This advisory announces vulnerabilities in the following Jenkins deliverables:
external-monitor-job
External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
External Monitor Job Type Plugin 207.v98a_a_37a_85525 disables external entity resolution for its XML parser.
active-directory
Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain").
Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted. This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
| This only affects the connection test. Connections established during the login process are encrypted if the corresponding TLS option is enabled. |
Active Directory Plugin 2.30.1 considers the "Require TLS" and "StartTls" options for connection tests.
datadog
Datadog Plugin 5.4.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Datadog Plugin 5.4.2 requires Overall/Administer permission to access the affected HTTP endpoint.
miniorange-saml-sp
SAML Single Sign On(SSO) Plugin 2.3.0 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to download a string representation of the current security realm (Java Object#toString()), which potentially includes sensitive information.
SAML Single Sign On(SSO) Plugin 2.3.1 requires Overall/Administer permission to access the affected HTTP endpoint, and only allows downloading a string representation if the current security realm is this plugin’s.
openshift-login
OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the existing session on login.
This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432 invalidates the existing session on login.
openshift-login
OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.
This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.
OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432 only redirects to relative (Jenkins) URLs.
oracle-cloud-infrastructure-compute
Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds.
This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds.
Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides strategies for performing host key validation for administrators to select the one that meets their security needs.
For more information see the plugin documentation.
| The Jenkins security team has been unable to confirm the exploitability and resolution of this vulnerability. |
macstadium-orka
Orka by MacStadium Plugin 1.33 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Orka by MacStadium Plugin 1.34 requires Overall/Administer permission to access the affected HTTP endpoint.
mabl-integration
mabl Plugin 0.0.46 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in mabl Plugin 0.0.47 requires the appropriate permissions.
mabl-integration
mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.
This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.
mabl Plugin 0.0.47 defines the appropriate context for credentials lookup.
mabl-integration
mabl Plugin 0.0.46 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
mabl Plugin 0.0.47 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
rebuild
Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to rebuild a previous build.
As of publication of this advisory, there is no fix. Learn why we announce this.
test-results-aggregator
Test Results Aggregator Plugin 1.2.13 and earlier does not perform a permission check in an HTTP endpoint implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
pipeline-restful-api
Pipeline restFul API Plugin 0.11 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows impersonating the victim.
As of publication of this advisory, there is no fix. Learn why we announce this.
sumologic-publisher
Sumologic Publisher Plugin 2.2.1 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
mathworks-polyspace
MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict the path of the attached files in Polyspace Notification post-build step.
This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
assembla-auth
Assembla Auth Plugin 1.14 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.
This vulnerability allows attackers to trick users into logging in to the attacker’s account.
As of publication of this advisory, there is no fix. Learn why we announce this.
benchmark-evaluator
Benchmark Evaluator Plugin 1.0.1 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, .csv, and .ycsb files on the Jenkins controller file system.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
elasticbox
ElasticBox CI Plugin 5.0.1 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: