A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.

**WDC Tracking Number:** WDC-22002  
**Published:** January 13, 2022

**Last Updated:** January 13, 2022

**Description**

My Cloud OS 5 Firmware 5.19.117 includes updates to help improve the security of your My Cloud OS 5 devices.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

**Advisory Summary**

A flaw was discovered in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to gain potential privilege escalation. Addressed this vulnerability by updating Debian (buster) version to 2:4.9.5+dfsg-5+deb10u2.

A use-after-free vulnerability was found in the International Components for Unicode (ICU) library which could result in denial of service or potentially the execution of arbitrary code. Addressed this vulnerability by updating the Debian (buster) version to 63.1-6+deb10u2.

**CVE Number:** CVE-2020-21913

A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.

**CVE Number:** CVE-2022-22991  
Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative

My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service. Addressed the vulnerability by adding defenses against stack overflow issues.

**CVE Number:** CVE-2022-22989

A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.

**CVE Number:** CVE-2022-22990  
Reported By: Sam Thomas (@\_s\_n\_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative

CVE-2022-22991: WDC-22002 My Cloud OS 5 Firmware 5.19.117 | Western Digital

Cross-site request forgery (CSRF) vulnerabilities in Jenkins batch task Plugin 1.19 and earlier allows attackers with Overall/Read access to retrieve logs, build or delete a batch task.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Active Directory Plugin
*   Badge Plugin
*   batch task Plugin
*   Bitbucket Branch Source Plugin
*   Configuration as Code Plugin
*   Conjur Secrets Plugin
*   Credentials Binding Plugin
*   Debian Package Builder Plugin
*   Docker Commons Plugin
*   HashiCorp Vault Plugin
*   Mailer Plugin
*   Matrix Project Plugin
*   Metrics Plugin
*   Publish Over SSH Plugin
*   SSH Agent Plugin
*   Warnings Plugin

**Descriptions****CSRF vulnerability in build triggers**

**SECURITY-2558 / CVE-2022-20612**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger build of job without parameters.

Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability and missing permission checks in Mailer Plugin**

**SECURITY-2163 / CVE-2022-20613 (CSRF), CVE-2022-20614 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Mailer Plugin 408.vd726a\_1130320 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in Matrix Project Plugin**

**SECURITY-2017 / CVE-2022-20615**  
**Severity (CVSS):** High  
**Affected plugin: matrix-project**  
**Description:**

Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 escapes HTML metacharacters in node and label names, and label descriptions.

**Missing permission check in Credentials Binding Plugin allows validating secret file credentials IDs**

**SECURITY-2342 / CVE-2022-20616**  
**Severity (CVSS):** Low  
**Affected plugin: credentials-binding**  
**Description:**

Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.

Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.

**OS command execution vulnerability in Docker Commons Plugin**

**SECURITY-1878 / CVE-2022-20617**  
**Severity (CVSS):** High  
**Affected plugin: docker-commons**  
**Description:**

Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag.

This results in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.

Docker Commons Plugin 1.18 sanitizes the name of an image or a tag.

**Missing permission checks in Bitbucket Branch Source Plugin allow enumerating credentials IDs**

**SECURITY-2033 / CVE-2022-20618**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184 requires the appropriate permissions.

**CSRF vulnerability in Bitbucket Branch Source Plugin allows capturing credentials**

**SECURITY-2467 / CVE-2022-20619**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184 requires POST requests for the affected HTTP endpoint.

**Missing permission checks in SSH Agent Plugin allow enumerating credentials IDs**

**SECURITY-2189 / CVE-2022-20620**  
**Severity (CVSS):** Medium  
**Affected plugin: ssh-agent**  
**Description:**

SSH Agent Plugin 1.23 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in SSH Agent Plugin 1.23.2 requires the appropriate permissions.

**Access key stored in plain text by Metrics Plugin**

**SECURITY-1624 / CVE-2022-20621**  
**Severity (CVSS):** Low  
**Affected plugin: metrics**  
**Description:**

Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

**User passwords transmitted in plain text by Active Directory Plugin**

**SECURITY-1389 / CVE-2022-23105**  
**Severity (CVSS):** Medium  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers unless it is configured to use the OS agnostic LDAP mode and the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps is set to true.

This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain credentials of users logging into Jenkins, as well as credentials of the manager DN (LDAP mode) or the Windows/Active Directory user Jenkins is running as (ADSI mode).

Active Directory Plugin 2.25.1 adds an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP). This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory. Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.

Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration unless the (now otherwise obsolete) flag hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set to true.

The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE and hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE. See the plugin documentation for further details.

Care needs to be taken when reconfiguring the security realm to not accidentally lock yourself out. See the documentation for advice how to resolve this problem if it occurs.

**Non-constant time token comparison in Configuration as Code Plugin**

**SECURITY-2141 / CVE-2022-23106**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Configuration as Code Plugin 1.55.1 now uses a constant-time comparison when validating authentication tokens.

**Path traversal vulnerability in Warnings Plugin**

**SECURITY-2090 / CVE-2022-23107**  
**Severity (CVSS):** Medium  
**Affected plugin: warnings-ng**  
**Description:**

Warnings Plugin 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

Warnings Plugin 9.10.3 checks for the presence of prohibited directory separator characters in the custom ID.

**Stored XSS vulnerability in Badge Plugin**

**SECURITY-2547 / CVE-2022-23108**  
**Severity (CVSS):** High  
**Affected plugin: badge**  
**Description:**

Badge Plugin allows adding custom build badges with a custom description and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Badge Plugin 1.9.1 escapes the description and check for allowed protocols when creating a badge.

**Improper credentials masking in HashiCorp Vault Plugin**

**SECURITY-2213 / CVE-2022-23109**  
**Severity (CVSS):** Medium  
**Affected plugin: hashicorp-vault-plugin**  
**Description:**

Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline steps to explicitly specify that variables are to be treated as sensitive and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and Pipeline step descriptions.

HashiCorp Vault Plugin 3.8.0 explicitly masks Vault credentials in build logs and Pipeline step descriptions.

This fix only applies to new builds. Administrators are advised to review build logs and Pipeline metadata files created before HashiCorp Vault Plugin 3.8.0 for the presence of Vault credentials.

**Stored XSS vulnerability in Publish Over SSH Plugin**

**SECURITY-2287 / CVE-2022-23110**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

**CSRF vulnerability and missing permission checks in Publish Over SSH Plugin**

**SECURITY-2290 / CVE-2022-23111 (CSRF), CVE-2022-23112 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not perform permission checks in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Path traversal vulnerability in Publish Over SSH Plugin**

**SECURITY-2307 / CVE-2022-23113**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

**Password stored in plain text by Publish Over SSH Plugin**

**SECURITY-2291 / CVE-2022-23114**  
**Severity (CVSS):** Low  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

**CSRF vulnerability in batch task Plugin**

**SECURITY-1025 / CVE-2022-23115**  
**Severity (CVSS):** Medium  
**Affected plugin: batch-task**  
**Description:**

batch task Plugin 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows decrypting secrets**

**SECURITY-2522 (1) / CVE-2022-23116**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret.

This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows retrieving all credentials**

**SECURITY-2522 (2) / CVE-2022-23117**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials (Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those credentials.

**Agent-to-controller security bypass in Debian Package Builder Plugin**

**SECURITY-2546 / CVE-2022-23118**  
**Severity (CVSS):** High  
**Affected plugin: debian-package-builder**  
**Description:**

Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.

**Severity**

*   SECURITY-1025: Medium
*   SECURITY-1389: Medium
*   SECURITY-1624: Low
*   SECURITY-1878: High
*   SECURITY-2017: High
*   SECURITY-2033: Medium
*   SECURITY-2090: Medium
*   SECURITY-2141: Low
*   SECURITY-2163: Medium
*   SECURITY-2189: Medium
*   SECURITY-2213: Medium
*   SECURITY-2287: Medium
*   SECURITY-2290: Medium
*   SECURITY-2291: Low
*   SECURITY-2307: Medium
*   SECURITY-2342: Low
*   SECURITY-2467: High
*   SECURITY-2522 (1): Medium
*   SECURITY-2522 (2): Medium
*   SECURITY-2546: High
*   SECURITY-2547: High
*   SECURITY-2558: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.329
*   **Jenkins LTS** up to and including 2.319.1
*   **Active Directory Plugin** up to and including 2.25
*   **Badge Plugin** up to and including 1.9
*   **batch task Plugin** up to and including 1.19
*   **Bitbucket Branch Source Plugin** up to and including 737.vdf9dc06105be
*   **Configuration as Code Plugin** up to and including 1.55
*   **Conjur Secrets Plugin** up to and including 1.0.9
*   **Credentials Binding Plugin** up to and including 1.27
*   **Debian Package Builder Plugin** up to and including 1.6.11
*   **Docker Commons Plugin** up to and including 1.17
*   **HashiCorp Vault Plugin** up to and including 3.7.0
*   **Mailer Plugin** up to and including 391.ve4a\_38c1b\_cf4b\_
*   **Matrix Project Plugin** up to and including 1.19
*   **Metrics Plugin** up to and including 4.0.2.8
*   **Publish Over SSH Plugin** up to and including 1.22
*   **SSH Agent Plugin** up to and including 1.23
*   **Warnings Plugin** up to and including 9.10.2

**Fix**

*   **Jenkins weekly** should be updated to version 2.330
*   **Jenkins LTS** should be updated to version 2.319.2
*   **Active Directory Plugin** should be updated to version 2.25.1
*   **Badge Plugin** should be updated to version 1.9.1
*   **Bitbucket Branch Source Plugin** should be updated to version 746.v350d2781c184
*   **Configuration as Code Plugin** should be updated to version 1.55.1
*   **Credentials Binding Plugin** should be updated to version 1.27.1
*   **Docker Commons Plugin** should be updated to version 1.18
*   **HashiCorp Vault Plugin** should be updated to version 3.8.0
*   **Mailer Plugin** should be updated to version 408.vd726a\_1130320
*   **Matrix Project Plugin** should be updated to version 1.20
*   **Metrics Plugin** should be updated to version 4.0.2.8.1
*   **SSH Agent Plugin** should be updated to version 1.23.2
*   **Warnings Plugin** should be updated to version 9.10.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   batch task Plugin
*   Conjur Secrets Plugin
*   Debian Package Builder Plugin
*   Publish Over SSH Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2033, SECURITY-2522 (1), SECURITY-2522 (2), SECURITY-2546
*   **Devin Nusbaum, CloudBees, Inc.** for SECURITY-2467
*   **James Nord, CloudBees, Inc.** for SECURITY-2141
*   **Jasen Minton** for SECURITY-2213
*   **Kevin Guerroudj** for SECURITY-2287
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2547
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2558
*   **Kevin Guerroudj, Justin Philip and Marc Heyries** for SECURITY-2307
*   **Marc Heyries, Justin Philip and Kevin Guerroudj** for SECURITY-2290, SECURITY-2291
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-2163
*   **Oleg Nenashev** for SECURITY-1025
*   **Tomasz Szuba** for SECURITY-1878
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2017, SECURITY-2090
*   **Wasin Saengow** for SECURITY-1624

CVE-2022-23115: Jenkins Security Advisory 2022-01-12

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Wed, 12 Jan 2022 19:10:44 +0100
From: Wadeck Follonier <wfollonier@...udbees.com>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Jenkins 2.330
\* Jenkins LTS 2.319.2
\* Active Directory Plugin 2.25.1
\* Badge Plugin 1.9.1
\* Bitbucket Branch Source Plugin 746.v350d2781c184
\* Configuration as Code Plugin 1.55.1
\* Credentials Binding Plugin 1.27.1
\* Docker Commons Plugin 1.18
\* HashiCorp Vault Plugin 3.8.0
\* Mailer Plugin 408.vd726a\_1130320
\* Matrix Project Plugin 1.20
\* Metrics Plugin 4.0.2.8.1
\* SSH Agent Plugin 1.23.2
\* Warnings Next Generation Plugin 9.10.3

Additionally, we announce unresolved security issues in the following
plugins:

\* batch task Plugin
\* Conjur Secrets Plugin
\* Debian Package Builder Plugin
\* Publish Over SSH Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-01-12/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2558 / CVE-2022-20612
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST
requests for the HTTP endpoint handling manual build requests when no
security realm is set, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to trigger build of job without
parameters.


SECURITY-2163 / CVE-2022-20613 (CSRF) & CVE-2022-20614 (missing permission
check)
Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a
permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the
Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.


SECURITY-2017 / CVE-2022-20615
Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters
in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Agent/Configure permission.


SECURITY-2342 / CVE-2022-20616
Credentials Binding Plugin 1.27 and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential
ID refers to a secret file credential and whether it's a zip file.


SECURITY-1878 / CVE-2022-20617
Docker Commons Plugin 1.17 and earlier does not sanitize the name of an
image or a tag.

This results in an OS command execution vulnerability exploitable by
attackers with Item/Configure permission or able to control the contents of
a previously configured job's SCM repository.


SECURITY-2033 / CVE-2022-20618
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not
perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-2467 / CVE-2022-20619
Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not
require POST requests for an HTTP endpoint, resulting in a cross-site
request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.


SECURITY-2189 / CVE-2022-20620
SSH Agent Plugin 1.23 and earlier does not perform permission checks in
several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.


SECURITY-1624 / CVE-2022-20621
Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its
global configuration file \`jenkins.metrics.api.MetricsAccessKey.xml\` on the
Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins
controller file system.


SECURITY-1389 / CVE-2022-23105
Active Directory Plugin implements two separate modes: integration with
ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission
of data between the Jenkins controller and Active Directory servers unless
it is configured to use the OS agnostic LDAP mode and the system property
\`hudson.plugins.active\_directory.ActiveDirectorySecurityRealm.forceLdaps\`
is set to \`true\`.

This allows attackers able to capture network traffic between the Jenkins
controller and Active Directory servers to obtain credentials of users
logging into Jenkins, as well as credentials of the manager DN (LDAP mode)
or the Windows/Active Directory user Jenkins is running as (ADSI mode).


SECURITY-2141 / CVE-2022-23106
Configuration as Code Plugin 1.55 and earlier does not use a constant-time
comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain
a valid authentication token.


SECURITY-2090 / CVE-2022-23107
Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the
name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read
specific files with a hard-coded suffix on the Jenkins controller file
system.


SECURITY-2547 / CVE-2022-23108
Badge Plugin allows adding custom build badges with a custom description
and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not
check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.


SECURITY-2213 / CVE-2022-23109
Pipelines display commands executed in their Pipeline step descriptions and
their output in build logs. To mask sensitive output,
Pipeline: Groovy Plugin 2.84 and earlier specified an
allowlist of known non-sensitive variables and masked everything else. This
caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline
steps to explicitly specify that variables are to be treated as sensitive
and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior
and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and
Pipeline step descriptions.


SECURITY-2287 / CVE-2022-23110
Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server
name.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Overall/Administer permission.

As of publication of this advisory, there is no fix.


SECURITY-2290 / CVE-2022-23111 (CSRF) & CVE-2022-23112 (missing permission
check)
Publish Over SSH Plugin 1.22 and earlier does not perform permission checks
in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an
attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2307 / CVE-2022-23113
Publish Over SSH Plugin 1.22 and earlier performs a validation of the file
name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with
Item/Configure permission to discover the name of the Jenkins controller
files.

As of publication of this advisory, there is no fix.


SECURITY-2291 / CVE-2022-23114
Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its
global configuration file
\`jenkins.plugins.publish\_over\_ssh.BapSshPublisherPlugin.xml\` on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.


SECURITY-1025 / CVE-2022-23115
batch task Plugin 1.19 and earlier does not require POST requests for
several HTTP endpoints, resulting in cross-site request forgery (CSRF)
vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve
logs, build or delete a batch task.

As of publication of this advisory, there is no fix.


SECURITY-2522 (1) / CVE-2022-23116
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that
allows agent processes to obtain the plain text of any attacker-provided
encrypted secret.

This allows attackers able to control agent processes to decrypt secrets
stored in Jenkins obtained through another method.

As of publication of this advisory, there is no fix.


SECURITY-2522 (2) / CVE-2022-23117
Conjur Secrets Plugin 1.0.9 and earlier implements functionality that
allows agent processes to obtain all username/password credentials
(Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those
credentials.

As of publication of this advisory, there is no fix.


SECURITY-2546 / CVE-2022-23118
Debian Package Builder Plugin 1.6.11 and earlier implements functionality
that allows agent processes to invoke command-line \`git\` at an
attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary
OS commands on the controller.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2022-23116: security - Multiple vulnerabilities in Jenkins and Jenkins plugins

Jenkins Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agents to invoke command-line `git` at an attacker-specified path on the controller, allowing attackers able to control agent processes to invoke arbitrary OS commands on the controller.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Active Directory Plugin
*   Badge Plugin
*   batch task Plugin
*   Bitbucket Branch Source Plugin
*   Configuration as Code Plugin
*   Conjur Secrets Plugin
*   Credentials Binding Plugin
*   Debian Package Builder Plugin
*   Docker Commons Plugin
*   HashiCorp Vault Plugin
*   Mailer Plugin
*   Matrix Project Plugin
*   Metrics Plugin
*   Publish Over SSH Plugin
*   SSH Agent Plugin
*   Warnings Next Generation Plugin

**Descriptions****CSRF vulnerability in build triggers**

**SECURITY-2558 / CVE-2022-20612**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger build of job without parameters.

Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability and missing permission checks in Mailer Plugin**

**SECURITY-2163 / CVE-2022-20613 (CSRF), CVE-2022-20614 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Mailer Plugin 408.vd726a\_1130320 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in Matrix Project Plugin**

**SECURITY-2017 / CVE-2022-20615**  
**Severity (CVSS):** High  
**Affected plugin: matrix-project**  
**Description:**

Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 escapes HTML metacharacters in node and label names, and label descriptions.

**Missing permission check in Credentials Binding Plugin allows validating secret file credentials IDs**

**SECURITY-2342 / CVE-2022-20616**  
**Severity (CVSS):** Low  
**Affected plugin: credentials-binding**  
**Description:**

Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.

Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.

**OS command execution vulnerability in Docker Commons Plugin**

**SECURITY-1878 / CVE-2022-20617**  
**Severity (CVSS):** High  
**Affected plugin: docker-commons**  
**Description:**

Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag.

This results in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.

Docker Commons Plugin 1.18 sanitizes the name of an image or a tag.

**Missing permission checks in Bitbucket Branch Source Plugin allow enumerating credentials IDs**

**SECURITY-2033 / CVE-2022-20618**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184 requires the appropriate permissions.

**CSRF vulnerability in Bitbucket Branch Source Plugin allows capturing credentials**

**SECURITY-2467 / CVE-2022-20619**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184 requires POST requests for the affected HTTP endpoint.

**Missing permission checks in SSH Agent Plugin allow enumerating credentials IDs**

**SECURITY-2189 / CVE-2022-20620**  
**Severity (CVSS):** Medium  
**Affected plugin: ssh-agent**  
**Description:**

SSH Agent Plugin 1.23 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in SSH Agent Plugin 1.23.2 requires the appropriate permissions.

**Access key stored in plain text by Metrics Plugin**

**SECURITY-1624 / CVE-2022-20621**  
**Severity (CVSS):** Low  
**Affected plugin: metrics**  
**Description:**

Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

**User passwords transmitted in plain text by Active Directory Plugin**

**SECURITY-1389 / CVE-2022-23105**  
**Severity (CVSS):** Medium  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers unless it is configured to use the OS agnostic LDAP mode and the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps is set to true.

This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain credentials of users logging into Jenkins, as well as credentials of the manager DN (LDAP mode) or the Windows/Active Directory user Jenkins is running as (ADSI mode).

Active Directory Plugin 2.25.1 adds an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP). This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory. Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.

Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration unless the (now otherwise obsolete) flag hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set to true.

The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE and hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE. See the plugin documentation for further details.

Care needs to be taken when reconfiguring the security realm to not accidentally lock yourself out. See the documentation for advice how to resolve this problem if it occurs.

**Non-constant time token comparison in Configuration as Code Plugin**

**SECURITY-2141 / CVE-2022-23106**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Configuration as Code Plugin 1.55.1 now uses a constant-time comparison when validating authentication tokens.

**Path traversal vulnerability in Warnings Next Generation Plugin**

**SECURITY-2090 / CVE-2022-23107**  
**Severity (CVSS):** Medium  
**Affected plugin: warnings-ng**  
**Description:**

Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

Warnings Next Generation Plugin 9.10.3 checks for the presence of prohibited directory separator characters in the custom ID.

**Stored XSS vulnerability in Badge Plugin**

**SECURITY-2547 / CVE-2022-23108**  
**Severity (CVSS):** High  
**Affected plugin: badge**  
**Description:**

Badge Plugin allows adding custom build badges with a custom description and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Badge Plugin 1.9.1 escapes the description and check for allowed protocols when creating a badge.

**Improper credentials masking in HashiCorp Vault Plugin**

**SECURITY-2213 / CVE-2022-23109**  
**Severity (CVSS):** Medium  
**Affected plugin: hashicorp-vault-plugin**  
**Description:**

Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline steps to explicitly specify that variables are to be treated as sensitive and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and Pipeline step descriptions.

HashiCorp Vault Plugin 3.8.0 explicitly masks Vault credentials in build logs and Pipeline step descriptions.

This fix only applies to new builds. Administrators are advised to review build logs and Pipeline metadata files created before HashiCorp Vault Plugin 3.8.0 for the presence of Vault credentials.

**Stored XSS vulnerability in Publish Over SSH Plugin**

**SECURITY-2287 / CVE-2022-23110**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

**CSRF vulnerability and missing permission checks in Publish Over SSH Plugin**

**SECURITY-2290 / CVE-2022-23111 (CSRF), CVE-2022-23112 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not perform permission checks in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Path traversal vulnerability in Publish Over SSH Plugin**

**SECURITY-2307 / CVE-2022-23113**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

**Password stored in plain text by Publish Over SSH Plugin**

**SECURITY-2291 / CVE-2022-23114**  
**Severity (CVSS):** Low  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

**CSRF vulnerability in batch task Plugin**

**SECURITY-1025 / CVE-2022-23115**  
**Severity (CVSS):** Medium  
**Affected plugin: batch-task**  
**Description:**

batch task Plugin 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows decrypting secrets**

**SECURITY-2522 (1) / CVE-2022-23116**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret.

This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows retrieving all credentials**

**SECURITY-2522 (2) / CVE-2022-23117**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials (Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those credentials.

**Agent-to-controller security bypass in Debian Package Builder Plugin**

**SECURITY-2546 / CVE-2022-23118**  
**Severity (CVSS):** High  
**Affected plugin: debian-package-builder**  
**Description:**

Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.

**Severity**

*   SECURITY-1025: Medium
*   SECURITY-1389: Medium
*   SECURITY-1624: Low
*   SECURITY-1878: High
*   SECURITY-2017: High
*   SECURITY-2033: Medium
*   SECURITY-2090: Medium
*   SECURITY-2141: Low
*   SECURITY-2163: Medium
*   SECURITY-2189: Medium
*   SECURITY-2213: Medium
*   SECURITY-2287: Medium
*   SECURITY-2290: Medium
*   SECURITY-2291: Low
*   SECURITY-2307: Medium
*   SECURITY-2342: Low
*   SECURITY-2467: High
*   SECURITY-2522 (1): Medium
*   SECURITY-2522 (2): Medium
*   SECURITY-2546: High
*   SECURITY-2547: High
*   SECURITY-2558: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.329
*   **Jenkins LTS** up to and including 2.319.1
*   **Active Directory Plugin** up to and including 2.25
*   **Badge Plugin** up to and including 1.9
*   **batch task Plugin** up to and including 1.19
*   **Bitbucket Branch Source Plugin** up to and including 737.vdf9dc06105be
*   **Configuration as Code Plugin** up to and including 1.55
*   **Conjur Secrets Plugin** up to and including 1.0.9
*   **Credentials Binding Plugin** up to and including 1.27
*   **Debian Package Builder Plugin** up to and including 1.6.11
*   **Docker Commons Plugin** up to and including 1.17
*   **HashiCorp Vault Plugin** up to and including 3.7.0
*   **Mailer Plugin** up to and including 391.ve4a\_38c1b\_cf4b\_
*   **Matrix Project Plugin** up to and including 1.19
*   **Metrics Plugin** up to and including 4.0.2.8
*   **Publish Over SSH Plugin** up to and including 1.22
*   **SSH Agent Plugin** up to and including 1.23
*   **Warnings Next Generation Plugin** up to and including 9.10.2

**Fix**

*   **Jenkins weekly** should be updated to version 2.330
*   **Jenkins LTS** should be updated to version 2.319.2
*   **Active Directory Plugin** should be updated to version 2.25.1
*   **Badge Plugin** should be updated to version 1.9.1
*   **Bitbucket Branch Source Plugin** should be updated to version 746.v350d2781c184
*   **Configuration as Code Plugin** should be updated to version 1.55.1
*   **Credentials Binding Plugin** should be updated to version 1.27.1
*   **Docker Commons Plugin** should be updated to version 1.18
*   **HashiCorp Vault Plugin** should be updated to version 3.8.0
*   **Mailer Plugin** should be updated to version 408.vd726a\_1130320
*   **Matrix Project Plugin** should be updated to version 1.20
*   **Metrics Plugin** should be updated to version 4.0.2.8.1
*   **SSH Agent Plugin** should be updated to version 1.23.2
*   **Warnings Next Generation Plugin** should be updated to version 9.10.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   batch task Plugin
*   Conjur Secrets Plugin
*   Debian Package Builder Plugin
*   Publish Over SSH Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2033, SECURITY-2522 (1), SECURITY-2522 (2), SECURITY-2546
*   **Devin Nusbaum, CloudBees, Inc.** for SECURITY-2467
*   **James Nord, CloudBees, Inc.** for SECURITY-2141
*   **Jasen Minton** for SECURITY-2213
*   **Kevin Guerroudj** for SECURITY-2287
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2547
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2558
*   **Kevin Guerroudj, Justin Philip and Marc Heyries** for SECURITY-2307
*   **Marc Heyries, Justin Philip and Kevin Guerroudj** for SECURITY-2290, SECURITY-2291
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-2163
*   **Oleg Nenashev** for SECURITY-1025
*   **Tomasz Szuba** for SECURITY-1878
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2017, SECURITY-2090
*   **Wasin Saengow** for SECURITY-1624

CVE-2022-23118: Jenkins Security Advisory 2022-01-12

A missing permission check in Jenkins Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Active Directory Plugin
*   Badge Plugin
*   batch task Plugin
*   Bitbucket Branch Source Plugin
*   Configuration as Code Plugin
*   Conjur Secrets Plugin
*   Credentials Binding Plugin
*   Debian Package Builder Plugin
*   Docker Commons Plugin
*   HashiCorp Vault Plugin
*   Mailer Plugin
*   Matrix Project Plugin
*   Metrics Plugin
*   Publish Over SSH Plugin
*   SSH Agent Plugin
*   Warnings Next Generation Plugin

**Descriptions****CSRF vulnerability in build triggers**

**SECURITY-2558 / CVE-2022-20612**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger build of job without parameters.

Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.

**CSRF vulnerability and missing permission checks in Mailer Plugin**

**SECURITY-2163 / CVE-2022-20613 (CSRF), CVE-2022-20614 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 391.ve4a\_38c1b\_cf4b\_ and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Mailer Plugin 408.vd726a\_1130320 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in Matrix Project Plugin**

**SECURITY-2017 / CVE-2022-20615**  
**Severity (CVSS):** High  
**Affected plugin: matrix-project**  
**Description:**

Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 escapes HTML metacharacters in node and label names, and label descriptions.

**Missing permission check in Credentials Binding Plugin allows validating secret file credentials IDs**

**SECURITY-2342 / CVE-2022-20616**  
**Severity (CVSS):** Low  
**Affected plugin: credentials-binding**  
**Description:**

Credentials Binding Plugin 1.27 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read access to validate if a credential ID refers to a secret file credential and whether it’s a zip file.

Credentials Binding Plugin 1.27.1 performs permission checks when validating secret file credentials IDs.

**OS command execution vulnerability in Docker Commons Plugin**

**SECURITY-1878 / CVE-2022-20617**  
**Severity (CVSS):** High  
**Affected plugin: docker-commons**  
**Description:**

Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image or a tag.

This results in an OS command execution vulnerability exploitable by attackers with Item/Configure permission or able to control the contents of a previously configured job’s SCM repository.

Docker Commons Plugin 1.18 sanitizes the name of an image or a tag.

**Missing permission checks in Bitbucket Branch Source Plugin allow enumerating credentials IDs**

**SECURITY-2033 / CVE-2022-20618**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Bitbucket Branch Source Plugin 746.v350d2781c184 requires the appropriate permissions.

**CSRF vulnerability in Bitbucket Branch Source Plugin allows capturing credentials**

**SECURITY-2467 / CVE-2022-20619**  
**Severity (CVSS):** High  
**Affected plugin: cloudbees-bitbucket-branch-source**  
**Description:**

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184 requires POST requests for the affected HTTP endpoint.

**Missing permission checks in SSH Agent Plugin allow enumerating credentials IDs**

**SECURITY-2189 / CVE-2022-20620**  
**Severity (CVSS):** Medium  
**Affected plugin: ssh-agent**  
**Description:**

SSH Agent Plugin 1.23 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in SSH Agent Plugin 1.23.2 requires the appropriate permissions.

**Access key stored in plain text by Metrics Plugin**

**SECURITY-1624 / CVE-2022-20621**  
**Severity (CVSS):** Low  
**Affected plugin: metrics**  
**Description:**

Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its global configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller file system.

Metrics Plugin 4.0.2.8.1 stores access key encrypted once its configuration is saved again.

Additionally, the token value is only displayed once when it is generated.

**User passwords transmitted in plain text by Active Directory Plugin**

**SECURITY-1389 / CVE-2022-23105**  
**Severity (CVSS):** Medium  
**Affected plugin: active-directory**  
**Description:**

Active Directory Plugin implements two separate modes: integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers unless it is configured to use the OS agnostic LDAP mode and the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps is set to true.

This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain credentials of users logging into Jenkins, as well as credentials of the manager DN (LDAP mode) or the Windows/Active Directory user Jenkins is running as (ADSI mode).

Active Directory Plugin 2.25.1 adds an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP). This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory. Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.

Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration unless the (now otherwise obsolete) flag hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set to true.

The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE and hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE. See the plugin documentation for further details.

Care needs to be taken when reconfiguring the security realm to not accidentally lock yourself out. See the documentation for advice how to resolve this problem if it occurs.

**Non-constant time token comparison in Configuration as Code Plugin**

**SECURITY-2141 / CVE-2022-23106**  
**Severity (CVSS):** Low  
**Affected plugin: configuration-as-code**  
**Description:**

Configuration as Code Plugin 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Configuration as Code Plugin 1.55.1 now uses a constant-time comparison when validating authentication tokens.

**Path traversal vulnerability in Warnings Next Generation Plugin**

**SECURITY-2090 / CVE-2022-23107**  
**Severity (CVSS):** Medium  
**Affected plugin: warnings-ng**  
**Description:**

Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

Warnings Next Generation Plugin 9.10.3 checks for the presence of prohibited directory separator characters in the custom ID.

**Stored XSS vulnerability in Badge Plugin**

**SECURITY-2547 / CVE-2022-23108**  
**Severity (CVSS):** High  
**Affected plugin: badge**  
**Description:**

Badge Plugin allows adding custom build badges with a custom description and optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not check for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Badge Plugin 1.9.1 escapes the description and check for allowed protocols when creating a badge.

**Improper credentials masking in HashiCorp Vault Plugin**

**SECURITY-2213 / CVE-2022-23109**  
**Severity (CVSS):** Medium  
**Affected plugin: hashicorp-vault-plugin**  
**Description:**

Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy Plugin 2.85 and newer expects pipeline steps to explicitly specify that variables are to be treated as sensitive and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior and did not explicitly declare variables as sensitive or redacted them.

This can result in exposure of Vault credentials in Pipeline build logs and Pipeline step descriptions.

HashiCorp Vault Plugin 3.8.0 explicitly masks Vault credentials in build logs and Pipeline step descriptions.

This fix only applies to new builds. Administrators are advised to review build logs and Pipeline metadata files created before HashiCorp Vault Plugin 3.8.0 for the presence of Vault credentials.

**Stored XSS vulnerability in Publish Over SSH Plugin**

**SECURITY-2287 / CVE-2022-23110**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

**CSRF vulnerability and missing permission checks in Publish Over SSH Plugin**

**SECURITY-2290 / CVE-2022-23111 (CSRF), CVE-2022-23112 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier does not perform permission checks in methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Path traversal vulnerability in Publish Over SSH Plugin**

**SECURITY-2307 / CVE-2022-23113**  
**Severity (CVSS):** Medium  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not.

This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

**Password stored in plain text by Publish Over SSH Plugin**

**SECURITY-2291 / CVE-2022-23114**  
**Severity (CVSS):** Low  
**Affected plugin: publish-over-ssh**  
**Description:**

Publish Over SSH Plugin 1.22 and earlier stores password unencrypted in its global configuration file jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

**CSRF vulnerability in batch task Plugin**

**SECURITY-1025 / CVE-2022-23115**  
**Severity (CVSS):** Medium  
**Affected plugin: batch-task**  
**Description:**

batch task Plugin 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows decrypting secrets**

**SECURITY-2522 (1) / CVE-2022-23116**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret.

This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

**Agent-to-controller security bypass in Conjur Secrets Plugin allows retrieving all credentials**

**SECURITY-2522 (2) / CVE-2022-23117**  
**Severity (CVSS):** Medium  
**Affected plugin: conjur-credentials**  
**Description:**

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials (Credentials Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those credentials.

**Agent-to-controller security bypass in Debian Package Builder Plugin**

**SECURITY-2546 / CVE-2022-23118**  
**Severity (CVSS):** High  
**Affected plugin: debian-package-builder**  
**Description:**

Debian Package Builder Plugin 1.6.11 and earlier implements functionality that allows agent processes to invoke command-line git at an attacker-specified path on the controller.

This allows attackers able to control agent processes to invoke arbitrary OS commands on the controller.

**Severity**

*   SECURITY-1025: Medium
*   SECURITY-1389: Medium
*   SECURITY-1624: Low
*   SECURITY-1878: High
*   SECURITY-2017: High
*   SECURITY-2033: Medium
*   SECURITY-2090: Medium
*   SECURITY-2141: Low
*   SECURITY-2163: Medium
*   SECURITY-2189: Medium
*   SECURITY-2213: Medium
*   SECURITY-2287: Medium
*   SECURITY-2290: Medium
*   SECURITY-2291: Low
*   SECURITY-2307: Medium
*   SECURITY-2342: Low
*   SECURITY-2467: High
*   SECURITY-2522 (1): Medium
*   SECURITY-2522 (2): Medium
*   SECURITY-2546: High
*   SECURITY-2547: High
*   SECURITY-2558: Medium

**Affected Versions**

*   Jenkins weekly up to and including 2.329
*   Jenkins LTS up to and including 2.319.1
*   **Active Directory Plugin** up to and including 2.25
*   **Badge Plugin** up to and including 1.9
*   **batch task Plugin** up to and including 1.19
*   **Bitbucket Branch Source Plugin** up to and including 737.vdf9dc06105be
*   **Configuration as Code Plugin** up to and including 1.55
*   **Conjur Secrets Plugin** up to and including 1.0.9
*   **Credentials Binding Plugin** up to and including 1.27
*   **Debian Package Builder Plugin** up to and including 1.6.11
*   **Docker Commons Plugin** up to and including 1.17
*   **HashiCorp Vault Plugin** up to and including 3.7.0
*   **Mailer Plugin** up to and including 391.ve4a\_38c1b\_cf4b\_
*   **Matrix Project Plugin** up to and including 1.19
*   **Metrics Plugin** up to and including 4.0.2.8
*   **Publish Over SSH Plugin** up to and including 1.22
*   **SSH Agent Plugin** up to and including 1.23
*   **Warnings Next Generation Plugin** up to and including 9.10.2

**Fix**

*   Jenkins weekly should be updated to version 2.330
*   Jenkins LTS should be updated to version 2.319.2
*   **Active Directory Plugin** should be updated to version 2.25.1
*   **Badge Plugin** should be updated to version 1.9.1
*   **Bitbucket Branch Source Plugin** should be updated to version 746.v350d2781c184
*   **Configuration as Code Plugin** should be updated to version 1.55.1
*   **Credentials Binding Plugin** should be updated to version 1.27.1
*   **Docker Commons Plugin** should be updated to version 1.18
*   **HashiCorp Vault Plugin** should be updated to version 3.8.0
*   **Mailer Plugin** should be updated to version 408.vd726a\_1130320
*   **Matrix Project Plugin** should be updated to version 1.20
*   **Metrics Plugin** should be updated to version 4.0.2.8.1
*   **SSH Agent Plugin** should be updated to version 1.23.2
*   **Warnings Next Generation Plugin** should be updated to version 9.10.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   batch task Plugin
*   Conjur Secrets Plugin
*   Debian Package Builder Plugin
*   Publish Over SSH Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2033, SECURITY-2522 (1), SECURITY-2522 (2), SECURITY-2546
*   **Devin Nusbaum, CloudBees, Inc.** for SECURITY-2467
*   **James Nord, CloudBees, Inc.** for SECURITY-2141
*   **Jasen Minton** for SECURITY-2213
*   **Kevin Guerroudj** for SECURITY-2287
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2547
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2558
*   **Kevin Guerroudj, Justin Philip and Marc Heyries** for SECURITY-2307
*   **Marc Heyries, Justin Philip and Kevin Guerroudj** for SECURITY-2290, SECURITY-2291
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-2163
*   **Oleg Nenashev** for SECURITY-1025
*   **Tomasz Szuba** for SECURITY-1878
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2017, SECURITY-2090
*   **Wasin Saengow** for SECURITY-1624

CVE-2022-20618: Jenkins Security Advisory 2022-01-12

Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

CVE-2022-20615: Jenkins Security Advisory 2022-01-12

Missing permission checks in Jenkins SSH Agent Plugin 1.23 and earlier allows attackers with Overall/Read access to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2022-20620: Jenkins Security Advisory 2022-01-12

Jenkins Publish Over SSH Plugin 1.22 and earlier performs a validation of the file name specifying whether it is present or not, resulting in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files.

CVE-2022-23113: Jenkins Security Advisory 2022-01-12

Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.

CVE-2022-23105: Jenkins Security Advisory 2022-01-12

Jenkins Metrics Plugin 4.0.2.8 and earlier stores an access key unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Tag

#debian