
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN228
_____________________________________________________________________

DATE                : 21/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CloudBees CD Plugin for Jenkins
                     versions prior to 1.1.22;
                     Config File Provider Plugin for Jenkins versions
                     prior to 3.7.1;
                     Templating Engine Plugin for Jenkins versions prior
                     to 2.2.

=====================================================================
https://www.jenkins.io/security/advisory/2021-04-21/
_____________________________________________________________________


Jenkins Security Advisory 2021-04-21

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    CloudBees CD Plugin
    Config File Provider Plugin
    Templating Engine Plugin


Descriptions

XXE vulnerability in Config File Provider Plugin
SECURITY-2204 / CVE-2021-21642

Config File Provider Plugin 3.7.0 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to define Maven configuration
files to have Jenkins parse a crafted configuration file whose external
entities are used to extract secrets from the Jenkins controller or to
perform server-side request forgery.

Config File Provider Plugin 3.7.1 disables external entity resolution
for its XML parser.
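The fix for SECURITY-2204 comes down to parser configuration. The following is an added example written for this note, not code from Config File Provider Plugin: it shows a JDK (JAXP) DocumentBuilderFactory in its default state beside a hardened one that rejects DOCTYPE declarations and disables every route by which external content could be fetched, and it includes a constructed settings.xml sample (placeholder SYSTEM identifier) so a reviewer can confirm the hardened parser refuses it. Class and method names are illustrative.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example (not plugin code): JAXP parser configuration with and without XXE protection. */
public final class XmlParserHardening {

    /** Constructed sample: a settings.xml carrying a DOCTYPE that declares an external entity.
     *  The SYSTEM identifier is a placeholder; the point is that the hardened parser never
     *  gets as far as resolving it. */
    static final String SAMPLE_WITH_EXTERNAL_ENTITY =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE settings [<!ENTITY ext SYSTEM \"http://placeholder.invalid/x\">]>\n"
        + "<settings><servers><server><id>&ext;</id></server></servers></settings>";

    /** Default factory: the JDK parser resolves external entities and loads external DTDs
     *  unless told otherwise. This is the weak configuration the advisory describes. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: reject DOCTYPE outright and, in case a caller later relaxes that,
     *  also switch off every path by which external content could be fetched. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Parses untrusted XML with the hardened builder. A SAXException here is the intended
     *  outcome for any input that carries a DOCTYPE. */
    static Document parseUntrusted(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Self-check a reviewer can run: true when the hardened parser refuses the sample
     *  before any entity could be resolved. */
    static boolean hardeningRejectsDoctype() throws ParserConfigurationException, IOException {
        try {
            parseUntrusted(SAMPLE_WITH_EXTERNAL_ENTITY);
            return false;
        } catch (SAXException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects DOCTYPE: " + hardeningRejectsDoctype());
        // A harmless document without a DOCTYPE still parses normally.
        Document d = parseUntrusted("<settings><servers/></settings>");
        System.out.println("root element: " + d.getDocumentElement().getTagName());
    }
}
```

Disallowing the DOCTYPE is the single setting that defeats the attack class; the remaining features and the ACCESS_EXTERNAL_* attributes are there so that a later change which re-enables DOCTYPE (for example to accept a DTD-referencing file) does not silently reopen entity resolution. The same ordering applies to SAXParserFactory and XMLInputFactory.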


Incorrect permission checks in Config File Provider Plugin allow
enumerating credentials IDs
SECURITY-2254 / CVE-2021-21643

Config File Provider Plugin 3.7.0 and earlier does not correctly perform
permission checks in several HTTP endpoints.

This allows attackers with global Job/Configure permission to enumerate
system-scoped credentials IDs of credentials stored in Jenkins. Those
can be used as part of an attack to capture the credentials using
another vulnerability.

An enumeration of system-scoped credentials IDs in Config File Provider
Plugin 3.7.1 requires Overall/Administer permission.


CSRF vulnerability in Config File Provider Plugin allows deleting
configuration files
SECURITY-2202 / CVE-2021-21644

Config File Provider Plugin 3.7.0 and earlier does not require POST
requests for an HTTP endpoint, resulting in a cross-site request forgery
(CSRF) vulnerability.

This vulnerability allows attackers to delete configuration files
corresponding to an attacker-specified ID.

This is due to an incomplete fix of SECURITY-938.

Config File Provider Plugin 3.7.1 requires POST requests for the
affected HTTP endpoint.


Missing permission checks in Config File Provider Plugin allow
enumerating configuration file IDs
SECURITY-2203 / CVE-2021-21645

Config File Provider Plugin 3.7.0 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate
configuration file IDs.

An enumeration of configuration file IDs in Config File Provider Plugin
3.7.1 requires the appropriate permissions.


Remote code execution vulnerability in Templating Engine Plugin
SECURITY-2311 / CVE-2021-21646

Templating Engine Plugin 2.1 and earlier does not protect its pipeline
configurations using Script Security Plugin.

This vulnerability allows attackers with Job/Configure permission to
execute arbitrary code in the context of the Jenkins controller JVM.

Templating Engine Plugin 2.2 integrates with Script Security Plugin to
protect its pipeline configurations.


Missing permission check in CloudBees CD Plugin allows scheduling builds
SECURITY-2309 / CVE-2021-21647

CloudBees CD Plugin 1.1.21 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Item/Read permission to schedule builds of
projects without having Item/Build permission.

CloudBees CD Plugin 1.1.22 requires Item/Build permission to schedule
builds via its HTTP endpoint.
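Four of the six issues (SECURITY-2254 and SECURITY-2203, missing or incorrect permission checks on enumeration endpoints; SECURITY-2202, a state-changing endpoint reachable by GET; SECURITY-2309, scheduling builds with only Item/Read) share one root cause: a Stapler web method that does not verify the caller before acting. The following added example, written for this note and not taken from any of the plugins named above, shows the weak form of such an endpoint beside the hardened form using the real Jenkins core and Stapler APIs (RequirePOST, checkPermission, Jenkins.ADMINISTER, Item.BUILD; Jenkins.get() needs core 2.98 or later). The class, the web method names and the ConfigStore interface are invented for illustration.

```java
import hudson.model.Item;
import hudson.model.Job;
import hudson.util.HttpResponses;
import java.util.List;
import jenkins.model.Jenkins;
import jenkins.model.ParameterizedJobMixIn;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Added example, not code from any plugin in the advisory. A Stapler-bound object exposing
 * hypothetical web methods: Stapler maps doFoo(...) to the URL path .../foo relative to the
 * object. Names are invented; the annotations and permission constants are real Jenkins APIs.
 */
public class ManagedConfigEndpoints {

    /** Hypothetical backing store standing in for whatever a plugin persists. */
    public interface ConfigStore {
        List<String> ids();
        void remove(String id);
    }

    private final ConfigStore store;

    public ManagedConfigEndpoints(ConfigStore store) {
        this.store = store;
    }

    // WEAK (the pattern behind SECURITY-2202 / SECURITY-2203): answers GET and checks
    // nothing, so a request embedded in any page the victim loads deletes a file, and any
    // authenticated user can call the URL directly.
    public HttpResponse doRemoveWeak(@QueryParameter String id) {
        store.remove(id);
        return HttpResponses.ok();
    }

    // HARDENED: @RequirePOST makes Stapler reject GET with 405, and a cross-site POST fails
    // Jenkins' crumb check; checkPermission throws AccessDeniedException (rendered as 403)
    // before any state changes. Overall/Administer is used here for simplicity; a real
    // plugin would pick the permission that actually governs the resource.
    @RequirePOST
    public HttpResponse doRemove(@QueryParameter String id) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        store.remove(id);
        return HttpResponses.ok();
    }

    // Read-only endpoints need a check as well: IDs of managed files or of system-scoped
    // credentials are reconnaissance material that chains with other weaknesses. The
    // advisory's fix requires Overall/Administer for system-scoped credential IDs.
    public HttpResponse doIds() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return HttpResponses.plainText(String.join("\n", store.ids()));
    }

    // Scheduling (the SECURITY-2309 pattern): the check is made against the item, not the
    // global scope, and it must be Item/Build. Item/Read only lets the caller resolve the
    // job; resolve first, then check, then act.
    @RequirePOST
    public HttpResponse doSchedule(@QueryParameter String job) {
        Job<?, ?> j = Jenkins.get().getItemByFullName(job, Job.class);
        if (!(j instanceof ParameterizedJobMixIn.ParameterizedJob)) {
            return HttpResponses.notFound();
        }
        j.checkPermission(Item.BUILD);
        ((ParameterizedJobMixIn.ParameterizedJob<?, ?>) j).scheduleBuild2(0);
        return HttpResponses.ok();
    }
}
```

When reviewing a plugin for the same class of defect, grep for public methods named do* and confirm that each one either carries @RequirePOST or @POST when it changes state, and calls checkPermission on the object whose permission actually governs the action (Jenkins.get() for global permissions, the Item for Item/Build and Item/Configure) before touching the store or the queue.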


Severity

    SECURITY-2202: Medium
    SECURITY-2203: Medium
    SECURITY-2204: High
    SECURITY-2254: Medium
    SECURITY-2309: Medium
    SECURITY-2311: High


Affected Versions

    CloudBees CD Plugin up to and including 1.1.21
    Config File Provider Plugin up to and including 3.7.0
    Templating Engine Plugin up to and including 2.1


Fix

    CloudBees CD Plugin should be updated to version 1.1.22
    Config File Provider Plugin should be updated to version 3.7.1
    Templating Engine Plugin should be updated to version 2.2

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Daniel Beck, CloudBees, Inc. for SECURITY-2254, SECURITY-2311
    Devin Nusbaum, CloudBees, Inc. for SECURITY-2309


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================