===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1106
                     Jenkins plugins security advisory
                               31 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Plugins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data     -- Existing Account            
                   Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21638 CVE-2021-21637 CVE-2021-21636
                   CVE-2021-21635 CVE-2021-21634 CVE-2021-21633
                   CVE-2021-21632 CVE-2021-21631 CVE-2021-21630
                   CVE-2021-21629 CVE-2021-21628 

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2021-03-30/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2021-03-30  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Build With Parameters Plugin
  o Cloud Statistics Plugin
  o Extra Columns Plugin
  o Jabber (XMPP) notifier and control Plugin
  o OWASP Dependency-Track Plugin
  o REST List Parameter Plugin
  o Team Foundation Server Plugin

Descriptions  

Stored XSS vulnerability in Build With Parameters Plugin  

SECURITY-2231 / CVE-2021-21628

Build With Parameters Plugin 1.5 and earlier does not escape parameter names
and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

Build With Parameters Plugin 1.5.1 escapes parameter names and descriptions.

CSRF vulnerability in Build With Parameters Plugin  

SECURITY-2257 / CVE-2021-21629

Build With Parameters Plugin 1.5 and earlier does not require POST requests for
its form submission endpoint, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to build a project with attacker-specified
parameters.

Build With Parameters Plugin 1.5.1 requires POST requests for the affected HTTP
endpoint.

Stored XSS vulnerability in Extra Columns Plugin  

SECURITY-2222 / CVE-2021-21630

Extra Columns Plugin 1.22 and earlier does not escape parameter values in the
build parameters column.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission. Additionally, a view containing
such a job needs to be configured with the build parameters column, or the
attacker also needs View/Configure permission.

Extra Columns Plugin 1.23 escapes parameter values in the build parameters
column.

Missing permission check in Cloud Statistics Plugin  

SECURITY-2246 / CVE-2021-21631

Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Overall/Read permission and knowledge of random
activity IDs to view related provisioning exception error messages.

Cloud Statistics Plugin 0.27 requires Overall/Administer permission to access
provisioning exception error messages.

CSRF vulnerability and missing permission checks in OWASP Dependency-Track
Plugin allow capturing credentials  

SECURITY-2250 / CVE-2021-21632 (permission check), CVE-2021-21633 (CSRF)

OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing "Secret text" credentials stored in Jenkins.
If no credentials ID is specified, the globally configured credential is used,
if set up, and can likewise be captured.

Additionally, these HTTP endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

OWASP Dependency-Track Plugin 3.1.1 requires POST requests and appropriate
permissions for the affected HTTP endpoints.

Passwords stored in plain text by Jabber (XMPP) notifier and control Plugin  

SECURITY-2162 / CVE-2021-21634

Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords
unencrypted in its global configuration file
hudson.plugins.jabber.im.transport.JabberPublisher.xml on the Jenkins
controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller
file system.

Jabber (XMPP) notifier and control Plugin 1.42 stores passwords encrypted once
its configuration is saved again.

Stored XSS vulnerability in REST List Parameter Plugin  

SECURITY-2261 / CVE-2021-21635

REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name
reference in embedded JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

REST List Parameter Plugin 1.3.1 no longer identifies a parameter using
user-specified content.

Missing permission check in Team Foundation Server Plugin allows enumerating
credentials IDs  

SECURITY-2283 (1) / CVE-2021-21636

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission check in Team Foundation Server
Plugin allow capturing credentials  

SECURITY-2283 (2) / CVE-2021-21637 (permission check), CVE-2021-21638 (CSRF)

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission
check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Severity  

  o SECURITY-2162: Low
  o SECURITY-2222: High
  o SECURITY-2231: High
  o SECURITY-2246: Low
  o SECURITY-2250: Medium
  o SECURITY-2257: Low
  o SECURITY-2261: High
  o SECURITY-2283 (1): Medium
  o SECURITY-2283 (2): High

Affected Versions  

  o Build With Parameters Plugin up to and including 1.5
  o Cloud Statistics Plugin up to and including 0.26
  o Extra Columns Plugin up to and including 1.22
  o Jabber (XMPP) notifier and control Plugin up to and including 1.41
  o OWASP Dependency-Track Plugin up to and including 3.1.0
  o REST List Parameter Plugin up to and including 1.3.0
  o Team Foundation Server Plugin up to and including 5.157.1

Fix  

  o Build With Parameters Plugin should be updated to version 1.5.1
  o Cloud Statistics Plugin should be updated to version 0.27
  o Extra Columns Plugin should be updated to version 1.23
  o Jabber (XMPP) notifier and control Plugin should be updated to version 1.42
  o OWASP Dependency-Track Plugin should be updated to version 3.1.1
  o REST List Parameter Plugin should be updated to version 1.3.1

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Team Foundation Server Plugin
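A quick way to check a Jenkins instance's installed plugins against the affected and fixed versions listed above, as an added example that is not part of the advisory. It assumes the inventory is the JSON returned by Jenkins' /pluginManager/api/json?depth=1 endpoint (shortName, longName, version fields) and matches plugins by normalised display name, because the advisory lists no plugin short names; the inventory below is constructed sample data.

```python
import json
import re

# From the advisory: display name -> (last affected version, fixed version or None).
ADVISORY = {
    "Build With Parameters Plugin": ("1.5", "1.5.1"),
    "Cloud Statistics Plugin": ("0.26", "0.27"),
    "Extra Columns Plugin": ("1.22", "1.23"),
    "Jabber (XMPP) notifier and control Plugin": ("1.41", "1.42"),
    "OWASP Dependency-Track Plugin": ("3.1.0", "3.1.1"),
    "REST List Parameter Plugin": ("1.3.0", "1.3.1"),
    "Team Foundation Server Plugin": ("5.157.1", None),
}

# Constructed sample shaped like Jenkins' /pluginManager/api/json?depth=1 output.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "build-with-parameters", "longName": "Build With Parameters", "version": "1.5"},
    {"shortName": "cloud-stats", "longName": "Cloud Statistics Plugin", "version": "0.27"},
    {"shortName": "dependency-track", "longName": "OWASP Dependency-Track", "version": "3.1.0"},
    {"shortName": "tfs", "longName": "Team Foundation Server Plug-in", "version": "5.157.1"},
    {"shortName": "git", "longName": "Git plugin", "version": "4.7.0"},
]})


def _norm(name):
    """Display-name key: drop case/punctuation and a trailing 'plugin' ('Plug-in' == 'Plugin')."""
    n = re.sub(r"[^a-z0-9]", "", name.lower())
    return n[:-6] if n.endswith("plugin") else n


def version_le(a, b):
    """True if version a <= b on numeric parts, zero-padded so '1.5.0' <= '1.5' holds."""
    ka = [int(p) for p in re.findall(r"\d+", a)]
    kb = [int(p) for p in re.findall(r"\d+", b)]
    n = max(len(ka), len(kb))
    return ka + [0] * (n - len(ka)) <= kb + [0] * (n - len(kb))


def check_inventory(inventory_json):
    """Return one finding per installed plugin that this advisory covers."""
    index = {_norm(k): v for k, v in ADVISORY.items()}
    findings = []
    for p in json.loads(inventory_json)["plugins"]:
        hit = index.get(_norm(p["longName"]))
        if hit is None:
            continue  # plugin not covered by this advisory
        last_affected, fixed = hit
        affected = version_le(p["version"], last_affected)
        action = (f"upgrade to {fixed}" if fixed else "no fix available (see advisory)") if affected else None
        findings.append({"shortName": p["shortName"], "installed": p["version"],
                         "affected": affected, "action": action})
    return findings
```

Pre-release suffixes (for example "1.5-beta") are not handled by version_le; treat such versions as affected unless the plugin's own changelog says otherwise.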

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-2162, SECURITY-2246,
    SECURITY-2283 (1), SECURITY-2283 (2)
  o Justin Philip for SECURITY-2250
  o Kevin Guerroudj for SECURITY-2231, SECURITY-2257, SECURITY-2261
  o Marc Heyries for SECURITY-2222

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================