===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0440
                   Jenkins Security Advisory 2023-01-24
                              25 January 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Plugins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-24459 CVE-2023-24458 CVE-2023-24457
                   CVE-2023-24456 CVE-2023-24455 CVE-2023-24454
                   CVE-2023-24453 CVE-2023-24452 CVE-2023-24451
                   CVE-2023-24450 CVE-2023-24449 CVE-2023-24448
                   CVE-2023-24447 CVE-2023-24446 CVE-2023-24445
                   CVE-2023-24444 CVE-2023-24443 CVE-2023-24442
                   CVE-2023-24441 CVE-2023-24440 CVE-2023-24439
                   CVE-2023-24438 CVE-2023-24437 CVE-2023-24436
                   CVE-2023-24435 CVE-2023-24434 CVE-2023-24433
                   CVE-2023-24432 CVE-2023-24431 CVE-2023-24430
                   CVE-2023-24429 CVE-2023-24428 CVE-2023-24427
                   CVE-2023-24426 CVE-2023-24425 CVE-2023-24424
                   CVE-2023-24423 CVE-2023-24422 

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2023-01-24/

Comment: CVSS (Max):  8.8 CVE-2023-24422 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Jenkins
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2023-01-24  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Azure AD Plugin
  o BearyChat Plugin
  o Bitbucket OAuth Plugin
  o Cisco Spark Notifier Plugin
  o Gerrit Trigger Plugin
  o GitHub Pull Request Builder Plugin
  o GitHub Pull Request Coverage Status Plugin
  o JIRA Pipeline Steps Plugin
  o Keycloak Authentication Plugin
  o Kubernetes Credentials Provider Plugin
  o MSTest Plugin
  o OpenID Plugin
  o OpenId Connect Authentication Plugin
  o Orka by MacStadium Plugin
  o PWauth Security Realm Plugin
  o RabbitMQ Consumer Plugin
  o Script Security Plugin
  o Semantic Versioning Plugin
  o TestComplete support Plugin
  o TestQuality Updater Plugin
  o view-cloner Plugin
  o visualexpert Plugin

Descriptions  

Sandbox bypass vulnerability in Script Security Plugin  

SECURITY-3016 / CVE-2023-24422
Severity (CVSS): High
Affected plugin: script-security
Description:

Script Security Plugin provides a sandbox feature that allows low privileged
users to define scripts, including Pipelines, that are generally safe to
execute. Calls to code defined inside a sandboxed script are intercepted, and
various allowlists are checked to determine whether the call is to be allowed.

In Script Security Plugin 1228.vd93135a_2fb_25 and earlier, property
assignments performed implicitly by the Groovy language runtime when invoking
map constructors were not intercepted by the sandbox.

This vulnerability allows attackers with permission to define and run sandboxed
scripts, including Pipelines, to bypass the sandbox protection and execute
arbitrary code in the context of the Jenkins controller JVM.

Script Security Plugin 1229.v4880b_b_e905a_6 intercepts property assignments
when invoking map constructors.

 As part of this fix, map constructors may only be invoked in the sandbox using
 the new key. Attempting to invoke a map constructor using a Groovy cast will
 fail unconditionally. For example, code such as [key: value] as MyClass or
 MyClass mc = [key: value] must be converted to use new MyClass(key: value)
 instead.

CSRF vulnerability in Gerrit Trigger Plugin  

SECURITY-2137 / CVE-2023-24423
Severity (CVSS): Medium
Affected plugin: gerrit-trigger
Description:

Gerrit Trigger Plugin 2.38.0 and earlier does not require POST requests for
several HTTP endpoints, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to rebuild previous builds triggered by
Gerrit.

Gerrit Trigger Plugin 2.38.1 requires POST requests for the affected HTTP
endpoints.

Session fixation vulnerability in OpenId Connect Authentication Plugin  

SECURITY-2978 / CVE-2023-24424
Severity (CVSS): High
Affected plugin: oic-auth
Description:

OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the
existing session on login.

This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.

OpenId Connect Authentication Plugin 2.5 invalidates the existing session on
login.

Exposure of system-scoped Kubernetes credentials in Kubernetes Credentials
Provider Plugin  

SECURITY-3022 / CVE-2023-24425
Severity (CVSS): Medium
Affected plugin: kubernetes-credentials-provider
Description:

Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not
set the appropriate context for Kubernetes credentials lookup, allowing the use
of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and potentially
capture Kubernetes credentials they are not entitled to.

Kubernetes Credentials Provider Plugin 1.209.v862c6e5fb_1ef defines the
appropriate context for Kubernetes credentials lookup.

Session fixation vulnerability in Azure AD Plugin  

SECURITY-2980 / CVE-2023-24426
Severity (CVSS): High
Affected plugin: azure-ad
Description:

Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the existing
session on login.

This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.

Azure AD Plugin 306.va_7083923fd50 invalidates the existing session on login.

Session fixation vulnerability in Bitbucket OAuth Plugin  

SECURITY-2982 / CVE-2023-24427
Severity (CVSS): High
Affected plugin: bitbucket-oauth
Description:

Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the existing
session on login.

This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.

Bitbucket OAuth Plugin 0.13 invalidates the existing session on login.

CSRF vulnerability in Bitbucket OAuth Plugin  

SECURITY-2981 / CVE-2023-24428
Severity (CVSS): Medium
Affected plugin: bitbucket-oauth
Description:

Bitbucket OAuth Plugin 0.12 and earlier does not implement a state parameter in
its OAuth flow, a unique and non-guessable value associated with each
authentication request.

This vulnerability allows attackers to trick users into logging in to the
attacker's account.

Bitbucket OAuth Plugin 0.13 implements a state parameter in its OAuth flow.

Agent-to-controller security bypass in Semantic Versioning Plugin  

SECURITY-2973 (1) / CVE-2023-24429
Severity (CVSS): High
Affected plugin: semantic-versioning-plugin
Description:

Semantic Versioning Plugin defines a controller/agent message that processes a
given file as XML and its XML parser is not configured to prevent XML external
entity (XXE) attacks.

Semantic Versioning Plugin 1.14 and earlier does not restrict execution of the
controller/agent message to agents, and implements no limitations about the
file path that can be parsed. This allows attackers able to control agent
processes to have Jenkins parse a crafted file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

This is due to an incomplete fix of SECURITY-2124.

 This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS
 2.303.2 and earlier. See the LTS upgrade guide.

Semantic Versioning Plugin 1.15 does not allow the affected controller/agent
message to be submitted by agents for execution on the controller.

XXE vulnerability on agents in Semantic Versioning Plugin  

SECURITY-2973 (2) / CVE-2023-24430
Severity (CVSS): Medium
Affected plugin: semantic-versioning-plugin
Description:

Semantic Versioning Plugin 1.14 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.

This allows attackers able to control the contents of the version file for the
'Determine Semantic Version' build step to have agent processes parse a crafted
file that uses external entities for extraction of secrets from the Jenkins
agent or server-side request forgery.

 Because Jenkins agent processes usually execute build tools whose input
 (source code, build scripts, etc.) is controlled externally, this
 vulnerability only has a real impact in very narrow circumstances: when
 attackers can control XML files, but are unable to change build steps,
 Jenkinsfiles, test code that gets executed on the agents, or similar.

Semantic Versioning Plugin 1.15 disables external entity resolution for its XML
parser.

Missing permission checks in Orka by MacStadium Plugin allow enumerating
credentials IDs  

SECURITY-2772 (1) / CVE-2023-24431
Severity (CVSS): Medium
Affected plugin: macstadium-orka
Description:

Orka by MacStadium Plugin 1.31 and earlier does not perform permission checks
in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

An enumeration of credentials IDs in Orka by MacStadium Plugin 1.32 requires
Overall/Administer permission.

CSRF vulnerability and missing permission checks in Orka by MacStadium Plugin
allow capturing credentials  

SECURITY-2772 (2) / CVE-2023-24432 (CSRF), CVE-2023-24433 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: macstadium-orka
Description:

Orka by MacStadium Plugin 1.31 and earlier does not perform permission checks
in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified HTTP server using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, these HTTP endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

Orka by MacStadium Plugin 1.32 requires POST requests and Overall/Administer
permission for the affected HTTP endpoints.

Missing permission check in GitHub Pull Request Builder Plugin allows
enumerating credentials IDs  

SECURITY-2789 (1) / CVE-2023-24436
Severity (CVSS): Medium
Affected plugin: ghprb
Description:

GitHub Pull Request Builder Plugin 1.42.2 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

CSRF vulnerability and missing permission checks in GitHub Pull Request Builder
Plugin  

SECURITY-2789 (2) / CVE-2023-24434 (CSRF), CVE-2023-24435 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: ghprb
Description:

GitHub Pull Request Builder Plugin 1.42.2 and earlier does not perform
permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

CSRF vulnerability and missing permission checks in JIRA Pipeline Steps Plugin

SECURITY-2786 / CVE-2023-24437 (CSRF), CVE-2023-24438 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: jira-steps
Description:

JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier does not perform
permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Keys stored in plain text by JIRA Pipeline Steps Plugin  

SECURITY-2774 / CVE-2023-24439 (storage), CVE-2023-24440 (masking)
Severity (CVSS): Low
Affected plugin: jira-steps
Description:

JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private
key unencrypted in its global configuration file
org.thoughtslive.jenkins.plugins.jira.JiraStepsConfig.xml on the Jenkins
controller as part of its configuration.

This key can be viewed by users with access to the Jenkins controller file
system.

Additionally, the global configuration form does not mask the API key,
increasing the potential for attackers to observe and capture it.

As of publication of this advisory, there is no fix. Learn why we announce
this.

XXE vulnerability on agents in MSTest Plugin  

SECURITY-2292 / CVE-2023-24441
Severity (CVSS): Medium
Affected plugin: mstest
Description:

MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers able to control the contents of the report file for the
'Publish MSTest test result report' post-build step to have agent processes
parse a crafted file that uses external entities for extraction of secrets from
the Jenkins agent or server-side request forgery.

 Because Jenkins agent processes usually execute build tools whose input
 (source code, build scripts, etc.) is controlled externally, this
 vulnerability only has a real impact in very narrow circumstances: when
 attackers can control XML files, but are unable to change build steps,
 Jenkinsfiles, test code that gets executed on the agents, or similar.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Credentials stored in plain text by GitHub Pull Request Coverage Status Plugin

SECURITY-2767 / CVE-2023-24442
Severity (CVSS): Low
Affected plugin: github-pr-coverage-status
Description:

GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub
Personal Access Token, Sonar access token and Sonar password unencrypted in its
global configuration file
com.github.terma.jenkins.githubprcoveragestatus.Configuration.xml on the
Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Session fixation vulnerability in Keycloak Authentication Plugin  

SECURITY-2987 / CVE-2023-24456
Severity (CVSS): High
Affected plugin: keycloak
Description:

Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the
existing session on login.

This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.

As of publication of this advisory, there is no fix. Learn why we announce
this.

CSRF vulnerability in Keycloak Authentication Plugin  

SECURITY-2986 / CVE-2023-24457
Severity (CVSS): Medium
Affected plugin: keycloak
Description:

Keycloak Authentication Plugin 2.3.0 and earlier does not implement a state
parameter in its OAuth flow, a unique and non-guessable value associated with
each authentication request.

This vulnerability allows attackers to trick users into logging in to the
attacker's account.

As of publication of this advisory, there is no fix. Learn why we announce
this.

XXE vulnerability in TestComplete support Plugin  

SECURITY-2741 / CVE-2023-24443
Severity (CVSS): High
Affected plugin: TestComplete
Description:

TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.

This allows attackers able to control the zip archive input file for the
'TestComplete Test' build step to have Jenkins parse a crafted file that uses
external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

As of publication of this advisory, there is no fix. Learn why we announce
this.
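The XXE entries above (Semantic Versioning Plugin on both the controller and agent side, MSTest Plugin, TestComplete support Plugin) share one root cause: an XML parser left with external entity resolution enabled. The following is an added example, not code from any of those plugins, showing the two halves of the fix described for Semantic Versioning 1.15: a parser that refuses DOCTYPEs and external entities, and a callable based on jenkins.security.MasterToSlaveCallable so the message cannot be submitted by an agent for execution on the controller. SafeXmlReport and ParseOnAgent are hypothetical names.

```java
import java.io.File;
import java.io.IOException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

import jenkins.security.MasterToSlaveCallable;

/** Hypothetical helper for parsing build-generated XML reports safely. */
public final class SafeXmlReport {

    private SafeXmlReport() {}

    /**
     * A DocumentBuilder that rejects DOCTYPE declarations outright and, as
     * defence in depth, also disables every external-entity feature. With this
     * configuration an attacker-controlled report file cannot make the parser
     * read local files or contact arbitrary hosts.
     */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE means no entity declarations at all; this alone blocks XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser implementation ignores the line above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static Document parse(File file)
            throws IOException, SAXException, ParserConfigurationException {
        return hardenedBuilder().parse(file);
    }

    /**
     * Work that must run on the agent. MasterToSlaveCallable only permits the
     * controller-to-agent direction, so an agent process cannot hand this
     * callable back to the controller and have the controller parse a file of
     * the agent's choosing (the SECURITY-2973 (1) pattern).
     */
    public static final class ParseOnAgent extends MasterToSlaveCallable<String, IOException> {

        private static final long serialVersionUID = 1L;
        private final String path;

        public ParseOnAgent(String path) {
            this.path = path;
        }

        @Override
        public String call() throws IOException {
            try {
                // Return only what the build step needs, here the root element name.
                return parse(new File(path)).getDocumentElement().getTagName();
            } catch (SAXException | ParserConfigurationException e) {
                throw new IOException("Cannot parse " + path, e);
            }
        }
    }
}
```

Jenkins core also ships pre-hardened parsing helpers in jenkins.util.xml.XMLUtils; a plugin that can depend on a recent core should prefer those over configuring DocumentBuilderFactory by hand.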

Session fixation vulnerability in OpenID Plugin  

SECURITY-2996 / CVE-2023-24444
Severity (CVSS): High
Affected plugin: openid
Description:

OpenID Plugin 2.4 and earlier does not invalidate the existing session on
login.

This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Open redirect vulnerability in OpenID Plugin  

SECURITY-2997 / CVE-2023-24445
Severity (CVSS): Medium
Affected plugin: openid
Description:

OpenID Plugin 2.4 and earlier improperly determines that a redirect URL after
login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a
Jenkins URL that will forward them to a different site after successful
authentication.

As of publication of this advisory, there is no fix. Learn why we announce
this.

CSRF vulnerability in OpenID Plugin  

SECURITY-2995 / CVE-2023-24446
Severity (CVSS): Medium
Affected plugin: openid
Description:

OpenID Plugin 2.4 and earlier does not implement a state parameter in its OAuth
flow, a unique and non-guessable value associated with each authentication
request.

This vulnerability allows attackers to trick users into logging in to the
attacker's account.

As of publication of this advisory, there is no fix. Learn why we announce
this.
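The login-related entries above fall into two classes: session fixation (OpenId Connect Authentication, Azure AD, Bitbucket OAuth, Keycloak Authentication and OpenID Plugins do not invalidate the existing session on login) and a missing OAuth state parameter (Bitbucket OAuth, Keycloak Authentication and OpenID Plugins). The following is an added example, not code from any of these plugins, showing both fixes in one OAuth-style flow using the plain servlet API; OAuthLoginHelper and its attribute names are hypothetical, and wiring the result into Jenkins' security context is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper covering the three points in an OAuth login where the advisory's defects live. */
public final class OAuthLoginHelper {

    private static final String STATE_ATTR = "example-oauth-state";
    private static final String USER_ATTR = "example-user";
    private static final SecureRandom RANDOM = new SecureRandom();

    private OAuthLoginHelper() {}

    /**
     * Step 1: before redirecting the browser to the identity provider, mint a
     * unique, unguessable state value and bind it to this browser's session.
     * The caller appends it as the state query parameter of the authorization URL.
     */
    public static String beginLogin(HttpServletRequest req) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        req.getSession(true).setAttribute(STATE_ATTR, state);
        return state;
    }

    /**
     * Step 2: on the callback, accept the response only if it carries the state
     * this session issued. Without this check a victim can be made to complete a
     * login the attacker started, ending up logged in to the attacker's account.
     * The stored value is consumed whether or not it matches, so it is single-use.
     */
    public static boolean verifyState(HttpServletRequest req, String returnedState) {
        HttpSession session = req.getSession(false);
        if (session == null || returnedState == null) {
            return false;
        }
        Object expected = session.getAttribute(STATE_ATTR);
        session.removeAttribute(STATE_ATTR);
        if (!(expected instanceof String)) {
            return false;
        }
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Step 3: once the identity provider has confirmed the user, discard the
     * pre-login session and start a fresh one. A session ID that existed before
     * authentication (possibly planted via social engineering) must never
     * become an authenticated session.
     */
    public static HttpSession completeLogin(HttpServletRequest req, String userId) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_ATTR, userId);
        return fresh;
    }
}
```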

CSRF vulnerability and missing permission check in RabbitMQ Consumer Plugin  

SECURITY-2778 / CVE-2023-24447 (CSRF), CVE-2023-24448 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: rabbitmq-consumer
Description:

RabbitMQ Consumer Plugin 2.8 and earlier does not perform a permission check in
a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified AMQP server using attacker-specified username and password.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Path traversal vulnerability in PWauth Security Realm Plugin  

SECURITY-2985 / CVE-2023-24449
Severity (CVSS): Medium
Affected plugin: pwauth
Description:

PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of
files in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence
of an attacker-specified file path on the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Passwords stored in plain text by view-cloner Plugin  

SECURITY-2787 / CVE-2023-24450
Severity (CVSS): Medium
Affected plugin: view-cloner
Description:

view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job
config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or
access to the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Missing permission checks in Cisco Spark Notifier Plugin allow enumerating
credentials IDs  

SECURITY-2803 / CVE-2023-24451
Severity (CVSS): Medium
Affected plugin: cisco-spark-notifier
Description:

Cisco Spark Notifier Plugin 1.1.1 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

CSRF vulnerability and missing permission check in BearyChat Plugin  

SECURITY-2745 / CVE-2023-24458 (CSRF), CVE-2023-24459 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: bearychat
Description:

BearyChat Plugin 3.0.2 and earlier does not perform a permission check in a
method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

CSRF vulnerability and missing permission check in TestQuality Updater Plugin  

SECURITY-2800 / CVE-2023-24452 (CSRF), CVE-2023-24453 (missing permission
check)
Severity (CVSS): Medium
Affected plugin: testquality-updater
Description:

TestQuality Updater Plugin 1.3 and earlier does not perform a permission check
in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified username and password.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Password stored in plain text by TestQuality Updater Plugin  

SECURITY-2091 / CVE-2023-24454
Severity (CVSS): Low
Affected plugin: testquality-updater
Description:

TestQuality Updater Plugin 1.3 and earlier stores the TestQuality Updater
password unencrypted in its global configuration file
com.testquality.jenkins.TestQualityNotifier.xml on the Jenkins controller as
part of its configuration.

This password can be viewed by users with access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix. Learn why we announce
this.
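The plain-text storage entries above (JIRA Pipeline Steps, GitHub Pull Request Coverage Status, view-cloner and TestQuality Updater Plugins) all come from holding a secret in a String field that Jenkins serialises as-is into an XML file on the controller. The following is an added example, not code from any of those plugins, of the usual remedy: keep the value as hudson.util.Secret so it is written encrypted, decrypt only at the point of use, and migrate an existing plain-text field. ExampleGlobalConfiguration and its field names are hypothetical.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

/**
 * Hypothetical global configuration. Because apiKey is a Secret, XStream
 * writes its encrypted form into this class's XML file under JENKINS_HOME
 * rather than the plain text a String field would produce.
 */
@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {

    private Secret apiKey;

    /** Left over from a release that stored the key as plain text; migrated on load. */
    private transient String legacyApiKey;

    public ExampleGlobalConfiguration() {
        load();
    }

    public static ExampleGlobalConfiguration get() {
        return GlobalConfiguration.all().get(ExampleGlobalConfiguration.class);
    }

    /**
     * Invoked by XStream after deserialisation. An old plain-text value is
     * wrapped in a Secret and re-saved, so the next write to disk no longer
     * contains it in the clear.
     */
    protected Object readResolve() {
        if (legacyApiKey != null && apiKey == null) {
            apiKey = Secret.fromString(legacyApiKey);
            legacyApiKey = null;
            save();
        }
        return this;
    }

    /**
     * Returned as a Secret, not a String: the configuration form should bind
     * this field with an <f:password field="apiKey"/> control, which masks the
     * value in the page instead of rendering it in a visible text box.
     */
    public Secret getApiKey() {
        return apiKey;
    }

    @DataBoundSetter
    public void setApiKey(Secret apiKey) {
        this.apiKey = apiKey;
        save();
    }

    /** Only the code that actually needs the key decrypts it, at the moment of use. */
    public String apiKeyPlainText() {
        return apiKey == null ? "" : apiKey.getPlainText();
    }
}
```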

Path traversal vulnerability in visualexpert Plugin  

SECURITY-2709 / CVE-2023-24455
Severity (CVSS): Medium
Affected plugin: visualexpert
Description:

visualexpert Plugin 1.3 and earlier does not restrict the names of files in
methods implementing form validation.

This allows attackers with Item/Configure permission to check for the existence
of an attacker-specified file path on the Jenkins controller file system.

As of publication of this advisory, there is no fix. Learn why we announce
this.

Severity  

  o SECURITY-2091: Low
  o SECURITY-2137: Medium
  o SECURITY-2292: Medium
  o SECURITY-2709: Medium
  o SECURITY-2741: High
  o SECURITY-2745: Medium
  o SECURITY-2767: Low
  o SECURITY-2772 (1): Medium
  o SECURITY-2772 (2): Medium
  o SECURITY-2774: Low
  o SECURITY-2778: Medium
  o SECURITY-2786: Medium
  o SECURITY-2787: Medium
  o SECURITY-2789 (1): Medium
  o SECURITY-2789 (2): Medium
  o SECURITY-2800: Medium
  o SECURITY-2803: Medium
  o SECURITY-2973 (1): High
  o SECURITY-2973 (2): Medium
  o SECURITY-2978: High
  o SECURITY-2980: High
  o SECURITY-2981: Medium
  o SECURITY-2982: High
  o SECURITY-2985: Medium
  o SECURITY-2986: Medium
  o SECURITY-2987: High
  o SECURITY-2995: Medium
  o SECURITY-2996: High
  o SECURITY-2997: Medium
  o SECURITY-3016: High
  o SECURITY-3022: Medium

Affected Versions  

  o Azure AD Plugin up to and including 303.va_91ef20ee49f
  o BearyChat Plugin up to and including 3.0.2
  o Bitbucket OAuth Plugin up to and including 0.12
  o Cisco Spark Notifier Plugin up to and including 1.1.1
  o Gerrit Trigger Plugin up to and including 2.38.0
  o GitHub Pull Request Builder Plugin up to and including 1.42.2
  o GitHub Pull Request Coverage Status Plugin up to and including 2.2.0
  o JIRA Pipeline Steps Plugin up to and including 2.0.165.v8846cf59f3db
  o Keycloak Authentication Plugin up to and including 2.3.0
  o Kubernetes Credentials Provider Plugin up to and including
    1.208.v128ee9800c04
  o MSTest Plugin up to and including 1.0.0
  o OpenID Plugin up to and including 2.4
  o OpenId Connect Authentication Plugin up to and including 2.4
  o Orka by MacStadium Plugin up to and including 1.31
  o PWauth Security Realm Plugin up to and including 0.4
  o RabbitMQ Consumer Plugin up to and including 2.8
  o Script Security Plugin up to and including 1228.vd93135a_2fb_25
  o Semantic Versioning Plugin up to and including 1.14
  o TestComplete support Plugin up to and including 2.8.1
  o TestQuality Updater Plugin up to and including 1.3
  o view-cloner Plugin up to and including 1.1
  o visualexpert Plugin up to and including 1.3

Fix  

  o Azure AD Plugin should be updated to version 306.va_7083923fd50
  o Bitbucket OAuth Plugin should be updated to version 0.13
  o Gerrit Trigger Plugin should be updated to version 2.38.1
  o Kubernetes Credentials Provider Plugin should be updated to version
    1.209.v862c6e5fb_1ef
  o OpenId Connect Authentication Plugin should be updated to version 2.5
  o Orka by MacStadium Plugin should be updated to version 1.32
  o Script Security Plugin should be updated to version 1229.v4880b_b_e905a_6
  o Semantic Versioning Plugin should be updated to version 1.15

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o BearyChat Plugin
  o Cisco Spark Notifier Plugin
  o GitHub Pull Request Builder Plugin
  o GitHub Pull Request Coverage Status Plugin
  o JIRA Pipeline Steps Plugin
  o Keycloak Authentication Plugin
  o MSTest Plugin
  o OpenID Plugin
  o PWauth Security Realm Plugin
  o RabbitMQ Consumer Plugin
  o TestComplete support Plugin
  o TestQuality Updater Plugin
  o view-cloner Plugin
  o visualexpert Plugin

Learn why we announce these issues.

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-2973 (1), SECURITY-2973 (2)
  o Devin Nusbaum, CloudBees, Inc. for SECURITY-3016
  o Kevin Guerroudj, CloudBees, Inc. for SECURITY-2800, SECURITY-2803,
    SECURITY-2978, SECURITY-2980, SECURITY-2981, SECURITY-2982, SECURITY-2985
  o Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc. for
    SECURITY-2986, SECURITY-2987, SECURITY-2995, SECURITY-2996, SECURITY-2997
  o Long Nguyen, Viettel Cyber Security for SECURITY-2091
  o Marc Heyries, Justin Philip, Kevin Guerroudj, and independently, CC Bomber,
    Kitri BoB for SECURITY-2292
  o Marcelo Castro, intersoft AG for SECURITY-3022
  o Valdes Che Zogou, CloudBees, Inc. for SECURITY-2709, SECURITY-2741,
    SECURITY-2745, SECURITY-2767, SECURITY-2772 (1), SECURITY-2772 (2),
    SECURITY-2774, SECURITY-2786, SECURITY-2787, SECURITY-2789 (1),
    SECURITY-2789 (2)
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-2137
  o Yaroslav Afenkin, CloudBees, Inc. for SECURITY-2778

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================