===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1600
                     Jenkins plugins security advisory
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-29052 CVE-2022-29051 CVE-2022-29050
                   CVE-2022-29049 CVE-2022-29048 CVE-2022-29047
                   CVE-2022-29046 CVE-2022-29045 CVE-2022-29044
                   CVE-2022-29043 CVE-2022-29042 CVE-2022-29041
                   CVE-2022-29040 CVE-2022-29039 CVE-2022-29038
                   CVE-2022-29037 CVE-2022-29036 CVE-2017-2601

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2022-04-12/

Comment: CVSS (Max):  8.0 CVE-2022-29049 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Jenkins
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2022-04-12  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Credentials Plugin
  o CVS Plugin
  o Extended Choice Parameter Plugin
  o Gerrit Trigger Plugin
  o Git Parameter Plugin
  o Google Compute Engine Plugin
  o Jira Plugin
  o Job Generator Plugin
  o Mask Passwords Plugin
  o Node and Label parameter Plugin
  o Pipeline: Shared Groovy Libraries Plugin
  o promoted builds Plugin
  o Publish Over FTP Plugin
  o Subversion Plugin

Descriptions  

Stored XSS vulnerabilities in multiple plugins providing additional parameter
types  

SECURITY-2617 / CVE-2022-29036 (Credentials), CVE-2022-29037 (CVS),
CVE-2022-29038 (Extended Choice Parameter), CVE-2022-29039 (Gerrit Trigger),
CVE-2022-29040 (Git Parameter), CVE-2022-29041 (Jira), CVE-2022-29042 (Job
Generator), CVE-2022-29043 (Mask Passwords), CVE-2022-29044 (Node and Label
Parameter), CVE-2022-29045 (promoted builds), CVE-2022-29046 (Subversion)

Multiple plugins do not escape the name and description of the parameter types
they provide:

  o Credentials Plugin 1111.v35a_307992395 and earlier (SECURITY-2690 /
    CVE-2022-29036)

  o CVS Plugin 2.19 and earlier (SECURITY-2700 / CVE-2022-29037)

  o Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier
    (SECURITY-2704 / CVE-2022-29038)

  o Gerrit Trigger Plugin 2.35.2 and earlier (SECURITY-2703 / CVE-2022-29039)

  o Git Parameter Plugin 0.9.15 and earlier (SECURITY-2699 / CVE-2022-29040)

  o Jira Plugin 3.7 and earlier (SECURITY-2691 / CVE-2022-29041)

  o Job Generator 1.22 and earlier (SECURITY-2263 / CVE-2022-29042)

  o Mask Passwords Plugin 3.0 and earlier (SECURITY-2701 / CVE-2022-29043)

  o Node and Label parameter Plugin 1.10.3 and earlier (SECURITY-2702 /
    CVE-2022-29044)

  o promoted builds Plugin 873.v6149db_d64130 and earlier (SECURITY-2692 /
    CVE-2022-29045)

  o Subversion Plugin 2.15.3 and earlier (SECURITY-2698 / CVE-2022-29046)

This results in stored cross-site scripting (XSS) vulnerabilities exploitable
by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on
another page, like the "Build With Parameters" and "Parameters" pages provided
by Jenkins (core), and that those pages are not hardened to prevent
exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of
this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and
LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, the
following plugins have been updated to list parameters in a way that prevents
exploitation by default.

  o Maven Release Plugin 0.16.3 (SECURITY-2669)

  o Pipeline: Build Step Plugin 2.17 and 2.15.2 (SECURITY-2611)

  o Pipeline: Input Step Plugin 447.v95e5a_6e3502a_ and 2.12.1 (SECURITY-2674)

  o promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1 (SECURITY-2670)

  o Rebuilder Plugin 1.33.1 (SECURITY-2671)

  o Release Plugin 2.14 (SECURITY-2672)

Older releases of these plugins allow exploitation of the vulnerabilities
listed above.

As of publication of this advisory, the following plugins have not yet been
updated to list parameters in a way that prevents exploitation of these
vulnerabilities:

  o Coordinator Plugin (SECURITY-2668)

  o Show Build Parameters Plugin (SECURITY-2325)

  o Unleash Maven Plugin (SECURITY-2673)

These are not vulnerabilities in these plugins. Only plugins defining parameter
types can be considered to be vulnerable to this issue.

Note: Some plugins both define parameter types and implement a page listing
parameters, so they can appear in multiple lists and may have both a security
fix and a security hardening applied.

The following plugins have been updated to escape the name and description of
the parameter types they provide in the versions specified:

  o Credentials Plugin 1112.vc87b_7a_3597f6, 1087.1089.v2f1b_9a_b_040e4,
    1074.1076.v39c30cecb_0e2, and 2.6.1.1

  o CVS Plugin 2.19.1

  o Gerrit Trigger Plugin 2.35.3

  o Git Parameter Plugin 0.9.16

  o Jira Plugin 3.7.1 and 3.6.1

  o Mask Passwords Plugin 3.1

  o Node and Label parameter Plugin 1.10.3.1

  o promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1

  o Subversion Plugin 2.15.4

As of publication of this advisory, there is no fix available for the following
plugins:

  o Extended Choice Parameter Plugin (SECURITY-2704 / CVE-2022-29038)

  o Job Generator (SECURITY-2263 / CVE-2022-29042)

Untrusted users can modify some Pipeline libraries in Pipeline: Shared Groovy
Libraries Plugin  

SECURITY-1951 / CVE-2022-29047

Multibranch Pipelines by default limit who can change the Pipeline definition
from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build
content from users without commit access, but who can submit pull requests,
without granting them the ability to modify the Pipeline definition. In that
case, Jenkins will just use the Pipeline definition in the pull request's
destination branch instead.

In Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier
the same protection does not apply to uses of the library step with a retriever
argument pointing to a library in the current build's repository and branch
(e.g., library(..., retriever: legacySCM(scm))). This allows attackers able to
submit pull requests (or equivalent), but not able to commit directly to the
configured SCM, to effectively change the Pipeline behavior by changing the
library behavior in their pull request, even if the Pipeline is configured to
not trust them.

Pipeline: Shared Groovy Libraries Plugin 566.vd0a_a_3334a_555 and 2.21.3 aborts
library retrieval if the library would be retrieved from the same repository
and revision as the current build, and the revision being built is untrusted.
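
The trust rule described above, modelled as an added example (not code from the advisory or from the plugin): an untrusted pull request gets its Jenkinsfile from the destination branch, and the hardened library step refuses to fetch a library from the build's own untrusted checkout. Repository URLs, refs and the `legacy_scm` helper are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Revision:
    """A checkout a build or a library would be taken from (constructed model)."""
    repo: str      # SCM repository URL
    ref: str       # branch or pull-request head being built / retrieved
    trusted: bool  # whether the revision's author is trusted (e.g. has commit access)

@dataclass(frozen=True)
class LibraryRequest:
    name: str
    repo: str  # repository the retriever resolves to
    ref: str   # revision the retriever resolves to

def legacy_scm(build: Revision, name: str) -> LibraryRequest:
    """library(name, retriever: legacySCM(scm)) resolves to the current build's
    own repository and revision (constructed helper mirroring that behaviour)."""
    return LibraryRequest(name, build.repo, build.ref)

def jenkinsfile_source(head: Revision, destination: Revision) -> Revision:
    """Multibranch rule: an untrusted change does not supply the Pipeline
    definition; the destination branch's Jenkinsfile is used instead."""
    return head if head.trusted else destination

def library_allowed(head: Revision, lib: LibraryRequest) -> bool:
    """Hardened rule from 566.vd0a_a_3334a_555 / 2.21.3: abort retrieval when the
    library would come from the same repository and revision as the current
    build and that revision is untrusted. Before the fix this was always True."""
    same_checkout = (lib.repo, lib.ref) == (head.repo, head.ref)
    return not (same_checkout and not head.trusted)

# Constructed scenario: a pull request from a contributor without commit access.
REPO = "https://scm.example.invalid/org/app.git"
PR_HEAD = Revision(REPO, "refs/pull/42/head", trusted=False)
MAIN = Revision(REPO, "refs/heads/main", trusted=True)
EXTERNAL_LIB = LibraryRequest("utils", "https://scm.example.invalid/org/libs.git", "v1.2")

if __name__ == "__main__":
    print("Jenkinsfile taken from:", jenkinsfile_source(PR_HEAD, MAIN).ref)
    print("legacySCM library allowed:", library_allowed(PR_HEAD, legacy_scm(PR_HEAD, "utils")))
    print("pinned external library allowed:", library_allowed(PR_HEAD, EXTERNAL_LIB))
```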

CSRF vulnerability in Subversion Plugin  

SECURITY-2075 / CVE-2022-29048

Subversion Plugin 2.15.3 and earlier does not require POST requests for several
form validation methods, resulting in cross-site request forgery (CSRF)
vulnerabilities.

These vulnerabilities allow attackers to connect to an attacker-specified URL.

Subversion Plugin 2.15.4 requires POST requests for the affected form
validation methods.

Promotion names in promoted builds Plugin are not validated when using Job DSL

SECURITY-2655 / CVE-2022-29049

promoted builds Plugin provides dedicated support for defining promotions using
Job DSL Plugin.

promoted builds Plugin 873.v6149db_d64130 and earlier does not validate the
names of promotions defined in Job DSL. This allows attackers with Job/
Configure permission to create a promotion with an unsafe name. As a result,
the promotion name could be used for cross-site scripting (XSS) or to replace
other config.xml files.

promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1 validates the name of
promotions.
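
As an added example, not the plugin's actual validator: a name check that rejects the two consequences the advisory names (markup characters usable for XSS, and path components that would let a promotion's config.xml land outside the job's promotions directory), plus a path-containment check as a second layer. The allowed character set and the `promotions/<name>/config.xml` layout are assumptions made for this illustration.

```python
import posixpath
import re

# Constructed rule set: a conservative character class, not the plugin's real rule.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$")

def validate_promotion_name(name: str) -> tuple[bool, str]:
    """Return (ok, reason). Rejects empty names, traversal components,
    path separators, and anything outside the allowed character set."""
    if not name or name.strip() != name:
        return False, "empty or surrounding whitespace"
    if name in (".", "..") or "/" in name or "\\" in name:
        return False, "path separator or traversal component"
    if not SAFE_NAME.match(name):
        return False, "character outside the allowed set (e.g. markup)"
    return True, "ok"

def promotion_config_path(job_dir: str, name: str):
    """Where a promotion's config.xml would be written under the assumed layout.
    Returns None when the normalised path escapes the promotions directory,
    so a name that slipped past validation still cannot overwrite another file."""
    base = posixpath.normpath(posixpath.join(job_dir, "promotions"))
    target = posixpath.normpath(posixpath.join(base, name, "config.xml"))
    if posixpath.commonpath([base, target]) != base:
        return None
    return target

if __name__ == "__main__":
    for candidate in ("release", "Stage 1", "<b>release</b>", "../sibling"):
        print(repr(candidate), validate_promotion_name(candidate))
```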

CSRF vulnerability and missing permission checks in Publish Over FTP Plugin  

SECURITY-2321 / CVE-2022-29050 (CSRF), CVE-2022-29051 (missing permission
check)

Publish Over FTP Plugin 1.16 and earlier does not perform permission checks in
methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an FTP server
using attacker-specified credentials.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Publish Over FTP Plugin 1.17 requires POST requests and appropriate permissions
for the affected form validation methods.

Private key stored in plain text by Google Compute Engine Plugin  

SECURITY-2045 / CVE-2022-29052

Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted
in cloud agent config.xml files on the Jenkins controller as part of its
configuration.

These private keys can be viewed by users with Agent/Extended Read permission
or access to the Jenkins controller file system.

Google Compute Engine Plugin 4.3.9 stores private keys encrypted.
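
A controller-side check for this class of issue, added here as an example (not code from the advisory or the plugin): it walks a config.xml and reports elements holding a PEM private key in the clear, distinguishing them from values already stored in Jenkins' encrypted Secret form. The sample XML and its element names are constructed for the illustration and do not reproduce the plugin's schema.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# PEM header of an unencrypted private key, e.g. "-----BEGIN RSA PRIVATE KEY-----".
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:([A-Z0-9 ]+) )?PRIVATE KEY-----")
# Heuristic for Jenkins' encrypted Secret form: a base64 blob wrapped in braces.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

def classify_key_material(xml_text: str) -> dict:
    """Report elements holding a plaintext PEM key versus an encrypted Secret.
    Each finding is keyed by the tag path from the document root."""
    root = ET.fromstring(xml_text)
    report = {"plaintext": [], "encrypted": []}

    def walk(elem, path):
        text = (elem.text or "").strip()
        m = PEM_PRIVATE_KEY.search(text)
        if m:
            report["plaintext"].append((path, m.group(1) or "PRIVATE KEY"))
        elif ENCRYPTED_SECRET.match(text):
            report["encrypted"].append(path)
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return report

def scan_jenkins_home(jenkins_home: str) -> dict:
    """Run the check over every config.xml below JENKINS_HOME; returns only
    files with plaintext findings. Unparseable files are skipped."""
    findings = {}
    for cfg in Path(jenkins_home).rglob("config.xml"):
        try:
            report = classify_key_material(cfg.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            continue
        if report["plaintext"]:
            findings[str(cfg)] = report["plaintext"]
    return findings

# Constructed sample: one cloud with a plaintext key, one already using a Secret.
SAMPLE_CONFIG = """<clouds>
  <cloud><name>gce-agents-old</name>
    <privateKey>-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFLCBOT1QgQSBSRUFMIEtFWQ==
-----END RSA PRIVATE KEY-----</privateKey></cloud>
  <cloud><name>gce-agents-fixed</name>
    <privateKey>{AQAAABAAAAAwQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=}</privateKey></cloud>
</clouds>"""

if __name__ == "__main__":
    print(classify_key_material(SAMPLE_CONFIG))
```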

Severity  

  o SECURITY-1951: High
  o SECURITY-2045: Medium
  o SECURITY-2075: Medium
  o SECURITY-2321: Medium
  o SECURITY-2617: High
  o SECURITY-2655: High

Affected Versions  

  o Credentials Plugin up to and including 1111.v35a_307992395
  o CVS Plugin up to and including 2.19
  o Extended Choice Parameter Plugin up to and including 346.vd87693c5a_86c
  o Gerrit Trigger Plugin up to and including 2.35.2
  o Git Parameter Plugin up to and including 0.9.15
  o Google Compute Engine Plugin up to and including 4.3.8
  o Jira Plugin up to and including 3.7
  o Job Generator Plugin up to and including 1.22
  o Mask Passwords Plugin up to and including 3.0
  o Node and Label parameter Plugin up to and including 1.10.3
  o Pipeline: Shared Groovy Libraries Plugin up to and including
    564.ve62a_4eb_b_e039
  o promoted builds Plugin up to and including 873.v6149db_d64130
  o Publish Over FTP Plugin up to and including 1.16
  o Subversion Plugin up to and including 2.15.3

Fix  

  o Credentials Plugin should be updated to version 1112.vc87b_7a_3597f6,
    1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, or 2.6.1.1
  o CVS Plugin should be updated to version 2.19.1
  o Gerrit Trigger Plugin should be updated to version 2.35.3
  o Git Parameter Plugin should be updated to version 0.9.16
  o Google Compute Engine Plugin should be updated to version 4.3.9
  o Jira Plugin should be updated to version 3.7.1 or 3.6.1
  o Mask Passwords Plugin should be updated to version 3.1
  o Node and Label parameter Plugin should be updated to version 1.10.3.1
  o Pipeline: Shared Groovy Libraries Plugin should be updated to version
    566.vd0a_a_3334a_555 or 2.21.3
  o promoted builds Plugin should be updated to version 876.v99d29788b_36b_ or
    3.10.1
  o Publish Over FTP Plugin should be updated to version 1.17
  o Subversion Plugin should be updated to version 2.15.4

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Extended Choice Parameter Plugin
  o Job Generator Plugin

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-2045
  o James Nord, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for
    SECURITY-2075
  o James Nord, CloudBees, Inc. and Jesse Glick, CloudBees, Inc. for
    SECURITY-1951
  o Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for
    SECURITY-2655
  o Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and
    Daniel Beck, CloudBees, Inc. for SECURITY-2617
  o Kevin Guerroudj, Justin Philip, Marc Heyries for SECURITY-2321

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================