
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN431
_____________________________________________________________________

DATE                : 07/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins (core),
                        Azure AD Plugin
                        Code Coverage API Plugin
                        Nested View Plugin
                        Nomad Plugin
                        SAML Plugin

=====================================================================
https://www.jenkins.io/security/advisory/2021-08-31/
_____________________________________________________________________
This advisory announces vulnerabilities in the following Jenkins
deliverables:

Azure AD Plugin
Code Coverage API Plugin
Nested View Plugin
Nomad Plugin
SAML Plugin
Descriptions

RCE vulnerability in Code Coverage API Plugin
SECURITY-2376 / CVE-2021-21677
Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200
deserialization protection to Java objects it deserializes from disk.

This results in a remote code execution (RCE) vulnerability exploitable
by attackers able to control agent processes.

Code Coverage API Plugin 1.4.1 configures its Java object
deserialization to only deserialize safe types.
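JEP-200 is Jenkins core's allow/deny list for object deserialization; it covers the deserialization paths core itself owns, but a plugin that reads Java objects from disk with its own XStream instance has to apply an equivalent restriction. The class below is an added illustration of that "only deserialize safe types" approach using XStream's own permission API; it is not the Code Coverage API Plugin's code, the advisory does not say which mechanism version 1.4.1 uses, and the `CoverageSnapshot` type, the `snapshot` alias and the sample XML are all constructed for this example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public final class CoverageFileStore {

    /** Hypothetical result type; the only user-defined class this store may ever produce. */
    public static final class CoverageSnapshot {
        String fileName;
        int coveredLines;
        int totalLines;
    }

    /**
     * Deny-all baseline followed by an explicit allowlist. Any other class named in the
     * XML is refused before it is instantiated, which is the property JEP-200 asks for.
     */
    static XStream restrictedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // reject every type ...
        xs.addPermission(NullPermission.NULL);                // ... except null,
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and their wrappers,
        xs.allowTypes(new Class[] { String.class, CoverageSnapshot.class }); // and these two
        xs.alias("snapshot", CoverageSnapshot.class);
        return xs;
    }

    /** Loads a snapshot file an agent produced; the allowlist is enforced while parsing. */
    public static CoverageSnapshot load(Path xmlFile) throws IOException {
        String xml = new String(Files.readAllBytes(xmlFile), StandardCharsets.UTF_8);
        return parse(xml);
    }

    static CoverageSnapshot parse(String xml) throws IOException {
        Object o;
        try {
            o = restrictedXStream().fromXML(xml);
        } catch (XStreamException e) { // ForbiddenClassException for non-allowlisted types lands here
            throw new IOException("refusing to deserialize coverage data: " + e.getMessage(), e);
        }
        if (!(o instanceof CoverageSnapshot)) {
            throw new IOException("unexpected root type "
                    + (o == null ? "null" : o.getClass().getName()));
        }
        return (CoverageSnapshot) o;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a well-formed snapshot as an agent would report it.
        String good = "<snapshot><fileName>Foo.java</fileName>"
                + "<coveredLines>8</coveredLines><totalLines>10</totalLines></snapshot>";
        CoverageSnapshot s = parse(good);
        System.out.println(s.fileName + ": " + s.coveredLines + "/" + s.totalLines);

        // Constructed sample input naming a JDK type that is not on the allowlist.
        try {
            parse("<java.util.ArrayList/>");
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The important design choice is the order: `NoTypePermission.NONE` first, so that the instance starts from "nothing is allowed", and only then the handful of types the file format really needs. An allowlist built on top of XStream's default configuration inherits whatever that default permits, which varies by XStream version.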

SAML Plugin allows bypassing CSRF protection for any URL
SECURITY-2469 / CVE-2021-21678
An extension point in Jenkins allows selectively disabling cross-site
request forgery (CSRF) protection for specific URLs. SAML Plugin
implements this extension point for the URL that users are redirected to
after login.

In SAML Plugin 2.0.7 and earlier this implementation is too permissive,
allowing attackers to craft URLs that would bypass the CSRF protection
of any target URL.

This vulnerability was originally introduced in SAML Plugin 1.1.3.

SAML Plugin 2.0.8 restricts the cross-site request forgery (CSRF)
protection exemption to the one URL that needs it.

Azure AD Plugin allows bypassing CSRF protection for any URL
SECURITY-2470 / CVE-2021-21679
An extension point in Jenkins allows selectively disabling cross-site
request forgery (CSRF) protection for specific URLs. Azure AD Plugin
implements this extension point for URLs used by a JavaScript component.

In Azure AD Plugin 179.vf6841393099e and earlier this implementation is
too permissive, allowing attackers to craft URLs that would bypass the
CSRF protection of any target URL.

This vulnerability was originally introduced in Azure AD Plugin
164.v5b48baa961d2.

Azure AD Plugin 180.v8b1e80e6f242 no longer allows bypassing CSRF
protection for URLs used by the JavaScript component. Instead, that
component was reconfigured to pass the expected CSRF token.
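The extension point referred to in both the SAML Plugin and the Azure AD Plugin entries is `hudson.security.csrf.CrumbExclusion`: an implementation that returns `true` for a request lets it through without a crumb. Whether the exemption covers "the one URL that needs it" or "any target URL" therefore comes down to how narrowly the implementation matches the request path. The class below is an added example of a narrow implementation written for this note; it is not the code of either plugin, and `LoginCallbackCrumbExclusion` and the `/exampleLogin/finish` path are made up for illustration.

```java
import hudson.Extension;
import hudson.security.csrf.CrumbExclusion;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/** Exempts exactly one path from the CSRF crumb check and nothing else. */
@Extension
public class LoginCallbackCrumbExclusion extends CrumbExclusion {

    /** Hypothetical: the single path that must accept a request without a crumb. */
    static final String EXEMPT_PATH = "/exampleLogin/finish";

    /**
     * Exact comparison on the servlet path info (which excludes the query string).
     * A substring or prefix test here, or a test against the full request URL,
     * would also exempt unrelated URLs that merely contain this text.
     */
    static boolean isExempt(String pathInfo) {
        return EXEMPT_PATH.equals(pathInfo);
    }

    @Override
    public boolean process(HttpServletRequest request, HttpServletResponse response,
                           FilterChain chain) throws IOException, ServletException {
        if (isExempt(request.getPathInfo())) {
            chain.doFilter(request, response); // continue without the crumb check
            return true;                       // tell Jenkins this request was handled
        }
        return false; // every other URL keeps the normal CSRF crumb requirement
    }

    /** Stand-alone check of the matcher on constructed path values. */
    public static void main(String[] args) {
        String[] paths = { "/exampleLogin/finish", "/exampleLogin/finish/", "/job/demo/build", null };
        for (String p : paths) {
            System.out.println(p + " -> exempt=" + isExempt(p));
        }
    }
}
```

Only the first of the constructed paths is exempt; the trailing-slash variant, an unrelated job URL and a null path info all fall through to the normal crumb check. When reviewing a `CrumbExclusion`, the question to ask of every branch is "can a request for a different URL be made to satisfy this condition?"; if the match is anything other than an exact path comparison, the answer deserves a hard look.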

XXE vulnerability in Nested View Plugin
SECURITY-2411 / CVE-2021-21680
Nested View Plugin 1.20 and earlier does not configure its XML
transformer to prevent XML external entity (XXE) attacks.

This allows attackers able to configure views to have Jenkins parse a
crafted view XML definition that uses external entities for extraction
of secrets from the Jenkins controller or server-side request forgery.

Nested View Plugin 1.21 disables external entity resolution for its XML
transformer.
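For the Nested View Plugin entry, the relevant configuration lives on `javax.xml.transform.TransformerFactory`. An identity transform over a `StreamSource` still parses the input XML, so external entities are resolved unless the factory is told not to. The class below is an added example, not the plugin's code; `SafeViewTransform`, the sample view XML and the placeholder entity path are all constructed for this note.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public final class SafeViewTransform {

    /** A TransformerFactory that refuses to fetch external DTDs, entities and stylesheets. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string = no protocols allowed, so file:, http:, jar: ... are all denied.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Identity transform, standing in for the plugin's XSLT step over a view definition. */
    static String transform(TransformerFactory tf, String xml) throws TransformerException {
        Transformer t = tf.newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an ordinary view definition passes through unchanged.
        String plain = "<view><name>nested</name></view>";
        System.out.println(transform(hardenedFactory(), plain));

        // Constructed input declaring an external entity (placeholder path). With the
        // hardened factory the transform fails instead of the file contents being read.
        String withEntity = "<!DOCTYPE v [<!ENTITY ext SYSTEM \"file:///placeholder/secret\">]>"
                + "<view>&ext;</view>";
        try {
            transform(hardenedFactory(), withEntity);
            System.out.println("unexpected: entity was resolved");
        } catch (TransformerException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two `setAttribute` calls are what actually close the hole: `FEATURE_SECURE_PROCESSING` on its own limits things like entity expansion counts but, on older JDKs, does not stop external entity resolution. A practical check for a plugin that ships its own XSLT is to grep for `TransformerFactory.newInstance()` and confirm both `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` are set before the factory is used.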

Password stored in plain text by Nomad Plugin
SECURITY-2396 / CVE-2021-21681
Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate
against the Docker registry unencrypted in the global config.xml file on
the Jenkins controller as part of its worker templates configuration.

These passwords can be viewed by users with access to the Jenkins
controller file system.

Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is
effective after Jenkins restarts.
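In a Jenkins plugin, the difference between "stored in plain text" and "stored encrypted" in `config.xml` is usually the declared type of the field: a `String` is persisted verbatim, while a `hudson.util.Secret` is written in its encrypted form and decrypted on read with the controller's key. The class below is an added example of a worker-template fragment using `Secret`; it is not the Nomad Plugin's code, and `RegistryLogin` and its fields are hypothetical. It is meant to be compiled inside a plugin, since `Secret` needs a running Jenkins instance for its key.

```java
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/** Hypothetical worker-template fragment: Docker registry login stored with an encrypted password. */
public class RegistryLogin extends AbstractDescribableImpl<RegistryLogin> {

    private final String username;

    // Declared as Secret rather than String: XStream persists Secret through its own
    // converter, so config.xml holds the encrypted value, not the password itself.
    private final Secret password;

    /** Stapler converts the submitted form string to a Secret via Secret.fromString. */
    @DataBoundConstructor
    public RegistryLogin(String username, Secret password) {
        this.username = username;
        this.password = password;
    }

    public String getUsername() {
        return username;
    }

    /** Read by the Jelly form; the browser receives the encrypted form, not the plaintext. */
    public Secret getPassword() {
        return password;
    }

    /** Decrypt only at the point of use, e.g. when assembling the registry login command. */
    String plainPassword() {
        return Secret.toString(password); // returns "" for a null Secret
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<RegistryLogin> {
        @Override
        public String getDisplayName() {
            return "Registry login";
        }
    }
}
```

The advisory's note that the change "is effective after Jenkins restarts" matches how this works in practice: the on-disk file is only rewritten when the configuration is saved again, so an existing `config.xml` keeps the old plaintext value until that happens. After upgrading, it is worth opening and saving the affected global configuration once, then confirming that the relevant element in `config.xml` no longer contains the password in clear.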

Severity
SECURITY-2376: High
SECURITY-2396: Low
SECURITY-2411: High
SECURITY-2469: High
SECURITY-2470: High

Affected Versions
Azure AD Plugin up to and including 179.vf6841393099e
Code Coverage API Plugin up to and including 1.4.0
Nested View Plugin up to and including 1.20
Nomad Plugin up to and including 0.7.4
SAML Plugin up to and including 2.0.7

Fix
Azure AD Plugin should be updated to version 180.v8b1e80e6f242
Code Coverage API Plugin should be updated to version 1.4.1
Nested View Plugin should be updated to version 1.21
Nomad Plugin should be updated to version 0.7.5
SAML Plugin should be updated to version 2.0.8

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.

Credit
The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

Brian Hysell, Synopsys Software Integrity Group for SECURITY-2411
Daniel Beck, CloudBees, Inc. for SECURITY-2469, SECURITY-2470


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================