======================================================================
CERT-Renater Information Note No. 2024/VULN265
_____________________________________________________________________

DATE: 27/05/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running OpenText Application Automation Tools Plugin for Jenkins, Report Info Plugin for Jenkins, Team Concert Git Plugin for Jenkins, Git server Plugin for Jenkins, Script Security Plugin for Jenkins, Subversion Partial Release Manager Plugin for Jenkins, Telegram Bot Plugin for Jenkins.
=====================================================================

https://www.jenkins.io/security/advisory/2024-05-24/
https://www.jenkins.io/security/advisory/2024-05-02/
_____________________________________________________________________

Jenkins Security Advisory 2024-05-24

This advisory announces vulnerabilities in the following Jenkins deliverables:

    OpenText Application Automation Tools Plugin
    Report Info Plugin
    Team Concert Git Plugin

Descriptions

Stored XSS vulnerability in Team Concert Git Plugin
SECURITY-3250 / CVE-2024-28793
Severity (CVSS): High
Affected plugin: teamconcert-git
Description:

Team Concert Git Plugin 2.0.4 and earlier does not escape the Rational Team Concert (RTC) server URI on the build page when showing changes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

Team Concert Git Plugin 2.0.5 escapes the Rational Team Concert (RTC) server URI on the build page when showing changes.

XXE vulnerabilities in OpenText Application Automation Tools Plugin
SECURITY-3278 / CVE-2024-4189 (LrScriptResultsParser.java), CVE-2024-4184 (XpathReader.java), CVE-2024-4690 (others)
Severity (CVSS): High
Affected plugin: hp-application-automation-tools-plugin
Description:

OpenText Application Automation Tools Plugin 24.1.0 and earlier does not configure its XML parsers to prevent XML external entity (XXE) attacks. This allows attackers able to control the input files for OpenText Application Automation Tools Plugin build steps and post-build steps to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

OpenText Application Automation Tools Plugin 24.1.1-beta disables external entity resolution for its XML parsers.

The fix is currently available only as a beta release. Beta releases will not appear in the regular update center but can be found in the experimental update center. For more information on how to install a beta release, see this documentation.

Missing permission checks in OpenText Application Automation Tools Plugin
SECURITY-3277 / CVE-2024-4211 (ALM jobs configurations), CVE-2024-4691 (ALM Octane configurations), CVE-2024-4692 (Service Virtualization configurations)
Severity (CVSS): Medium
Affected plugin: hp-application-automation-tools-plugin
Description:

OpenText Application Automation Tools Plugin 24.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations.

OpenText Application Automation Tools Plugin 24.1.1-beta requires Item/Configure permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations.

The fix is currently available only as a beta release. Beta releases will not appear in the regular update center but can be found in the experimental update center. For more information on how to install a beta release, see this documentation.

Path traversal vulnerability in Report Info Plugin
SECURITY-3070 / CVE-2024-5273
Severity (CVSS): Medium
Affected plugin: report-info
Description:

Report Info Plugin 1.2 and earlier does not perform path validation of the workspace directory while serving report files.
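The XXE entry above and the Report Info path-validation point just stated come down to the same defensive habit in a build step that reads report files: confine the path a job supplies to the workspace, then parse the file with external entity resolution switched off. The class below is an added example in plain Java (11 or later, standard library only) that does both; it is not code from either plugin or from the Jenkins project, and the class, method and sample names (ReportInputHardening, resolveInsideWorkspace, hardenedXmlFactory, and the constructed sample XML) are illustrative.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example, not the plugins' own code. Two input checks for a build step
 * that reads report files a job can point it at:
 *   1. resolveInsideWorkspace(): the requested path must stay inside the
 *      workspace directory (the validation the Report Info entry says is missing).
 *   2. hardenedXmlFactory(): the XML parser must not resolve external entities
 *      (what the OpenText 24.1.1-beta fix does, according to the advisory).
 * Names are illustrative; the sample XML below is constructed.
 */
public class ReportInputHardening {

    /** Canonicalise the workspace root and reject any path that escapes it. */
    static Path resolveInsideWorkspace(Path workspace, String requested) throws IOException {
        Path root = workspace.toRealPath();          // absolute, symlinks resolved
        // resolve() returns `requested` unchanged if it is absolute, so both an
        // absolute path and a "../" chain fail the startsWith check below.
        Path candidate = root.resolve(requested).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes workspace: " + requested);
        }
        // A symlink planted inside the workspace could still point outside;
        // re-check against the real path once the target exists.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink escapes workspace: " + requested);
        }
        return candidate;
    }

    /** DOM parser factory with DTD and external-entity processing switched off. */
    static DocumentBuilderFactory hardenedXmlFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest setting: refuse any DOCTYPE, which is where entities are declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE has to be tolerated elsewhere.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parseReport(String xml) throws Exception {
        return hardenedXmlFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
    }

    // Constructed samples: a harmless results file and one declaring an external entity.
    static final String PLAIN_REPORT =
            "<results><test name=\"t1\">passed</test></results>";
    static final String ENTITY_REPORT =
            "<!DOCTYPE results [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>"
          + "<results><test name=\"t1\">&ext;</test></results>";

    public static void main(String[] args) throws Exception {
        Path workspace = Files.createTempDirectory("ws");
        Path report = workspace.resolve("target/surefire-reports/report.xml");
        Files.createDirectories(report.getParent());
        Files.writeString(report, PLAIN_REPORT);

        // An in-tree path is accepted and parsed.
        Path ok = resolveInsideWorkspace(workspace, "target/surefire-reports/report.xml");
        System.out.println("parsed: " + parseReport(Files.readString(ok))
                .getDocumentElement().getTextContent());

        // Paths that leave the workspace are refused before any file is opened.
        for (String bad : new String[] {"../outside.xml", "/outside/report.xml"}) {
            try {
                resolveInsideWorkspace(workspace, bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (SecurityException e) {
                System.out.println("refused: " + e.getMessage());
            }
        }

        // The hardened parser rejects the DOCTYPE instead of resolving the entity.
        try {
            parseReport(ENTITY_REPORT);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("parser refused DOCTYPE: " + e.getMessage());
        }
    }
}
```

The feature URIs are the Xerces ones honoured by the JDK's built-in parser; a plugin that bundles a different parser should confirm each feature is supported rather than assuming it. The path check only protects what it is actually applied to: as the Report Info entry notes, that plugin serves files from the controller file system, so the check has to run on the controller against the path that is opened there.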
Additionally, Report Info Plugin does not support distributed builds. This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors on the controller file system by editing the workspace path.

As of publication of this advisory, there is no fix. Learn why we announce this.

Severity

SECURITY-3070: Medium
SECURITY-3250: High
SECURITY-3277: Medium
SECURITY-3278: High

Affected Versions

OpenText Application Automation Tools Plugin up to and including 24.1.0
Report Info Plugin up to and including 1.2
Team Concert Git Plugin up to and including 2.0.4

Fix

OpenText Application Automation Tools Plugin should be updated to version 24.1.1-beta
Team Concert Git Plugin should be updated to version 2.0.5

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

    Report Info Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

Daniel Beck, CloudBees, Inc. for SECURITY-3070
Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3250, SECURITY-3277, SECURITY-3278
_____________________________________________________________________

Jenkins Security Advisory 2024-05-02

This advisory announces vulnerabilities in the following Jenkins deliverables:

    Git server Plugin
    Script Security Plugin
    Subversion Partial Release Manager Plugin
    Telegram Bot Plugin

Descriptions

Multiple sandbox bypass vulnerabilities in Script Security Plugin
SECURITY-3341 / CVE-2024-34144 (crafted constructor bodies), CVE-2024-34145 (sandbox-defined classes)
Severity (CVSS): High
Affected plugin: script-security
Description:

Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin 1335.vf07d9ce377a_e and earlier:

    Crafted constructor bodies that invoke other constructors can be used to construct any subclassable type via implicit casts.
    Sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type.

These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

These issues are caused by an incomplete fix of SECURITY-2824.

Script Security Plugin 1336.vf33a_a_9863911 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox:

    Calls to other constructors using this are now intercepted by the sandbox.
    Classes in packages that can be shadowed by Groovy-defined classes are no longer ignored by the sandbox when intercepting super constructor calls.
Missing permission check in Git server Plugin
SECURITY-3342 / CVE-2024-34146
Severity (CVSS): Medium
Affected plugin: git-server
Description:

Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH. This allows attackers with a previously configured SSH public key but lacking Overall/Read permission to access Git repositories.

Git server Plugin 117.veb_68868fa_027 requires Overall/Read permission to access Git repositories over SSH.

Token stored in plain text by Telegram Bot Plugin
SECURITY-3294 / CVE-2024-34147
Severity (CVSS): Low
Affected plugin: telegram-notifications
Description:

Telegram Bot Plugin 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce this.

Security protection disabled by Subversion Partial Release Manager Plugin
SECURITY-3331 / CVE-2024-34148
Severity (CVSS): Medium
Affected plugin: svn-partial-release-mgr
Description:

Subversion Partial Release Manager Plugin 1.0.1 and earlier programmatically sets the Java system property hudson.model.ParametersAction.keepUndefinedParameters whenever a build is triggered from a release tag with the 'Svn-Partial Release Manager' SCM. Doing so disables the fix for SECURITY-170 / CVE-2016-3721.

As of publication of this advisory, there is no fix. Learn why we announce this.

Severity

SECURITY-3294: Low
SECURITY-3331: Medium
SECURITY-3341: High
SECURITY-3342: Medium

Affected Versions

Git server Plugin up to and including 114.v068a_c7cc2574
Script Security Plugin up to and including 1335.vf07d9ce377a_e
Subversion Partial Release Manager Plugin up to and including 1.0.1
Telegram Bot Plugin up to and including 1.4.0

Fix

Git server Plugin should be updated to version 117.veb_68868fa_027
Script Security Plugin should be updated to version 1336.vf33a_a_9863911

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

    Subversion Partial Release Manager Plugin
    Telegram Bot Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

Daniel Beck, CloudBees, Inc. for SECURITY-3331, SECURITY-3342
Devin Nusbaum, CloudBees, Inc. for SECURITY-3341
Surya Dev Singh Rawal, Siemens-Healthineers Pvt Ltd for SECURITY-3294

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================