=====================================================================

                                 CERT-Renater

                       Note d'Information No. 2023/VULN442

_____________________________________________________________________

DATE                : 26/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CloudBees CD Plugin for Jenkins,
                  Edgewall Trac Plugin for Jenkins,
                  GitHub Plugin for Jenkins,
                  Gogs Plugin for Jenkins,
                  lambdatest-automation Plugin for Jenkins,
                  lambdatest-automation Plugin for Jenkins,
                  MSTeams Webhook Trigger Plugin for Jenkins,
                  Multibranch Scan Webhook Trigger Plugin for Jenkins,
                  Warnings Plugin for Jenkins,
                  Zanata Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2023-10-25/
_____________________________________________________________________

  Jenkins Security Advisory 2023-10-25

This advisory announces vulnerabilities in the following Jenkins
deliverables:

     CloudBees CD Plugin
     Edgewall Trac Plugin
     GitHub Plugin
     Gogs Plugin
     lambdatest-automation Plugin
     lambdatest-automation Plugin
     MSTeams Webhook Trigger Plugin
     Multibranch Scan Webhook Trigger Plugin
     Warnings Plugin
     Zanata Plugin


Descriptions


Stored XSS vulnerability in GitHub Plugin
SECURITY-3246 / CVE-2023-46650
Severity (CVSS): High
Affected plugin: github

Description:

GitHub Plugin 1.37.3 and earlier does not escape the GitHub project
URL on the build page when showing changes.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

GitHub Plugin 1.37.3.1 escapes GitHub project URL on the build page
when showing changes.

Exposure of system-scoped credentials in Warnings Plugin
SECURITY-3265 / CVE-2023-46651
Severity (CVSS): Medium
Affected plugin: warnings-ng

Description:

Warnings Plugin 10.5.0 and earlier does not set the appropriate
context for credentials lookup, allowing the use of system-scoped
credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access
and capture credentials they are not entitled to.

Warnings Plugin 10.5.1 defines the appropriate context for
credentials lookup.


Missing permission check in lambdatest-automation Plugin allows
enumerating credentials IDs

SECURITY-3222 / CVE-2023-46652
Severity (CVSS): Medium
Affected plugin: lambdatest-automation

Description:

lambdatest-automation Plugin 1.20.9 and earlier does not perform
a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate
credentials IDs of LAMBDATEST credentials stored in Jenkins.
Those can be used as part of an attack to capture the
credentials using another vulnerability.

An enumeration of credentials IDs in lambdatest-automation Plugin
1.20.10 requires Overall/Administer permission.

Exposure of token through logs in lambdatest-automation Plugin
SECURITY-3202 / CVE-2023-46653
Severity (CVSS): Low
Affected plugin: lambdatest-automation

Description:

lambdatest-automation Plugin 1.20.10 and earlier logs LAMBDATEST
Credentials access token at the INFO level.

This can result in accidental exposure of the token through
the default system log.

lambdatest-automation Plugin 1.21.0 no longer logs LAMBDATEST
Credentials access token.
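The three lambdatest-automation and Warnings entries above describe the same family of credential-handling mistakes: looking credentials up without the job as context (so system-scoped entries become reachable from a job), exposing a credential-ID listing without a permission check, and writing the token itself into the log. The following Python is an added illustration written for this note; it is not code from Jenkins or from either plugin (both are Java), and the store, the permission names as plain strings, the item object and the log line are all constructed for the example. It models scope filtering by context, the permission gate on enumeration, and a log filter that masks a known secret as a safety net (the actual fix in 1.21.0 is simply not to log the token).

```python
import io
import logging
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    GLOBAL = "global"   # may be used by jobs (Items)
    SYSTEM = "system"   # reserved for the controller's own global configuration


@dataclass(frozen=True)
class Credential:
    id: str
    scope: Scope
    token: str          # the secret value


class PermissionDenied(Exception):
    pass


# Constructed store: one job-usable credential and one controller-only credential.
STORE = [
    Credential("lambdatest-ci", Scope.GLOBAL, "tok-constructed-global-0001"),
    Credential("controller-smtp", Scope.SYSTEM, "tok-constructed-system-0002"),
]


def lookup_ignoring_context(store):
    """Vulnerable pattern: a lookup made without any Item context returns
    everything, including SYSTEM-scoped credentials a job should never see."""
    return list(store)


def lookup_for_context(store, item):
    """Fixed pattern: when the lookup is made on behalf of a job (item is not
    None) only GLOBAL credentials are returned; SYSTEM credentials are visible
    only to the controller itself (item is None)."""
    if item is None:
        return list(store)
    return [c for c in store if c.scope is Scope.GLOBAL]


def list_credential_ids(store, caller_permissions, item, require_admin=True):
    """Endpoint backing a credentials dropdown. With require_admin=False it
    behaves like the unfixed plugin (any Overall/Read caller can enumerate IDs);
    with require_admin=True it demands Overall/Administer, as the fix does."""
    needed = "Overall/Administer" if require_admin else "Overall/Read"
    if needed not in caller_permissions:
        raise PermissionDenied(f"{needed} required to enumerate credential IDs")
    return [c.id for c in lookup_for_context(store, item)]


def enumeration_denied(store, caller_permissions, item, require_admin=True):
    """True when the endpoint refuses the caller (helper for checks/tests)."""
    try:
        list_credential_ids(store, caller_permissions, item, require_admin)
    except PermissionDenied:
        return True
    return False


class SecretRedactor(logging.Filter):
    """Logging filter that masks known secret values before a record is emitted.
    A safety net only; the real fix is not to log the token at all."""

    def __init__(self, secrets):
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record):
        message = record.getMessage()
        for secret in self._secrets:
            message = message.replace(secret, "****")
        record.msg, record.args = message, ()
        return True


def log_token_usage(credential, redact=True):
    """Emit the kind of INFO line the unfixed plugin wrote and return what
    reached the log, with or without the redaction filter installed."""
    buffer = io.StringIO()
    handler = logging.StreamHandler(buffer)
    if redact:
        handler.addFilter(SecretRedactor([credential.token]))
    logger = logging.getLogger("demo.lambdatest")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    try:
        logger.info("Using %s with access token %s", credential.id, credential.token)
    finally:
        logger.removeHandler(handler)
    return buffer.getvalue().strip()


if __name__ == "__main__":
    print([c.id for c in lookup_for_context(STORE, "job-a")])
    print(log_token_usage(STORE[0]))
```

The two things to check in a real plugin are the same as in the model: every credentials lookup made for a job passes that job as the context, and every HTTP endpoint that lists credential IDs checks a permission before answering.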


Arbitrary file deletion vulnerability in CloudBees CD Plugin
SECURITY-3237 / CVE-2023-46654
Severity (CVSS): High
Affected plugin: electricflow

Description:

In CloudBees CD Plugin, artifacts that were previously copied
from an agent to the controller are deleted after publishing
by the 'CloudBees CD - Publish Artifact' post-build step.

CloudBees CD Plugin 1.1.32 and earlier follows symbolic links
to locations outside of the expected directory during this
cleanup process.

This allows attackers able to configure jobs to delete
arbitrary files on the Jenkins controller file system.

CloudBees CD Plugin 1.1.33 deletes symbolic links without
following them.


Arbitrary file read vulnerability in CloudBees CD Plugin
SECURITY-3238 / CVE-2023-46655
Severity (CVSS): Medium
Affected plugin: electricflow

Description:

CloudBees CD Plugin temporarily copies files from an agent
workspace to the controller in preparation for publishing
them in the 'CloudBees CD - Publish Artifact' post-build step.

CloudBees CD Plugin 1.1.32 and earlier follows symbolic links
to locations outside of the temporary directory on the
controller when collecting the list of files to publish.

This allows attackers able to configure jobs to publish
arbitrary files from the Jenkins controller file system to
the previously configured CloudBees CD server.

CloudBees CD Plugin 1.1.33 ensures that only files located
within the expected directory are published.
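Both CloudBees CD entries come from the same root cause: a walk over the temporary directory on the controller that follows symbolic links, once when choosing what to publish and once when cleaning up. The Python below is an added example for this note, not code from Jenkins or the CloudBees CD Plugin (which is Java); the staging layout, the "controller-only" directory and the file names are constructed in a temporary directory so the example runs offline. It shows a publish list that accepts a file only when its fully resolved path stays inside the staging directory, and a cleanup that unlinks symlinks instead of following them.

```python
import os
import tempfile


def collect_publishable(stage_dir):
    """Return (accepted, rejected): paths relative to stage_dir that may be
    published, and entries whose resolved target lies outside stage_dir.
    Symbolic links are never followed while walking, and every candidate is
    judged by its fully resolved path, so a link that escapes the staging
    directory is reported instead of being shipped."""
    root = os.path.realpath(stage_dir)
    accepted, rejected = [], []

    def inside(path):
        resolved = os.path.realpath(path)
        return os.path.commonpath([root, resolved]) == root

    for dirpath, dirnames, filenames in os.walk(stage_dir, followlinks=False):
        for name in filenames:               # plain files and symlinks to files
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, stage_dir)
            (accepted if inside(path) else rejected).append(rel)
        for name in dirnames:                # directory symlinks are listed here but not descended
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not inside(path):
                rejected.append(os.path.relpath(path, stage_dir))
    return accepted, rejected


def safe_cleanup(stage_dir):
    """Remove the staging directory without following any symbolic link.
    os.unlink on a link removes the link itself; the target is untouched."""
    if os.path.islink(stage_dir):
        os.unlink(stage_dir)
        return
    for dirpath, dirnames, filenames in os.walk(stage_dir, topdown=False, followlinks=False):
        for name in filenames:
            os.unlink(os.path.join(dirpath, name))
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                os.unlink(path)          # drop the link, keep the directory it points to
            else:
                os.rmdir(path)           # real subdirectory, already emptied by the bottom-up walk
    os.rmdir(stage_dir)


def run_demo():
    """Build a constructed layout in a temp dir: a staging directory holding
    two real artifacts plus a file symlink and a directory symlink that both
    point outside it, standing in for controller-only files."""
    base = tempfile.mkdtemp(prefix="cd-publish-demo-")
    outside_dir = os.path.join(base, "controller-only")
    stage = os.path.join(base, "stage")
    os.makedirs(outside_dir)
    os.makedirs(os.path.join(stage, "sub"))
    secret = os.path.join(outside_dir, "secrets.txt")
    with open(secret, "w") as f:
        f.write("constructed: must never be published or deleted\n")
    with open(os.path.join(stage, "artifact.jar"), "w") as f:
        f.write("constructed build output\n")
    with open(os.path.join(stage, "sub", "report.txt"), "w") as f:
        f.write("constructed report\n")
    os.symlink(secret, os.path.join(stage, "escape.txt"))
    os.symlink(outside_dir, os.path.join(stage, "escape_dir"))

    accepted, rejected = collect_publishable(stage)
    safe_cleanup(stage)
    return {
        "published": sorted(accepted),
        "rejected": sorted(rejected),
        "outside_file_survived": os.path.isfile(secret),
        "outside_dir_survived": os.path.isdir(outside_dir),
        "stage_removed": not os.path.lexists(stage),
    }


if __name__ == "__main__":
    print(run_demo())
```

The resolved-path check matters even when the walker itself does not follow links: a symlink to a file still appears as a file entry, so deciding by name alone would publish its target. The cleanup side needs no resolution at all; it only has to avoid descending into links and must unlink rather than rmdir them.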


Non-constant time webhook token comparison in Multibranch
Scan Webhook Trigger Plugin
SECURITY-2875 / CVE-2023-46656
Severity (CVSS): Low
Affected plugin: multibranch-scan-webhook-trigger

Description:

Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier does
not use a constant-time comparison when checking whether the
provided and expected webhook token are equal.

This could potentially allow attackers to use statistical
methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Non-constant time webhook token comparison in Gogs Plugin
SECURITY-2896 / CVE-2023-46657
Severity (CVSS): Low
Affected plugin: gogs-webhook

Description:

Gogs Plugin 1.0.15 and earlier does not use a constant-time
comparison when checking whether the provided and expected
webhook token are equal.

This could potentially allow attackers to use statistical
methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Non-constant time webhook token comparison in MSTeams
Webhook Trigger Plugin
SECURITY-2876 / CVE-2023-46658
Severity (CVSS): Low
Affected plugin: teams-webhook-trigger

Description:

MSTeams Webhook Trigger Plugin 0.1.1 and earlier does not
use a constant-time comparison when checking whether the
provided and expected webhook token are equal.

This could potentially allow attackers to use statistical
methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix. Learn
why we announce this.


Stored XSS vulnerability in Edgewall Trac Plugin
SECURITY-3247 / CVE-2023-46659
Severity (CVSS): High
Affected plugin: trac

Description:

Edgewall Trac Plugin 1.13 and earlier does not escape the Trac
website URL on the build page.

This results in a stored cross-site scripting (XSS)
vulnerability exploitable by attackers with Item/Configure
permission.

As of publication of this advisory, there is no fix. Learn why
we announce this.
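The GitHub Plugin and Edgewall Trac Plugin entries are the same defect: a URL configured by a user with Item/Configure is written into the build page without escaping. The Python below is an added example for this note, not code from Jenkins or either plugin (both render pages from Java/Jelly); the configured URL value, the CSS class name and the allowed-scheme set are constructed for the illustration. It places the unescaped rendering beside an escaped one and, as defence in depth beyond the escaping the advisory describes, only turns http(s) values into links.

```python
import html
from urllib.parse import urlsplit

# Constructed configured value: a project URL with markup appended, standing in
# for what a user with Item/Configure could save in a job's settings.
CONFIGURED_URL = 'https://example.invalid/proj"><b>injected</b>'

ALLOWED_LINK_SCHEMES = {"http", "https"}


def render_project_link_unescaped(url):
    """Vulnerable pattern: the configured URL is spliced into the page verbatim,
    so quotes and angle brackets in it become part of the markup."""
    return '<a href="%s">%s</a>' % (url, url)


def render_project_link(url):
    """Fixed pattern: the value is HTML-escaped (quote=True also escapes the
    double quote, which is what matters inside an attribute). Values whose
    scheme is not http(s) are shown as escaped text rather than as a link."""
    safe = html.escape(url, quote=True)
    if urlsplit(url).scheme.lower() not in ALLOWED_LINK_SCHEMES:
        return '<span class="project-url">%s</span>' % safe
    return '<a href="%s">%s</a>' % (safe, safe)


if __name__ == "__main__":
    print(render_project_link_unescaped(CONFIGURED_URL))
    print(render_project_link(CONFIGURED_URL))
```

Escaping must happen at the point of output, in the attribute and in the text node separately; validating the URL when it is saved is useful but does not replace it, because the stored value can be changed by anyone with the same configure permission later.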


Non-constant time webhook token hash comparison in Zanata
Plugin
SECURITY-2879 / CVE-2023-46660
Severity (CVSS): Low
Affected plugin: zanata

Description:

Zanata Plugin 0.6 and earlier does not use a constant-time
comparison when checking whether the provided and expected
webhook token hashes are equal.

This could potentially allow attackers to use statistical
methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix. Learn
why we announce this.
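The four webhook entries above (Multibranch Scan Webhook Trigger, Gogs, MSTeams Webhook Trigger and Zanata) share one weakness: the presented token, or its hash in the Zanata case, is compared with an early-exit equality test, so the time taken depends on how long the correctly matching prefix is. The Python below is an added example for this note, not code from Jenkins or any of those plugins (which are Java); the token values and the SHA-256 choice for the hash variant are constructed for the illustration. It shows the early-exit comparison with the quantity it leaks made explicit, and the constant-time replacement for both the raw-token and the hashed-token cases.

```python
import hashlib
import hmac


def naive_token_equal(provided, expected):
    """Early-exit comparison of the kind the advisory describes. Returns the
    verdict together with how many characters were examined: that count is what
    response timing reveals, and it grows with the correctly matched prefix."""
    if len(provided) != len(expected):
        return False, 0
    examined = 0
    for a, b in zip(provided, expected):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def prefix_leak_profile(expected, guesses):
    """Characters examined by the naive comparison for each guess; the
    constant-time comparison has no such profile, which is the point."""
    return {g: naive_token_equal(g, expected)[1] for g in guesses}


def constant_time_token_equal(provided, expected):
    """Fixed form: hmac.compare_digest processes every byte regardless of where
    the first difference is, so timing no longer depends on the matched prefix.
    Only a length mismatch remains observable; webhook tokens have a fixed length."""
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def hash_token(token):
    """Hex SHA-256 of a token, for deployments that store only a token hash."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def constant_time_hash_equal(provided_token, expected_hash_hex):
    """Variant for the hash-comparison case (the Zanata entry): hash the
    presented token, then compare the digests in constant time."""
    return hmac.compare_digest(hash_token(provided_token), expected_hash_hex)


if __name__ == "__main__":
    print(prefix_leak_profile("s3cret", ["x3cret", "s3cxxx", "s3cret"]))
    print(constant_time_token_equal("s3cret", "s3cret"))
```

In Java the equivalent of hmac.compare_digest is java.security.MessageDigest.isEqual(byte[], byte[]); the defender's check for a webhook receiver is that the token comparison goes through one of these rather than String.equals or a hand-written loop.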


Severity

     SECURITY-2875: Low
     SECURITY-2876: Low
     SECURITY-2879: Low
     SECURITY-2896: Low
     SECURITY-3202: Low
     SECURITY-3222: Medium
     SECURITY-3237: High
     SECURITY-3238: Medium
     SECURITY-3246: High
     SECURITY-3247: High
     SECURITY-3265: Medium

Affected Versions

     CloudBees CD Plugin up to and including 1.1.32
     Edgewall Trac Plugin up to and including 1.13
     GitHub Plugin up to and including 1.37.3
     Gogs Plugin up to and including 1.0.15
     lambdatest-automation Plugin up to and including 1.20.9
     lambdatest-automation Plugin up to and including 1.20.10
     MSTeams Webhook Trigger Plugin up to and including 0.1.1
     Multibranch Scan Webhook Trigger Plugin up to and including 1.0.9
     Warnings Plugin up to and including 10.5.0
     Zanata Plugin up to and including 0.6

Fix

     CloudBees CD Plugin should be updated to version 1.1.33
     GitHub Plugin should be updated to version 1.37.3.1
     lambdatest-automation Plugin should be updated to version 1.20.10
     lambdatest-automation Plugin should be updated to version 1.21.0
     Warnings Plugin should be updated to version 10.5.1

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the
following plugins:

     Edgewall Trac Plugin
     Gogs Plugin
     MSTeams Webhook Trigger Plugin
     Multibranch Scan Webhook Trigger Plugin
     Zanata Plugin

Learn why we announce these issues.


Credit

The Jenkins project would like to thank the reporters for
discovering and reporting these vulnerabilities:

     Andrea Chiera, CloudBees, Inc. for SECURITY-3202, SECURITY-3222,
       SECURITY-3237, SECURITY-3238, SECURITY-3265
     Daniel Beck, CloudBees, Inc. for SECURITY-2896
     Yaroslav Afenkin, CloudBees, Inc. for SECURITY-2875, SECURITY-2876,
       SECURITY-2879, SECURITY-3246, SECURITY-3247


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
