======================================================================
CERT-Renater Information Note No. 2024/VULN304
______________________________________________________________________
DATE : 27/06/2024
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Bitbucket Branch Source Plugin for Jenkins versions prior to 887.va_d359b_3d2d8d, Plain Credentials Plugin for Jenkins versions prior to 183.va_de8f1dd5a_2b_, Structs Plugin for Jenkins versions prior to 338.v848422169819.
======================================================================
https://www.jenkins.io/security/advisory/2024-06-26/
______________________________________________________________________

Jenkins Security Advisory 2024-06-26

This advisory announces vulnerabilities in the following Jenkins deliverables:

  Bitbucket Branch Source Plugin
  Plain Credentials Plugin
  Structs Plugin

Descriptions

Exposure of secrets through system log in Structs Plugin
SECURITY-3371 / CVE-2024-39458
Severity (CVSS): Low
Affected plugin: structs
Description:
Structs Plugin provides utility functionality used, e.g., in Pipeline to instantiate and configure build steps, typically before their execution. When Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters. This can result in accidental exposure of secrets through the default system log.

Structs Plugin 338.v848422169819 inspects the types of actual parameters before logging these warning messages, and limits detailed diagnostic information to FINE level log messages if secrets are involved. These log messages are not displayed in the default Jenkins system log.
Secret file credentials stored unencrypted in rare cases by Plain Credentials Plugin
SECURITY-2495 / CVE-2024-39459
Severity (CVSS): Medium
Affected plugin: plain-credentials
Description:
When creating secret file credentials, Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier attempts to decrypt the content of the file to check if it constitutes a valid encrypted secret. In rare cases the file content matches the expected format of an encrypted secret, and the file content will be stored unencrypted (only Base64 encoded) on the Jenkins controller file system. These credentials can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials).

Secret file credentials stored unencrypted are unusable, as they would be decrypted during their use. Any successfully used secret file credentials are therefore unaffected.

Plain Credentials Plugin 183.va_de8f1dd5a_2b_ no longer attempts to decrypt the content of the file when creating secret file credentials.

Bitbucket OAuth access token exposed in the build log by Bitbucket Branch Source Plugin
SECURITY-3363 / CVE-2024-39460
Severity (CVSS): Medium
Affected plugin: cloudbees-bitbucket-branch-source
Description:
Bitbucket Branch Source Plugin 886.v44cf5e4ecec5 and earlier prints the Bitbucket OAuth access token as part of the Bitbucket URL in the build log in some cases.

Bitbucket Branch Source Plugin 887.va_d359b_3d2d8d does not include the Bitbucket OAuth access token as part of the Bitbucket URL in the build log.
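The two log-exposure fixes above (SECURITY-3371 and SECURITY-3363) follow the same defensive pattern: decide what may reach the default log by looking at the type of each value, and keep full detail at a level the default log does not show. The following is an added illustration of that pattern in Python; it is not code from Jenkins or from either plugin. The Secret class, the SENSITIVE_QUERY_KEYS set, the step name and the sample URLs are constructed for this example, and Python's DEBUG level stands in for java.util.logging FINE.

```python
"""Added example (not Jenkins' own code): keep secrets out of the default log.

Models the two fixes described in the advisory:
  * Structs Plugin 338.v848422169819: inspect parameter types before logging a
    configuration failure; raw values appear only in a FINE-level message
    (DEBUG here), which the default system log does not display.
  * Bitbucket Branch Source Plugin 887.va_d359b_3d2d8d: do not print an OAuth
    access token as part of a URL written to the build log.
The Secret class and SENSITIVE_QUERY_KEYS are assumptions made for this example.
"""
import logging
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

log = logging.getLogger("example.secret_logging")

# Constructed: query parameter names treated as credentials when redacting URLs.
SENSITIVE_QUERY_KEYS = {"access_token", "token"}


@dataclass(frozen=True)
class Secret:
    """Constructed stand-in for a secret-typed step parameter (e.g. a credential)."""
    value: str

    def __repr__(self) -> str:
        # Never let an accidental repr()/str() of the parameter map leak the value.
        return "Secret(****)"


def describe_parameters(params: dict, reveal: bool = False) -> str:
    """Render step parameters for a diagnostic message.

    Secret-typed values are replaced by a placeholder unless reveal=True;
    non-secret values are shown in full, as the fixed plugin still does.
    """
    parts = []
    for name, value in params.items():
        if isinstance(value, Secret):
            parts.append(f"{name}={value.value!r}" if reveal else f"{name}=<secret>")
        else:
            parts.append(f"{name}={value!r}")
    return ", ".join(parts)


def log_configuration_failure(step: str, params: dict, error: Exception) -> str:
    """Log a failed step configuration without exposing secrets at WARNING.

    Returns the WARNING-level message (the one that reaches the default log)
    so callers and tests can verify that it carries no secret value.
    """
    warning = f"Could not configure {step}: {error} (parameters: {describe_parameters(params)})"
    log.warning(warning)
    if any(isinstance(v, Secret) for v in params.values()):
        # Detailed diagnostic only at DEBUG (the FINE analogue); operators who
        # need it enable that level explicitly for this logger.
        log.debug("Full parameters for %s: %s", step, describe_parameters(params, reveal=True))
    return warning


def redact_url(url: str) -> str:
    """Remove userinfo and token-like query values from a URL before logging it."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    if parts.username is not None:
        # Basic-auth style token (user:token@host) is replaced as a whole.
        netloc = "REDACTED@" + netloc
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_QUERY_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)  # default log: DEBUG is not shown
    constructed = {"repo": "team/repo", "token": Secret("s3cr3t")}
    log_configuration_failure("checkout", constructed, ValueError("unknown parameter 'token'"))
    log.warning("Cloning %s", redact_url("https://x-token-auth:s3cr3t@bitbucket.org/team/repo.git"))
```

Raising the logger to DEBUG (or FINE in Jenkins' system log configuration) is the deliberate, operator-controlled way to see the raw parameters; the default configuration never prints them.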
Severity

  SECURITY-2495: Medium
  SECURITY-3363: Medium
  SECURITY-3371: Low

Affected Versions

  Bitbucket Branch Source Plugin up to and including 886.v44cf5e4ecec5
  Plain Credentials Plugin up to and including 182.v468b_97b_9dcb_8
  Structs Plugin up to and including 337.v1b_04ea_4df7c8

Fix

  Bitbucket Branch Source Plugin should be updated to version 887.va_d359b_3d2d8d
  Plain Credentials Plugin should be updated to version 183.va_de8f1dd5a_2b_
  Structs Plugin should be updated to version 338.v848422169819

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  Jason Stangroome for SECURITY-2495
  Juan Pablo Santos, from Sanitas, SA for SECURITY-3371

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email: cert@support.renater.fr   +
=========================================================