
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN271
_____________________________________________________________________

DATE                : 12/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Credentials Plugin for Jenkins,
                     Dashboard View Plugin for Jenkins,
                     P4 Plugin for Jenkins,
                     S3 publisher Plugin for Jenkins,
                     Xcode integration Plugin for Jenkins,
                     Xray - Test Management for Jira Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2021-05-11/
_____________________________________________________________________

 Jenkins Security Advisory 2021-05-11

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Credentials Plugin
    Dashboard View Plugin
    P4 Plugin
    S3 publisher Plugin
    Xcode integration Plugin
    Xray - Test Management for Jira Plugin


Descriptions


Reflected XSS vulnerability in Credentials Plugin
SECURITY-2349 / CVE-2021-21648

Credentials Plugin 2.3.18 and earlier does not escape user-controlled
information on a view it provides.

This results in a reflected cross-site scripting (XSS) vulnerability.

Credentials Plugin 2.3.19 restricts the user-controlled information it
provides to a safe subset.


Stored XSS vulnerability in Dashboard View Plugin
SECURITY-2233 / CVE-2021-21649

Dashboard View Plugin 2.15 and earlier does not escape URLs referenced
in Image Dashboard Portlets.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with View/Configure permission.

Dashboard View Plugin 2.16 does not render unsafe URLs.

As part of this fix, the property for image URLs was changed from url to
imageUrl. Existing Configuration as Code configurations are still
supported, but exports will emit the new property.


Missing permission checks in S3 publisher Plugin allow obtaining
metadata about artifacts
SECURITY-2200 / CVE-2021-21650

S3 publisher Plugin 0.11.6 and earlier does not perform Run/Artifacts
permission checks in various HTTP endpoints and API models.

This allows attackers with Item/Read permission to obtain information
about artifacts uploaded to S3, if the optional Run/Artifacts permission
is enabled.

S3 publisher Plugin 0.11.7 requires Run/Artifacts permission to obtain
information about artifacts if this permission is enabled.


Missing permission check in S3 publisher Plugin
SECURITY-2201 / CVE-2021-21651

S3 publisher Plugin 0.11.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain the list of
configured profiles.

S3 publisher Plugin 0.11.7 performs permission checks when providing a
list of configured profiles.


CSRF vulnerability in Xray - Test Management for Jira Plugin allows
capturing credentials
SECURITY-2251 (1) / CVE-2021-21652

Xray - Test Management for Jira Plugin 2.4.0 and earlier does not
require POST requests for a connection test method, resulting in a
cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified
URL using attacker-specified credentials IDs obtained through another
method, capturing credentials stored in Jenkins.

Xray - Test Management for Jira Plugin 2.4.1 requires POST requests for
the affected connection test method.


Missing permission check in Xray - Test Management for Jira Plugin
allows enumerating credentials IDs
SECURITY-2251 (2) / CVE-2021-21653

Xray - Test Management for Jira Plugin 2.4.0 and earlier does not
perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate
credentials IDs of credentials stored in Jenkins. Those can be used as
part of an attack to capture the credentials using another
vulnerability.

Xray - Test Management for Jira Plugin 2.4.1 requires the appropriate
permissions to enumerate credentials IDs.


CSRF vulnerability and missing permission checks in P4 Plugin
SECURITY-2327 / CVE-2021-21654 (permission check), CVE-2021-21655 (CSRF)

P4 Plugin 1.11.4 and earlier does not perform permission checks in
multiple HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an
attacker-specified Perforce server using attacker-specified username and
password.

Additionally, these HTTP endpoints do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

P4 Plugin 1.11.5 requires POST requests and Overall/Administer permission
for the affected HTTP endpoints.
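The fix shape the advisory describes for the connection-test endpoints in SECURITY-2251 (1)/(2) and SECURITY-2327, as an added illustration that is not the P4 or Xray plugin's own code: a Stapler form-validation method that only accepts POST (so a cross-site form cannot trigger it) and checks Overall/Administer before any caller-chosen server or credentials are used. The class name, the host/user/password parameters and the probe helper are assumptions.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical build step; only the descriptor's endpoint matters here.
public class ExampleServerBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Vulnerable shape (for contrast): without @RequirePOST the method is
        // reachable by GET, and without a permission check any authenticated
        // user with Overall/Read can make the controller open the connection.
        //   public FormValidation doTestConnection(@QueryParameter String host, ...)

        // Hardened shape: POST only, and Overall/Administer is verified before
        // the caller-supplied parameters are acted on.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String host,
                                               @QueryParameter String user,
                                               @QueryParameter String password) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return probe(host, user, password);
        }

        // Hypothetical stand-in for the real connection attempt.
        private FormValidation probe(String host, String user, String password) {
            if (host == null || host.trim().isEmpty()) {
                return FormValidation.error("Host is required");
            }
            return FormValidation.ok("Connection parameters accepted");
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example server build step";
        }
    }
}
```

When the endpoint resolves a credentials ID instead of a raw username and password, the same two lines still apply: the permission check must run before the ID is looked up, otherwise the lookup itself leaks which IDs exist.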


XXE vulnerability in Xcode integration Plugin
SECURITY-2335 / CVE-2021-21656

Xcode integration Plugin 2.0.14 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control the input files for the Xcode
build step to have Jenkins parse a crafted Xcode Workspace File that
uses external entities for extraction of secrets from the Jenkins
controller or server-side request forgery.

Xcode integration Plugin 2.0.15 disables external entity resolution for
its XML parser.
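What "disables external entity resolution" looks like in practice, as an added example that is not the Xcode integration Plugin's code: a DocumentBuilderFactory locked down so that a DOCTYPE, external entities and external DTDs are all refused before any entity could be resolved, then used to read the FileRef entries of a constructed contents.xcworkspacedata sample. The class name and sample content are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

public final class WorkspaceParser {
    // Constructed sample of an Xcode contents.xcworkspacedata file.
    static final String SAMPLE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<Workspace version=\"1.0\">\n"
        + "  <FileRef location=\"group:App.xcodeproj\"></FileRef>\n"
        + "  <FileRef location=\"group:Pods/Pods.xcodeproj\"></FileRef>\n"
        + "</Workspace>\n";

    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // A workspace file never needs a DOCTYPE; refusing it removes the
        // place where entities are declared, so nothing can be fetched.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static List<String> fileRefLocations(String xml) throws Exception {
        Document doc = hardenedBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList refs = doc.getElementsByTagName("FileRef");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < refs.getLength(); i++) {
            out.add(((Element) refs.item(i)).getAttribute("location"));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(fileRefLocations(SAMPLE));
        // Any DOCTYPE, even one declaring only an internal entity, is rejected.
        String withDoctype = "<!DOCTYPE Workspace [<!ENTITY e \"x\">]><Workspace version=\"1.0\"/>";
        try { fileRefLocations(withDoctype); }
        catch (SAXException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The parser fails closed: a file carrying a DOCTYPE is refused outright, which is the behaviour a build-input parser wants, since it cannot trust who committed the workspace file.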


Severity

    SECURITY-2200: Medium
    SECURITY-2201: Medium
    SECURITY-2233: High
    SECURITY-2251 (1): High
    SECURITY-2251 (2): Medium
    SECURITY-2327: Medium
    SECURITY-2335: High
    SECURITY-2349: High


Affected Versions

    Credentials Plugin up to and including 2.3.18
    Dashboard View Plugin up to and including 2.15
    P4 Plugin up to and including 1.11.4
    S3 publisher Plugin up to and including 0.11.6
    Xcode integration Plugin up to and including 2.0.14
    Xray - Test Management for Jira Plugin up to and including 2.4.0

Fix

    Credentials Plugin should be updated to version 2.3.19
    Dashboard View Plugin should be updated to version 2.16
    P4 Plugin should be updated to version 1.11.5
    S3 publisher Plugin should be updated to version 0.11.7
    Xcode integration Plugin should be updated to version 2.0.15
    Xray - Test Management for Jira Plugin should be updated to version 2.4.1

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Daniel Beck, CloudBees, Inc. for SECURITY-2200
    Justin Philip for SECURITY-2251 (1), SECURITY-2251 (2)
    Kevin Guerroudj for SECURITY-2233, SECURITY-2335
    Kevin Guerroudj, Justin Philip, Marc Heyries for SECURITY-2327
    Wadeck Follonier, CloudBees, Inc. for SECURITY-2349


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


