
=====================================================================

                              CERT-Renater

                  Information Note No. 2021/VULN604
_____________________________________________________________________

DATE                : 12/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Active Choices Plugin;
                       OWASP Dependency-Check Plugin
                       Performance Plugin
                       pom2config Plugin
                       Scriptler Plugin
                       Squash TM Publisher (Squash4Jenkins) Plugin.

=====================================================================
https://www.jenkins.io/security/advisory/2021-11-12/
_____________________________________________________________________

 Jenkins Security Advisory 2021-11-12

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Active Choices Plugin
    OWASP Dependency-Check Plugin
    Performance Plugin
    pom2config Plugin
    Scriptler Plugin
    Squash TM Publisher (Squash4Jenkins) Plugin


Descriptions


Stored XSS vulnerability in Active Choices Plugin
SECURITY-2219 / CVE-2021-21699

Active Choices Plugin 2.5.6 and earlier does not escape the parameter
name of reactive parameters and dynamic reference parameters.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5.7 escapes references to parameter names.


Stored XSS vulnerability in Scriptler Plugin
SECURITY-2406 / CVE-2021-21700

Scriptler Plugin 3.3 and earlier does not escape the name of scripts on
the UI when asking to confirm their deletion.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to create Scriptler scripts.

Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking
to confirm their deletion.


XXE vulnerability in Performance Plugin
SECURITY-2394 / CVE-2021-21701

Performance Plugin 3.20 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins
parse a crafted XML report file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

As of publication of this advisory, there is no fix.


XXE vulnerability in pom2config Plugin
SECURITY-2415 / CVE-2021-43576

pom2config Plugin 1.2 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read and Item/Read permissions to
have Jenkins parse a crafted XML file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

As of publication of this advisory, there is no fix.


XXE vulnerability in OWASP Dependency-Check Plugin
SECURITY-2488 / CVE-2021-43577

OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its
XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins
parse a crafted XML file that uses external entities for extraction of
secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.
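The three XXE entries above (Performance, pom2config and OWASP
Dependency-Check) share one root cause: a JAXP parser left at its
defaults, which resolve external entities declared in a DOCTYPE. The
following is an added example, not code from Jenkins or any of the
plugins named in this advisory, showing how a report parser on the
controller can be hardened with the JDK's built-in Xerces features. The
class name, the report structure and the entity-bearing sample document
are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Hypothetical report loader; hardened against XXE, unlike a default DocumentBuilderFactory. */
public final class SafeXmlReport {

    // Constructed sample: a "report" that declares an external entity. With a default
    // JDK parser, &ext; would be replaced by the contents of the referenced resource.
    static final String REPORT_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE report [ <!ENTITY ext SYSTEM \"file:///path/never/read\"> ]>\n"
      + "<report><name>&ext;</name></report>\n";

    /** Builds a factory that refuses DTDs and never resolves external entities. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: no DOCTYPE at all, so no entity declarations can appear.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Secure processing additionally caps entity expansion (billion-laughs style DoS).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Parses report XML from a workspace file; a document carrying a DOCTYPE fails to parse. */
    public static Document parseReport(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // A plain report without a DOCTYPE is still accepted.
        Document ok = parseReport("<report><name>build-42</name></report>");
        System.out.println("parsed root element: " + ok.getDocumentElement().getTagName());

        // The constructed entity-bearing report is rejected before any resource is fetched.
        try {
            parseReport(REPORT_WITH_EXTERNAL_ENTITY);
            System.out.println("UNEXPECTED: entity-bearing report was accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same feature strings apply to `SAXParserFactory` and, via
`XMLInputFactory.SUPPORT_DTD`, to StAX readers; whichever API a plugin
uses to read workspace-controlled XML, the check a reviewer wants to see
is that the DOCTYPE is refused rather than merely that entities are not
expanded into the DOM.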


Arbitrary file write vulnerability in Squash TM Publisher (Squash4Jenkins)
Plugin
SECURITY-2525 / CVE-2021-43578

Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements
an agent-to-controller message that does not perform any validation of
its input.

This allows attackers able to control agent processes to replace
arbitrary files on the Jenkins controller file system with an
attacker-controlled JSON string.

As of publication of this advisory, there is no fix.
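The Squash TM Publisher issue is an agent-to-controller message whose
file name is used as-is on the controller. As an added example (not the
plugin's code, and independent of the Jenkins remoting API), the class
below shows the input validation such a message handler needs: the
agent-supplied name is resolved under a fixed directory on the
controller, any result that escapes that directory is refused, and the
final file name is restricted to an allowlist. The root directory, the
`.json` restriction and the sample names are constructed assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/** Hypothetical guard for file names an agent sends to the controller. */
public final class ControllerPathGuard {

    // Assumption for this example: result files are plain names ending in .json.
    private static final Pattern ALLOWED_FILE_NAME =
        Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]*\\.json$");

    /**
     * Resolves an untrusted name under {@code root}. Throws if the name is absolute,
     * climbs out of root with "..", targets root itself, or has a disallowed file name.
     */
    public static Path resolveUnderRoot(Path root, String untrustedName) {
        if (untrustedName == null || untrustedName.isEmpty()) {
            throw new IllegalArgumentException("empty file name from agent");
        }
        Path base = root.toAbsolutePath().normalize();
        // resolve() returns the argument unchanged when it is absolute, and normalize()
        // collapses ".." segments, so a containment check on the result covers both cases.
        Path candidate = base.resolve(untrustedName).normalize();
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes controller root: " + untrustedName);
        }
        String fileName = candidate.getFileName().toString();
        if (!ALLOWED_FILE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("disallowed result file name: " + fileName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed root directory; a real handler would use a per-job results directory.
        Path root = Paths.get("/var/lib/jenkins/squash-results");
        String[] samples = {
            "build-42/result.json",   // accepted: stays below root, allowed name
            "../../outside.json",     // rejected: climbs out of root
            "/tmp/elsewhere.json",    // rejected: absolute, ignores root
            "build-42/notes.txt"      // rejected: not an allowed result file name
        };
        for (String name : samples) {
            try {
                System.out.println("accepted " + resolveUnderRoot(root, name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

`Path.startsWith` compares whole path components, so a sibling directory
with a longer name (`squash-results2`) is not mistaken for a child of
the root. If the root may contain symbolic links, resolve both the root
and the candidate with `toRealPath()` before comparing; that step is
omitted here because the constructed root does not exist on disk. In a
Jenkins plugin this validation belongs on the controller side of the
message, since the agent side is under the attacker's control in the
scenario the advisory describes.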


Severity

    SECURITY-2219: High
    SECURITY-2394: High
    SECURITY-2406: High
    SECURITY-2415: High
    SECURITY-2488: High
    SECURITY-2525: High


Affected Versions

    Active Choices Plugin up to and including 2.5.6
    OWASP Dependency-Check Plugin up to and including 5.1.1
    Performance Plugin up to and including 3.20
    pom2config Plugin up to and including 1.2
    Scriptler Plugin up to and including 3.3
    Squash TM Publisher (Squash4Jenkins) Plugin up to and including
     1.0.0

Fix

    Active Choices Plugin should be updated to version 2.5.7
    Scriptler Plugin should be updated to version 3.4

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.

As of publication of this advisory, no fixes are available for the
following plugins:

    OWASP Dependency-Check Plugin
    Performance Plugin
    pom2config Plugin
    Squash TM Publisher (Squash4Jenkins) Plugin


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Adith Sudhakar working with Trend Micro Zero Day Initiative for
     SECURITY-2394, SECURITY-2415
    Daniel Beck, CloudBees, Inc. for SECURITY-2525
    Guy Lederfein of Trend Micro for SECURITY-2406
    Kevin Guerroudj, and, independently, Audrey Prieur of Trend Micro
     for SECURITY-2219



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

