Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Recently reported VMware bugs are being used by hackers who are focused on using them to deliver Mirai denial-of-service malware and exploit the Log4Shell vulnerability.

Security researchers at Barracuda discovered that attempts were made to exploit the recent vulnerabilities CVE-2022-22954 and CVE-2022-22960, both reported last month.

“Barracuda researchers analyzed the attacks and payloads detected by Barracuda systems between April to May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960” reported by Barracuda.

VMware published an advisory on April 6, 2022, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954 with a CVSS score of 9.8, the bug allows an attacker with network access to perform remote code execution via server-side template injection on VMware Workspace ONE Access and Identity Manager Solutions.

The other bug involved CVE-2022-22960 (CVSS score 7.8), is a local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. According to the advisory by VMware, the bug arises due to improper permission in support scripts allowing an attacker with local access to gain root privileges.

The VMware Workspace One is an intelligent-drive workspace platform that helps to manage any app on any device in a secure and simpler manner. The Identity manager handles the authentication to the platform and vRealize Automation is a DevOps-based infrastructure management platform for config of IT resources and automating the delivery of container-based applications.

****Exploitation Occurred After PoC Release****

The Barracuda researchers noted that the previous flaws are chained together for a potential full exploitation vector.

After the bug was disclosed by VMware in April, a proof-of-concept (PoC) was released on Github and shared via Twitter.

“Barracuda researchers started seeing probes and exploit attempts for this vulnerability soon after the release of the advisory and the initial release of the proof of concept on GitHub,” reported Barracuda.

After the release of PoC, the spike in attempts is noticed by the researcher, they classified it as a probe rather than actual attempts to exploit.

“The attacks have been consistent over time, barring a few spikes, and the vast majority of them are what would be classified as probes rather than actual exploit attempts,” they added.

The researchers at Barracuda also revealed that most of the exploit attempts are primarily from botnet operators, the IPs discovered still seem to host variants of the Mirai distributed-denial-of-service (DDoS) botnet malware, along with some Log4Shell exploits and low levels of EnemyBot (a type of DDoS botnet) attempts.

The majority of the attacks (76 percent) originated from the U.S. geographically, with most of them coming from data centers and cloud providers. The researcher added that there is a spike in IP addresses from the UK and Russia and about (6 percent) of the attacks emanate from these locations.

The researchers noted, “there are also consistent background attempts from known bad IPs in Russia.”

“Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes,” researchers explained

According to Barracuda “the interest levels on these vulnerabilities have stabilized” after the initial spike in April, the researcher expected to analyze low-level scanning and attempts for some time.

The best way to protect the systems is to apply the patches immediately, especially if the system is internet-facing, and to place a Web application firewall (WAF) in front of such systems “will add to defense in depth against zero-day attacks and other vulnerabilities, including Log4Shell,” advised by Barracuda.

April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.

Recently uncovered VMware vulnerabilities continue to anchor an ongoing wave of cyberattacks bent on dropping various payloads. In the latest spate of activity, nefarious types are going in with the ultimate goal of infecting targets with various botnets or establishing a backdoor via Log4Shell.

That's according to Barracuda researchers, who found that attackers are particularly probing for the critical vulnerability tracked as CVE-2022-22954 in droves, with swaths of actual exploitation attempts in the mix as well.

The security vulnerability carries a CVSS score of 9.8 and affects the VMware Workspace ONE Access and Identity Manager. Workspace ONE is VMware's platform for delivering corporate applications to any device (a sort of juiced-up mobile device management solution), and the identity manager handles authentication to the platform. The bug allows remote code execution (RCE) via server-side template injection for attackers that have network access.

"A server-side template-injection issue may allow an unauthenticated user with access to the Web interface to execute any arbitrary shell command as the VMware user," Mike Goldgof, Barracuda's senior director of product marketing for data protection, network, and application security, tells Dark Reading. "In effect, a hacker can bring down the system, extract data, inject ransomware, etc."

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," Goldgof noted. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets." 

The activity sometimes involves a second bug (CVE-2022-22960, CVSS score of 7.8), which is a local privilege escalation (LPE) vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation (a platform for creating private clouds). The bug arises because of improper permissions in support scripts, according to VMware's advisory, and could allow attackers with local access to achieve root privileges. 

In this case, it's being chained with the previous flaw for a full exploitation vector, Barracuda noted.

VMware disclosed the bugs in April, and soon thereafter, a proof-of-concept (PoC) exploit was released on GitHub and tweeted out to the world. Unsurprisingly, researchers from multiple security firms started seeing probes and exploit attempts very soon thereafter — and the hits just keep coming. 

"Any serious vulnerability in a broadly used platform or application is cause for concern. Threat actors are always looking for an opportunity to hit multiple targets with minimal effort," Mike Parkin, senior technical engineer at Vulcan Cyber, tells Dark Reading. "VMware is one of the most popular virtualization platforms around, and often runs on powerful iron with multiple applications running on top of it. This gives an attacker multiple reasons to go after VMware servers."

**VMware Payloads du Jour**  
Barracuda researchers noticed that most of the probing in its telemetry now is for the VMware RCE vulnerability, using the PoC code from GitHub. Most of the actual exploit attempts meanwhile are now primarily from botnet operators, especially IPs hosting variants of the Mirai distributed denial-of-service (DDoS) botnet malware, along with a few EnemyBot samples (another DDoS baddie).

Otherwise, "some Log4Shell exploit attempts were also seen in the data," researchers noted.

As for who's behind the attacks, most originate in the US (76%), mostly emanating from data centers and cloud providers. However, the researchers also found "consistent background attempts" from Russian IP addresses that are well known to be affiliated with opportunistic cybercrime cartels.

"Some of these IPs perform scans for specific vulnerabilities at regular intervals, and it looks like the VMware vulnerabilities have been added to their usual rotating list of Laravel/Drupal/PHP probes," the researchers explained.

In April, another set of attacks was flagged, with a very different aim. An Iranian cyber-espionage group known as Rocket Kitten was seen exploiting the CVE-2022-22954 RCE to deliver the Core Impact penetration testing tool on vulnerable systems. And in another batch of April activity, cryptominers reportedly made their way into the exploitation-palooza lineup.

After several initial spikes in April, the interest levels in triggering these vulnerabilities have been holding steady, according to Barracuda, and the firm expects the scanning and exploitation attempts to continue for some time.

The best defense against this spate of attacks (and most botnet and Log4Shell activity) is Security 101 — i.e., patching. Defenders can also build in an extra layer of protection with a Web application firewall (WAF), adding "defense in depth against zero-day attacks and other vulnerabilities," according to Barracuda's Tuesday writeup.

It's important for companies to hop on patches for popular platforms as soon as vendor disclosures come out, Goldgof notes.

"Cybercriminals are constantly scanning for these types of advisories and jump on them ASAP to attempt to exploit targets before they get a chance to download a patch," he says. "\[And\] VMware infrastructure is widely deployed in both data center and cloud environments, providing a large population of attractive hacking targets."

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

By Deeba Ahmed
Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems. The Microsoft…
This is a post from HackRead.com Read the original post: New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer

Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems.

The Microsoft Security Intelligence team posted a series of tweets on their official Twitter handle (@MsftSecIntel) to reveal startling details on the new variant of the notorious Sysrv botnet dubbed Sysrv-K.

According to the thread, the new variant exploits vulnerabilities recently identified in the Spring Framework’s API gateway called the Spring Cloud Gateway and WordPress and deploys cryptocurrency miners on Windows and Linux systems.

**How does the Botnet work?**

According to Microsoft, the botnet first scans the web to identify vulnerable servers and installs itself. The vulnerabilities it looks for include remote file disclosure, remote code execution, path traversal, and arbitrary file download.

The tech giant noted that Sysrv-K exploits numerous old flaws, particularly those identified in WordPress, as well as new vulnerabilities like CVE-2022-22947, which has a CVSS score of 10 and affects the Spring Cloud Gateway and Oracle’s Communications Cloud-Native Core Network Exposure Function.

The vulnerability exposes apps to code injection attacks and allows unauthorized attackers to carry out remote code execution. Interestingly, all these vulnerabilities have patches.

**Details of Sysrv and Sysrv-K**

The Sysrv botnet has been active since late 2020 and exploits known security flaws in access interfaces to install a Monero crypto miner on compromised Windows and Linux systems. The older version of the botnet targeted databases and web apps, such as Confluence, Jira, MongoDB, Oracle WebLogic, ThinkPHP, Mongo-Express, Drupal, Apache Struts, and Salt-API, reported Juniper in 2021.

The new version comes with a range of new features. Such as it can scan for WordPress configuration files and their backups to extract database credentials. The botnet uses the information to control the webserver.

Additionally, it boasts advanced communication features, including using a Telegram bot. It can scan for SSH keys, hostnames, and IP addresses and spread its copies across the network to infect the entire network and make it a part of its botnet army.

Microsoft Security Intelligence team on Twitter

**More Linux and Windows Botnet News**

1.  Old crypto-malware makes come back, hits Windows, Linux devices
2.  Kraken botnet bypasses Windows Defender to steal crypto wallet data
3.  HolesWarm crypto-malware hits unpatched Linux and Windows servers
4.  Beware; Adwind RAT infecting Windows, OS X, Linux and Android Devices
5.  Linux & Windows hit with disk wiper, ransomware & crypto Xbash malware

**How to Stay Safe?**

Microsoft suggests that organizations using internet-exposed Linux or Windows systems must install security updates immediately as it is imperative to secure these systems. They must ensure “building credential hygiene” and timely apply security updates.

New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer

Remote Code Execution (RCE) in Alexander Stokmann's Code Snippets Extended plugin <= 1.4.7 on WordPress via Cross-Site Request Forgery.

**code-snippets-extended**

**Software**

**Code Snippets Extended**

**Vulnerable Versions**

**<= 1.4.7**

**Fixed in version**

**CVE**

**CVE-2022-29429**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-05-04**

**CVSS 3.0 score**

**Plugin does not exist, is not supported or discontinued.**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) leading to Remote Code Execution (RCE) vulnerability discovered by Rasi Afeef (Patchstack Alliance) in WordPress Code Snippets Extended plugin (versions <= 1.4.7).**

**Solution**

**No patched version is available. No reply from the vendor.**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-29429: WordPress Code Snippets Extended plugin <= 1.4.7 - Cross-Site Request Forgery (CSRF) leading to Remote Code Execution (RCE) vulnerability - Patchstack

A widespread attack is underway to exploit known RCE flaw in Tatsu Builder WordPress plug-in, according to a new report.

A no-code page builder WordPress plug-in, Tatsu Builder, has a known remote code execution (RCE) flaw that's under active attack, researchers report, exposing as many as 50,000 sites to takeover. 

The Wordfence threat intelligence team is raising the alarm over what it calls a "widespread" attack attempting to exploit CVE-2021-25094, publicly disclosed on March 24. The vulnerability impacts both the premium and free versions of Tatsu Builder. 

Because it's not listed on Wordpress.org, the team says it doesn't know exactly how many installations the plug-in has, but they estimate it's anywhere from 20,000 to 50,000 sites. 

The Wordfence report says the Wordpress plug-in attacks first popped up on May 10, and by May 14 threat actors had already launched 5.9 million attacks against 1.4 million sites running Tatsu Builder. 

“When it comes to cybersecurity, most organizations give little thought to their websites," Chris Olson, CEO of the Media Trust, said in a statement in reaction to the attacks. "The Tatsu vulnerability shows us why this is a mistake: websites — which play a key role in marketing and revenue generation — are increasingly targeted by hackers, making them a source of risk to customers and casual visitors." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Widespread Attack on WordPress Sites Targets Tatsu Builder Plug-in

OpenCart So Listing Tabs component versions 2.2.0 and below suffer from a deserialization vulnerability that can allow for arbitrary file writes.

    [-] Affected Versions:Version 2.2.0 is affected, and prior versions are likely affected too.[-] Vulnerabilities Description:Vulnerable component is switching to another tab. To exploitvulnerability, an attacker may send a POST request (withapplication/x-www-form-urlencoded content-type) to AJAX endpoint(usually "/index.php") with "is_ajax_listing_tabs" parameter set to"1" and "setting" parameter containing a PHP-serialized object,which would be deserialized at server-side. Gadget-chains based on PHPserver-side code can be used to gain remote code execution, filewrite, DOS, etc.So Listing Tabs is an Opencart plugin, so the Opencart PHP classes areavailable in webapp lifecycle. In source code of Opencart there is a PHPgadget-chain which allows to write a file to the server.Using this gadget, an attacker can write .php files with PHP code insideapp's web root and then execute it via requesting them, thus gainingremote codeexecution, which makes insecure deserialization in So Listing Tabsespecially dangerous. Ability to write files can also be used to DOS thesystem by writing large files and exhausting disk space, it can be used toperform XSS attacks by creating HTML files inside web root.Here is an example of request which will write PHP file on serverin /tmp directory:---POST /index.php HTTP/2Host: 0.0.0.0Content-Length: 3870Content-Type: application/x-www-form-urlencoded; charset=UTF-8Referer: http://0.0.0.0/is_ajax_listing_tabs=1&ajax_reslisting_start=0&categoryid=p_date_added&setting=a%3a74%3a{s%3a6%3a"action"%3bs%3a9%3a"save_edit"%3b......s%3a2%3a"aa"%3bO%3A9%3A%22DB%5CMySQLi%22%3A1%3A%7Bs%3A21%3A%22%00DB%5CMySQLi%00connection%22%3BO%3A7%3A%22Session%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00adaptor%22%3BO%3A21%3A%22Twig_Cache_Filesystem%22%3A2%3A%7Bs%3A32%3A%22%00Twig_Cache_Filesystem%00directory%22%3BN%3Bs%3A30%3A%22%00Twig_Cache_Filesystem%00options%22%3BN%3B%7Ds%3A13%3A%22%00%2A%00session_id%22%3Bs%3A11%3A%22%2Ftmp%2Fff.php%22%3Bs%3A4%3A%22data%22%3Bs%3A24%3A%22%3C%3Fphp+system%28%22ls+%2F%22%29%3B+%3F%3E%22%3B%7D%7D}&lbmoduleid=157---[-] Solution:No official solution is currently available.[-] Disclosure Timeline:[28/01/2022] - CVE number assigned[31/01/2022] - Vendor contacted[02/02/2022] - Vendor asked for description of vulnerability[02/02/2022] - Send report to vendor[11/02/2022] - Vendor contacted for asking about updates[11/02/2022] - Vendor answered that did not get the report[11/02/2022] - Send report again[16/02/2022] - Vendor contacted to ask about receiving the report[17/02/2022] - Automatic generated answer about overloaded system[07/04/2022] - Vendor contacted again asking for updates[15/05/2022] - Vendor contacted to notify about public disclosure[16/05/2022] - Vendor contacted to notify about public disclosure toenother email[16/05/2022] - Public disclosure[-] CVE Reference:The Common Vulnerabilities and Exposures project (cve.mitre.org)has assigned the id CVE-2022-24108 to these vulnerabilities.[-] Credits:Vulnerability discovered by    Denis Mironov (SolidSoft LLC),    Alexey Smirnov (SolidSoft LLC),    Daniil Sigalov (SolidSoft LLC),    Dmitry Pavlov (SolidSoft LLC),    Maxim Malkov (SolidSoft LLC)

OpenCart So Listing Tabs 2.2.0 Unsafe Deserialization

WordPress Tatsu Builder plugin versions prior to 3.3.13 suffer from an unauthenticated remote code execution vulnerability.

Description: Unauthenticated Remote Code Execution

Affected Plugin: Tatsu Builder

Plugin Slug: tatsu

Plugin Developer: BrandExponents

Affected Versions: < 3.3.13

CVE ID: CVE-2021-25094

CVSS Score: 8.1 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Vincent Michel (darkpills)

Fully Patched Version: 3.3.13

Indicators of Attack

Most of the attacks we have seen are probing attacks to determine the presence of a vulnerable plugin.

These may appear in your logs with the following URL:

/wp-admin/admin-ajax.php?action=add_custom_font

The vast majority of attacks are the work of just a few IP addresses.

The top 3 attacking IP addresses have each attacked over 1 million sites:

148.251.183.254

176.9.117.218

217.160.145.62

An additional 15 IP addresses have each attacked over 100,000 sites:

65.108.104.19

62.197.136.102

51.38.41.15

31.210.20.170

31.210.20.101

85.202.169.175

85.202.169.71

85.202.169.86

85.202.169.36

85.202.169.83

85.202.169.92

194.233.87.7

2.56.56.203

85.202.169.129

135.181.0.188

Indicators of Compromise

The most common payload we’ve seen is a dropper used to place additional malware located in a randomly-named subfolder of wp-content/uploads/typehub/custom/ such as wp-content/uploads/typehub/custom/vjxfvzcd.

The dropper is typically named .sp3ctra_XO.php and has an MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8.

Note the dot at the beginning as this indicates a hidden file, which is necessary to exploit the vulnerability as it takes advantage of a race condition.

This file is detected by the Wordfence scanner.

What Should I do?

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against this vulnerability. Nonetheless, if you use the Tatsu Builder plugin, we strongly recommend updating to the latest version available, which is 3.3.13 at the time of this writing. Please note that version 3.3.12 contained a partial patch but did not fully address all issues.

If you know anyone using the Tatsu Builder plugin on their site, we urge you to forward this article to them as this is a large-scale attack and any vulnerable sites that are not updated and not using some form of a Web Application Firewall are at risk of complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

WordPress Tatsu Builder Remote Code Execution

The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on the server, cause DoS, and achieve remote code execution because of deserialization of untrusted data.

**So Listing Tabs – A powerful Responsive OpenCart 3.0.x & OpenCart 2.x module for professionally product listing**

So Listing Tabs OpenCart module arranges your products according to categories or product’s attributes: name, price, quantity, added date…And you are free to choose what categories, attributes to display. Each tabs is available with title and tab icon. You can choose whether to show the icon or not; set the width/height for the icon as well. Besides, the module support over 10 amazing effects for items appearing with ability of setting duration/delay time for the animation.

The friendly user interface of So Listing Tabs allows you totally manage all parameters of the module. You can set which categories or item’s fields to show. Besides, you are able to manage the way to display the items in the listing tabs with many useful options: title, description, created date… It can works well on any OpenCart themes.

**Note**: This module has been updated with new installation method, view more at: New Way to Install OpenCart Module

Are you interested in SO Listing Tabs module? Let’s preview the Demo now!

**MAIN FEATURES**

*   Support Opencart 2.0.x, 2.1.x, 2.2.x, 2.3.0.x & OC 3.x
*   Fully compatible with IE9+, Firefox 2+, Flock 0.7+, Netscape, Safari, Opera 9.5 and Chrome
*   Support Responsive layout
*   Support to open link in Same Window and New Window
*   Support Multi-Module in the same page
*   Allow to set number of column for each screen resolution
*   Allow to choose listing tabs as categories or item’s attributes
*   Allow to choose categories which you want to show
*   Allow to include or exclude products from child categories
*   Allow to set the number of child category levels to return
*   Allow to select ordering direction: Ascending/Descending.
*   Allow to set the number of products to display
*   Allow to choose Products Field which you want to show tabs
*   Allow to display tab All OR not
*   Allow to set the max length for category title
*   Allow to display category’s icon OR not
*   Allow to order category Name/Odering/Random
*   Allow to set width/height of category’s icon
*   Allow to display item attributes or not: title, description, created date
*   Allow to set the max length of item’s description can be showed
*   Allow to show/hide Product Image
*   Allow to set width/height of item’s image
*   Allow to select effect for item appearing
*   Allow to set how long animation will run
*   Allow to set a timer to delay the excution of the next item in the queue
*   Allow to set the content to show at the top and at the end of module

**CHANGELOG**

VERSION 2.2.3 for OC3 - Update - Released on October 04, 2019  

\[Update\] Add URL for Heading title of Module

\[Update\] Get demo data when configure the module without available data

  

Version 2.2.0: Updated on 20 July, 2017-----------
\[+\] Compatible with OpenCart 3.0.x

VERSION 2.1.0-Update - Released on Sep 16, 2016
+ Support RTL for Opencart version 2.3.0.x 

VERSION 2.1.0 - Released on Aug 16, 2016
+ Support Opencart version 2.3.0.x

VERSION 2.0.2 - Released on Jun 21, 2016 
+ Added Cache function 

VERSION 2.0.1 - Released on Apr 11, 2016
+ Fixed errors related to duplicate file and CSS style and 
+ Fixed error when using animate.css style 

VERSION 2.0.0 - Released on Mar 28, 2016
+ Support Opencart version 2.2.x

VERSION 1.0.7 - Released on Mar 8, 2016
- Updated structural display on the front-end
- Added post-text and pre-text 

VERSION 1.0.6 - Released on Dec 28, 2015
- Updated with js and module notification

VERSION 1.0.5 - Released on Dec 16, 2015
- Added more functions

VERSION 1.0.4 - Released on Dec 10, 2015
- Updated to directly upload the package in the admin panel

VERSION 1.0.3 - Released on Dec 05, 2015
- Upgraded to OpenCart 2.1 
- Added more functions

VERSION 1.0.1 -Released on Aug 22, 2015
+ Added more params: Show Title of Module, Module Class Suffix, Type Show, Row
+ Changed tab Effect Options

VERSION 1.0.0 -Released on Aug 05, 2015
- Initial release

CVE-2022-24108: Responsive OpenCart 3.0.x & OpenCart 2.x Module - So Listing Tabs

Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Application Detector Plugin
*   Autocomplete Parameter Plugin
*   Blue Ocean Plugin
*   Git Plugin
*   GitLab Plugin
*   Global Variable String Parameter Plugin
*   JDK Parameter Plugin
*   Mercurial Plugin
*   Multiselect parameter Plugin
*   Pipeline SCM API for Blue Ocean Plugin
*   Pipeline: Groovy Plugin
*   Promoted Builds (Simple) Plugin
*   Random String Parameter Plugin
*   REPO Plugin
*   Rundeck Plugin
*   Script Security Plugin
*   Selection tasks Plugin
*   SSH Plugin
*   Storable Configs Plugin
*   vboxwrapper Plugin
*   WMI Windows Agents Plugin

**Descriptions****Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin**

**SECURITY-359 / CVE-2022-30945**

Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection.

In Pipeline: Groovy Plugin 2689.v434009a\_31b\_f1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed.

Note

The Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.

Pipeline: Groovy Plugin 2692.v76b\_089ccd026 restricts which Groovy source files can be loaded in Pipelines.

Groovy source files in public plugins intended to be executed in sandboxed pipelines have been identified and added to an allowlist. The new extension point org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist allows plugins to add specific Groovy source files to that allowlist if necessary, but creation of plugin-specific Pipeline DSLs is strongly discouraged.

**CSRF vulnerability in Script Security Plugin**

**SECURITY-2116 / CVE-2022-30946**

Script Security Plugin 1158.v7c1b\_73a\_69a\_08 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

This form validation method no longer sends HTTP requests in Script Security Plugin 1172.v35f6a\_0b\_8207e.

**Multiple SCM plugins can check out from the controller file system**

**SECURITY-2478 / CVE-2022-30947 (Git), CVE-2022-30948 (Mercurial), CVE-2022-30949 (REPO)**

SCMs support a number of different URL schemes, including local file system paths (e.g. using file: URLs).

Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unless overridden. Some Pipeline-related features check out SCMs from the Jenkins controller as well.

This allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents. The following Jenkins plugins are known to be affected:

*   Git 4.11.1 and earlier
    
*   Mercurial 2.16 and earlier
    
*   REPO 1.14.0 and earlier
    

Affected plugins have been updated to reject local file paths being checked out on the controller:

*   Git 4.11.2
    
*   Mercurial 2.16.1
    
*   REPO 1.15.0
    

**Multiple vulnerabilities in Windows Remote Command library in WMI Windows Agents Plugin**

**SECURITY-2604 / CVE-2022-30950 (buffer overflow), CVE-2022-30951 (access control)**

WMI Windows Agents Plugin 1.8 and earlier includes the Windows Remote Command library. It provides a general-purpose remote command execution capability that Jenkins uses to check if Java is available, and if not, to install it.

This library has a buffer overflow vulnerability that may allow users able to connect to a named pipe to execute commands on the Windows agent machine.

Additionally, while the processes are started as the user who connects to the named pipe, no access control takes place, potentially allowing users to start processes even if they’re not allowed to log in.

WMI Windows Agents Plugin 1.8.1 no longer includes the Windows Remote Command library. A Java runtime is expected to be available on agent machines and WMI Windows Agents Plugin 1.8.1 does not install a JDK automatically otherwise.

Note

WMI Windows Agents Plugin is the only Jenkins project deliverable the Jenkins project security team is aware of that includes the Windows Remote Command library.

**User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin**

**SECURITY-714 / CVE-2022-30952**

When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provider allows pipelines to access a specific credential from the per-user credentials store in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier.

As a result, attackers with Job/Configure permission can rewrite job configurations in a way that lets them access and capture any attacker-specified credential from any user’s private credentials store.

Pipeline SCM API for Blue Ocean Plugin 1.25.4 deprecates the Blue Ocean Credentials Provider and disables it by default. As a result, all jobs initially set up using the Blue Ocean pipeline creation wizard and configured to use the credential specified at that time will no longer be able to access the credential, resulting in failures to scan repositories, checkout from SCM, etc. unless the repository is public and can be accessed without credentials.

Note

This also applies to newly created pipelines after Pipeline SCM API for Blue Ocean Plugin has been updated to 1.25.4.

Administrators should reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store. See this help page on cloudbees.com to learn more.

To re-enable the Blue Ocean Credentials Provider, set the Java system property io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.enabled to true. Doing so is discouraged, as that will restore the unsafe behavior.

Note

While Credentials Plugin provides the _Configure Credential Providers_ UI to enable or disable certain credentials providers, enabling the Blue Ocean Credentials Provider there is not enough in Pipeline SCM API for Blue Ocean Plugin 1.25.4. Both the UI and system property need to enable the Blue Ocean Credentials Provider.

Administrators not immediately able to update Blue Ocean are advised to disable the Blue Ocean Credentials Provider through the UI at _Manage Jenkins » Configure Credential Providers_ and to reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store.

**CSRF vulnerability and missing permission checks in Blue Ocean Plugin**

**SECURITY-2502 / CVE-2022-30953 (CSRF), CVE-2022-30954 (permission check)**

Blue Ocean Plugin 1.25.3 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to send requests to an attacker-specified URL.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Blue Ocean Plugin 1.25.4 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**Missing permission check in GitLab Plugin allows enumerating credentials IDs**

**SECURITY-2753 / CVE-2022-30955**

GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in GitLab Plugin 1.5.32 requires the appropriate permissions.

**Stored XSS vulnerability in Rundeck Plugin**

**SECURITY-2600 / CVE-2022-30956**

Rundeck Plugin 3.6.10 and earlier does not restrict URL schemes in Rundeck webhook submissions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Rundeck webhook payloads.

Rundeck Plugin 3.6.11 sanitizes URLs submitted in Rundeck webhook payloads.

**Missing permission check in SSH Plugin allows enumerating credentials IDs**

**SECURITY-2315 / CVE-2022-30957**

SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in SSH Plugin allow capturing credentials**

**SECURITY-2093 / CVE-2022-30958 (CSRF), CVE-2022-30959 (permission check)**

SSH Plugin 2.6.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerabilities in multiple plugins providing additional parameter types**

**SECURITY-2717 / CVE-2022-30960 (Application Detector), CVE-2022-30961 (Autocomplete Parameter), CVE-2022-30962 (Global Variable String Parameter), CVE-2022-30963 (JDK Parameter), CVE-2022-30964 (Multiselect parameter), CVE-2022-30965 (Promoted Builds (Simple)), CVE-2022-30966 (Random String Parameter), CVE-2022-30967 (Selection tasks), CVE-2022-30968 (vboxwrapper)**

Multiple plugins do not escape the name and description of the parameter types they provide:

*   Application Detector Plugin 1.0.8 and earlier (SECURITY-2732 / CVE-2022-30960)
    
*   Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 / CVE-2022-30961)
    
*   Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 / CVE-2022-30962)
    
*   JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
    
*   Multiselect parameter Plugin 1.3 and earlier (SECURITY-2726 / CVE-2022-30964)
    
*   Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 / CVE-2022-30965)
    
*   Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 / CVE-2022-30966)
    
*   Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
    
*   vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)
    

This results in stored cross-site scripting (XSS) vulnerabilites exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, several plugins have previously been updated to list parameters in a way that prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security advisory for a list.

The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified:

*   Application Detector Plugin 1.0.9
    
*   Multiselect parameter Plugin 1.4
    

As of publication of this advisory, there is no fix available for the following plugins:

*   Autocomplete Parameter Plugin 1.1 and earlier (SECURITY-2729 / CVE-2022-30961)
    
*   Global Variable String Parameter Plugin 1.2 and earlier (SECURITY-2715 / CVE-2022-30962)
    
*   JDK Parameter Plugin 1.0 and earlier (SECURITY-2713 / CVE-2022-30963)
    
*   Promoted Builds (Simple) Plugin 1.9 and earlier (SECURITY-2720 / CVE-2022-30965)
    
*   Random String Parameter Plugin 1.0 and earlier (SECURITY-2722 / CVE-2022-30966)
    
*   Selection tasks Plugin 1.0 and earlier (SECURITY-2728 / CVE-2022-30967)
    
*   vboxwrapper Plugin 1.3 and earlier (SECURITY-2734 / CVE-2022-30968)
    

**CSRF vulnerability in Autocomplete Parameter Plugin results in RCE**

**SECURITY-2322 / CVE-2022-30969**

Autocomplete Parameter Plugin 1.1 and earlier does not require POST requests for a form validation endpoint executing a provided Groovy script, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Autocomplete Parameter Plugin**

**SECURITY-2267 / CVE-2022-30970**

Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Note

While this looks similar to SECURITY-2729, this is an independent problem and exploitable even on views rendering parameters that otherwise attempt to prevent XSS vulnerabilities in parameter names.

As of publication of this advisory, there is no fix.

**XXE vulnerability in Storable Configs Plugin**

**SECURITY-1969 / CVE-2022-30971 (XXE), CVE-2022-30972 (CSRF)**

Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, the HTTP endpoint calling the XML parser does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-359: High
*   SECURITY-714: Medium
*   SECURITY-1969: High
*   SECURITY-2093: High
*   SECURITY-2116: Medium
*   SECURITY-2267: High
*   SECURITY-2315: Medium
*   SECURITY-2322: High
*   SECURITY-2478: Low
*   SECURITY-2502: Medium
*   SECURITY-2600: High
*   SECURITY-2604: Medium
*   SECURITY-2717: High
*   SECURITY-2753: Medium

**Affected Versions**

*   **Application Detector Plugin** up to and including 1.0.8
*   **Autocomplete Parameter Plugin** up to and including 1.1
*   **Blue Ocean Plugin** up to and including 1.25.3
*   **Git Plugin** up to and including 4.11.1
*   **GitLab Plugin** up to and including 1.5.31
*   **Global Variable String Parameter Plugin** up to and including 1.2
*   **JDK Parameter Plugin** up to and including 1.0
*   **Mercurial Plugin** up to and including 2.16
*   **Multiselect parameter Plugin** up to and including 1.3
*   **Pipeline SCM API for Blue Ocean Plugin** up to and including 1.25.3
*   **Pipeline: Groovy Plugin** up to and including 2689.v434009a\_31b\_f1
*   **Promoted Builds (Simple) Plugin** up to and including 1.9
*   **Random String Parameter Plugin** up to and including 1.0
*   **REPO Plugin** up to and including 1.14.0
*   **Rundeck Plugin** up to and including 3.6.10
*   **Script Security Plugin** up to and including 1158.v7c1b\_73a\_69a\_08
*   **Selection tasks Plugin** up to and including 1.0
*   **SSH Plugin** up to and including 2.6.1
*   **Storable Configs Plugin** up to and including 1.0
*   **vboxwrapper Plugin** up to and including 1.3
*   **WMI Windows Agents Plugin** up to and including 1.8

**Fix**

*   **Application Detector Plugin** should be updated to version 1.0.9
*   **Blue Ocean Plugin** should be updated to version 1.25.4
*   **Git Plugin** should be updated to version 4.11.2
*   **GitLab Plugin** should be updated to version 1.5.32
*   **Mercurial Plugin** should be updated to version 2.16.1
*   **Multiselect parameter Plugin** should be updated to version 1.4
*   **Pipeline SCM API for Blue Ocean Plugin** should be updated to version 1.25.4
*   **Pipeline: Groovy Plugin** should be updated to version 2692.v76b\_089ccd026
*   **REPO Plugin** should be updated to version 1.14.1
*   **Rundeck Plugin** should be updated to version 3.6.11
*   **Script Security Plugin** should be updated to version 1172.v35f6a\_0b\_8207e
*   **WMI Windows Agents Plugin** should be updated to version 1.8.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Autocomplete Parameter Plugin
*   Global Variable String Parameter Plugin
*   JDK Parameter Plugin
*   Promoted Builds (Simple) Plugin
*   Random String Parameter Plugin
*   Selection tasks Plugin
*   SSH Plugin
*   Storable Configs Plugin
*   vboxwrapper Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1969, SECURITY-2478
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-359
*   **Kalle Niemitalo, Procomp Solutions Oy** for SECURITY-2604
*   **Kevin Guerroudj** for SECURITY-2267
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2600, SECURITY-2753
*   **Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and Daniel Beck, CloudBees, Inc.** for SECURITY-2717
*   **Kevin Guerroudj, Justin Philip, Marc Heyries, Wadeck Follonier, CloudBees, Inc.** for SECURITY-2322
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2093
*   **Tanner Emek from Tinder Security Labs** for SECURITY-2502
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2315

CVE-2022-30963: Jenkins Security Advisory 2022-05-17

Jenkins Storable Configs Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

Tag

#rce