This advisory announces vulnerabilities in the following Jenkins deliverables:
GitLab Plugin 1.5.34 and earlier does not escape multiple user-provided values shown as part of the build cause of webhook-triggered builds.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
GitLab Plugin 1.5.35 does not show user-provided fields in the build cause of webhook-triggered builds.
TestNG Results Plugin has options in its post-build step configuration to not escape test descriptions and exception messages.
If those options are unchecked, TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped text provided in test results.
This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results.
TestNG Results Plugin 555.va0d5f66521e3 by default ignores the user-level options to not escape content.
Administrators who want to restore this functionality must set the Java system property hudson.plugins.testng.Publisher.allowUnescapedHTML
to true
.
XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in XebiaLabs XL Release Plugin 22.0.1 requires Overall/Administer permission.
XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
XebiaLabs XL Release Plugin 22.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.
requests-plugin Plugin 2.2.16 and earlier does not correctly perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to view the list of pending requests.
This is basically the same vulnerability as SECURITY-1995, whose fix was ineffective. |
requests-plugin Plugin 2.2.17 requires Overall/Administer permission to view the list of pending requests.
Plot Plugin 2.1.10 and earlier does not escape plot descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix.
build-metrics Plugin 1.3 does not escape the build description on one of its views.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission.
As of publication of this advisory, there is no fix.
build-metrics Plugin 1.3 and earlier does not perform a permission check in multiple HTTP endpoints.
This allows attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them.
As of publication of this advisory, there is no fix.
Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.
As of publication of this advisory, there is no fix.
Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips.
This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked.
As of publication of this advisory, there is no fix.
Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.
As of publication of this advisory, there is no fix.
Matrix Reloaded Plugin 1.1.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to rebuild previous matrix builds.
As of publication of this advisory, there is no fix.
eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix.
Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type.
Additionally, it disables the security hardening added in Jenkins 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects the "Build With Parameters" and "Parameters" pages from vulnerabilities like this by default.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix.
Recipe Plugin 1.2 and earlier does not perform a permission check in multiple HTTP endpoints.
This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.
As the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Additionally, the plugin allows users to export the full configuration of jobs as part of a recipe, granting access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission.
As of publication of this advisory, there is no fix.
Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.
As of publication of this advisory, there is no fix.
Deployment Dashboard Plugin 1.0.10 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
As of publication of this advisory, there is no fix.
Deployment Dashboard Plugin 1.0.10 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password.
Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.
Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file de.codecentric.jenkins.dashboard.DashboardView.xml
on the Jenkins controller as part of its configuration.
This password can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Build Notifications Plugin 1.5.0 and earlier stores multiple tokens unencrypted in its global configuration files on the Jenkins controller as part of its configuration:
Pushover Application Token in tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml
Slack Bot Token in tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier.xml
Telegram Bot Token in tools.devnull.jenkins.plugins.buildnotifications.TelegramNotifier.xml
Additionally, they are transmitted in plain text as part of the global configuration form.
These tokens can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file RocketChatNotifier.xml
on the Jenkins controller as part of its configuration.
These secrets can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml
and in job config.xml
files on the Jenkins controller as part of its configuration.
Additionally, they are transmitted in plain text as part of the respective configuration forms.
These API keys can be viewed by users with Item/Extended Read permission (job config.xml
only) or access to the Jenkins controller file system (both).
As of publication of this advisory, there is no fix.
Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its global configuration file hudson.plugins.skype.im.transport.SkypePublisher.xml
on the Jenkins controller as part of its configuration.
This password can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml
files on the Jenkins controller as part of its configuration.
These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file org.jenkinsci.plugins.elasticsearchquery.ElasticsearchQueryBuilder.xml
on the Jenkins controller as part of its configuration.
This password can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file org.jenkinsci.plugins.spark.SparkNotifier.xml
on the Jenkins controller as part of its configuration.
These bearer tokens can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
RQM Plugin 2.8 and earlier stores a password unencrypted in its global configuration file net.praqma.jenkins.rqm.RqmBuilder.xml
on the Jenkins controller as part of its configuration.
This password can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
RQM Plugin 2.8 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
As of publication of this advisory, there is no fix.
XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to access the XPath Configuration Viewer page. Given appropriate XPath expressions, this page grants access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission.
As of publication of this advisory, there is no fix.
XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to create and delete XPath expressions.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.
Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to view an administrative configuration page listing pending requests.
As of publication of this advisory, there is no fix.
Request Rename Or Delete Plugin 1.1.0 and earlier does not require POST requests for HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to accept pending requests, thereby renaming or deleting jobs.
As of publication of this advisory, there is no fix.
hpe-network-virtualization Plugin 1.0 stores passwords unencrypted in its global configuration file org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml
on the Jenkins controller as part of its configuration.
These passwords can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints.
This allows attackers with Overall/Read permission to disable jobs.
Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
This CSRF vulnerability is only exploitable in Jenkins 2.286 and earlier, LTS 2.277.1 and earlier. See the LTS upgrade guide. |
As of publication of this advisory, there is no fix.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: