SAML Plugin allows bypassing CSRF protection for any URL
SECURITY-2469 / CVE-2021-21678
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. SAML Plugin implements this extension point for the URL that users are redirected to after login.
In SAML Plugin 2.0.7 and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.
This vulnerability was originally introduced in SAML Plugin 1.1.3.
SAML Plugin 2.0.8 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the one URL that needs it.
Due to the nature of this vulnerability, CloudBees recommends that you apply the mitigation from this Knowledge Base article.
RCE vulnerability in Code Coverage API Plugin
SECURITY-2376 / CVE-2021-21677
Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk.
This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.
Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.
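The safe-types configuration described above, as an added illustration that is not the Code Coverage API Plugin's own code: a report type is persisted with XStream (the XML serializer Jenkins uses for on-disk objects), a default XStream instance will instantiate whatever class the XML names, and the hardened instance denies everything except the handful of types the report actually needs. The CoverageReport class, the alias, and the hostile sample document are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.ArrayList;
import java.util.List;

/** Constructed stand-in for a plugin's persisted coverage data (hypothetical type). */
public class CoverageReportStore {

    public static final class CoverageReport {
        public String name;
        public int linesCovered;
        public int linesTotal;
        public List<String> files = new ArrayList<>();
    }

    /** Unsafe: a default XStream resolves and instantiates any class named in the XML. */
    static XStream permissiveXStream() {
        XStream xs = new XStream();
        xs.alias("coverageReport", CoverageReport.class);
        return xs;
    }

    /** Safe: deny all types first, then allow exactly those the report is made of. */
    static XStream restrictedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // clear XStream's defaults
        xs.addPermission(NullPermission.NULL);            // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, ArrayList.class, CoverageReport.class });
        xs.alias("coverageReport", CoverageReport.class);
        return xs;
    }

    /** Deserialize a report file's contents (already read from disk) with the given XStream. */
    static CoverageReport loadReport(XStream xs, String xml) {
        return (CoverageReport) xs.fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed payload shape: a file written by an agent names an
        // unexpected class for a field. With the permissive instance XStream
        // resolves and instantiates it; with the restricted one it is refused
        // before any constructor or gadget chain can run.
        String hostile =
            "<coverageReport><name>x</name>"
            + "<files class=\"java.util.PriorityQueue\"/></coverageReport>";
        try {
            loadReport(restrictedXStream(), hostile);
            System.out.println("unexpectedly accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist must be maintained: every new field type added to the persisted class needs an entry, which is the price of an approach that fails closed rather than relying on a denylist of known gadgets.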
Azure AD Plugin allows bypassing CSRF protection for any URL
SECURITY-2470 / CVE-2021-21679
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Azure AD Plugin implements this extension point for URLs used by a JavaScript component.
In Azure AD Plugin 179.vf6841393099e and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.
This vulnerability was originally introduced in Azure AD Plugin 164.v5b48baa961d2.
Azure AD Plugin 180.v8b1e80e6f242 no longer allows bypassing CSRF protection for URLs used by the JavaScript component. Instead, that component was reconfigured to pass the expected CSRF token.
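Both the SAML Plugin and Azure AD Plugin entries above concern the same extension point, CrumbExclusion, which lets a plugin exempt specific URLs from the crumb (CSRF token) check. The following is an added illustration, not the code of either plugin, of why a loose path test is dangerous and what a tight one looks like; the class name and the callback path are assumptions, and the advisory does not state which pattern the affected plugins used.

```java
import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Hypothetical crumb exclusion for a single login-callback URL.
 * Not the SAML or Azure AD plugin's implementation.
 */
@Extension
public class LoginCallbackCrumbExclusion extends CrumbExclusion {

    /** The one URL that must accept a POST without a crumb (assumed path). */
    static final String CALLBACK_PATH = "/securityRealm/finishLogin";

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response,
                           FilterChain chain) throws IOException, ServletException {
        String pathInfo = request.getPathInfo();
        if (pathInfo != null && isExactCallback(pathInfo)) {
            chain.doFilter(request, response); // continue without the crumb check
            return true;                       // tell CrumbFilter this request is handled
        }
        return false;                          // every other URL keeps CSRF protection
    }

    /**
     * Too permissive. Stapler hands trailing path segments to a web method as
     * its "rest of path" instead of rejecting the request, so a crafted URL
     * such as /job/target/doDelete/securityRealm/finishLogin both reaches the
     * target action and satisfies this test, exempting an arbitrary URL.
     */
    static boolean isLooseCallback(String pathInfo) {
        return pathInfo.contains(CALLBACK_PATH);
    }

    /** Exact match: only the intended URL (with or without a trailing slash) is exempt. */
    static boolean isExactCallback(String pathInfo) {
        return pathInfo.equals(CALLBACK_PATH) || pathInfo.equals(CALLBACK_PATH + "/");
    }
}
```

The Azure AD fix takes the other available route: rather than widening the exemption, the JavaScript component sends the crumb with its requests, so no exclusion is needed at all. Prefer that whenever the caller is your own code; reserve CrumbExclusion for endpoints hit by third parties (identity providers, webhooks) and match the path exactly.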
XXE vulnerability in Nested View Plugin
SECURITY-2411 / CVE-2021-21680
Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.
This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities to extract secrets from the Jenkins controller or to perform server-side request forgery.
Nested View Plugin 1.21 disables external entity resolution for its XML transformer.
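Hardening a JAXP TransformerFactory against external entities, as an added illustration that is not the Nested View Plugin's own code. The hostile view XML is constructed for the example; the secret path in it is only a plausible target, and the fix is the three factory settings in hardenedFactory().

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class ViewXmlTransform {

    /** Constructed view definition whose entity would read a controller secret. */
    static final String HOSTILE_VIEW_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE view [<!ENTITY xxe SYSTEM \"file:///var/lib/jenkins/secrets/master.key\">]>\n"
        + "<view><name>&xxe;</name></view>";

    /** Vulnerable: the JDK default resolves SYSTEM entities and external DTDs. */
    static TransformerFactory defaultFactory() {
        return TransformerFactory.newInstance();
    }

    /** Hardened: secure processing on, and no external DTD or stylesheet access. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Identity transform of a view definition, the kind of step a view editor performs. */
    static String identityTransform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            // With the hardened factory the entity load is refused and the
            // transform fails, so no file content reaches the output.
            identityTransform(hardenedFactory(), HOSTILE_VIEW_XML);
            System.out.println("unexpectedly succeeded");
        } catch (TransformerException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Apply the same three settings to any factory that ends up parsing attacker-influenced XML (DocumentBuilderFactory and SAXParserFactory have their own equivalents); setting them on the transformer alone does not protect a DOM you parsed earlier with an unhardened parser.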
Password stored in plain text by Nomad Plugin
SECURITY-2396 / CVE-2021-21681
Nomad Plugin 0.7.4 and earlier stores the passwords used to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration.
These passwords can be viewed by users with access to the Jenkins controller file system.
Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.
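The usual Jenkins fix for a plaintext credential field, as an added illustration that is not the Nomad Plugin's own code: the field's type changes from String to hudson.util.Secret, which XStream persists in encrypted form, and the plain text is recovered only at the point of use. The class, field and method names are assumptions.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical worker-template entry holding Docker registry credentials. */
public class RegistryCredentialsTemplate {

    // Before the fix the password was a String, which config.xml stores verbatim:
    //   private final String registryPassword;
    // After the fix it is a Secret, stored encrypted with the controller's key.
    private final String registryUser;
    private final Secret registryPassword;

    @DataBoundConstructor
    public RegistryCredentialsTemplate(String registryUser, Secret registryPassword) {
        this.registryUser = registryUser;
        this.registryPassword = registryPassword;
    }

    public String getRegistryUser() {
        return registryUser;
    }

    /** Returned as Secret so the config form and config.xml only ever see the encrypted form. */
    public Secret getRegistryPassword() {
        return registryPassword;
    }

    /** Decrypt only here, when the value is actually needed for registry auth. */
    String registryAuthHeader() {
        String pair = registryUser + ":" + Secret.toString(registryPassword);
        return "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }
}
```

Secret.fromString accepts both an already-encrypted value and legacy plain text, so existing config.xml entries still load after the type change; they are rewritten in encrypted form the next time the configuration is saved, which is why such a change takes effect only once Jenkins has reloaded and persisted the configuration.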