CloudBees Security Advisory 2022-04-12

This advisory announces vulnerabilities in CloudBees CI, CloudBees Jenkins Platform and Jenkins

Stored XSS in Operations-Center-Clusterops

BEE-16566

Users with the Item/Configure permission could potentially create a malicious cluster operation with parameters by having a malicious name and/or description as these values are not escaped when rendered.

Private key stored in plain text by Google Compute Engine Plugin

SECURITY-2045/CVE-2022-29052

Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller as part of its configuration.

These private keys can be viewed by users with Agent/Extended Read permission or access to the Jenkins controller file system.

Google Compute Engine Plugin 4.3.9 stores private keys encrypted.

Stored XSS vulnerabilities in multiple plugins providing additional parameter types

SECURITY-2617/ CVE-2022-29036 (Credentials), CVE-2022-29037 (CVS), CVE-2022-29038
(Extended Choice Parameter), CVE-2022-29039 (Gerrit Trigger),
CVE-2022-29040 (Git Parameter), CVE-2022-29041 (Jira), CVE-2022-29042
(Job Generator), CVE-2022-29043 (Mask Passwords), CVE-2022-29044 (Node
and Label Parameter), CVE-2022-29045 (promoted builds), CVE-2022-29046
(Subversion)

Multiple plugins do not escape the name and description of the parameter types they provide:

  • Credentials Plugin 1111.v35a_307992395 and earlier, except 1087.1089.v2f1b_9a_b_040e4,1074.1076.v39c30cecb_0e2 and 2.6.1.1 (SECURITY-2690 / CVE-2022-29036)

  • CVS Plugin 2.19 and earlier (SECURITY-2700 / CVE-2022-29037)

  • Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier (SECURITY-2704 / CVE-2022-29038)

  • Gerrit Trigger Plugin 2.35.2 and earlier (SECURITY-2703 / CVE-2022-29039)

  • Git Parameter Plugin 0.9.15 and earlier (SECURITY-2699 / CVE-2022-29040)

  • Jira Plugin 3.7 and earlier, except 3.6.1 (SECURITY-2691 / CVE-2022-29041)

  • Job Generator 1.22 and earlier (SECURITY-2263 / CVE-2022-29042)

  • Mask Passwords Plugin 3.0 and earlier (SECURITY-2701 / CVE-2022-29043)

  • Node and Label parameter Plugin 1.10.3 and earlier (SECURITY-2702 / CVE-2022-29044)

  • promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1 (SECURITY-2692 / CVE-2022-29045)

  • Subversion Plugin 2.15.3 and earlier (SECURITY-2698 / CVE-2022-29046)

This results in stored cross-site scripting (XSS) vulnerabilities exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are
listed on another page, like the "Build With Parameters" and
"Parameters" pages provided by Jenkins (core), and that those pages are
not hardened to prevent exploitation.
Jenkins (core) has prevented exploitation of vulnerabilities of this
kind on the "Build With Parameters" and "Parameters" pages since 2.44
and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix.
Additionally, the following plugins have been updated to list parameters in a way that prevents exploitation by default.

Older releases of these plugins allow exploitation of the vulnerabilities listed above.

As of publication of this advisory, the following plugins have not
yet been updated to list parameters in a way that prevents exploitation
of these vulnerabilities:

These are not vulnerabilities in these plugins.
Only plugins defining parameter types can be considered to be vulnerable to this issue.

Note
Some plugins both define parameter types and implement a page listing
parameters, so they can appear in multiple lists and may have both a
security fix and a security hardening applied.

The following plugins have been updated to escape the name and
description of the parameter types they provide in the versions
specified:

  • Credentials Plugin 1112.vc87b_7a_3597f6, 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1

  • CVS Plugin 2.19.1

  • Gerrit Trigger Plugin 2.35.3

  • Git Parameter Plugin 0.9.16

  • Jira Plugin 3.7.1 and 3.6.1

  • Mask Passwords Plugin 3.1

  • Node and Label parameter Plugin 1.10.3.1

  • promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1

  • Subversion Plugin 2.15.4

As of publication of this advisory, there is no fix available for the following plugins:

  • Extended Choice Parameter Plugin (SECURITY-2704 / CVE-2022-29038)

  • Job Generator (SECURITY-2263 / CVE-2022-29042)


Untrusted users can modify some Pipeline libraries in Pipeline: Shared Groovy Libraries Plugin


SECURITY-1951/CVE-2022-29047

Multibranch Pipelines by default limit who can change the Pipeline
definition from the Jenkinsfile.
This is useful for SCMs like GitHub:
Jenkins can build content from users without commit access, but who can
submit pull requests, without granting them the ability to modify the
Pipeline definition.
In that case, Jenkins will just use the Pipeline definition in the pull
request’s destination branch instead.

In Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, the same protection does not apply to uses of the library step with a retriever argument pointing to a library in the current build’s repository and branch (e.g., library(…, retriever: legacySCM(scm))).
This allows attackers able to submit pull requests (or equivalent), but
not able to commit directly to the configured SCM, to effectively change
the Pipeline behavior by changing the library behavior in their pull
request, even if the Pipeline is configured to not trust them.

Pipeline: Shared Groovy Libraries Plugin 566.vd0a_a_3334a_555 and 2.21.3 aborts
library retrieval if the library would be retrieved from the same
repository and revision as the current build, and the revision being
built is untrusted.


CSRF vulnerability in Subversion Plugin


SECURITY-2075/CVE-2022-29048

Subversion Plugin 2.15.3 and earlier does not require POST requests
for several form validation methods, resulting in cross-site request
forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to connect to an attacker-specified URL.

Subversion Plugin 2.15.4 requires POST requests for the affected form validation methods.


Promotion names in promoted builds Plugin are not validated when using Job DSL


SECURITY-2655/CVE-2022-29049

promoted builds Plugin provides dedicated support for defining promotions using Job DSL Plugin.

promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL.
This allows attackers with Job/Configure permission to create a promotion with an unsafe name.
As a result, the promotion name could be used for cross-site scripting (XSS) or to replace other config.xml files.

promoted builds Plugin 876.v99d29788b_36b_ validates the name of promotions.


CSRF vulnerability and missing permission checks in Publish Over FTP Plugin


SECURITY-2321/CVE-2022-29050 (CSRF), CVE-2022-29051 (missing permission check)

Publish Over FTP Plugin 1.16 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials.

Additionally, these form validation methods do not require POST
requests, resulting in a cross-site request forgery (CSRF)
vulnerability.

Publish Over FTP Plugin 1.17 requires POST requests and appropriate permissions for the affected form validation methods.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.332.2.6

  • CloudBees Cloud Platforms should be upgraded to 2.332.2.6

  • CloudBees Jenkins Enterprise should be upgraded to 2.332.2.6 the Managed Masters and Operations Center

  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z)) should be upgraded to 2.332.2.6 version

  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.303.x.0.z)) should be upgraded to 2.303.30.0.10 version