====================================================================
CERT-Renater Information Note No. 2024/VULN395
_____________________________________________________________________
DATE : 02/10/2024
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Jenkins (core), Credentials Plugin,
                     OpenId Connect Authentication Plugin.
=====================================================================
https://www.jenkins.io/security/advisory/2024-10-02/
_____________________________________________________________________

Jenkins Security Advisory 2024-10-02

This advisory announces vulnerabilities in the following Jenkins deliverables:

- Jenkins (core)
- Credentials Plugin
- OpenId Connect Authentication Plugin

Descriptions

Exposure of multi-line secrets through error messages in Jenkins
SECURITY-3451 / CVE-2024-47803
Severity (CVSS): Medium

Description:
Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

This issue is similar to SECURITY-765 in the 2018-10-10 security advisory.

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

Item creation restriction bypass vulnerability in Jenkins
SECURITY-3448 / CVE-2024-47804
Severity (CVSS): Medium

Description:
Jenkins provides APIs for fine-grained control of item creation:

- Authorization strategies can prohibit the creation of items of a given type in a given item group (ACL#hasCreatePermission2).
- Item types can prohibit creation of new instances in a given item group (TopLevelItemDescriptor#isApplicableIn(ItemGroup)).
If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier still creates the item and keeps it in memory, deleting it only from disk.

This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.

Encrypted values of credentials revealed to users with Extended Read permission in Credentials Plugin
SECURITY-3373 / CVE-2024-47805
Severity (CVSS): Medium
Affected plugin: credentials

Description:
Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the SecretBytes type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item config.xml via REST API or CLI.

This allows attackers with Item/Extended Read permission to view encrypted SecretBytes values in credentials.

This issue is similar to SECURITY-266 in the 2016-05-11 security advisory, which applied to the Secret type used for inline secrets and some credentials types.

Credentials Plugin 1381.v2c3a_12074da_b_ redacts the encrypted values of credentials using the SecretBytes type in item config.xml files.

This fix is only effective on Jenkins 2.479 and newer, LTS 2.462.3 and newer. While Credentials Plugin 1381.v2c3a_12074da_b_ can be installed on Jenkins 2.463 through 2.478 (both inclusive), encrypted values of credentials using the SecretBytes type will not be redacted there when accessing item config.xml via REST API or CLI.
Lack of audience claim validation in OpenId Connect Authentication Plugin
SECURITY-3441 (1) / CVE-2024-47806
Severity (CVSS): High
Affected plugin: oic-auth

Description:
OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, the value that verifies the token was issued for the correct client.

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.

Lack of issuer claim validation in OpenId Connect Authentication Plugin
SECURITY-3441 (2) / CVE-2024-47807
Severity (CVSS): High
Affected plugin: oic-auth

Description:
OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token during its authentication flow, the value that identifies the Originating Party (IdP).

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the iss (Issuer) claim of an ID Token during its authentication flow when the Issuer is known.

When using the "Manual entry" configuration mode, the new "Issuer" field must be populated after updating to protect from this issue. When using "Discovery via well-known endpoint", the Issuer will be set automatically.
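The two checks described above (aud and iss), as an added illustration that is not part of this advisory or the plugin's code. It assumes the ID Token's signature and expiry have already been verified and the payload decoded into a dict; the issuer, client_id and token payloads are constructed sample values. It also fails closed when no Issuer is configured, which is the situation the "Manual entry" caveat warns about.

```python
"""Validate the iss and aud claims of a decoded OIDC ID Token (added example)."""
from typing import Any, Mapping


class IdTokenRejected(ValueError):
    """Raised when a claim does not match the relying party's configuration."""


def validate_id_token_claims(claims: Mapping[str, Any],
                             expected_issuer: str, client_id: str) -> dict:
    """Return the claims only if iss and aud match our configured IdP and client.

    Rules follow OpenID Connect Core 1.0, section 3.1.3.7:
    - iss must exactly equal the issuer configured or discovered for the IdP;
    - aud (a string or a list of strings) must contain our client_id;
    - if aud lists several audiences, azp must be present and equal client_id.
    """
    if not expected_issuer:
        # Fail closed: an unconfigured Issuer would make the iss check meaningless.
        raise IdTokenRejected("no expected issuer configured; refusing all tokens")
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss != expected_issuer:
        raise IdTokenRejected(f"iss mismatch: got {iss!r}, expected {expected_issuer!r}")

    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or client_id not in audiences:
        raise IdTokenRejected(f"aud {aud!r} does not include client_id {client_id!r}")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenRejected("multiple audiences but azp is missing or not our client_id")
    return dict(claims)


def accepts(claims: Mapping[str, Any], expected_issuer: str, client_id: str) -> bool:
    """Boolean wrapper used for the sample payloads below."""
    try:
        validate_id_token_claims(claims, expected_issuer, client_id)
        return True
    except IdTokenRejected:
        return False


# Constructed sample values (not real tokens or endpoints).
EXPECTED_ISSUER = "https://idp.example.test"
CLIENT_ID = "jenkins-rp"
GOOD = {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": CLIENT_ID}
WRONG_AUDIENCE = {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": "some-other-app"}
WRONG_ISSUER = {"iss": "https://other-idp.example.test", "sub": "alice", "aud": CLIENT_ID}
MULTI_AUD = {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": [CLIENT_ID, "api"], "azp": CLIENT_ID}
```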
Severity

- SECURITY-3373: Medium
- SECURITY-3441 (1): High
- SECURITY-3441 (2): High
- SECURITY-3448: Medium
- SECURITY-3451: Medium

Affected Versions

- Jenkins weekly up to and including 2.478
- Jenkins LTS up to and including 2.462.2
- Credentials Plugin up to and including 1380.va_435002fa_924
- OpenId Connect Authentication Plugin up to and including 4.354.v321ce67a_1de8

Fix

- Jenkins weekly should be updated to version 2.479
- Jenkins LTS should be updated to version 2.462.3
- Credentials Plugin should be updated to version 1381.v2c3a_12074da_b_
- OpenId Connect Authentication Plugin should be updated to version 4.355.v3a_fb_fca_b_96d4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

- Antonio Muñiz, CloudBees, Inc. for SECURITY-3448
- James Nord, CloudBees, Inc. for SECURITY-3441 (1), SECURITY-3441 (2)
- Kevin Guerroudj, CloudBees, Inc. for SECURITY-3373
- Olivier Lamy, CloudBees, Inc. for SECURITY-3451

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris        | email: cert@support.renater.fr  +
=========================================================