=====================================================================

                               CERT-Renater

                    Information Note No. 2023/VULN488

_____________________________________________________________________

DATE                : 29/11/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Google Compute Engine Plugin
                     for Jenkins, Jira Plugin for Jenkins,
                     MATLAB Plugin for Jenkins,
                     NeuVector Vulnerability Scanner Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2023-11-29/
_____________________________________________________________________

  Jenkins Security Advisory 2023-11-29

This advisory announces vulnerabilities in the following Jenkins
deliverables:

     Google Compute Engine Plugin
     Jira Plugin
     MATLAB Plugin
     NeuVector Vulnerability Scanner Plugin


Descriptions

Exposure of system-scoped credentials in Jira Plugin
SECURITY-3225 / CVE-2023-49653
Severity (CVSS): Medium
Affected plugin: jira

Description:

Jira Plugin 3.11 and earlier does not set the appropriate context
for credentials lookup, allowing the use of system-scoped credentials
otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and
capture credentials they are not entitled to.

Jira Plugin 3.12 defines the appropriate context for credentials
lookup.


Incorrect permission checks in Google Compute Engine Plugin
SECURITY-2835 / CVE-2023-49652
Severity (CVSS): Medium
Affected plugin: google-compute-engine

Description:

Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier
does not correctly perform permission checks in multiple HTTP
endpoints. This allows attackers with global Item/Configure
permission (while lacking Item/Configure permission on any
particular job) to do the following:

     Enumerate system-scoped credentials IDs of credentials
     stored in Jenkins. Those can be used as part of an attack to
     capture the credentials using another vulnerability.

     Connect to Google Cloud Platform using attacker-specified
     credentials IDs obtained through another method, to obtain
     information about existing projects.

Google Compute Engine Plugin 4.551.v5a_4dc98f6962 requires
Overall/Administer permission for the affected HTTP endpoints.
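The two credentials issues above (Jira: lookup without an item context; Google Compute Engine: unguarded enumeration of credential IDs) share one defensive pattern. The following is an added example, not code from either plugin: a hypothetical `doFillCredentialsIdItems` guarded by a permission check, and a lookup that passes the job as context so system-scoped credentials reserved for global configuration are not offered to jobs. It assumes Jenkins 2.266+ and a credentials plugin release that provides the Spring Security (`ACL.SYSTEM2`) overloads.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

// Added example (hypothetical descriptor methods), not a plugin's own code.
public class ScopedCredentials {

    /** Drop-down population: list only credential IDs the caller may already see. */
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        // Without this guard a user with global Item/Configure but no
        // permission on this job could enumerate every system-scoped ID.
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return result.includeCurrentValue(credentialsId);
        }
        // Passing `item` as the lookup context (not Jenkins.get()) excludes
        // system-scoped credentials reserved for the global configuration.
        return result.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM2, item,
                        StandardUsernamePasswordCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    /** Lookup at use time with the same item context, so a job cannot borrow global secrets. */
    static StandardUsernamePasswordCredentials resolve(Item item, String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class, item,
                        ACL.SYSTEM2, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }
}
```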


CSRF vulnerabilities and missing permission checks in MATLAB
Plugin allow XXE
SECURITY-3193 / CVE-2023-49654 (permission checks),
CVE-2023-49655 (CSRF), CVE-2023-49656 (XXE)

Severity (CVSS): High
Affected plugin: matlab

Description:

MATLAB Plugin determines whether a user-specified directory on
the Jenkins controller is the location of a MATLAB installation
by parsing an XML file in that directory.

MATLAB Plugin 2.11.0 and earlier does not perform permission
checks in several HTTP endpoints implementing related form
validation.

Additionally, these HTTP endpoints do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Additionally, the plugin does not configure its XML parser to
prevent XML external entity (XXE) attacks. This allows attackers
able to create files on the Jenkins controller file system to have
Jenkins parse a crafted XML document that uses external entities
for extraction of secrets from the Jenkins controller or
server-side request forgery.

MATLAB Plugin 2.11.1 configures its XML parser to prevent XML
external entity (XXE) attacks.

Additionally, POST requests and Item/Configure permission are
required for the affected HTTP endpoints.


CSRF vulnerability and missing permission checks in NeuVector
Vulnerability Scanner Plugin
SECURITY-3256 / CVE-2023-49673 (CSRF), CVE-2023-49674
(missing permission check)
Severity (CVSS): Medium
Affected plugin: neuvector-vulnerability-scanner

Description:

NeuVector Vulnerability Scanner Plugin 1.22 and earlier does not
perform a permission check in a connection test HTTP endpoint. This
allows attackers with Overall/Read permission to connect to an
attacker-specified hostname and port using attacker-specified
username and password. Additionally, this HTTP endpoint does not
require POST requests, resulting in a cross-site request forgery
(CSRF) vulnerability.

NeuVector Vulnerability Scanner Plugin 2.2 requires POST requests
and Overall/Administer permission for the affected HTTP endpoint.
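The MATLAB Plugin fixes (POST requirement, permission check, XXE-safe parser) and the NeuVector fix (POST requirement, Overall/Administer) are one hardened form-validation endpoint pattern. The following is an added example, not code from either plugin: a hypothetical `doCheckInstallDir` endpoint that rejects GET requests, checks the permission appropriate to its context, and parses the descriptor file with a parser that refuses DOCTYPE declarations and external entities. The file name `VersionInfo.xml` is a made-up placeholder.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import java.io.File;
import java.io.IOException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Added example (hypothetical endpoint), not a plugin's own code.
public class HardenedValidation {
    @POST   // GET is refused, so a cross-site request cannot trigger the check (CSRF)
    public FormValidation doCheckInstallDir(@AncestorInPath Item item,
                                            @QueryParameter String value) {
        // Job context needs Item/Configure on that job; the global
        // configuration context (no ancestor item) needs Overall/Administer.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        File descriptor = new File(value, "VersionInfo.xml"); // placeholder name
        if (!descriptor.isFile()) {
            return FormValidation.error("No installation descriptor in " + value);
        }
        try {
            Document doc = hardenedBuilder().parse(descriptor);
            return FormValidation.ok("Found " + doc.getDocumentElement().getTagName());
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // A DOCTYPE, and hence any external entity, is rejected before expansion.
            return FormValidation.error("Not a usable installation descriptor");
        }
    }

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
}
```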

Severity

     SECURITY-2835: Medium
     SECURITY-3193: High
     SECURITY-3225: Medium
     SECURITY-3256: Medium


Affected Versions

     Google Compute Engine Plugin up to and including
     4.550.vb_327fca_3db_11
     Jira Plugin up to and including 3.11
     MATLAB Plugin up to and including 2.11.0
     NeuVector Vulnerability Scanner Plugin up to and including 1.22


Fix

     Google Compute Engine Plugin should be updated to version
     4.551.v5a_4dc98f6962
     Jira Plugin should be updated to version 3.12
     MATLAB Plugin should be updated to version 2.11.1
     NeuVector Vulnerability Scanner Plugin should be updated to
     version 2.2


These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

     Andrea Chiera, CloudBees, Inc. for SECURITY-3193, SECURITY-3225
     James Nord, CloudBees, Inc. for SECURITY-2835
     Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3256


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
