CloudBees Security Advisory 2024-11-27

This advisory announces vulnerabilities in CloudBees CI and Jenkins.

Secrets stored in plain text in CloudBees HashiCorp Vault Plugin

BEE-51984
Severity (CVSS): Low
Description:

CloudBees HashiCorp Vault Plugin allows credentials to be defined that dynamically retrieve secrets from Vault.

Credentials may be defined in Operations Center and made available for use from connected controllers.

Connected controllers maintain a temporary cache of credentials retrieved from Operations Center in case of connection issues.

In CloudBees HashiCorp Vault Plugin 1.472 and earlier, secrets retrieved dynamically from Vault for Vault AWS Credentials, Vault GitHub App credentials, and Vault SSH Private Key credentials were stored in plain text in `OperationsCenterCredentialsProvider.credentials.cache.xml` when the credentials were configured on Operations Center and used by a connected controller. These secrets could be viewed by users with access to the controller file system.

CloudBees HashiCorp Vault Plugin 1.484 now stores cached secrets encrypted in configuration files on disk.

Denial of service vulnerability in bundled json-lib

SECURITY-3463 / CVE-2024-47855
Severity (CVSS): High
Description:

Jenkins uses the library org.kohsuke.stapler:json-lib to process JSON. This library is the Jenkins project’s fork of net.sf.json-lib:json-lib, which has since been renamed to org.kordamp.json:json-lib-core.

Jenkins LTS 2.479.1 and earlier, and Jenkins 2.486 and earlier, bundle org.kohsuke.stapler:json-lib 2.4-jenkins-7 or earlier. These releases are affected by CVE-2024-47855.

In Jenkins (without plugins) this allows attackers with Overall/Read permission to keep HTTP request handling threads busy indefinitely, consuming system resources and preventing legitimate users from using Jenkins. Additionally, the Jenkins security team has identified multiple plugins that allow attackers lacking Overall/Read permission to do the same. These plugins include SonarQube Scanner and Bitbucket. Other features of Jenkins or plugins that process user-provided JSON may also be affected, resulting in those features being blocked.

The fix for CVE-2024-47855 in org.kordamp.json:json-lib-core has been backported to org.kohsuke.stapler:json-lib and released in version 2.4-jenkins-8. Jenkins LTS 2.479.2 and Jenkins 2.487 bundle org.kohsuke.stapler:json-lib 2.4-jenkins-8.

Stored XSS vulnerability in Simple Queue Plugin

SECURITY-3467 / CVE-2024-54003
Severity (CVSS): High
Affected plugin: simple-queue
Description:

Simple Queue Plugin 1.4.4 and earlier does not escape the view name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Create permission.

Simple Queue Plugin 1.4.5 escapes the view name.

Path traversal vulnerability in Filesystem List Parameter Plugin

SECURITY-3367 / CVE-2024-54004
Severity (CVSS): Medium
Affected plugin: filesystem-list-parameter-plugin
Description:

Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter.

This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.

Filesystem List Parameter Plugin 0.0.15 ensures that paths used by the File system objects list Parameter are restricted to an allow list, with the default base directory set to $JENKINS_HOME/userContent/. The allow list can be configured to include additional custom base directories.

Severity

Fix

  • CloudBees Traditional Platforms should be upgraded to 2.479.2.3

  • CloudBees Cloud Platforms should be upgraded to 2.479.2.3

  • Filesystem List Parameter Plugin should be updated to version 0.0.15

  • Simple Queue Plugin should be updated to version 1.4.5