=====================================================================

                                 CERT-Renater

                     Note d'Information No. 2024/VULN090
_____________________________________________________________________

DATE                : 07/03/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins plugins.

=====================================================================
https://www.jenkins.io/security/advisory/2024-03-06/
_____________________________________________________________________

Jenkins Security Advisory 2024-03-06

This advisory announces vulnerabilities in the following Jenkins
deliverables:

   o AppSpider Plugin
   o Bitbucket Branch Source Plugin
   o Build Monitor View Plugin
   o Delphix Plugin
   o Delphix Plugin
   o docker-build-step Plugin
   o GitBucket Plugin
   o HTML Publisher Plugin
   o iceScrum Plugin
   o MQ Notifier Plugin
   o OWASP Dependency-Check Plugin
   o Subversion Partial Release Manager Plugin
   o Trilead API Plugin

Descriptions

Terrapin SSH vulnerability in Trilead API Plugin

SECURITY-3333 / CVE-2023-48795
Severity (CVSS): Medium
Affected plugin: trilead-api
Description:

Trilead API Plugin bundles the Jenkins project's fork of the Trilead
SSH2 library for use by other plugins.

Trilead API Plugin 2.133.vfb_8a_7b_9c5dd1 and earlier, except
2.84.86.vf9c960e9b_458, bundles versions of Jenkins/Trilead SSH2 that
are susceptible to CVE-2023-48795 (Terrapin). This vulnerability
allows a machine-in-the-middle attacker to reduce the security of an
SSH connection.

Trilead API Plugin 2.141.v284120fd0c46 updates the bundled
Jenkins/Trilead SSH2 library to version
build-217-jenkins-274.276.v58da_75159cb_7, which by default
removes the affected ciphers and encryption modes.

Improper input sanitization in HTML Publisher Plugin

SECURITY-3301 / CVE-2024-28149
Severity (CVSS): High
Affected plugin: htmlpublisher
Description:

SECURITY-784 / CVE-2018-1000175 is a path traversal vulnerability in
HTML Publisher Plugin 1.15 and earlier. The fix for it retained
compatibility for older reports as a fallback.

In HTML Publisher Plugin 1.16 through 1.32 (both inclusive) this
fallback for reports created in HTML Publisher Plugin 1.15 and earlier
does not properly sanitize input. This allows attackers with
Item/Configure permission to do the following:

   o Implement stored cross-site scripting (XSS) attacks.

   o Determine whether a path on the Jenkins controller file system
     exists, without being able to access it.

HTML Publisher Plugin 1.32.1 removes support for reports created before
HTML Publisher Plugin 1.15. Those reports are retained on disk, but may
no longer be accessible through the Jenkins UI.

Stored XSS vulnerability in HTML Publisher Plugin

SECURITY-3302 / CVE-2024-28150
Severity (CVSS): High
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin 1.32 and earlier does not escape job names,
report names, and index page titles shown as part of the report frame.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Item/Configure permission.

HTML Publisher Plugin 1.32.1 escapes job names, report names, and
index page titles when creating a new report. HTML Publisher Plugin
1.32.1 checks reports created in earlier releases for the presence
of unsafe characters in the report frame, and refuses to show these
frames if unsafe characters are identified.

Path traversal vulnerability in HTML Publisher Plugin

SECURITY-3303 / CVE-2024-28151
Severity (CVSS): Medium
Affected plugin: htmlpublisher
Description:

HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links
in report directories on agents and recreates them on the controller.
Attackers with Item/Configure permission can use them to determine
whether a path on the Jenkins controller file system exists, without
being able to access it.

HTML Publisher Plugin 1.32.1 does not archive symbolic links.

Incorrect trust policy behavior for pull requests from forks in
Bitbucket Branch Source Plugin

SECURITY-3300 / CVE-2024-28152
Severity (CVSS): Medium
Affected plugin: cloudbees-bitbucket-branch-source
Description:

Multibranch Pipelines with Bitbucket branch source can be configured
to discover pull requests from forks. The trust policy is set to
"Forks in the same account" by default.

In Bitbucket Branch Source Plugin 866.vdea_7dcd3008e and earlier,
except 848.850.v6a_a_2a_234a_c81, this trust policy allows changes to
Jenkinsfiles from users without write access to the project when using
Bitbucket Server. This allows attackers able to submit pull requests
from forks to change the Pipeline behavior.

In Bitbucket Branch Source Plugin 871.v28d74e8b_4226, the "Forks in
the same account" trust policy does not extend trust to Jenkinsfiles
modified by users without write access to the project.

Pipelines using Bitbucket Cloud are unaffected by this issue.

Stored XSS vulnerability in OWASP Dependency-Check Plugin

SECURITY-3344 / CVE-2024-28153
Severity (CVSS): High
Affected plugin: dependency-check-jenkins-plugin
Description:

OWASP Dependency-Check Plugin 5.4.5 and earlier does not escape
vulnerability metadata from Dependency-Check reports on the Jenkins
UI.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control workspace contents or CVE
metadata.

OWASP Dependency-Check Plugin 5.4.6 escapes vulnerability metadata
from Dependency-Check reports.

Sensitive information exposure in build logs by MQ Notifier Plugin

SECURITY-3180 / CVE-2024-28154
Severity (CVSS): Medium
Affected plugin: mq-notifier
Description:

MQ Notifier Plugin has a global option to log the JSON payload it
sends to RabbitMQ in the build log. This includes the build
parameters, some of which may be sensitive, and they are not masked.

In MQ Notifier Plugin 1.4.0 and earlier, this option is enabled by
default.

This results in unwanted exposure of sensitive information in build
logs.

MQ Notifier Plugin 1.4.1 disables the global option to log the JSON
payload it sends to RabbitMQ by default. This option is disabled when
updating from a previous release and needs to be re-enabled by
administrators who want to use this feature.

Missing permission checks in AppSpider Plugin

SECURITY-3144 / CVE-2024-28155
Severity (CVSS): Medium
Affected plugin: jenkinsci-appspider-plugin
Description:

AppSpider Plugin 1.0.16 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to obtain
information about available scan config names, engine group names,
and client names.

AppSpider Plugin 1.0.17 requires Item/Configure permission for the
affected HTTP endpoints.

SSL/TLS certificate validation disabled by default in Delphix Plugin

SECURITY-3215 / CVE-2024-28161
Severity (CVSS): Medium
Affected plugin: delphix
Description:

Delphix Plugin provides a global option for administrators to enable
or disable SSL/TLS certificate validation for Data Control Tower
(DCT) connections.

In Delphix Plugin 3.0.1 this option is set to disable SSL/TLS
certificate validation by default.

In Delphix Plugin 3.0.2 this option is set to enable SSL/TLS
certificate validation by default.

Delphix Plugin 3.0.2 inverts the semantics of the existing option.
Administrators who update from version 3.0.1 to 3.0.2 will need to
toggle this option to have the previously configured behavior.

Improper SSL/TLS certificate validation in Delphix Plugin

SECURITY-3330 / CVE-2024-28162
Severity (CVSS): Medium
Affected plugin: delphix
Description:

Delphix Plugin provides a global option for administrators to enable
or disable SSL/TLS certificate validation for Data Control Tower (DCT)
connections.

In Delphix Plugin 3.0.1 through 3.1.0 (both inclusive) an option
change from disabled validation to enabled validation fails to take
effect until Jenkins is restarted.

Delphix Plugin 3.1.1 applies the configuration change immediately
when switching from disabled validation to enabled validation.

CSRF vulnerability and missing permission check in docker-build-step
Plugin

SECURITY-3200 / CVE-2024-2215 (CSRF), CVE-2024-2216 (permission check)
Severity (CVSS): Medium
Affected plugin: docker-build-step
Description:

docker-build-step Plugin 2.11 and earlier does not perform a
permission check in an HTTP endpoint implementing a connection test.

This allows attackers with Overall/Read permission to connect to an
attacker-specified TCP or Unix socket URL. Additionally, the plugin
reconfigures itself using the provided connection test parameters,
affecting future build step executions.

Additionally, this endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we
announce this.

Stored XSS vulnerability in Build Monitor View Plugin

SECURITY-3280 / CVE-2024-28156
Severity (CVSS): High
Affected plugin: build-monitor-plugin
Description:

Build Monitor View Plugin 1.14-860.vd06ef2568b_3f and earlier does not
escape Build Monitor View names.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to configure Build Monitor Views.

As of publication of this advisory, there is no fix. Learn why we
announce this.

Stored XSS vulnerability in GitBucket Plugin

SECURITY-3249 / CVE-2024-28157
Severity (CVSS): High
Affected plugin: gitbucket
Description:

GitBucket Plugin 0.8 and earlier does not sanitize Gitbucket URLs on
build views.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to configure jobs.

As of publication of this advisory, there is no fix. Learn why we
announce this.

CSRF vulnerability and missing permission checks in Subversion Partial
Release Manager Plugin

SECURITY-3325 / CVE-2024-28158 (CSRF), CVE-2024-28159 (permission
check)
Severity (CVSS): Medium
Affected plugin: svn-partial-release-mgr
Description:

Subversion Partial Release Manager Plugin 1.0.1 and earlier does not
perform a permission check in an HTTP endpoint.

This allows attackers with Item/Read permission to trigger a build.

Additionally, this endpoint does not require POST requests, resulting
in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we
announce this.

Stored XSS vulnerability in iceScrum Plugin

SECURITY-3248 / CVE-2024-28160
Severity (CVSS): High
Affected plugin: icescrum
Description:

iceScrum Plugin 1.1.6 and earlier does not sanitize iceScrum project
URLs on build views.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to configure jobs.

As of publication of this advisory, there is no fix. Learn why we
announce this.

Severity

   o SECURITY-3144: Medium
   o SECURITY-3180: Medium
   o SECURITY-3200: Medium
   o SECURITY-3215: Medium
   o SECURITY-3248: High
   o SECURITY-3249: High
   o SECURITY-3280: High
   o SECURITY-3300: Medium
   o SECURITY-3301: High
   o SECURITY-3302: High
   o SECURITY-3303: Medium
   o SECURITY-3325: Medium
   o SECURITY-3330: Medium
   o SECURITY-3333: Medium
   o SECURITY-3344: High

Affected Versions

   o AppSpider Plugin up to and including 1.0.16
   o Bitbucket Branch Source Plugin up to and including 866.vdea_7dcd3008e
   o Build Monitor View Plugin up to and including 1.14-860.vd06ef2568b_3f
   o Delphix Plugin up to and including 3.0.1
   o Delphix Plugin up to and including 3.1.0
   o docker-build-step Plugin up to and including 2.11
   o GitBucket Plugin up to and including 0.8
   o HTML Publisher Plugin up to and including 1.32
   o iceScrum Plugin up to and including 1.1.6
   o MQ Notifier Plugin up to and including 1.4.0
   o OWASP Dependency-Check Plugin up to and including 5.4.5
   o Subversion Partial Release Manager Plugin up to and including 1.0.1
   o Trilead API Plugin up to and including 2.133.vfb_8a_7b_9c5dd1

Fix

   o AppSpider Plugin should be updated to version 1.0.17
   o Bitbucket Branch Source Plugin should be updated to version
     871.v28d74e8b_4226
   o Delphix Plugin should be updated to version 3.0.2
   o Delphix Plugin should be updated to version 3.1.1
   o HTML Publisher Plugin should be updated to version 1.32.1
   o MQ Notifier Plugin should be updated to version 1.4.1
   o OWASP Dependency-Check Plugin should be updated to version 5.4.6
   o Trilead API Plugin should be updated to version 2.141.v284120fd0c46
_____________________________________________________________________
These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.
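The following is an added example (not part of the CERT-Renater or Jenkins advisory) showing how an administrator can match an inventory of installed plugin versions against the affected/fixed versions listed above. It assumes plugin ids as given in the "Affected plugin" fields and an inventory dictionary constructed by the caller (for instance from the Jenkins plugin manager); Jenkins version suffixes such as "vfb_8a_7b_9c5dd1" carry no ordering, so only the leading numeric components are compared, and the explicitly excepted releases are handled separately.

```python
import re
from dataclasses import dataclass
from typing import Optional


def version_key(version: str) -> tuple:
    """Leading dot/dash-separated integers of a Jenkins plugin version.

    The trailing 'v<hash>' segment is a git commit id, not an ordinal,
    so parsing stops at the first non-numeric piece.
    """
    parts = []
    for piece in re.split(r"[.-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(parts)


@dataclass(frozen=True)
class Affected:
    plugin_id: str              # short name from the "Affected plugin" field
    max_affected: str           # "up to and including" version in the advisory
    fixed_in: Optional[str]     # None when the advisory lists no fix
    exceptions: tuple = ()      # releases the advisory marks as unaffected


# Transcribed from the Jenkins Security Advisory 2024-03-06 above.
ADVISORY_2024_03_06 = [
    Affected("trilead-api", "2.133.vfb_8a_7b_9c5dd1", "2.141.v284120fd0c46",
             ("2.84.86.vf9c960e9b_458",)),
    Affected("htmlpublisher", "1.32", "1.32.1"),
    Affected("cloudbees-bitbucket-branch-source", "866.vdea_7dcd3008e",
             "871.v28d74e8b_4226", ("848.850.v6a_a_2a_234a_c81",)),
    Affected("dependency-check-jenkins-plugin", "5.4.5", "5.4.6"),
    Affected("mq-notifier", "1.4.0", "1.4.1"),
    Affected("jenkinsci-appspider-plugin", "1.0.16", "1.0.17"),
    Affected("delphix", "3.1.0", "3.1.1"),
    Affected("docker-build-step", "2.11", None),
    Affected("build-monitor-plugin", "1.14-860.vd06ef2568b_3f", None),
    Affected("gitbucket", "0.8", None),
    Affected("svn-partial-release-mgr", "1.0.1", None),
    Affected("icescrum", "1.1.6", None),
]


def is_affected(entry: Affected, installed: str) -> bool:
    """True if the installed release falls in the advisory's affected range."""
    if installed in entry.exceptions:
        return False
    return version_key(installed) <= version_key(entry.max_affected)


def check_installed(installed: dict) -> dict:
    """Map each vulnerable plugin id to its fixed version (None = no fix yet)."""
    findings = {}
    for entry in ADVISORY_2024_03_06:
        version = installed.get(entry.plugin_id)
        if version is not None and is_affected(entry, version):
            findings[entry.plugin_id] = entry.fixed_in
    return findings
```

Plugins mapped to None in the result have no fixed release at the time of this advisory, so the mitigation is to disable or restrict the plugin rather than update it.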

As of publication of this advisory, no fixes are available for the
following plugins:

   o Build Monitor View Plugin
   o docker-build-step Plugin
   o GitBucket Plugin
   o iceScrum Plugin
   o Subversion Partial Release Manager Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for
discovering and reporting these vulnerabilities:

   o Anders Hammar for SECURITY-3300
   o Andrea Chiera, CloudBees, Inc. for SECURITY-3200
   o Daniel Beck, CloudBees, Inc. for SECURITY-3215, SECURITY-3280
   o Kevin Guerroudj, CloudBees, Inc. for SECURITY-3144, SECURITY-3301,
     SECURITY-3302, SECURITY-3303
   o Wadeck Follonier, CloudBees, Inc. for SECURITY-3325
   o Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3248, SECURITY-3249,
     SECURITY-3330
   o tkmwrbl for SECURITY-3344


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
