This advisory announces vulnerabilities in the following Jenkins deliverables:
trilead-api
Trilead API Plugin bundles the Jenkins project’s fork of the Trilead SSH2 library for use by other plugins.
Trilead API Plugin 2.133.vfb_8a_7b_9c5dd1 and earlier, except 2.84.86.vf9c960e9b_458, bundles versions of Jenkins/Trilead SSH2 that are susceptible to CVE-2023-48795 (Terrapin). This vulnerability allows a machine-in-the-middle attacker to reduce the security of an SSH connection.
Trilead API Plugin 2.141.v284120fd0c46 updates the bundled Jenkins/Trilead SSH2 library to version build-217-jenkins-274.276.v58da_75159cb_7, which by default removes the affected ciphers and encryption modes.
htmlpublisher
SECURITY-784 / CVE-20218-1000175 is a path traversal vulnerability in HTML Publisher Plugin 1.15 and earlier. The fix for it retained compatibility for older reports as a fallback.
In HTML Publisher Plugin 1.16 through 1.32 (both inclusive) this fallback for reports created in HTML Publisher Plugin 1.15 and earlier does not properly sanitize input. This allows attackers with Item/Configure permission to do the following:
Implement stored cross-site scripting (XSS) attacks.
Determine whether a path on the Jenkins controller file system exists, without being able to access it.
HTML Publisher Plugin 1.32.1 removes support for reports created before HTML Publisher Plugin 1.15. Those reports are retained on disk, but may no longer be accessible through the Jenkins UI.
htmlpublisher
HTML Publisher Plugin 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
HTML Publisher Plugin 1.32.1 escapes job names, report names, and index page titles when creating a new report. HTML Publisher Plugin 1.32.1 checks reports created in earlier releases for the presence of unsafe characters in the report frame, and refuses to show these frames if unsafe characters are identified.
htmlpublisher
HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller. Attackers with Item/Configure permission can use them to determine whether a path on the Jenkins controller file system exists, without being able to access it.
HTML Publisher Plugin 1.32.1 does not archive symbolic links.
cloudbees-bitbucket-branch-source
Multibranch Pipelines with Bitbucket branch source can be configured to discover pull requests from forks. The trust policy is set to "Forks in the same account" by default.
In Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier, except 848.850.v6a_a_2a_234a_c81, this trust policy allows changes to Jenkinsfiles from users without write access to the project when using Bitbucket Server. This allows attackers able to submit pull requests from forks to change the Pipeline behavior.
In Bitbucket Branch Source Plugin 871.v28d74e8b_4226, the "Forks in the same account" trust policy does not extend trust to Jenkinsfiles modified by users without write access to the project.
| Pipelines using Bitbucket Cloud are unaffected by this issue. |
dependency-check-jenkins-plugin
OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports on the Jenkins UI.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control workspace contents or CVE metadata.
OWASP Dependency-Check Plugin 5.4.6 escapes vulnerability metadata from Dependency-Check reports.
mq-notifier
MQ Notifier Plugin has a global option to log the JSON payload it sends to RabbitMQ in the build log. This includes the build parameters, some of which may be sensitive, and they are not masked.
In MQ Notifier Plugin 1.4.0 and earlier, this option is enabled by default. This results in unwanted exposure of sensitive information in build logs.
MQ Notifier Plugin 1.4.1 disables the global option to log the JSON payload it sends to RabbitMQ by default. This option is disabled when updating from a previous release and needs to be re-enabled by administrators who want to use this feature.
jenkinsci-appspider-plugin
AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.
AppSpider Plugin 1.0.17 requires Item/Configure permission for the affected HTTP endpoints.
delphix
Delphix Plugin provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections.
In Delphix Plugin 3.0.1 this option is set to disable SSL/TLS certificate validation by default.
In Delphix Plugin 3.0.2 this option is set to enable SSL/TLS certificate validation by default.
| Delphix Plugin 3.0.2 inverts the semantics of the existing option. Administrators who update from version 3.0.1 to 3.0.2 will need to toggle this option to have the previously configured behavior. |
delphix
Delphix Plugin provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections.
In Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) an option change from disabled validation to enabled validation fails to take effect until Jenkins is restarted.
Delphix Plugin 3.1.1 applies the configuration change immediately when switching from disabled validation to enabled validation.
docker-build-step
docker-build-step Plugin 2.11 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test.
This allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL. Additionally, the plugin reconfigures itself using the provided connection test parameters, affecting future build step executions.
Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
build-monitor-plugin
Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not escape Build Monitor View names.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure Build Monitor Views.
As of publication of this advisory, there is no fix. Learn why we announce this.
gitbucket
GitBucket Plugin 0.8 and earlier does not sanitize Gitbucket URLs on build views.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
As of publication of this advisory, there is no fix. Learn why we announce this.
svn-partial-release-mgr
Subversion Partial Release Manager Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to trigger a build.
Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
icescrum
iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project URLs on build views.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
As of publication of this advisory, there is no fix. Learn why we announce this.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: