Jenkins Security Advisory 2023-06-14

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

CSRF protection bypass vulnerability

SECURITY-3135 / CVE-2023-35141
Severity (CVSS): High
Description:

Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs.

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint (e.g., the Script Console) by opening a context menu.

As of publication of this advisory, we are aware of insufficiently escaped context menu URLs for label expressions, allowing attackers with Item/Configure permissions to exploit this vulnerability.

Jenkins 2.400, LTS 2.401.1 sends GET requests to load the list of context actions.

SSL/TLS certificate validation disabled by default in Checkmarx Plugin

SECURITY-2870 / CVE-2023-35142
Severity (CVSS): Medium
Affected plugin: checkmarx
Description:

Checkmarx Plugin allows to globally enable or disable SSL/TLS validation for connections to the Checkmarx server. Checkmarx Plugin 2022.4.3 and earlier disables it by default. Unless changed by an administrator, it would cause all connections to the Checkmarx server to ignore SSL/TLS validation, thereby enabling potential man-in-the-middle attacks.

Checkmarx Plugin 2023.2.6 enables SSL/TLS validation by default. Administrators who do not want SSL/TLS validation for connections to the Checkmarx server to be disabled are advised to review their configuration.

Missing permission checks in Team Concert Plugin

SECURITY-2932 / CVE-2023-3315
Severity (CVSS): Medium
Affected plugin: teamconcert
Description:

Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

Missing permission check in Dimensions Plugin allows enumerating credentials IDs

SECURITY-3138 / CVE-2023-32261
Severity (CVSS): Medium
Affected plugin: dimensionsscm
Description:

Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.

Exposure of system-scoped credentials in Dimensions Plugin

SECURITY-3143 / CVE-2023-32262
Severity (CVSS): Medium
Affected plugin: dimensionsscm
Description:

Dimensions Plugin 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Dimensions Plugin 0.9.3.1 defines the appropriate context for credentials lookup.

Stored XSS vulnerability in Maven Repository Server Plugin

SECURITY-3156 / CVE-2023-35143
Severity (CVSS): High
Affected plugin: repository
Description:

Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in pom.xml.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in Maven Repository Server Plugin

SECURITY-2951 / CVE-2023-35144
Severity (CVSS): High
Affected plugin: repository
Description:

Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change project or build display names.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in Sonargraph Integration Plugin

SECURITY-3155 / CVE-2023-35145
Severity (CVSS): High
Affected plugin: sonargraph-integration
Description:

Sonargraph Integration Plugin 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

This issue is caused by an incomplete fix of SECURITY-1775.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in Template Workflows Plugin

SECURITY-3166 / CVE-2023-35146
Severity (CVSS): High
Affected plugin: template-workflows
Description:

Template Workflows Plugin 41.v32d86a_313b_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

As of publication of this advisory, there is no fix. Learn why we announce this.

Arbitrary file read vulnerability in AWS CodeCommit Trigger Plugin

SECURITY-3099 / CVE-2023-35147
Severity (CVSS): Medium
Affected plugin: aws-codecommit-trigger
Description:

AWS CodeCommit Trigger Plugin allows downloading activity logs of AWS Simple Queue Service (SQS) queues.

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the queue name path parameter in the corresponding HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability and missing permission checks in Digital.ai App Management Publisher Plugin

SECURITY-2911 / CVE-2023-35148 (CSRF), CVE-2023-35149 (missing permission check)
Severity (CVSS): Medium
Affected plugin: ease-plugin
Description:

Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.399
  • Jenkins LTS up to and including 2.387.3
  • AWS CodeCommit Trigger Plugin up to and including 3.0.12
  • Checkmarx Plugin up to and including 2022.4.3
  • Digital.ai App Management Publisher Plugin up to and including 2.6
  • Dimensions Plugin up to and including 0.9.3
  • Maven Repository Server Plugin up to and including 1.10
  • Sonargraph Integration Plugin up to and including 5.0.1
  • Team Concert Plugin up to and including 2.4.1
  • Template Workflows Plugin up to and including 41.v32d86a_313b_4a

Fix

  • Jenkins weekly should be updated to version 2.400
  • Jenkins LTS should be updated to version 2.401.1
  • Checkmarx Plugin should be updated to version 2023.2.6
  • Dimensions Plugin should be updated to version 0.9.3.1
  • Team Concert Plugin should be updated to version 2.4.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • AWS CodeCommit Trigger Plugin
  • Digital.ai App Management Publisher Plugin
  • Maven Repository Server Plugin
  • Sonargraph Integration Plugin
  • Template Workflows Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Alvaro Muñoz (@pwntester), GitHub Security Lab for SECURITY-3143, SECURITY-3155, SECURITY-3156, SECURITY-3166
  • CC Bomber, Kitri BoB for SECURITY-2951
  • Daniel Beck, CloudBees Inc. for SECURITY-2870
  • Daniel Beck, CloudBees, Inc. for SECURITY-2932
  • Kevin Guerroudj, CloudBees, Inc. for SECURITY-3135, SECURITY-3138
  • Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for SECURITY-2911
  • Tony Torralba (@atorralba), GitHub Security Lab for SECURITY-3099