CloudBees Security Advisory 2024-11-13

This advisory announces vulnerabilities in CloudBees CI, CloudBees Jenkins Platform and Jenkins.

Authentication bypass vulnerability in "Single sign-on via Operations Center" security realm

BEE-43186
Severity (CVSS): Critical
Description:

The security realm "Single sign-on via Operations Center" allows client controllers and managed controllers to delegate authentication to the operations center and its security realm.

In Operations Center Client Plugin 3.0.7 through 3.0.50 (both inclusive), included in CloudBees CI 2.401.1.3 through 2.426.1.3 (both inclusive), authentication claims were accepted without validation by the "Single sign-on via Operations Center" security realm. This allows unauthenticated attackers to log in locally to controllers that use this security realm with any username and any password, including usernames that do not exist in the underlying security realm.

Sessions created this way do not have any additional authorities, i.e., memberships in groups defined in the underlying user directory. Even the "authenticated" group membership is absent. The impact of successfully creating a session this way depends on the authorization strategy and how it is configured. Commonly used authorization strategies behave as described below:

  • The authorization strategy "Logged-in users can do anything" determines that users who logged in this way are not the anonymous user, and are granted Overall/Administer permission.

  • The authorization strategy "Role-based matrix authorization strategy" (CloudBees Role-Based Access Control Plugin) grants attackers permissions assigned directly to the specified user (or ambiguous permissions applicable to both users and groups, typically predating version 5.65 of the plugin), or through the user’s membership in groups defined in CloudBees CI. Permissions that would be granted through groups defined in the underlying user directory (e.g., LDAP, Active Directory, SAML) would not be granted.

  • The authorization strategies "Matrix-based security" and "Project-based Matrix Authorization Strategy" provided by Matrix Authorization Strategy Plugin grant permissions assigned directly to the specified user (or ambiguous permissions applicable to both users and groups, typically predating version 3.0 of the plugin). Permissions that would be granted through groups defined in the underlying user directory (e.g., LDAP, Active Directory, SAML) are not granted.

The "Single sign-on via Operations Center" security realm in Operations Center Client Plugin 3.0.51 and newer, included from CloudBees CI 2.426.2.2 onwards, validates authentication claims. This validation was introduced as part of the BEE-43186 fix, which addressed the lack of group memberships when authenticating directly with the affected client controller or managed controller. As a result, CloudBees CI 2.426.2.2 and later are not affected by this vulnerability.

Administrators of affected systems unable to immediately upgrade are strongly advised to install CloudBees SSO Authentication Bypass Workaround Plugin on controllers that use the affected security realm. This plugin prevents exploitation of this vulnerability in affected configurations. Please refer to the knowledge base article about the vulnerability for more information.

Thanks Naveli Shah and Steve Marlowe of Cisco ASIG for reporting this vulnerability through our HackerOne bug bounty program.

Authentication bypass vulnerability in "Single sign-on via CloudBees Software Delivery Automation" security realm

BEE-53106
Severity (CVSS): Critical
Description:

The security realm "Single sign-on via CloudBees Software Delivery Automation" allows controllers and operations centers to delegate authentication to CloudBees Software Delivery Automation.

In CloudBees Platform Common Plugin 1.399 and earlier, included in CloudBees CI 2.277.1.1 through CloudBees CI 2.479.1.3 (both inclusive), authentication claims were accepted without validation by the "Single sign-on via CloudBees Software Delivery Automation" security realm. This allows unauthenticated attackers to log in locally to controllers that use this security realm with any username and any password, including usernames that do not exist in the underlying security realm.

Sessions created this way do not have any additional authorities, i.e., memberships in groups defined in the underlying user directory. Even the "authenticated" group membership is absent. The impact of successfully creating a session this way depends on the authorization strategy and how it is configured. Commonly used authorization strategies behave as described below:

  • The authorization strategy "Logged-in users can do anything" determines that users who logged in this way are not the anonymous user, and are granted Overall/Administer permission.

  • The authorization strategy "Role-based matrix authorization strategy" (CloudBees Role-Based Access Control Plugin) grants attackers permissions assigned directly to the specified user (or ambiguous permissions applicable to both users and groups, typically predating version 5.65 of the plugin), or through the user’s membership in groups defined in CloudBees CI. Permissions that would be granted through groups defined in the underlying user directory (e.g., LDAP, Active Directory, SAML) would not be granted.

  • The authorization strategies "Matrix-based security" and "Project-based Matrix Authorization Strategy" provided by Matrix Authorization Strategy Plugin grant permissions assigned directly to the specified user (or ambiguous permissions applicable to both users and groups, typically predating version 3.0 of the plugin). Permissions that would be granted through groups defined in the underlying user directory (e.g., LDAP, Active Directory, SAML) are not granted.

The "Single sign-on via CloudBees Software Delivery Automation" security realm in CloudBees Platform Common Plugin 1.407 and newer, included in CloudBees CI 2.479.1.4, rejects all unconfirmed authentication claims.

Administrators of affected systems unable to immediately upgrade are strongly advised to install CloudBees SSO Authentication Bypass Workaround Plugin on controllers that use the affected security realm. This plugin prevents exploitation of this vulnerability in affected configurations. Please refer to the knowledge base article about the vulnerability for more information.
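The following Python model is an added illustration for both "Single sign-on" advisories above (BEE-43186 and BEE-53106); it is not code from CloudBees or the plugins. It contrasts a realm that accepts claims without confirmation with one that rejects unconfirmed claims, and shows how the authorization strategies listed above treat a session that carries no authorities. The advisory does not describe the real claim format or the directory, so the HMAC tag, user and group names, and grants are constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-ins: the advisory does not describe the real claim format or
# the directory, so the HMAC tag, users, groups and grants here are assumptions.
CLAIM_SECRET = b"constructed-demo-secret"
DIRECTORY_GROUPS = {"carol": {"ldap-developers"}}           # what LDAP/AD/SAML would supply
GRANTS = {"Overall/Administer": {"alice"}, "Job/Build": {"ldap-developers"}}  # permission -> sids

def claim_tag(username, secret=CLAIM_SECRET):
    """Tag a claim so the controller can confirm it came from the SSO provider."""
    return hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()

def realm_unvalidated(username, tag):
    """Affected behaviour: any username and any tag yield a session, and that
    session carries no authorities at all (not even 'authenticated')."""
    return {"user": username, "authorities": frozenset()}

def realm_validated(username, tag, secret=CLAIM_SECRET):
    """Fixed behaviour: unconfirmed claims are rejected (None); confirmed ones
    get 'authenticated' plus the directory's group memberships."""
    if not hmac.compare_digest(claim_tag(username, secret), tag):
        return None
    groups = DIRECTORY_GROUPS.get(username, set())
    return {"user": username, "authorities": frozenset({"authenticated"} | groups)}

def logged_in_users_can_do_anything(session, permission):
    """Any principal other than anonymous is granted Overall/Administer."""
    return session["user"] != "anonymous"

def matrix_authorization(session, permission, grants=GRANTS):
    """Granted if the permission is assigned to the user's own sid or to any
    authority in the session; a forged session has no authorities, so grants
    made to directory groups never apply to it."""
    sids = {session["user"]} | set(session["authorities"])
    return bool(grants.get(permission, set()) & sids)

def outcomes():
    forged_bob = realm_unvalidated("bob", "garbage")      # bob need not exist anywhere
    forged_alice = realm_unvalidated("alice", "garbage")
    forged_carol = realm_unvalidated("carol", "garbage")
    real_carol = realm_validated("carol", claim_tag("carol"))
    return {
        "anything_strategy_admin": logged_in_users_can_do_anything(forged_bob, "Overall/Administer"),
        "direct_user_grant": matrix_authorization(forged_alice, "Overall/Administer"),
        "forged_group_grant": matrix_authorization(forged_carol, "Job/Build"),
        "real_group_grant": matrix_authorization(real_carol, "Job/Build"),
        "fixed_rejects_forgery": realm_validated("bob", "garbage") is None,
    }
```

The `forged_group_grant` versus `real_group_grant` pair is the point the advisory makes about directory groups: only a confirmed login carries them.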

Confidential information disclosure via aggregated node list in High Availability (HA) controllers

BEE-53014
Severity (CVSS): Medium
Affected plugin: cloudbees-replication
Description:

The REST API endpoint for listing agents on High Availability (HA) controllers was mistakenly accessible to anonymous users. Some users with limited permissions could also see confidential job-related information they should not have seen. This has been fixed and permission checks now work as expected.

Missing permission check in Script Security Plugin

SECURITY-3447 / CVE-2024-52549
Severity (CVSS): Medium
Affected plugin: script-security
Description:

Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of files on the controller file system.

Script Security Plugin 1368.vb_b_402e3547e7 requires Overall/Administer permission for the affected form validation method.

Rebuilding a run with revoked script approval allowed by Pipeline: Groovy Plugin

SECURITY-3362 / CVE-2024-52550
Severity (CVSS): High
Affected plugin: workflow-cps
Description:

Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main (Jenkinsfile) script for a rebuilt build is approved.

This allows attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved.

This does not apply to builds whose (Jenkinsfile) script was never approved, but only to builds whose (Jenkinsfile) script got its approval revoked.

Pipeline: Groovy Plugin 3993.v3e20a_37282f8 refuses to rebuild a build whose main (Jenkinsfile) script is unapproved.

Restarting a run with revoked script approval allowed by Pipeline: Declarative Plugin

SECURITY-3361 / CVE-2024-52551
Severity (CVSS): High
Affected plugin: pipeline-model-definition
Description:

Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved.

This allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved.

This does not apply to builds whose (Jenkinsfile) script was never approved, but only to builds whose (Jenkinsfile) script got its approval revoked.

Pipeline: Declarative Plugin 2.2218.v56d0cda_37c72 refuses to restart a build whose main (Jenkinsfile) script is unapproved.

Stored XSS vulnerability in Authorize Project Plugin

SECURITY-3010 / CVE-2024-52552
Severity (CVSS): High
Affected plugin: authorize-project
Description:

Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Authorize Project Plugin 1.8.0 no longer evaluates a string containing the job name with JavaScript on the Authorization view.

Session fixation vulnerability in OpenId Connect Authentication Plugin

SECURITY-3473 / CVE-2024-52553
Severity (CVSS): High
Affected plugin: oic-auth
Description:

OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_ invalidates the existing session on login.
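As an added illustration, not the plugin's code, this Python model of a session store contrasts the affected behaviour (the session that existed before login is kept and marked authenticated) with the fixed behaviour (the session is invalidated and a fresh one issued on login). The store, the session ids and the "admin" user are constructed.

```python
import secrets

class SessionStore:
    """Minimal server-side session store; a model, not the plugin's code."""

    def __init__(self):
        self.sessions = {}  # session id -> attributes

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def login_keeping_session(self, sid, user):
        """Affected behaviour: the id the browser already held before login is
        kept and simply marked as authenticated."""
        self.sessions.setdefault(sid, {})["user"] = user
        return sid

    def login_invalidating_session(self, sid, user):
        """Fixed behaviour: the pre-login session is discarded and a fresh id is
        issued, so an id that existed before login never becomes authenticated."""
        self.sessions.pop(sid, None)
        fresh = self.new_session()
        self.sessions[fresh]["user"] = user
        return fresh

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

def pre_login_id_becomes_authenticated(invalidate_on_login):
    """True if a session id that existed before the victim logged in ends up
    authenticated as that victim, i.e. the missing invalidation matters."""
    store = SessionStore()
    known_before_login = store.new_session()
    login = store.login_invalidating_session if invalidate_on_login else store.login_keeping_session
    login(known_before_login, "admin")
    return store.user_for(known_before_login) == "admin"
```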

XXE vulnerability in IvyTrigger Plugin

SECURITY-2954 / CVE-2022-46751
Severity (CVSS): High
Affected plugin: ivytrigger
Description:

IvyTrigger Plugin 1.01 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751.

This allows attackers able to control the input files for the "IvyTrigger - Poll with an Ivy script" build trigger to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

IvyTrigger Plugin 1.02 updates the bundled Apache Ivy version to 2.5.2, which is unaffected by this issue.

Script security bypass vulnerability in Shared Library Version Override Plugin

SECURITY-3466 / CVE-2024-52554
Severity (CVSS): High
Affected plugin: shared-library-version-override
Description:

Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they’re not executed in the Script Security sandbox.

This allows attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection.

Shared Library Version Override Plugin 19.v3a_c975738d4a_ declares folder-scoped library overrides as untrusted, so that they’re executed in the Script Security sandbox.

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.479.1.4

  • CloudBees Cloud Platforms should be upgraded to 2.479.1.4

  • Authorize Project Plugin should be updated to version 1.8.0

  • CloudBees Replication Plugin should be updated to version 1928.1932

  • IvyTrigger Plugin should be updated to version 1.02

  • OpenId Connect Authentication Plugin should be updated to version 4.421.v5422614eb_e0a_

  • Pipeline: Declarative Plugin should be updated to version 2.2218.v56d0cda_37c72

  • Pipeline: Groovy Plugin should be updated to version 3975.3977.v478dd9e956c3

  • Script Security Plugin should be updated to version 1362.1364.v4cf2dc5d8776

  • Shared Library Version Override Plugin should be updated to version 19.v3a_c975738d4a_