
=====================================================================

                              CERT-Renater

                  Note d'Information No. 2025/VULN039

_____________________________________________________________________

DATE                : 23/01/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Azure Service Fabric Plugin for Jenkins,
                     Bitbucket Server Integration Plugin for Jenkins,
                     Eiffel Broadcaster Plugin for Jenkins,
                     Folder-based Authorization Strategy Plugin for Jenkins,
                     GitLab Plugin for Jenkins,
                     OpenId Connect Authentication Plugin for Jenkins,
                     Zoom Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2025-01-22/
_____________________________________________________________________

 Jenkins Security Advisory 2025-01-22

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Azure Service Fabric Plugin
    Bitbucket Server Integration Plugin
    Eiffel Broadcaster Plugin
    Folder-based Authorization Strategy Plugin
    GitLab Plugin
    OpenId Connect Authentication Plugin
    Zoom Plugin
    Zoom Plugin

Descriptions

Incorrect permission check in GitLab Plugin allows enumerating
credentials IDs

SECURITY-3260 / CVE-2025-24397
Severity (CVSS): Medium
Affected plugin: gitlab-plugin

Description:

GitLab Plugin 1.9.6 and earlier does not correctly perform a permission
check in an HTTP endpoint.

This allows attackers with global Item/Configure permission (while
lacking Item/Configure permission on any particular job) to enumerate
credential IDs of GitLab API token credentials and Secret text
credentials stored in Jenkins. Those can be used as part of an attack
to capture the credentials using another vulnerability.

An enumeration of credential IDs in GitLab Plugin 1.9.7 requires
Overall/Administer permission.


Bitbucket Server Integration Plugin allows bypassing CSRF protection
for any URL

SECURITY-3434 / CVE-2025-24398
Severity (CVSS): High
Affected plugin: atlassian-bitbucket-server-integration

Description:

An extension point in Jenkins allows selectively disabling cross-site
request forgery (CSRF) protection for specific URLs. Bitbucket Server
Integration Plugin implements this extension point to support
OAuth 1.0 authentication.

In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both
inclusive) this implementation is too permissive, allowing attackers
to craft URLs that would bypass the CSRF protection of any target URL.

Bitbucket Server Integration Plugin 4.1.4 restricts the URLs for which it
disables cross-site request forgery (CSRF) protection to only those URLs
that need it.


Improper handling of case sensitivity in OpenId Connect Authentication
Plugin

SECURITY-3461 / CVE-2025-24399
Severity (CVSS): High
Affected plugin: oic-auth

Description:

OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier,
except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive.

On a Jenkins instance configured with a case-sensitive OpenID Connect
provider, this allows attackers to log in as any user by providing a
username that differs only in letter case, potentially gaining
administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.453.v4d7765c854f4 introduces an
advanced configuration option to manage username case sensitivity, with
default to case-sensitive.

Upgrading to the fixed version does not modify the default behavior from
case-insensitive to case-sensitive. To enable case-sensitivity, this must
be explicitly configured in the plugin settings.


Tokens stored in plain text by Zoom Plugin

SECURITY-3292 (1) / CVE-2025-0142
Severity (CVSS): Medium
Affected plugin: zoom

Description:

Zoom Plugin 1.3 and earlier stores Zoom integration tokens unencrypted
in job config.xml files on the Jenkins controller as part of its
configuration.

These tokens can be viewed by users with Item/Extended Read permission
or access to the Jenkins controller file system.

Zoom Plugin 1.4 stores Zoom integration tokens encrypted once job
configurations are saved again.


Tokens displayed without masking by Zoom Plugin

SECURITY-3292 (2) / CVE pending
Severity (CVSS): Low
Affected plugin: zoom

Description:

Zoom Plugin requires Zoom integration tokens for Zoom Build Notifier
post-build actions.

In Zoom Plugin 1.5 and earlier the job configuration form does not
mask these tokens, increasing the potential for attackers to observe
and capture them.

Zoom Plugin 1.6 masks Zoom integration tokens displayed on the job
configuration form.


Cache confusion in Eiffel Broadcaster Plugin

SECURITY-3485 / CVE-2025-24400
Severity (CVSS): Medium
Affected plugin: eiffel-broadcaster

Description:

Eiffel Broadcaster Plugin allows events published to RabbitMQ to be
signed using certificate credentials. To improve performance, the
plugin caches some data from the credential.

Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses
the credential ID as the cache key. This allows attackers able to
create a credential with the same ID as a legitimate one in a
different credentials store, to sign an event published to RabbitMQ
with the legitimate certificate credentials.

Signing is disabled by default; only instances explicitly configured to
enable it are affected.

Eiffel Broadcaster Plugin 2.10.3 removes the cache.
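The cache-key collision described above, as an added illustration that is not code from the plugin: a cache keyed on the credential ID alone returns data derived from the legitimate certificate when a same-ID credential from another store is looked up, while a key that also carries the store identity does not collide (the plugin's own fix, per the advisory, is to remove the cache entirely). Credential and store names are constructed.

```python
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class CertCredential:
    store: str       # credentials store holding it, e.g. "system" or "folder:team-a"
    cred_id: str     # user-chosen ID; NOT unique across stores
    cert_pem: bytes  # constructed stand-in for the certificate material


class SigningCache:
    """Caches a value derived from a credential (here: a certificate fingerprint)."""

    def __init__(self, scoped_keys: bool):
        self.scoped_keys = scoped_keys
        self._cache: dict = {}

    def _key(self, cred: CertCredential):
        # scoped_keys=False mirrors the 2.8.0-2.10.2 behaviour: key on the ID only.
        # scoped_keys=True includes the store, so same-ID credentials cannot collide.
        return (cred.store, cred.cred_id) if self.scoped_keys else cred.cred_id

    def fingerprint(self, cred: CertCredential) -> str:
        key = self._key(cred)
        if key not in self._cache:
            self._cache[key] = sha256(cred.cert_pem).hexdigest()
        return self._cache[key]


# Constructed sample: the legitimate system-store certificate and a credential
# with the same ID living in a different (folder) store.
LEGIT = CertCredential("system", "eiffel-signing", b"-----BEGIN CERTIFICATE-----\nlegit\n-----END CERTIFICATE-----")
OTHER = CertCredential("folder:team-a", "eiffel-signing", b"-----BEGIN CERTIFICATE-----\nother\n-----END CERTIFICATE-----")


def cache_confuses(scoped_keys: bool) -> bool:
    """True if a lookup for OTHER is served from the entry cached for LEGIT."""
    cache = SigningCache(scoped_keys)
    cache.fingerprint(LEGIT)  # the legitimate signer warms the cache first
    return cache.fingerprint(OTHER) == sha256(LEGIT.cert_pem).hexdigest()
```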


Disabled permissions can be granted by Folder-based Authorization
Strategy Plugin

SECURITY-3062 / CVE-2025-24401
Severity (CVSS): Medium
Affected plugin: folder-auth

Description:

Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and
earlier does not verify that permissions configured to be granted
are enabled. This may allow users formerly granted permissions
(typically optional permissions, like Overall/Manage) to access
functionality they're no longer entitled to.

As of publication of this advisory, there is no fix. Learn why we
announce this.


CSRF vulnerability and missing permission checks in Azure Service
Fabric Plugin

SECURITY-3094 / CVE-2025-24402 (CSRF), CVE-2025-24403 (missing
permission check)

Severity (CVSS): Medium
Affected plugin: service-fabric

Description:

Azure Service Fabric Plugin 1.6 and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate
credentials IDs of Azure credentials stored in Jenkins. Those can
be used as part of an attack to capture the credentials using
another vulnerability.

Additionally, those HTTP endpoints do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability,
allowing attackers to connect to a previously configured Service
Fabric URL using attacker-specified credentials IDs.

As of publication of this advisory, there is no fix. Learn why
we announce this.


Severity

    SECURITY-3062: Medium
    SECURITY-3094: Medium
    SECURITY-3260: Medium
    SECURITY-3292 (1): Medium
    SECURITY-3292 (2): Low
    SECURITY-3434: High
    SECURITY-3461: High
    SECURITY-3485: Medium


Affected Versions

    Azure Service Fabric Plugin up to and including 1.6
    Bitbucket Server Integration Plugin up to and including 4.1.3
    Eiffel Broadcaster Plugin up to and including 2.10.2
    Folder-based Authorization Strategy Plugin up to and including 217.vd5b_18537403e
    GitLab Plugin up to and including 1.9.6
    OpenId Connect Authentication Plugin up to and including 4.452.v2849b_d3945fa_
    Zoom Plugin up to and including 1.3
    Zoom Plugin up to and including 1.5


Fix

    Bitbucket Server Integration Plugin should be updated to version 4.1.4
    Eiffel Broadcaster Plugin should be updated to version 2.10.3
    GitLab Plugin should be updated to version 1.9.7
    OpenId Connect Authentication Plugin should be updated to version 4.453.v4d7765c854f4
    Zoom Plugin should be updated to version 1.4
    Zoom Plugin should be updated to version 1.6

These versions include fixes to the vulnerabilities described
above. All prior versions are considered to be affected by
these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for
the following plugins:

    Azure Service Fabric Plugin
    Folder-based Authorization Strategy Plugin

Learn why we announce these issues.
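An added inventory check (not from the Jenkins project or CERT-Renater) that maps installed plugin versions against the affected ranges, exceptions and fixed versions stated in this advisory, including the ranged cases (Bitbucket 2.1.0 to 4.1.3, Eiffel 2.8.0 to 2.10.2), the not-affected OpenId Connect release 4.438.440.v3f5f201de5dc, and the two unfixed plugins. It assumes the installed list is supplied as a {plugin id: version} mapping, such as one built from the shortName/version fields of /pluginManager/api/json?depth=1; the sample inventory is constructed.

```python
# Affected ranges exactly as listed in the advisory:
# (plugin id, issue, first affected or None, last affected, not-affected versions, fixed or None)
ADVISORY = [
    ("gitlab-plugin", "SECURITY-3260", None, "1.9.6", (), "1.9.7"),
    ("atlassian-bitbucket-server-integration", "SECURITY-3434", "2.1.0", "4.1.3", (), "4.1.4"),
    ("oic-auth", "SECURITY-3461", None, "4.452.v2849b_d3945fa_",
     ("4.438.440.v3f5f201de5dc",), "4.453.v4d7765c854f4"),
    ("zoom", "SECURITY-3292 (1)", None, "1.3", (), "1.4"),
    ("zoom", "SECURITY-3292 (2)", None, "1.5", (), "1.6"),
    ("eiffel-broadcaster", "SECURITY-3485", "2.8.0", "2.10.2", (), "2.10.3"),
    ("folder-auth", "SECURITY-3062", None, "217.vd5b_18537403e", (), None),
    ("service-fabric", "SECURITY-3094", None, "1.6", (), None),
]


def version_key(version: str) -> tuple:
    """Leading numeric components of a Jenkins plugin version, compared numerically.
    Versions such as 4.452.v2849b_d3945fa_ end in a changelist suffix; ordering is
    decided by the integers before it, so everything from the first non-numeric
    component onward is dropped (1.10 still sorts after 1.9)."""
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def affected_issues(plugin_id: str, version: str) -> list:
    """Return [(issue, fixed_version_or_None)] applying to one installed plugin."""
    hits = []
    for pid, issue, first, last, exceptions, fixed in ADVISORY:
        if pid != plugin_id or version in exceptions:
            continue
        key = version_key(version)
        if first is not None and key < version_key(first):
            continue  # below the first affected release of a ranged issue
        if key <= version_key(last):
            hits.append((issue, fixed))
    return hits


def report(installed: dict) -> list:
    """One line per affected (plugin, issue) pair, with the action the advisory gives."""
    lines = []
    for pid, version in sorted(installed.items()):
        for issue, fixed in affected_issues(pid, version):
            action = f"update to {fixed}" if fixed else "no fix available; restrict or disable"
            lines.append(f"{pid} {version}: {issue}, {action}")
    return lines


# Constructed sample inventory, not taken from a real controller.
SAMPLE = {"gitlab-plugin": "1.9.6", "oic-auth": "4.438.440.v3f5f201de5dc", "zoom": "1.4",
          "eiffel-broadcaster": "2.10.3", "folder-auth": "217.vd5b_18537403e"}

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```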


Credit

The Jenkins project would like to thank the reporters for
discovering and reporting these vulnerabilities:

    James Nord, CloudBees Inc. for SECURITY-3461
    Kevin Guerroudj, CloudBees, Inc. for SECURITY-3094
    Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin,
CloudBees, Inc. for SECURITY-3260
    Magnus Bäck, Axis Communications for SECURITY-3485
    Vincent Latombe, CloudBees, Inc. for SECURITY-3434
    Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3062

        
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
