
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN151

_____________________________________________________________________

DATE                : 19/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running AnchorChain Plugin for Jenkins, 
      EDDSA API Plugin for Jenkins, Zoho QEngine Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2025-03-19/
_____________________________________________________________________

 Jenkins Security Advisory 2025-03-19

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    AnchorChain Plugin
    EDDSA API Plugin
    Zoho QEngine Plugin

Descriptions

EdDSA implementation in EDDSA API Plugin exhibits signature
malleability

SECURITY-3404 / CVE-2020-36843
Severity (CVSS): Medium
Affected plugin: eddsa-api

Description:

EDDSA API Plugin makes the EdDSA-Java library (ed25519-java)
available to other plugins.

EDDSA API Plugin 0.3.0-13.v7cb_69ed68f00 and earlier bundles
version 0.3.0 of EdDSA-Java, which exhibits signature malleability
and does not satisfy the SUF-CMA (Strong Existential Unforgeability
under Chosen Message Attacks) property. This allows attackers to
create new valid signatures different from previous signatures for
a known message.

EDDSA API Plugin 0.3.0.1-16.vcb_4a_98a_3531c inlines the EdDSA-Java
library (ed25519-java) directly into the plugin and adds validation
to prevent signature malleability and ensure the SUF-CMA property.
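The canonical-range check on the S half of a signature, which is the validation a strict EdDSA verifier performs and a malleable one omits, as an added example that is not code from the advisory, the EDDSA API Plugin or EdDSA-Java. It assumes the RFC 8032 64-byte encoding (R || S, little-endian S); `lax_verify` is a hypothetical stand-in for the underlying library call.

```python
# Added example; not code from the advisory, the EDDSA API Plugin or EdDSA-Java.
# Ed25519 signatures are R (32 bytes) || S (32 bytes, little-endian integer).
# RFC 8032 section 5.1.7 requires a verifier to reject any S >= L, the base-point
# order. A verifier that skips this check also accepts S + L for the same message,
# which is the malleability described above.

ED25519_ORDER = 2**252 + 27742317777372353535851937790883648493  # L from RFC 8032


def split_signature(sig: bytes) -> tuple[bytes, int]:
    """Split a 64-byte signature into R (raw bytes) and S (as an integer)."""
    if len(sig) != 64:
        raise ValueError("Ed25519 signature must be exactly 64 bytes")
    return sig[:32], int.from_bytes(sig[32:], "little")


def is_canonical_signature(sig: bytes) -> bool:
    """True only if the signature has the right length and 0 <= S < L."""
    try:
        _, s = split_signature(sig)
    except ValueError:
        return False
    return s < ED25519_ORDER


def strict_verify(sig: bytes, message: bytes, public_key: bytes, lax_verify) -> bool:
    """Wrap a verifier that lacks the S < L check so non-canonical encodings fail
    before the library sees them. lax_verify(sig, message, public_key) is an
    assumed callable standing in for the library verifier; it returns a bool."""
    if not is_canonical_signature(sig):
        return False
    return lax_verify(sig, message, public_key)


def demonstrate() -> dict:
    """Run the check over constructed test inputs (no real key is involved)."""
    r = b"\x01" * 32                      # constructed placeholder for R
    s_canonical = 12345                   # any value below L is canonical
    canonical = r + s_canonical.to_bytes(32, "little")
    # Same R, S shifted by L: still fits in 32 bytes but is non-canonical.
    shifted = r + (s_canonical + ED25519_ORDER).to_bytes(32, "little")
    return {
        "canonical_accepted": is_canonical_signature(canonical),
        "shifted_rejected": not is_canonical_signature(shifted),
        "short_rejected": not is_canonical_signature(canonical[:63]),
    }


if __name__ == "__main__":
    print(demonstrate())
```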


Stored XSS vulnerability in AnchorChain Plugin

SECURITY-3529 / CVE-2025-30196
Severity (CVSS): High
Affected plugin: AnchorChain
Description:

AnchorChain Plugin 1.0 does not limit URL schemes for links it
creates based on workspace content, allowing the javascript:
scheme.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control the input file for the
Anchor Chain post-build step.

As of publication of this advisory, there is no fix. Learn why
we announce this.


API key displayed without masking by Zoho QEngine Plugin

SECURITY-3511 / CVE-2025-30197
Severity (CVSS): Low
Affected plugin: zohoqengine
Description:

Zoho QEngine Plugin stores the QEngine API Key in job config.xml
files on the Jenkins controller as part of its configuration.

While this key is stored encrypted on disk, in Zoho QEngine
Plugin 1.0.29.vfa_cc23396502 and earlier the job configuration
form does not mask the QEngine API Key form field, increasing
the potential for attackers to observe and capture it.

Zoho QEngine Plugin 1.0.31.v4a_b_1db_6d6a_f2 masks the QEngine
API Key form field.


Severity

    SECURITY-3404: Medium
    SECURITY-3511: Low
    SECURITY-3529: High


Affected Versions

    AnchorChain Plugin up to and including 1.0
    EDDSA API Plugin up to and including 0.3.0-13.v7cb_69ed68f00
    Zoho QEngine Plugin up to and including 1.0.29.vfa_cc23396502


Fix

    EDDSA API Plugin should be updated to version 0.3.0.1-16.vcb_4a_98a_3531c
    Zoho QEngine Plugin should be updated to version 1.0.31.v4a_b_1db_6d6a_f2

These versions include fixes to the vulnerabilities described
above. All prior versions are considered to be affected by
these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available
for the following plugins:

    AnchorChain Plugin

Learn why we announce these issues.


Credit

The Jenkins project would like to thank the reporters for
discovering and reporting these vulnerabilities:

    Lotfi Yahi, Aix Marseille University for SECURITY-3529
    Romuald Moisan and Said Abdesslem Messadi for SECURITY-3511

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
