
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN311

_____________________________________________________________________

DATE                : 15/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cadence vManager Plugin for Jenkins,
                        DingTalk Plugin for Jenkins,
                        Health Advisor by CloudBees Plugin for Jenkins,
                        OpenID Connect Provider Plugin for Jenkins,
                        WSO2 Oauth Plugin for Jenkins.

=====================================================================
https://www.jenkins.io/security/advisory/2025-05-14/
_____________________________________________________________________

Jenkins Security Advisory 2025-05-14

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Cadence vManager Plugin
    DingTalk Plugin
    Health Advisor by CloudBees Plugin
    OpenID Connect Provider Plugin
    WSO2 Oauth Plugin


Descriptions

Insufficient validation of claims in OpenID Connect Provider Plugin
SECURITY-3574 / CVE-2025-47884
Severity (CVSS): Critical
Affected plugin: oidc-provider
Description:

In OpenID Connect Provider Plugin, claim templates can use environment
variables for jobs and builds for dynamic content. The default claim
template for build ID tokens uses the JOB_URL environment variable for
the sub (Subject) claim.

In OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the
generation of build ID Tokens uses potentially overridden values of
environment variables.

When certain other plugins are installed which allow arbitrary
environment variables to be overridden (e.g., Environment Injector
Plugin), this allows attackers able to configure jobs to craft a build
ID Token that impersonates a trusted job, potentially gaining
unauthorized access to external services.

In OpenID Connect Provider Plugin 111.v29fd614b_3617 the generation of
build ID Tokens ignores environment variables if they have been
overridden.
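Added illustration of the claim-rendering issue described above; this is a constructed model, not code from the OpenID Connect Provider Plugin, and the template, class and function names are assumptions. It contrasts the pre-fix rendering, where a JOB_URL contributed by another plugin reaches the sub claim, with the post-fix rendering that treats an overridden variable as unset.

```python
import re
from dataclasses import dataclass, field

# Constructed default template, following the advisory: the build ID token's
# "sub" claim comes from the JOB_URL environment variable.
DEFAULT_BUILD_CLAIM_TEMPLATE = {
    "iss": "${JENKINS_URL}",
    "sub": "${JOB_URL}",
    "build_number": "${BUILD_NUMBER}",
}

_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

@dataclass
class Build:
    """Hypothetical build model: values Jenkins computes itself, plus variables
    contributed later by steps or plugins (e.g. Environment Injector Plugin)."""
    jenkins_url: str
    job_url: str
    build_number: int
    contributed_env: dict = field(default_factory=dict)

    def canonical_env(self) -> dict:
        return {"JENKINS_URL": self.jenkins_url, "JOB_URL": self.job_url,
                "BUILD_NUMBER": str(self.build_number)}

    def effective_env(self) -> dict:
        # What a build step sees: a later contributor wins over the canonical value.
        return {**self.canonical_env(), **self.contributed_env}

def render(template: dict, env: dict) -> dict:
    """Expand ${VAR} references; a variable absent from env renders as empty."""
    return {k: _VAR.sub(lambda m: env.get(m.group(1), ""), v)
            for k, v in template.items()}

def claims_before_fix(build: Build) -> dict:
    # Behaviour described for 96.vee8ed882ec4d and earlier: the overridden
    # JOB_URL reaches the sub claim, so the token names a job it did not come from.
    return render(DEFAULT_BUILD_CLAIM_TEMPLATE, build.effective_env())

def claims_after_fix(build: Build) -> dict:
    # Behaviour described for 111.v29fd614b_3617, modelled here as: a variable
    # whose effective value differs from the canonical one is treated as unset.
    canonical = build.canonical_env()
    env = {k: v for k, v in build.effective_env().items()
           if k not in canonical or canonical[k] == v}
    return render(DEFAULT_BUILD_CLAIM_TEMPLATE, env)
```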


Stored XSS vulnerability in Health Advisor by CloudBees Plugin
SECURITY-3559 / CVE-2025-47885
Severity (CVSS): High
Affected plugin: cloudbees-jenkins-advisor
Description:

Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does
not escape responses from the Jenkins Health Advisor server.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to control Jenkins Health Advisor server
responses.

Health Advisor by CloudBees Plugin 374.376.v3a_41a_a_142efe escapes
responses from the Jenkins Health Advisor server.


CSRF vulnerability and missing permission checks in Cadence vManager Plugin
SECURITY-3548 / CVE-2025-47886 (CSRF), CVE-2025-47887 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: vmanager-plugin
Description:

Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier does not
perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Cadence vManager Plugin 4.0.1-288.v8804b_ea_a_cb_7f requires POST requests
and Item/Configure permission for the affected form validation method.


SSL/TLS certificate validation unconditionally disabled by DingTalk Plugin
SECURITY-3353 / CVE-2025-47888
Severity (CVSS): Medium
Affected plugin: dingding-notifications
Description:

DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS
certificate and hostname validation for connections to the configured
DingTalk webhooks.

As of publication of this advisory, there is no fix. Learn why we
announce this.


Authentication bypass vulnerability in WSO2 Oauth Plugin
SECURITY-3481 / CVE-2025-47889
Severity (CVSS): Critical
Affected plugin: wso2id-oauth
Description:

In WSO2 Oauth Plugin 1.0 and earlier authentication claims are accepted
without validation by the "WSO2 Oauth" security realm.

This allows unauthenticated attackers to log in to controllers using this
security realm using any username and any password, including usernames
that do not exist.

Sessions created this way do not have any additional authorities, i.e.,
memberships in groups. Even the "authenticated" group membership is absent.
The impact of successfully creating a session this way depends on the
authorization strategy and how it is configured. Commonly used
authorization strategies behave as described below:

    The authorization strategy "Logged-in users can do anything" determines
    that users who logged in this way are not the anonymous user, and are
    granted Overall/Administer permission.

    The authorization strategy "Role-based strategy" provided by Role-based
    Authorization Strategy Plugin grants attackers permissions assigned
    directly to the specified user (or ambiguous permissions applicable to
    both users and groups). Permissions that would be granted through groups
    would not be granted.

    The authorization strategies "Matrix-based security" and "Project-based
    Matrix Authorization Strategy" provided by Matrix Authorization Strategy
    Plugin grant permissions assigned directly to the specified user (or
    ambiguous permissions applicable to both users and groups, typically
    predating version 3.0 of the plugin). Permissions that would be granted
    through groups would not be granted.

As of publication of this advisory, there is no fix. Learn why we announce
this.
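Added audit model of the authorization behaviour described above; this is constructed code, not from Jenkins or any of the plugins named, and the entry types, class names and permission strings are assumptions. It evaluates which matrix entries a session holding no authorities would receive (direct user entries and ambiguous entries, but not group entries, including "authenticated"), which is the check an administrator would run to see what such a session exposes.

```python
from dataclasses import dataclass
from enum import Enum

class EntryType(Enum):
    USER = "user"      # entry explicitly typed as a user
    GROUP = "group"    # entry explicitly typed as a group
    EITHER = "either"  # ambiguous entry applying to a user or a group of that name

@dataclass(frozen=True)
class Grant:
    kind: EntryType
    sid: str         # user name or group name the entry names
    permission: str  # e.g. "Job/Build"

@dataclass(frozen=True)
class Session:
    username: str
    authorities: frozenset  # group memberships; empty for the sessions in SECURITY-3481

ANONYMOUS = "anonymous"

def logged_in_users_can_do_anything(session: Session) -> set:
    # Any non-anonymous session is treated as fully privileged.
    return {"Overall/Administer"} if session.username != ANONYMOUS else set()

def matrix_permissions(grants, session: Session) -> set:
    # Direct user entries and ambiguous entries match on the user name;
    # group entries and ambiguous entries match on held authorities.
    # (Permission implication, e.g. Administer implying Read, is not modelled.)
    granted = set()
    for g in grants:
        if g.kind in (EntryType.USER, EntryType.EITHER) and g.sid == session.username:
            granted.add(g.permission)
        if g.kind in (EntryType.GROUP, EntryType.EITHER) and g.sid in session.authorities:
            granted.add(g.permission)
    return granted

def exposed_to_authority_less_session(grants, username: str) -> set:
    """Audit helper: permissions a session with no group memberships would receive."""
    return matrix_permissions(grants, Session(username, frozenset()))
```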


Severity

    SECURITY-3353: Medium
    SECURITY-3481: Critical
    SECURITY-3548: Medium
    SECURITY-3559: High
    SECURITY-3574: Critical


Affected Versions

    Cadence vManager Plugin up to and including 4.0.1-286.v9e25a_740b_a_48
    DingTalk Plugin up to and including 2.7.3
    Health Advisor by CloudBees Plugin up to and including 374.v194b_d4f0c8c8
    OpenID Connect Provider Plugin up to and including 96.vee8ed882ec4d
    WSO2 Oauth Plugin up to and including 1.0


Fix

    Cadence vManager Plugin should be updated to version 4.0.1-288.v8804b_ea_a_cb_7f
    Health Advisor by CloudBees Plugin should be updated to version 374.376.v3a_41a_a_142efe
    OpenID Connect Provider Plugin should be updated to version 111.v29fd614b_3617

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

    DingTalk Plugin
    WSO2 Oauth Plugin

Learn why we announce these issues.


Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

    Daniel Beck, CloudBees, Inc. for SECURITY-3559
    Jesse Glick, CloudBees, Inc. for SECURITY-3574
    Kevin Guerroudj, CloudBees, Inc. for SECURITY-3481
    Pierre Beitz, CloudBees, Inc. for SECURITY-3353
    Vincent Lardet for SECURITY-3548


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
