CloudBees Security Advisory 2023-06-14

This advisory announces vulnerabilities in Jenkins and CloudBees CI

Descriptions 

CSRF bypass vulnerability 

SECURITY-3135 / CVE-2023-35141
Severity (CVSS): High
Description:

Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs.

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint (e.g., the Script Console) by opening a context menu.

As of publication of this advisory, we are aware of insufficiently escaped context menu URLs for label expressions, allowing attackers with Item/Configure permissions to exploit this vulnerability.

Jenkins 2.400, LTS 2.401.1 sends GET requests to load the list of context actions.

SSL/TLS certificate validation disabled by default in Checkmarx Plugin 

SECURITY-2870 / CVE-2023-35142
Severity (CVSS): Medium
Affected plugin: checkmarx
Description:

Checkmarx Plugin allows to globally enable or disable SSL/TLS validation for connections to the Checkmarx server. Checkmarx Plugin 2022.4.3 and earlier disables it by default. Unless changed by an administrator, it would cause all connections to the Checkmarx server to ignore SSL/TLS validation, thereby enabling potential man-in-the-middle attacks.

Checkmarx Plugin 2023.2.6 enables SSL/TLS validation by default. Administrators who do not want SSL/TLS validation for connections to the Checkmarx server to be disabled are advised to review their configuration.

Missing permission checks in Team Concert Plugin 

SECURITY-2932 / CVE pending
Severity (CVSS): Medium
Affected plugin: teamconcert
Description:

Team Concert Plugin 2.4.1 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Team Concert Plugin 2.4.2 requires Overall/Administer permission for the affected form validation methods.

Missing permission check in Dimensions Plugin allows enumerating credentials IDs 

SECURITY-3138 / CVE-2023-32261
Severity (CVSS): Medium
Affected plugin: dimensionsscm
Description:

Dimensions Plugin 0.9.3 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Dimensions Plugin 0.9.3.1 requires the appropriate permissions.

Exposure of system-scoped credentials in Dimensions Plugin 

SECURITY-3143 / CVE-2023-32262
Severity (CVSS): Medium
Affected plugin: dimensionsscm
Description:

Dimensions Plugin 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Dimensions Plugin 0.9.3.1 defines the appropriate context for credentials lookup.

Stored XSS vulnerability in Maven Repository Server Plugin 

SECURITY-3156 / CVE-2023-35143
Severity (CVSS): High
Affected plugin: repository
Description:

Maven Repository Server Plugin 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control maven project versions in pom.xml.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in Maven Repository Server Plugin 

SECURITY-2951 / CVE-2023-35144
Severity (CVSS): High
Affected plugin: repository
Description:

Maven Repository Server Plugin 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change project or build display names.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in Sonargraph Integration Plugin 

SECURITY-3155 / CVE-2023-35145
Severity (CVSS): High
Affected plugin: sonargraph-integration
Description:

Sonargraph Integration Plugin 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

This issue is caused by an incomplete fix of SECURITY-1775.

As of publication of this advisory, there is no fix. Learn why we announce this.

Stored XSS vulnerability in Template Workflows Plugin 

SECURITY-3166 / CVE-2023-35146
Severity (CVSS): High
Affected plugin: template-workflows
Description:

Template Workflows Plugin 41.v32d86a_313b_4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create jobs.

As of publication of this advisory, there is no fix. Learn why we announce this.

Arbitrary file read vulnerability in AWS CodeCommit Trigger Plugin 

SECURITY-3099 / CVE-2023-35147
Severity (CVSS): Medium
Affected plugin: aws-codecommit-trigger
Description:

AWS CodeCommit Trigger Plugin allows downloading activity logs of AWS Simple Queue Service (SQS) queues.

AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the queue name path parameter in the corresponding HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

CSRF vulnerability and missing permission checks in Digital.ai App Management Publisher Plugin 

SECURITY-2911 / CVE-2023-35148 (CSRF), CVE-2023-35149 (missing permission check)
Severity (CVSS): Medium
Affected plugin: ease-plugin
Description:

Digital.ai App Management Publisher Plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce this.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.401.1.3

  • CloudBees Cloud Platforms should be upgraded to 2.401.1.3

  • Jenkins weekly should be updated to version 2.400

  • Jenkins LTS should be updated to version 2.401.1

  • Checkmarx Plugin should be updated to version 2023.2.6

  • Dimensions Plugin should be updated to version 0.9.3.1

  • Team Concert Plugin should be updated to version 2.4.2