Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN133

_____________________________________________________________________

DATE                : 10/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Jenkins versions prior to
                             weekly 2.500, LTS 2.492.1.

=====================================================================
https://www.jenkins.io/security/advisory/2025-03-05/
_____________________________________________________________________

 Jenkins Security Advisory 2025-03-05

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Jenkins (core)

Descriptions
Encrypted values of secrets stored in agent configuration revealed to
users with Agent/Extended Read permission

SECURITY-3495 / CVE-2025-27622
Severity (CVSS): Medium
Description:

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact
encrypted values of secrets when accessing config.xml of agents via
REST API or CLI.

This allows attackers with Agent/Extended Read permission to view
encrypted values of secrets.
	This issue is related to SECURITY-266 in the 2016-05-11
security advisory.

Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets
stored in agent config.xml accessed via REST API or CLI for users
lacking Agent/Configure permission.


Encrypted values of secrets stored in view configuration revealed to
users with View/Read permission

SECURITY-3496 / CVE-2025-27623
Severity (CVSS): Medium
Description:

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact
encrypted values of secrets when accessing config.xml of views via
REST API or CLI.

This allows attackers with View/Read permission to view encrypted
values of secrets.
	This issue is related to SECURITY-266 in the 2016-05-11
security advisory.

Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets
stored in view config.xml accessed via REST API or CLI for users
lacking View/Configure permission.
CSRF vulnerability

SECURITY-3498 / CVE-2025-27624
Severity (CVSS): Medium
Description:

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require
POST requests for the HTTP endpoint toggling collapsed/expanded
status of sidepanel widgets (e.g., Build Queue and Build Executor
Status widgets), resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to have users toggle their
collapsed/expanded status of sidepanel widgets.

Additionally, as the API accepts any string as the identifier of
the panel ID to be toggled, attacker-controlled content can be
stored in the victim’s user profile in Jenkins.

Jenkins 2.500, LTS 2.492.2 requires POST requests for the affected
HTTP endpoint.


Open redirect vulnerability
SECURITY-3501 / CVE-2025-27625
Severity (CVSS): Medium
Description:

Various features in Jenkins redirect users to partially user-controlled
URLs inside Jenkins. To prevent open redirect vulnerabilities,
Jenkins limits redirections to safe URLs (neither absolute nor
scheme-relative/network-path reference).

In Jenkins 2.499 and earlier, LTS 2.492.1 and earlier, redirects
starting with backslash (\) characters are considered safe.

This allows attackers to perform phishing attacks by having users go to
a Jenkins URL that will forward them to a different site, because
browsers interpret these characters as part of scheme-relative
redirects.

Jenkins 2.500, LTS 2.492.2 considers redirects to URLs starting with
backslash (\) characters to be unsafe, rejecting such redirects.


Severity

    SECURITY-3495: Medium
    SECURITY-3496: Medium
    SECURITY-3498: Medium
    SECURITY-3501: Medium

Affected Versions

    Jenkins weekly up to and including 2.499
    Jenkins LTS up to and including 2.492.1

Fix

    Jenkins weekly should be updated to version 2.500
    Jenkins LTS should be updated to version 2.492.2

These versions include fixes to the vulnerabilities described above. All
prior versions are considered to be affected by these vulnerabilities
unless otherwise indicated.
Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

    Antoine Ruffino, CloudBees, Inc. for SECURITY-3498
    Daniel Beck, CloudBees, Inc. for SECURITY-3495, SECURITY-3496
    XBOW for SECURITY-3501


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================