===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1368
                    Jenkins Security Advisory 2021-04-21
                               22 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery      -- Remote/Unauthenticated
                   Create Arbitrary Files          -- Existing Account
                   Delete Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21647 CVE-2021-21646 CVE-2021-21645
                   CVE-2021-21644 CVE-2021-21643 CVE-2021-21642

Original Bulletin:
   https://www.jenkins.io/security/advisory/2021-04-21/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2021-04-21

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o CloudBees CD Plugin
  o Config File Provider Plugin
  o Templating Engine Plugin

Descriptions

XXE vulnerability in Config File Provider Plugin

SECURITY-2204 / CVE-2021-21642

Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to define Maven configuration files to
have Jenkins parse a crafted configuration file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

Config File Provider Plugin 3.7.1 disables external entity resolution for its
XML parser.
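The parser hardening that SECURITY-2204 calls for, as an added example and not the plugin's own code: a JAXP DocumentBuilderFactory locked down against DOCTYPEs and external entities, fed a constructed Maven settings.xml that declares an external entity. The exact feature set is this example's choice; the advisory only states that 3.7.1 disables external entity resolution.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class MavenSettingsXxeDemo {

    // Constructed sample: a settings.xml whose inline DTD declares an external
    // entity. A default (lenient) JAXP parser, which is the 3.7.0-and-earlier
    // behaviour, would substitute the referenced file's contents for &ext;.
    static final String CRAFTED_SETTINGS =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE settings [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
      + "<settings><localRepository>&ext;</localRepository></settings>";

    // Hardened factory (example's own choice of features, see lead-in).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no DTD means no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a DOCTYPE ever be permitted again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a settings document and returns its <localRepository> text.
    static String localRepository(DocumentBuilderFactory f, String xml) throws Exception {
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("localRepository").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            localRepository(hardenedFactory(), CRAFTED_SETTINGS);
            System.out.println("unexpected: crafted settings.xml was accepted");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is rejected before any external resource is fetched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```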
Incorrect permission checks in Config File Provider Plugin allow enumerating
credentials IDs

SECURITY-2254 / CVE-2021-21643

Config File Provider Plugin 3.7.0 and earlier does not correctly perform
permission checks in several HTTP endpoints.

This allows attackers with global Job/Configure permission to enumerate
system-scoped credentials IDs of credentials stored in Jenkins. Those can be
used as part of an attack to capture the credentials using another
vulnerability.

An enumeration of system-scoped credentials IDs in Config File Provider Plugin
3.7.1 requires Overall/Administer permission.

CSRF vulnerability in Config File Provider Plugin allows deleting configuration
files

SECURITY-2202 / CVE-2021-21644

Config File Provider Plugin 3.7.0 and earlier does not require POST requests
for an HTTP endpoint, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to delete configuration files corresponding
to an attacker-specified ID.

This is due to an incomplete fix of SECURITY-938.

Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP
endpoint.

Missing permission checks in Config File Provider Plugin allow enumerating
configuration file IDs

SECURITY-2203 / CVE-2021-21645

Config File Provider Plugin 3.7.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate configuration
file IDs.

An enumeration of configuration file IDs in Config File Provider Plugin 3.7.1
requires the appropriate permissions.

Remote code execution vulnerability in Templating Engine Plugin

SECURITY-2311 / CVE-2021-21646

Templating Engine Plugin 2.1 and earlier does not protect its pipeline
configurations using Script Security Plugin.

This vulnerability allows attackers with Job/Configure permission to execute
arbitrary code in the context of the Jenkins controller JVM.
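The two endpoint fixes the Config File Provider and CloudBees CD entries describe (require POST for a state-changing endpoint; check the right permission before acting) as an added example using Jenkins core and Stapler APIs, not either plugin's own code. The class, endpoint names and in-memory store are hypothetical; the same checkPermission-before-listing pattern is what gates the ID enumeration endpoints (SECURITY-2203/2254).

```java
import hudson.model.Item;
import hudson.model.Job;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import jenkins.model.Jenkins;
import jenkins.model.ParameterizedJobMixIn;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical Stapler-bound object; not reproduced from either plugin.
public class HardenedEndpoints {

    // Constructed in-memory store standing in for managed config files.
    private final Map<String, String> files = new ConcurrentHashMap<>();

    // BEFORE (the SECURITY-2202 pattern): reachable by a plain GET, so a
    // cross-site request from a victim's browser deletes the file with the
    // given ID, and nothing checks who is asking.
    public HttpResponse doRemoveUnsafe(@QueryParameter String id) {
        files.remove(id);
        return HttpResponses.ok();
    }

    // AFTER: @RequirePOST makes Stapler reject non-POST requests (and Jenkins
    // enforces its CSRF crumb on POST); the explicit check throws
    // AccessDeniedException before any state changes.
    @RequirePOST
    public HttpResponse doRemove(@QueryParameter String id) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        files.remove(id);
        return HttpResponses.ok();
    }

    // SECURITY-2309 pattern: Item/Read lets a user resolve the job, but
    // scheduling must be gated on Item/Build checked against the job itself.
    @RequirePOST
    public HttpResponse doSchedule(@QueryParameter String jobName) {
        Job<?, ?> job = Jenkins.get().getItemByFullName(jobName, Job.class);
        if (job == null) {
            return HttpResponses.notFound();
        }
        job.checkPermission(Item.BUILD);
        ParameterizedJobMixIn.scheduleBuild2(job, 0);
        return HttpResponses.ok();
    }
}
```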
Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect
its pipeline configurations.

Missing permission check in CloudBees CD Plugin allows scheduling builds

SECURITY-2309 / CVE-2021-21647

CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Item/Read permission to schedule builds of projects
without having Item/Build permission.

CloudBees CD Plugin 1.1.22 requires Item/Build permission to schedule builds
via its HTTP endpoint.

Severity

  o SECURITY-2202: Medium
  o SECURITY-2203: Medium
  o SECURITY-2204: High
  o SECURITY-2254: Medium
  o SECURITY-2309: Medium
  o SECURITY-2311: High

Affected Versions

  o CloudBees CD Plugin up to and including 1.1.21
  o Config File Provider Plugin up to and including 3.7.0
  o Templating Engine Plugin up to and including 2.1

Fix

  o CloudBees CD Plugin should be updated to version 1.1.22
  o Config File Provider Plugin should be updated to version 3.7.1
  o Templating Engine Plugin should be updated to version 2.2

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-2254, SECURITY-2311
  o Devin Nusbaum, CloudBees, Inc. for SECURITY-2309

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================