
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN332
_____________________________________________________________________

DATE                : 18/06/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Scriptler Plugin for Jenkins
                     versions prior to 3.3, 3.2,
                     Generic Webhook Trigger Plugin for Jenkins
                     versions prior to 1.74.

=====================================================================
https://www.jenkins.io/security/advisory/2021-06-16/
https://www.jenkins.io/security/advisory/2021-06-18/
_____________________________________________________________________


 Jenkins Security Advisory 2021-06-16

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Scriptler Plugin
    Scriptler Plugin

Descriptions


Stored XSS vulnerability in Scriptler Plugin
SECURITY-2224 / CVE-2021-21667

Scriptler Plugin 3.2 and earlier does not escape parameter names shown
in job configuration forms.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Scriptler/Configure permission.

Scriptler Plugin 3.3 escapes parameter names shown in job configuration
forms.


Stored XSS vulnerability in Scriptler Plugin
SECURITY-2390 / CVE-2021-21668

Scriptler Plugin 3.1 and earlier does not escape script content.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Scriptler/Configure permission.

Scriptler Plugin 3.2 escapes script content.
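Both Scriptler issues above (SECURITY-2224, unescaped parameter names; SECURITY-2390, unescaped script content) are the same defect: user-controlled strings written into form markup without HTML escaping. The following added Java example, which is not the plugin's code nor the Jenkins project's, contrasts the unsafe concatenation pattern with the escaped one. The escaper, the two render methods and the sample inputs are all constructed for this note; Jenkins views have their own escaping facilities.

```java
public class EscapedConfigForm {

    // Minimal HTML escaper for text nodes and double-quoted attribute values.
    // Written for this note; it is not the escaper Jenkins core uses.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // The unsafe pattern the advisory describes: a stored parameter name and
    // script body are concatenated straight into the configuration form.
    static String renderUnescaped(String paramName, String scriptBody) {
        return "<input name=\"" + paramName + "\">\n"
             + "<pre>" + scriptBody + "</pre>";
    }

    // The fixed pattern: every untrusted value is escaped at the point it is
    // written into HTML, so it can only ever render as text.
    static String renderEscaped(String paramName, String scriptBody) {
        return "<input name=\"" + escapeHtml(paramName) + "\">\n"
             + "<pre>" + escapeHtml(scriptBody) + "</pre>";
    }

    public static void main(String[] args) {
        // Constructed inputs a user holding Scriptler/Configure could store.
        String name = "\"><img src=x onerror=alert(1)>";
        String script = "println('hi') // <script>alert(1)</script>";
        System.out.println("--- unescaped (vulnerable pattern) ---");
        System.out.println(renderUnescaped(name, script));
        System.out.println("--- escaped (fixed pattern) ---");
        System.out.println(renderEscaped(name, script));
    }
}
```

Run with `javac EscapedConfigForm.java && java EscapedConfigForm`. In the escaped output the stored name closes no attribute and the script body contains no live `<script>` element; the browser shows the characters instead of executing them, which is exactly what versions 3.2 and 3.3 restore for script content and parameter names respectively.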


Severity

    SECURITY-2224: High
    SECURITY-2390: High


Affected Versions

    Scriptler Plugin up to and including 3.2
    Scriptler Plugin up to and including 3.1

Fix

    Scriptler Plugin should be updated to version 3.3
    Scriptler Plugin should be updated to version 3.2

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Kevin Guerroudj for SECURITY-2224

_____________________________________________________________________

 Jenkins Security Advisory 2021-06-18

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Generic Webhook Trigger Plugin


Descriptions


XXE vulnerability in Generic Webhook Trigger Plugin
SECURITY-2330 / CVE-2021-21669

Generic Webhook Trigger Plugin 1.72 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to call webhooks configured to
extract parameters using XPath to have Jenkins parse a crafted XML
request body that uses external entities, either to extract secrets from
the Jenkins controller or to perform server-side request forgery.

Generic Webhook Trigger Plugin 1.74 disables external entity resolution
for its XML parser.
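The fix described above is a parser configuration change. The following added Java example, which is not the plugin's own code, shows a JAXP `DocumentBuilderFactory` configured so that DOCTYPE declarations are refused and external general, parameter and DTD references are never resolved, then uses it to pull a parameter out of a webhook body by XPath, as a webhook-triggered job would. The class name, the `extractParameter` helper, the feature set chosen and both sample bodies (including the placeholder `file:///PLACEHOLDER` URI) are assumptions made for this note; the feature and property URIs are the standard Xerces/JAXP ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedWebhookXml {

    // Builds a DocumentBuilder with DTD processing and external entity
    // resolution switched off. Refusing the DOCTYPE outright is the strongest
    // setting; the remaining features are belt and braces for parsers that
    // ignore the first one.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: no network or file access for DTDs/schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parses a webhook request body with the hardened builder and extracts a
    // single value by XPath (hypothetical helper, not a plugin API).
    static String extractParameter(String body, String xpathExpr) throws Exception {
        Document doc = hardenedBuilder().parse(
            new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        XPath xp = XPathFactory.newInstance().newXPath();
        return xp.evaluate(xpathExpr, doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign body: XPath extraction keeps working.
        String ok = "<push><ref>refs/heads/main</ref></push>";
        System.out.println("ref = " + extractParameter(ok, "/push/ref/text()"));

        // Constructed body carrying a DOCTYPE with an external entity. The
        // hardened parser rejects the document before resolving anything;
        // the URI is a placeholder, not a real target.
        String withDoctype = "<!DOCTYPE push [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
                           + "<push><ref>&ext;</ref></push>";
        try {
            extractParameter(withDoctype, "/push/ref/text()");
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `javac HardenedWebhookXml.java && java HardenedWebhookXml`. The benign body prints `ref = refs/heads/main`; the body with a DOCTYPE is rejected with a `SAXParseException` before any entity is resolved. Operators who cannot update immediately can also check whether any configured webhook actually relies on XPath parameter extraction, since the advisory scopes the issue to those webhooks.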


Severity

    SECURITY-2330: High


Affected Versions

    Generic Webhook Trigger Plugin up to and including 1.72


Fix

    Generic Webhook Trigger Plugin should be updated to version 1.74

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Kevin Guerroudj, Justin Philip, Marc Heyries for SECURITY-2330


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


