CloudBees Security Advisory 2024-10-02

SECURITY-3451 / CVE-2024-47803
Severity (CVSS): Medium
Description:

Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

SECURITY-3448 / CVE-2024-47804
Severity (CVSS): Medium
Description:

Jenkins provides APIs for fine-grained control of item creation:

• Authorization strategies can prohibit the creation of items of a given type in a given item group (ACL#hasCreatePermission2).

• Item types can prohibit creation of new instances in a given item group (TopLevelItemDescriptor#isApplicableIn(ItemGroup)).

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk.

This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.

SECURITY-3373 / CVE-2024-47805
Severity (CVSS): Medium
Affected plugin: credentials
Description:

Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the SecretBytes type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item config.xml via REST API or CLI.

This allows attackers with Item/Extended Read permission to view encrypted SecretBytes values in credentials.

Credentials Plugin 1381.v2c3a_12074da_b_ redacts the encrypted values of credentials using the SecretBytes type in item config.xml files.

SECURITY-3441 (1) / CVE-2024-47806
Severity (CVSS): High
Affected plugin: oic-auth
Description:

OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.

SECURITY-3441 (2) / CVE-2024-47807
Severity (CVSS): High
Affected plugin: oic-auth
Description:

OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token during its authentication flow, a value that identifies the Originating Party (IdP).

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the iss (Issuer) claim of an ID Token during its authentication flow when the Issuer is known.

• SECURITY-3373: Medium

• SECURITY-3441 (1): High

• SECURITY-3441 (2): High

• SECURITY-3448: Medium

• SECURITY-3451: Medium

• CloudBees Traditional Platforms should be upgraded to 2.462.3.3

• CloudBees Cloud Platforms should be upgraded to 2.462.3.3

• OpenId Connect Authentication Plugin should be updated to version 4.355.v3a_fb_fca_b_96d4