LiquidFiles 3.4.15 has stored XSS through the "send email" functionality when sending a file via email to an administrator. When a file has no extension and contains malicious HTML / JavaScript content (such as SVG with HTML content), the payload is executed upon a click. This is fixed in 3.5.

CVE-2021-30140

Because of a incorrect escaped exec command in MagpieRSS in 0.72 in the /extlib/Snoopy.class.inc file, it is possible to add a extra command to the curl binary. This creates an issue on the /scripts/magpie_debug.php and /scripts/magpie_simple.php page that if you send a specific https url in the RSS URL field, you are able to execute arbitrary commands.

CVE-2021-28940: magpierss/Snoopy.class.inc at 04d2a88b97fdba5813d01dc0d56c772d97360bb5 · kellan/magpierss

A stack overflow was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. Processing a maliciously crafted text file may lead to arbitrary code execution.

CVE-2021-1772: About the security content of iOS 14.4 and iPadOS 14.4

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

**Impact**

When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.

**Workarounds**

The problem can be worked around by compiling the following class:

package org.eclipse.jetty.server.ssl.fix6072;

import java.nio.ByteBuffer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;

import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.ssl.SslConnection;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.BufferUtil;
import org.eclipse.jetty.util.annotation.Name;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory
{
    public SpaceCheckingSslConnectionFactory(@Name("sslContextFactory") SslContextFactory factory, @Name("next") String nextProtocol)
    {
        super(factory, nextProtocol);
    }

    @Override
    protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine)
    {
        return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption())
        {
            @Override
            protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException
            {
                SSLEngineResult results = super.unwrap(sslEngine, input, output);

                if ((results.getStatus() == SSLEngineResult.Status.BUFFER\_UNDERFLOW ||
                    results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) &&
                    BufferUtil.space(input) == 0)
                {
                    BufferUtil.clear(input);
                    throw new SSLHandshakeException("Encrypted buffer max length exceeded");
                }
                return results;
            }
        };
    }
}

This class can be deployed by:

*   The resulting class file should be put into a jar file (eg sslfix6072.jar)
*   The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib
*   Copy the file ${jetty.home}/modules/ssl.mod to ${jetty.base}/modules
*   Edit the ${jetty.base}/modules/ssl.mod file to have the following section:

*   Copy the file ${jetty.home}/etc/jetty-https.xml and${jetty.home}/etc/jetty-http2.xml to ${jetty.base}/etc
*   Edit files ${jetty.base}/etc/jetty-https.xml and ${jetty.base}/etc/jetty-http2.xml, changing any reference of org.eclipse.jetty.server.SslConnectionFactory to org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory. For example:

  <Call name\="addIfAbsentConnectionFactory"\>
    <Arg\>
      <New class\="org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory"\>
        <Arg name\="next"\>http/1.1</Arg\>
        <Arg name\="sslContextFactory"\><Ref refid\="sslContextFactory"/></Arg\>
      </New\>
    </Arg\>
  </Call\>

*   Restart Jetty

CVE-2021-28165

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

**Package**

maven org.eclipse.jetty:jetty-webapp (Maven )

**Affected versions**

9.4.37.v20210219, 9.4.38.v20210224

**Description**

Release 9.4.37 introduced a more precise implementation of RFC3986 with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations.

**Impact**

The default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

**Workarounds**

The HttpCompliance mode RFC7230\_NO\_AMBIGUOUS\_URIS can be enabled by updating start.d/http.ini to include:

    jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS

CVE-2021-28164

**Package**

maven org.eclipse.jetty:jetty-webapp (Maven)

**Affected versions**

9.4.37.v20210219, 9.4.38.v20210224

**Description**

Release 9.4.37 introduced a more precise implementation of RFC3986 with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations.

**Impact**

The default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

**Workarounds**

The HttpCompliance mode RFC7230\_NO\_AMBIGUOUS\_URIS can be enabled by updating start.d/http.ini to include:

    jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

**Package**

maven org.eclipse.jetty:jetty-deploy (Maven )

**Affected versions**

9.4.32-9.4.38, 10.0.0.beta2-10.0.1, 11.0.0.beta2-11.0.1

**Patched versions**

9.4.39, 10.0.2, 11.0.2

**Impact**

If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.

For example, the problem manifests in the following ${jetty.base}:

    demo-base/
    ├── etc
    ├── lib
    ├── resources
    ├── start.d
    ├── deploy
    │   └── async-rest.war
    └── webapps -> deploy
    
    

**Workarounds**

Do not use a symlink

CVE-2021-28163

A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 30 Mar 2021 12:52:09 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

\* Build With Parameters Plugin 1.5.1
\* Cloud Statistics Plugin 0.27
\* Extra Columns Plugin 1.23
\* Jabber (XMPP) notifier and control Plugin 1.42
\* OWASP Dependency-Track Plugin 3.1.1
\* REST List Parameter Plugin 1.3.1

Additionally, we announce unresolved security issues in the following
plugins:

\* Team Foundation Server Plugin

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-03-30/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2231 / CVE-2021-21628
Build With Parameters Plugin 1.5 and earlier does not escape parameter
names and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.


SECURITY-2257 / CVE-2021-21629
Build With Parameters Plugin 1.5 and earlier does not require POST requests
for its form submission endpoint, resulting in a cross-site request forgery
(CSRF) vulnerability.

This vulnerability allows attackers to build a project with
attacker-specified parameters.


SECURITY-2222 / CVE-2021-21630
Extra Columns Plugin 1.22 and earlier does not escape parameter values in
the build parameters column.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission. Additionally, a
view containing such a job needs to be configured with the build parameters
column, or the attacker also needs View/Configure permission.


SECURITY-2246 / CVE-2021-21631
Cloud Statistics Plugin 0.26 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission and knowledge of random
activity IDs to view related provisioning exception error messages.


SECURITY-2250 / CVE-2021-21632 (permission check) & CVE-2021-21633 (CSRF)
OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing "Secret text" credentials stored in
Jenkins. If no credentials ID is specified, the globally configured
credential is used, if set up, and can likewise be captured.

Additionally, these HTTP endpoints do not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.


SECURITY-2162 / CVE-2021-21634
Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords
unencrypted in its global configuration file
\`hudson.plugins.jabber.im.transport.JabberPublisher.xml\` on the Jenkins
controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins
controller file system.


SECURITY-2261 / CVE-2021-21635
REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter
name reference in embedded JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.


SECURITY-2283 (1) / CVE-2021-21636
Team Foundation Server Plugin 5.157.1 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials
IDs of credentials stored in Jenkins. Those can be used as part of an
attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.


SECURITY-2283 (2) / CVE-2021-21637 (permission check) & CVE-2021-21638 (CSRF)
Team Foundation Server Plugin 5.157.1 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2021-21638: security - Multiple vulnerabilities in Jenkins plugins

A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Build With Parameters Plugin
*   Cloud Statistics Plugin
*   Extra Columns Plugin
*   Jabber (XMPP) notifier and control Plugin
*   OWASP Dependency-Track Plugin
*   REST List Parameter Plugin
*   Team Foundation Server Plugin

**Descriptions****Stored XSS vulnerability in Build With Parameters Plugin**

**SECURITY-2231 / CVE-2021-21628**  
**Severity (CVSS):** High  
**Affected plugin: build-with-parameters**  
**Description:**

Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Build With Parameters Plugin 1.5.1 escapes parameter names and descriptions.

**CSRF vulnerability in Build With Parameters Plugin**

**SECURITY-2257 / CVE-2021-21629**  
**Severity (CVSS):** Low  
**Affected plugin: build-with-parameters**  
**Description:**

Build With Parameters Plugin 1.5 and earlier does not require POST requests for its form submission endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to build a project with attacker-specified parameters.

Build With Parameters Plugin 1.5.1 requires POST requests for the affected HTTP endpoint.

**Stored XSS vulnerability in Extra Columns Plugin**

**SECURITY-2222 / CVE-2021-21630**  
**Severity (CVSS):** High  
**Affected plugin: extra-columns**  
**Description:**

Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Additionally, a view containing such a job needs to be configured with the build parameters column, or the attacker also needs View/Configure permission.

Extra Columns Plugin 1.23 escapes parameter values in the build parameters column.

**Missing permission check in Cloud Statistics Plugin**

**SECURITY-2246 / CVE-2021-21631**  
**Severity (CVSS):** Low  
**Affected plugin: cloud-stats**  
**Description:**

Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

Cloud Statistics Plugin 0.27 requires Overall/Administer permission to access provisioning exception error messages.

**CSRF vulnerability and missing permission checks in OWASP Dependency-Track Plugin allow capturing credentials**

**SECURITY-2250 / CVE-2021-21632 (permission check), CVE-2021-21633 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: dependency-track**  
**Description:**

OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing "Secret text" credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OWASP Dependency-Track Plugin 3.1.1 requires POST requests and appropriate permissions for the affected HTTP endpoints.

**Passwords stored in plain text by Jabber (XMPP) notifier and control Plugin**

**SECURITY-2162 / CVE-2021-21634**  
**Severity (CVSS):** Low  
**Affected plugin: jabber**  
**Description:**

Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file hudson.plugins.jabber.im.transport.JabberPublisher.xml on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Jabber (XMPP) notifier and control Plugin 1.42 stores passwords encrypted once its configuration is saved again.

**Stored XSS vulnerability in REST List Parameter Plugin**

**SECURITY-2261 / CVE-2021-21635**  
**Severity (CVSS):** High  
**Affected plugin: rest-list-parameter**  
**Description:**

REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

REST List Parameter Plugin 1.3.1 no longer identifies a parameter using user-specified content.

**Missing permission check in Team Foundation Server Plugin allows enumerating credentials IDs**

**SECURITY-2283 (1) / CVE-2021-21636**  
**Severity (CVSS):** Medium  
**Affected plugin: tfs**  
**Description:**

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission check in Team Foundation Server Plugin allow capturing credentials**

**SECURITY-2283 (2) / CVE-2021-21637 (permission check), CVE-2021-21638 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: tfs**  
**Description:**

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-2162: Low
*   SECURITY-2222: High
*   SECURITY-2231: High
*   SECURITY-2246: Low
*   SECURITY-2250: Medium
*   SECURITY-2257: Low
*   SECURITY-2261: High
*   SECURITY-2283 (1): Medium
*   SECURITY-2283 (2): High

**Affected Versions**

*   **Build With Parameters Plugin** up to and including 1.5
*   **Cloud Statistics Plugin** up to and including 0.26
*   **Extra Columns Plugin** up to and including 1.22
*   **Jabber (XMPP) notifier and control Plugin** up to and including 1.41
*   **OWASP Dependency-Track Plugin** up to and including 3.1.0
*   **REST List Parameter Plugin** up to and including 1.3.0
*   **Team Foundation Server Plugin** up to and including 5.157.1

**Fix**

*   **Build With Parameters Plugin** should be updated to version 1.5.1
*   **Cloud Statistics Plugin** should be updated to version 0.27
*   **Extra Columns Plugin** should be updated to version 1.23
*   **Jabber (XMPP) notifier and control Plugin** should be updated to version 1.42
*   **OWASP Dependency-Track Plugin** should be updated to version 3.1.1
*   **REST List Parameter Plugin** should be updated to version 1.3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Team Foundation Server Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2162, SECURITY-2246, SECURITY-2283 (1), SECURITY-2283 (2)
*   **Justin Philip** for SECURITY-2250
*   **Kevin Guerroudj** for SECURITY-2231, SECURITY-2257, SECURITY-2261
*   **Marc Heyries** for SECURITY-2222

Tag

#java