=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN580
_____________________________________________________________________

DATE                : 04/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running
                     Git client Plugin versions prior to 6.3.3,
                     global-build-stats Plugin versions prior to 347.v32a_eb_0493c4f,
                     Jakarta Mail API Plugin versions prior to 2.1.3-3,
                     OpenTelemetry Plugin versions prior to 3.1543.1545.vf5a_4ec123769.

=====================================================================
https://www.jenkins.io/security/advisory/2025-09-03/
_____________________________________________________________________

Jenkins Security Advisory 2025-09-03

This advisory announces vulnerabilities in the following Jenkins
deliverables:

    Git client Plugin
    global-build-stats Plugin
    Jakarta Mail API Plugin
    OpenTelemetry Plugin

Descriptions

File system information disclosure vulnerability in Git client Plugin
SECURITY-3590 / CVE-2025-58458
Severity (CVSS): Medium
Affected plugin: git-client
Description:

Git client Plugin 6.3.2 and earlier allows specifying the experimental
amazon-s3 protocol for use with the bundled JGit library. This
protocol authenticates against Amazon S3 based on contents of the
file whose path is provided as the authority part of the URL
(amazon-s3://path-to-file@bucketname/folder).

While use of this protocol in Git client Plugin to perform any actions
always fails due to a bug in the plugin, error messages can be used
to determine whether the specified file path exists on the controller.

This allows attackers to check for the existence of an
attacker-specified file path on the Jenkins controller file system.
Whether an attacker has the permissions to exploit this
vulnerability depends on the installed plugins that expose
Git client Plugin functionality to users. For example, attackers
with Credentials/Use Item permission (implied by Item/Configure)
can use form field validation responses of URL fields in Git Plugin.

Jenkins instances using command line Git exclusively (the default)
are unaffected by this vulnerability.

Git client Plugin 6.3.3 prohibits use of the amazon-s3 protocol for
use with JGit.


SMTP command injection vulnerability in Jakarta Mail API Plugin
SECURITY-3617 / CVE-2025-7962
Severity (CVSS): Medium
Affected plugin: jakarta-mail-api
Description:

Jakarta Mail API Plugin 2.1.3-2 and earlier bundles versions of
Angus Mail vulnerable to CVE-2025-7962.

This allows attackers able to control recipient email addresses of
emails sent by Jenkins to send emails with arbitrary contents to
arbitrary recipients.

Jakarta Mail API Plugin 2.1.3-3 updates Angus Mail to version
2.0.4, which is unaffected by this issue.


Missing permission checks in global-build-stats Plugin allow
enumerating graph IDs
SECURITY-3535 / CVE-2025-58459
Severity (CVSS): Medium
Affected plugin: global-build-stats
Description:

global-build-stats Plugin 322.v22f4db_18e2dd and earlier does
not perform permission checks in its REST API endpoints.

This allows attackers with Overall/Read permission to enumerate
graph IDs. These IDs can be used to access those graphs.

global-build-stats Plugin 347.v32a_eb_0493c4f requires
Overall/Administer permission to access its REST API endpoints.


Missing permission check in OpenTelemetry Plugin allows capturing
credentials
SECURITY-3602 / CVE-2025-58460
Severity (CVSS): Medium
Affected plugin: opentelemetry
Description:

OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier does
not perform a permission check in a method implementing form
validation.

This allows attackers with Overall/Read permission to connect
to an attacker-specified URL using attacker-specified credentials
IDs obtained through another method, capturing credentials
stored in Jenkins.

OpenTelemetry Plugin 3.1543.1545.vf5a_4ec123769 requires
Overall/Administer permission for the affected form validation
method.


Severity

    SECURITY-3535: Medium
    SECURITY-3590: Medium
    SECURITY-3602: Medium
    SECURITY-3617: Medium


Affected Versions

    Git client Plugin up to and including 6.3.2
    global-build-stats Plugin up to and including 322.v22f4db_18e2dd
    Jakarta Mail API Plugin up to and including 2.1.3-2
    OpenTelemetry Plugin up to and including 3.1543.v8446b_92b_cd64


Fix

    Git client Plugin should be updated to version 6.3.3
    global-build-stats Plugin should be updated to version 347.v32a_eb_0493c4f
    Jakarta Mail API Plugin should be updated to version 2.1.3-3
    OpenTelemetry Plugin should be updated to version 3.1543.1545.vf5a_4ec123769

These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these
vulnerabilities unless otherwise indicated.
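A practical way to act on the Affected Versions and Fix lists above is to compare the plugins actually installed on a controller against the fixed versions. The script below is an added example, not part of this advisory or of the Jenkins project: it reads the JSON shape returned by the Jenkins plugin manager API (/pluginManager/api/json?depth=1, whose entries carry shortName and version), reduces each Jenkins plugin version string to an orderable numeric prefix (plain dotted versions such as 6.3.2 or 2.1.3-2, and the changelist format such as 322.v22f4db_18e2dd, where only the leading numeric segments order releases), and reports each in-scope plugin as affected, fixed, or unknown. The embedded plugin list is constructed sample data; point check_plugins at the real API response of your own controller.

```python
import json
import re

# Fixed versions from the Jenkins Security Advisory 2025-09-03, keyed by plugin shortName.
FIXED_VERSIONS = {
    "git-client": "6.3.3",
    "global-build-stats": "347.v32a_eb_0493c4f",
    "jakarta-mail-api": "2.1.3-3",
    "opentelemetry": "3.1543.1545.vf5a_4ec123769",
}

_NUMERIC = re.compile(r"^\d+$")


def version_key(version: str) -> tuple:
    """Reduce a Jenkins plugin version string to an orderable tuple of ints.

    Segments are split on '.' and '-'; numeric segments are collected until the
    first non-numeric one (the 'v<hash>' part of changelist versions is not
    orderable and is dropped). Returns an empty tuple if nothing numeric leads.
    """
    parts = []
    for segment in re.split(r"[.\-]", version.strip()):
        if _NUMERIC.match(segment):
            parts.append(int(segment))
        else:
            break
    return tuple(parts)


def is_affected(short_name: str, version: str):
    """True if installed version is older than the fixed one, False if fixed or
    out of scope for this advisory, None if the version cannot be parsed."""
    fixed = FIXED_VERSIONS.get(short_name)
    if fixed is None:
        return False
    key = version_key(version)
    if not key:
        return None
    # "All prior versions are considered to be affected": strictly older means affected.
    return key < version_key(fixed)


def check_plugins(plugin_manager_json: str) -> dict:
    """Evaluate the plugin manager API JSON and return shortName -> status details
    for every plugin named in the advisory; other plugins are ignored."""
    data = json.loads(plugin_manager_json)
    results = {}
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        if name not in FIXED_VERSIONS:
            continue
        verdict = is_affected(name, plugin.get("version", ""))
        status = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        results[name] = {
            "installed": plugin.get("version"),
            "fixed": FIXED_VERSIONS[name],
            "status": status,
        }
    return results


# Constructed sample in the shape of /pluginManager/api/json?depth=1 (not a real controller).
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "git-client", "version": "6.3.2", "active": True},
    {"shortName": "global-build-stats", "version": "347.v32a_eb_0493c4f", "active": True},
    {"shortName": "jakarta-mail-api", "version": "2.1.3-2", "active": True},
    {"shortName": "opentelemetry", "version": "3.1543.v8446b_92b_cd64", "active": True},
    {"shortName": "git", "version": "5.7.0", "active": True},
]})

if __name__ == "__main__":
    for name, info in check_plugins(SAMPLE_PLUGIN_JSON).items():
        print(f"{name:20} installed={info['installed']:32} fixed={info['fixed']:32} {info['status']}")
```

The comparison is deliberately conservative: a version whose leading segment is not numeric is reported as unknown rather than silently treated as fixed, so that odd or locally built plugin versions are reviewed by hand instead of being missed.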


Credit

The Jenkins project would like to thank the reporters for discovering
and reporting these vulnerabilities:

    Daniel Beck, CloudBees, Inc. for SECURITY-3535, SECURITY-3590
    Kevin Guerroudj, CloudBees, Inc. for SECURITY-3602


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
