named pipe to execute commands on the Windows agent
machine.

Additionally, while the processes are started as the user who connects to
the named pipe, no access control takes place, potentially allowing users
to start processes even if they're not allowed to log in.


SECURITY-714 / CVE-2022-30952
When pipelines are created using the pipeline creation wizard in Blue
Ocean, the credentials used are stored in the per-user credentials store of
the user creating the pipeline. To allow pipelines to use this credential
to scan repositories and checkout from SCM, the Blue Ocean Credentials
Provider allows pipelines to access a specific credential from the per-user
credentials store in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and
earlier.

As a result, attackers with Job/Configure permission can rewrite job
configurations in a way that lets them access and capture any
attacker-specified credential from any user's private credentials store.


SECURITY-2502 / CVE-2022-30953 (CSRF) & CVE-2022-30954 (permission check)
Blue Ocean Plugin 1.25.3 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read permission to send requests to an
attacker-specified URL.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.


SECURITY-2753 / CVE-2022-30955
GitLab Plugin 1.5.31 and earlier does not perform a permission check in an
HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.


SECURITY-2600 / CVE-2022-30956
Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck
webhook submissions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to submit crafted Rundeck webhook payloads.


SECURITY-2315 / CVE-2022-30957
SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP
endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2093 / CVE-2022-30958 (CSRF) & CVE-2022-30959 (permission check)
SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP
endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified SSH server using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2717 / CVE-2022-30960 through CVE-2022-30968
Multiple plugins do not escape the name and description of the parameter
types they provide:

\* Application Detector Plugin 1.0.8 and earlier (SECURITY-2732 /
  CVE-2022-30960)
\* Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 /
  CVE-2022-30961)
\* Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 /
  CVE-2022-30962)
\* JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
\* Multiselect parameter Plugin 1.3 and earlier (SECURITY-2726 /
  CVE-2022-30964)
\* Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 /
  CVE-2022-30965)
\* Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 /
  CVE-2022-30966)
\* Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
\* vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)

This results in stored cross-site scripting (XSS) vulnerabilites
exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed
on another page, like the "Build With Parameters" and "Parameters" pages
provided by Jenkins (core), and that those pages are not hardened to
prevent exploitation. Jenkins (core) has prevented exploitation of
vulnerabilities of this kind on the "Build With Parameters" and
"Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 /
CVE-2017-2601 fix. Additionally, several plugins have previously been
updated to list parameters in a way that prevents exploitation by default,
see SECURITY-2617 in the 2022-04-12 security advisory for a list.

As of publication of this advisory, there is no fix available for the
following plugins:

\* Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 /
  CVE-2022-30961)
\* Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 /
  CVE-2022-30962)
\* JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
\* Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 /
  CVE-2022-30965)
\* Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 /
  CVE-2022-30966)
\* Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
\* vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)


SECURITY-2322 / CVE-2022-30969
Autocomplete Parameter Plugin 1.1 and earlier does not require POST
requests for a form validation endpoint executing a provided Groovy script,
resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code without
sandbox protection if the victim is an administrator.

As of publication of this advisory, there is no fix.


SECURITY-2267 / CVE-2022-30970
Autocomplete Parameter Plugin 1.1 and earlier references Dropdown
Autocomplete parameter and Auto Complete String parameter names in an
unsafe manner from Javascript embedded in view definitions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

NOTE: While this looks similar to SECURITY-2729, this is an independent
problem and exploitable even on views rendering parameters that otherwise
attempt to prevent XSS vulnerabilities in parameter names.

As of publication of this advisory, there is no fix.


SECURITY-1969 / CVE-2022-30971 (XXE) & CVE-2022-30972 (CSRF)
Storable Configs Plugin 1.0 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse
a crafted file that uses external entities for extraction of secrets from
the Jenkins controller or server-side request forgery.

Additionally, the HTTP endpoint calling the XML parser does not require
POST requests, resulting in a cross-site request forgery (CSRF)
vulnerability.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-30946: security - Multiple vulnerabilities in Jenkins plugins

Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Application Detector Plugin
*   Autocomplete Parameter Plugin
*   Blue Ocean Plugin
*   Git Plugin
*   GitLab Plugin
*   Global Variable String Parameter Plugin
*   JDK Parameter Plugin
*   Mercurial Plugin
*   Multiselect parameter Plugin
*   Pipeline SCM API for Blue Ocean Plugin
*   Pipeline: Groovy Plugin
*   Promoted Builds (Simple) Plugin
*   Random String Parameter Plugin
*   REPO Plugin
*   Rundeck Plugin
*   Script Security Plugin
*   Selection tasks Plugin
*   SSH Plugin
*   Storable Configs Plugin
*   vboxwrapper Plugin
*   WMI Windows Agents Plugin

**Descriptions****Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin**

**SECURITY-359 / CVE-2022-30945**

Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection.

In Pipeline: Groovy Plugin 2689.v434009a\_31b\_f1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed.

Note

The Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.

Pipeline: Groovy Plugin 2692.v76b\_089ccd026 restricts which Groovy source files can be loaded in Pipelines.

Groovy source files in public plugins intended to be executed in sandboxed pipelines have been identified and added to an allowlist. The new extension point org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist allows plugins to add specific Groovy source files to that allowlist if necessary, but creation of plugin-specific Pipeline DSLs is strongly discouraged.

**CSRF vulnerability in Script Security Plugin**

**SECURITY-2116 / CVE-2022-30946**

Script Security Plugin 1158.v7c1b\_73a\_69a\_08 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

This form validation method no longer sends HTTP requests in Script Security Plugin 1172.v35f6a\_0b\_8207e.

**Multiple SCM plugins can check out from the controller file system**

**SECURITY-2478 / CVE-2022-30947 (Git), CVE-2022-30948 (Mercurial), CVE-2022-30949 (REPO)**

SCMs support a number of different URL schemes, including local file system paths (e.g. using file: URLs).

Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unless overridden. Some Pipeline-related features check out SCMs from the Jenkins controller as well.

This allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. The following Jenkins plugins are known to be affected:

*   Git 4.11.1 and earlier
    
*   Mercurial 2.16 and earlier
    
*   REPO 1.14.0 and earlier
    

Affected plugins have been updated to reject local file paths being checked out on the controller:

*   Git 4.11.2
    
*   Mercurial 2.16.1
    
*   REPO 1.15.0
    

**Multiple vulnerabilities in Windows Remote Command library in WMI Windows Agents Plugin**

**SECURITY-2604 / CVE-2022-30950 (buffer overflow), CVE-2022-30951 (access control)**

WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library. It provides a general-purpose remote command execution capability that Jenkins uses to check if Java is available, and if not, to install it.

This library has a buffer overflow vulnerability that may allow users able to connect to a named pipe to execute commands on the Windows agent machine.

Additionally, while the processes are started as the user who connects to the named pipe, no access control takes place, potentially allowing users to start processes even if they’re not allowed to log in.

WMI Windows Agents Plugin 1.8.1 no longer includes the Windows Remote Command library. A Java runtime is expected to be available on agent machines and WMI Windows Agents Plugin 1.8.1 does not install a JDK automatically otherwise.

Note

WMI Windows Agents Plugin is the only Jenkins project deliverable the Jenkins project security team is aware of that includes the Windows Remote Command library.

**User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin**

**SECURITY-714 / CVE-2022-30952**

When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provider allows pipelines to access a specific credential from the per-user credentials store in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier.

As a result, attackers with Job/Configure permission can rewrite job configurations in a way that lets them access and capture any attacker-specified credential from any user’s private credentials store.

Pipeline SCM API for Blue Ocean Plugin 1.25.4 deprecates the Blue Ocean Credentials Provider and disables it by default. As a result, all jobs initially set up using the Blue Ocean pipeline creation wizard and configured to use the credential specified at that time will no longer be able to access the credential, resulting in failures to scan repositories, checkout from SCM, etc. unless the repository is public and can be accessed without credentials.

Note

This also applies to newly created pipelines after Pipeline SCM API for Blue Ocean Plugin has been updated to 1.25.4.

Administrators should reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store. See this help page on cloudbees.com to learn more.

To re-enable the Blue Ocean Credentials Provider, set the Java system property io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.enabled to true. Doing so is discouraged, as that will restore the unsafe behavior.

Note

While Credentials Plugin provides the _Configure Credential Providers_ UI to enable or disable certain credentials providers, enabling the Blue Ocean Credentials Provider there is not enough in Pipeline SCM API for Blue Ocean Plugin 1.25.4. Both the UI and system property need to enable the Blue Ocean Credentials Provider.

Administrators not immediately able to update Blue Ocean are advised to disable the Blue Ocean Credentials Provider through the UI at _Manage Jenkins » Configure Credential Providers_ and to reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store.

**CSRF vulnerability and missing permission checks in Blue Ocean Plugin**

**SECURITY-2502 / CVE-2022-30953 (CSRF), CVE-2022-30954 (permission check)**

Blue Ocean Plugin 1.25.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to send requests to an attacker-specified URL.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Blue Ocean Plugin 1.25.4 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**Missing permission check in GitLab Plugin allows enumerating credentials IDs**

**SECURITY-2753 / CVE-2022-30955**

GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in GitLab Plugin 1.5.32 requires the appropriate permissions.

**Stored XSS vulnerability in Rundeck Plugin**

**SECURITY-2600 / CVE-2022-30956**

Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.

Rundeck Plugin 3.6.11 sanitizes URLs submitted in Rundeck webhook payloads.

**Missing permission check in SSH Plugin allows enumerating credentials IDs**

**SECURITY-2315 / CVE-2022-30957**

SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in SSH Plugin allow capturing credentials**

**SECURITY-2093 / CVE-2022-30958 (CSRF), CVE-2022-30959 (permission check)**

SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerabilities in multiple plugins providing additional parameter types**

**SECURITY-2717 / CVE-2022-30960 (Application Detector), CVE-2022-30961 (Autocomplete Parameter), CVE-2022-30962 (Global Variable String Parameter), CVE-2022-30963 (JDK Parameter), CVE-2022-30964 (Multiselect parameter), CVE-2022-30965 (Promoted Builds (Simple)), CVE-2022-30966 (Random String Parameter), CVE-2022-30967 (Selection tasks), CVE-2022-30968 (vboxwrapper)**

Multiple plugins do not escape the name and description of the parameter types they provide:

*   Application Detector Plugin 1.0.8 and earlier (SECURITY-2732 / CVE-2022-30960)
    
*   Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 / CVE-2022-30961)
    
*   Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 / CVE-2022-30962)
    
*   JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
    
*   Multiselect parameter Plugin 1.3 and earlier (SECURITY-2726 / CVE-2022-30964)
    
*   Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 / CVE-2022-30965)
    
*   Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 / CVE-2022-30966)
    
*   Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
    
*   vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)
    

This results in stored cross-site scripting (XSS) vulnerabilites exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, several plugins have previously been updated to list parameters in a way that prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security advisory for a list.

The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified:

*   Application Detector Plugin 1.0.9
    
*   Multiselect parameter Plugin 1.4
    

As of publication of this advisory, there is no fix available for the following plugins:

*   Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 / CVE-2022-30961)
    
*   Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 / CVE-2022-30962)
    
*   JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
    
*   Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 / CVE-2022-30965)
    
*   Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 / CVE-2022-30966)
    
*   Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
    
*   vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)
    

**CSRF vulnerability in Autocomplete Parameter Plugin results in RCE**

**SECURITY-2322 / CVE-2022-30969**

Autocomplete Parameter Plugin 1.1 and earlier does not require POST requests for a form validation endpoint executing a provided Groovy script, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Autocomplete Parameter Plugin**

**SECURITY-2267 / CVE-2022-30970**

Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Note

While this looks similar to SECURITY-2729, this is an independent problem and exploitable even on views rendering parameters that otherwise attempt to prevent XSS vulnerabilities in parameter names.

As of publication of this advisory, there is no fix.

**XXE vulnerability in Storable Configs Plugin**

**SECURITY-1969 / CVE-2022-30971 (XXE), CVE-2022-30972 (CSRF)**

Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, the HTTP endpoint calling the XML parser does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-359: High
*   SECURITY-714: Medium
*   SECURITY-1969: High
*   SECURITY-2093: High
*   SECURITY-2116: Medium
*   SECURITY-2267: High
*   SECURITY-2315: Medium
*   SECURITY-2322: High
*   SECURITY-2478: Low
*   SECURITY-2502: Medium
*   SECURITY-2600: High
*   SECURITY-2604: Medium
*   SECURITY-2717: High
*   SECURITY-2753: Medium

**Affected Versions**

*   **Application Detector Plugin** up to and including 1.0.8
*   **Autocomplete Parameter Plugin** up to and including 1.1
*   **Blue Ocean Plugin** up to and including 1.25.3
*   **Git Plugin** up to and including 4.11.1
*   **GitLab Plugin** up to and including 1.5.31
*   **Global Variable String Parameter Plugin** up to and including 1.2
*   **JDK Parameter Plugin** up to and including 1.0
*   **Mercurial Plugin** up to and including 2.16
*   **Multiselect parameter Plugin** up to and including 1.3
*   **Pipeline SCM API for Blue Ocean Plugin** up to and including 1.25.3
*   **Pipeline: Groovy Plugin** up to and including 2689.v434009a\_31b\_f1
*   **Promoted Builds (Simple) Plugin** up to and including 1.9
*   **Random String Parameter Plugin** up to and including 1.0
*   **REPO Plugin** up to and including 1.14.0
*   **Rundeck Plugin** up to and including 3.6.10
*   **Script Security Plugin** up to and including 1158.v7c1b\_73a\_69a\_08
*   **Selection tasks Plugin** up to and including 1.0
*   **SSH Plugin** up to and including 2.6.1
*   **Storable Configs Plugin** up to and including 1.0
*   **vboxwrapper Plugin** up to and including 1.3
*   **WMI Windows Agents Plugin** up to and including 1.8

**Fix**

*   **Application Detector Plugin** should be updated to version 1.0.9
*   **Blue Ocean Plugin** should be updated to version 1.25.4
*   **Git Plugin** should be updated to version 4.11.2
*   **GitLab Plugin** should be updated to version 1.5.32
*   **Mercurial Plugin** should be updated to version 2.16.1
*   **Multiselect parameter Plugin** should be updated to version 1.4
*   **Pipeline SCM API for Blue Ocean Plugin** should be updated to version 1.25.4
*   **Pipeline: Groovy Plugin** should be updated to version 2692.v76b\_089ccd026
*   **REPO Plugin** should be updated to version 1.14.1
*   **Rundeck Plugin** should be updated to version 3.6.11
*   **Script Security Plugin** should be updated to version 1172.v35f6a\_0b\_8207e
*   **WMI Windows Agents Plugin** should be updated to version 1.8.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Autocomplete Parameter Plugin
*   Global Variable String Parameter Plugin
*   JDK Parameter Plugin
*   Promoted Builds (Simple) Plugin
*   Random String Parameter Plugin
*   Selection tasks Plugin
*   SSH Plugin
*   Storable Configs Plugin
*   vboxwrapper Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1969, SECURITY-2478
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-359
*   **Kalle Niemitalo, Procomp Solutions Oy** for SECURITY-2604
*   **Kevin Guerroudj** for SECURITY-2267
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2600, SECURITY-2753
*   **Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-2717
*   **Kevin Guerroudj, Justin Philip, Marc Heyries, Wadeck Follonier, CloudBees, Inc.** for SECURITY-2322
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2093
*   **Tanner Emek from Tinder Security Labs** for SECURITY-2502
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2315

CVE-2022-30963: Jenkins Security Advisory 2022-05-17

A cross-site request forgery (CSRF) vulnerability in Jenkins Autocomplete Parameter Plugin 1.1 and earlier allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.

CVE-2022-30969: Jenkins Security Advisory 2022-05-17

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2022-30971: Jenkins Security Advisory 2022-05-17

Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-30955: Jenkins Security Advisory 2022-05-17

Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.

CVE-2022-30945: Jenkins Security Advisory 2022-05-17

Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-30970: Jenkins Security Advisory 2022-05-17

Jenkins Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.

Tag

#csrf