
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN338
_____________________________________________________________________

DATE                : 01/07/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins (core),
                        CAS Plugin for Jenkins,
                        requests-plugin Plugin for Jenkins,
                        requests-plugin Plugin for Jenkins,
                        requests-plugin Plugin for Jenkins,
                        Selenium HTML report Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2021-06-30/
_____________________________________________________________________

 Jenkins Security Advisory 2021-06-30

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)
    CAS Plugin
    requests-plugin Plugin
    requests-plugin Plugin
    requests-plugin Plugin
    Selenium HTML report Plugin


Descriptions

Improper permission checks allow canceling queue items and aborting
builds

SECURITY-2278 / CVE-2021-21670

Jenkins 2.299 and earlier and LTS 2.289.1 and earlier allow users to
cancel queue items and abort builds of jobs for which they have
Item/Cancel permission even when they do not have Item/Read permission.

Jenkins 2.300, LTS 2.289.2 requires that users have Item/Read permission
for applicable types in addition to Item/Cancel permission.

As a workaround on earlier versions of Jenkins, do not grant Item/Cancel
permission to users who do not have Item/Read permission.


Session fixation vulnerability
SECURITY-2371 / CVE-2021-21671

Jenkins 2.299 and earlier and LTS 2.289.1 and earlier do not invalidate
the existing session on login. This allows attackers to use social
engineering techniques to gain administrator access to Jenkins.

This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.

Jenkins 2.300, LTS 2.289.2 invalidates the existing session on login.

Note
    In case of problems, administrators can choose a different
    implementation by setting the Java system property
    hudson.security.SecurityRealm.sessionFixationProtectionMode to 2,
    or disable the fix entirely by setting that system property to 0.
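
The following is an added illustration of the session fixation issue, not
Jenkins code: a toy server-side session store with two login handlers, one
that authenticates the session id the browser already carried (what the
advisory describes for 2.266 through 2.299) and one that discards it and
issues a fresh id (the 2.300 / LTS 2.289.2 behaviour). The store, handler
names and the "admin" user are constructed for this example.

```python
# Added example (not Jenkins code): a toy session store and two login handlers,
# one that keeps the pre-login session id and one that replaces it.
import secrets


class SessionStore:
    """Server-side session store keyed by an opaque session id."""

    def __init__(self):
        self._sessions = {}  # session id -> attributes

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login_without_invalidation(store, sid, username):
    """Authenticates the session the browser already had (the behaviour the
    advisory describes for 2.266 through 2.299): the id that existed before
    login stays valid and is now tied to the authenticated user."""
    session = store.get(sid)
    if session is None:
        raise KeyError("unknown session")
    session["user"] = username
    return sid


def login_with_invalidation(store, sid, username):
    """Discards the pre-login session and issues a fresh id (the 2.300 /
    LTS 2.289.2 behaviour): nothing about the old id carries over."""
    store.invalidate(sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid


def pre_login_id_is_authenticated_after_login(login):
    """True if a session id that existed before login is authenticated after it."""
    store = SessionStore()
    sid = store.create()             # id issued before any authentication
    login(store, sid, "admin")       # user logs in from a browser carrying that id
    session = store.get(sid)
    return session is not None and session["user"] == "admin"


if __name__ == "__main__":
    for handler in (login_without_invalidation, login_with_invalidation):
        print(handler.__name__, pre_login_id_is_authenticated_after_login(handler))
```

The check at the end is the property an auditor wants to verify on any login
flow: whatever session id a client presented before authenticating must not be
an authenticated session afterwards. Setting sessionFixationProtectionMode to 0
on affected versions restores the first handler's behaviour.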


XXE vulnerability in Selenium HTML report Plugin
SECURITY-2329 / CVE-2021-21672

Selenium HTML report Plugin 1.0 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the report files
parsed using this plugin to have Jenkins parse a crafted report file
that uses external entities for extraction of secrets from the Jenkins
controller or server-side request forgery.

Selenium HTML report Plugin 1.1 disables external entity resolution for
its XML parser.
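
As an added example of the mitigation described above (this is not the
plugin's code), the parser below refuses any report that declares a DTD before
handing it to the XML library. Entities can only be declared inside a DTD, so
rejecting the DOCTYPE declaration removes the external-entity surface. The
report format, element names and sample documents are constructed for the
example.

```python
# Added example (not the plugin's code): parse an untrusted XML report while
# refusing any DTD, so no entity, external or internal, can be declared.
import re
import xml.etree.ElementTree as ET

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


class UnsafeReportError(ValueError):
    """Raised when a report carries a DTD and is therefore not parsed."""


def parse_report_safely(data: bytes) -> ET.Element:
    """Return the root element of an XML report that contains no DTD.

    The byte-level check assumes a single-byte-compatible encoding (UTF-8 or
    ASCII); UTF-16 input would not match the pattern, so decode or reject
    other encodings before calling this (or use the defusedxml package,
    which hooks the parser itself instead of scanning bytes)."""
    if _DOCTYPE_RE.search(data):
        raise UnsafeReportError("report declares a DTD; refusing to parse it")
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if parse_report_safely refuses the document."""
    try:
        parse_report_safely(data)
    except UnsafeReportError:
        return True
    return False


def count_results(data: bytes) -> dict:
    """Count <test status="..."> elements by status (constructed report format)."""
    counts = {}
    for case in parse_report_safely(data).iter("test"):
        status = case.get("status", "unknown")
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample reports; the element names are made up for this example.
PLAIN_REPORT = b"""<?xml version="1.0"?>
<report>
  <test name="login" status="passed"/>
  <test name="logout" status="failed"/>
  <test name="search" status="passed"/>
</report>"""

# Same report, but referencing an external DTD: this must never be fetched.
DTD_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE report SYSTEM "http://example.invalid/report.dtd">
<report><test name="login" status="passed"/></report>"""

if __name__ == "__main__":
    print(count_results(PLAIN_REPORT))
    print("DTD report rejected:", is_rejected(DTD_REPORT))
```

Failing closed on any DOCTYPE is the simplest policy for report files a build
produces, since a legitimate report has no reason to carry one; where a DTD is
genuinely required, the parser's own entity-resolution features must be
disabled instead, which is what the plugin's 1.1 release does.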


Open redirect vulnerability in CAS Plugin
SECURITY-2387 / CVE-2021-21673

CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL
after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to
a Jenkins URL that will forward them to a different site after
successful authentication.

CAS Plugin 1.6.1 only redirects to relative (Jenkins) URLs.
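
An added example of the "relative URLs only" rule (not the CAS Plugin's code):
a validator for the post-login redirect target that accepts a path on the
current instance and rejects the forms that browsers resolve to another
origin. The function names and the fallback of "/" are assumptions for this
example.

```python
# Added example (not the CAS Plugin's code): accept a post-login redirect only
# when it is a path on this Jenkins instance, never a different origin.
from urllib.parse import urlsplit


def is_safe_redirect_target(target: str) -> bool:
    """True only for targets of the form /path[?query][#fragment].

    Rejected: absolute URLs (https://other.example/), scheme-relative URLs
    (//other.example/), multi-slash variants (///other.example/) that browsers
    also resolve to another host, backslash variants (/\\other.example/) that
    browsers normalise to slashes, anything with a scheme (javascript:,
    data:), and targets containing control characters such as tab or newline.
    """
    if not target or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    candidate = target.replace("\\", "/")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    return parts.scheme == "" and parts.netloc == ""


def post_login_redirect(requested: str, fallback: str = "/") -> str:
    """Return the requested target when it is safe, otherwise the fallback."""
    return requested if is_safe_redirect_target(requested) else fallback


if __name__ == "__main__":
    for t in ["/job/example/", "https://other.example/", "//other.example/",
              "///other.example/", "/\\other.example/", "javascript:alert(1)"]:
        print(f"{t!r:32} -> {post_login_redirect(t)}")
```

The validator deliberately requires a leading slash, so a bare relative path
such as "job/example" is also sent to the fallback; that is stricter than
necessary but keeps the accepted grammar small enough to reason about.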


Missing permission check in requests-plugin Plugin allows viewing
pending requests
SECURITY-1995 / CVE-2021-21674

requests-plugin Plugin 2.2.6 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the list of
pending requests.

requests-plugin Plugin 2.2.7 requires Overall/Read permission to view
the list of pending requests.


CSRF vulnerabilities in requests-plugin Plugin
SECURITY-2136 (1) / CVE-2021-21675

requests-plugin Plugin 2.2.12 and earlier does not require POST requests
to request and apply changes, resulting in cross-site request forgery
(CSRF) vulnerabilities.

These vulnerabilities allow attackers to create requests and/or have
administrators apply pending requests, like renaming or deleting jobs,
deleting builds, etc.

requests-plugin Plugin 2.2.13 requires POST requests for the affected
HTTP endpoints.

This was partially fixed in requests-plugin Plugin 2.2.8 to require POST
requests for some of the affected HTTP endpoints, but the endpoint
allowing administrators to apply pending requests remained unprotected
until 2.2.13.


Missing permission check in requests-plugin Plugin allows sending emails
SECURITY-2136 (2) / CVE-2021-21676

requests-plugin Plugin 2.2.7 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to send test emails
to an attacker-specified email address.

requests-plugin Plugin 2.2.8 requires Overall/Administer permission to
send test emails.


Severity

    SECURITY-1995: Medium
    SECURITY-2136 (1): Medium
    SECURITY-2136 (2): Medium
    SECURITY-2278: Medium
    SECURITY-2329: High
    SECURITY-2371: High
    SECURITY-2387: Medium


Affected Versions

    Jenkins weekly up to and including 2.299
    Jenkins LTS up to and including 2.289.1
    CAS Plugin up to and including 1.6.0
    requests-plugin Plugin up to and including 2.2.6
    requests-plugin Plugin up to and including 2.2.12
    requests-plugin Plugin up to and including 2.2.7
    Selenium HTML report Plugin up to and including 1.0


Fix

    Jenkins weekly should be updated to version 2.300
    Jenkins LTS should be updated to version 2.289.2
    CAS Plugin should be updated to version 1.6.1
    requests-plugin Plugin should be updated to version 2.2.7
    requests-plugin Plugin should be updated to version 2.2.13
    requests-plugin Plugin should be updated to version 2.2.8
    Selenium HTML report Plugin should be updated to version 1.1


These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.
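
The following added script (not a Jenkins project tool) compares an
instance's core and plugin versions with the affected and fixed versions listed
in the Affected Versions and Fix sections above and reports which
SECURITY/CVE entries still apply. It assumes the plugin list has the shape of
the "plugins" array returned by /pluginManager/api/json?depth=1 (entries with
"shortName" and "version"), that the core version is taken from the X-Jenkins
response header, and that the plugin short names cas-plugin, requests-plugin
and seleniumhtmlreport are correct; confirm those in your plugin manager. The
sample instance data is constructed.

```python
# Added example (not a Jenkins project tool): compare an instance's core and
# plugin versions with the affected/fixed versions listed in this advisory.
import json
import re

# Last affected and first fixed versions, keyed by plugin short name. The short
# names are assumptions for this example; confirm them in your plugin manager.
PLUGIN_ADVISORIES = {
    "cas-plugin": [("SECURITY-2387", "CVE-2021-21673", "1.6.0", "1.6.1")],
    "requests-plugin": [
        ("SECURITY-1995", "CVE-2021-21674", "2.2.6", "2.2.7"),
        ("SECURITY-2136 (1)", "CVE-2021-21675", "2.2.12", "2.2.13"),
        ("SECURITY-2136 (2)", "CVE-2021-21676", "2.2.7", "2.2.8"),
    ],
    "seleniumhtmlreport": [("SECURITY-2329", "CVE-2021-21672", "1.0", "1.1")],
}
CORE_LAST_AFFECTED = {"weekly": "2.299", "lts": "2.289.1"}
CORE_FIXED = {"weekly": "2.300", "lts": "2.289.2"}
# SECURITY-2371 only exists from these versions on (see the advisory text).
SESSION_FIXATION_INTRODUCED = {"weekly": "2.266", "lts": "2.277.1"}


def version_key(version):
    """Numeric tuple for ordering, e.g. '2.2.12' -> (2, 2, 12)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def core_line(version):
    """LTS releases carry three numbers (2.289.1); weeklies carry two (2.299)."""
    return "lts" if len(version_key(version)) >= 3 else "weekly"


def core_findings(version):
    """Return (SECURITY id, CVE, fixed version) tuples that apply to a core version."""
    line = core_line(version)
    key = version_key(version)
    findings = []
    if key <= version_key(CORE_LAST_AFFECTED[line]):
        fixed = CORE_FIXED[line]
        findings.append(("SECURITY-2278", "CVE-2021-21670", fixed))
        if key >= version_key(SESSION_FIXATION_INTRODUCED[line]):
            findings.append(("SECURITY-2371", "CVE-2021-21671", fixed))
    return findings


def plugin_findings(plugins):
    """plugins: the 'plugins' list from /pluginManager/api/json?depth=1; each
    entry is assumed to carry 'shortName' and 'version' as the remote API does."""
    findings = []
    for plugin in plugins:
        entries = PLUGIN_ADVISORIES.get(plugin["shortName"], [])
        for sec_id, cve, last_affected, fixed in entries:
            if version_key(plugin["version"]) <= version_key(last_affected):
                findings.append((plugin["shortName"], plugin["version"], sec_id, cve, fixed))
    return findings


def audit(core_version, plugin_manager_json):
    """Audit one instance; returns {'core': [...], 'plugins': [...]} findings."""
    plugins = json.loads(plugin_manager_json)["plugins"]
    return {"core": core_findings(core_version), "plugins": plugin_findings(plugins)}


# Constructed sample: an LTS controller at the last affected version, a
# partially fixed requests-plugin, a fixed CAS Plugin and an unrelated plugin.
SAMPLE_CORE_VERSION = "2.289.1"
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({"plugins": [
    {"shortName": "requests-plugin", "version": "2.2.10"},
    {"shortName": "cas-plugin", "version": "1.6.1"},
    {"shortName": "seleniumhtmlreport", "version": "1.0"},
    {"shortName": "git", "version": "4.7.2"},
]})

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CORE_VERSION, SAMPLE_PLUGIN_MANAGER_JSON).items():
        for item in items:
            print(kind, *item)
```

The per-entry thresholds matter for requests-plugin: a 2.2.10 install is past
the fixes for SECURITY-1995 and SECURITY-2136 (2) but still exposed to
SECURITY-2136 (1) until 2.2.13, which is what the sample run reports.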


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Angélique Jard, CloudBees, Inc. for SECURITY-2278
    Justin Philip, Kevin Guerroudj, Marc Heyries for SECURITY-2329
    Matt Sicker, CloudBees, Inc. for SECURITY-1995
    Wadeck Follonier, CloudBees, Inc. for SECURITY-2387


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================