-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1368
                   Jenkins Security Advisory 2021-04-21
                               22 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Cross-site Request Forgery      -- Remote/Unauthenticated
                   Create Arbitrary Files          -- Existing Account
                   Delete Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-21647 CVE-2021-21646 CVE-2021-21645
                   CVE-2021-21644 CVE-2021-21643 CVE-2021-21642

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2021-04-21/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2021-04-21

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o CloudBees CD Plugin
  o Config File Provider Plugin
  o Templating Engine Plugin

Descriptions

XXE vulnerability in Config File Provider Plugin

SECURITY-2204 / CVE-2021-21642

Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser
to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to define Maven configuration files to
have Jenkins parse a crafted configuration file that uses external entities for
extraction of secrets from the Jenkins controller or server-side request
forgery.

Config File Provider Plugin 3.7.1 disables external entity resolution for its
XML parser.
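The following is an added illustration, not code from the advisory or from the
Config File Provider Plugin, of what "disables external entity resolution"
means for a JAXP parser. It builds a constructed Maven settings.xml whose
DOCTYPE declares an external entity pointing at a temporary file (standing in
for a secret on the controller), parses it once with a default
DocumentBuilderFactory and once with a hardened one. The default parser
substitutes the file contents into the <username> element; the hardened parser
rejects the DOCTYPE before any entity is fetched. The class name, the temp file
and the secret string are assumptions made for the demonstration.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    /** Constructed settings.xml: the external entity is resolved where a Maven server username would go. */
    static String settingsWithEntity(String secretUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE settings [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretUri + "\">\n"
             + "]>\n"
             + "<settings><servers><server>\n"
             + "  <id>nexus</id><username>&xxe;</username>\n"
             + "</server></servers></settings>";
    }

    /** The vulnerable configuration: JAXP defaults, which resolve external entities. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** The hardened configuration: no DOCTYPE at all, and every external-fetch path switched off. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the document and returns the text of the first <username> element. */
    static String parseUsername(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("username").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // A temp file stands in for a secret on the controller (assumption for the demo).
        File secret = File.createTempFile("controller-secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "constructed-secret-token".getBytes(StandardCharsets.UTF_8));
        String xml = settingsWithEntity(secret.toURI().toString());

        // Default parser: the entity is resolved and the file contents leak into the DOM.
        System.out.println("default parser: username = " + parseUsername(defaultFactory(), xml));

        // Hardened parser: disallow-doctype-decl makes the parser fail on the DOCTYPE itself.
        try {
            parseUsername(hardenedFactory(), xml);
            System.out.println("hardened parser: unexpectedly accepted the document");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE outright is the strongest setting and is appropriate
for configuration files, which never legitimately need one; the remaining
feature switches are belt-and-braces for parsers that honour only some of
them. Jenkins core also ships a pre-hardened parser in jenkins.util.xml.XMLUtils
which plugin code can use instead of configuring a factory by hand; a plugin
that calls DocumentBuilderFactory.newInstance() directly on user-supplied
input is the pattern to look for when auditing for this class of bug.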

Incorrect permission checks in Config File Provider Plugin allow enumerating
credentials IDs

SECURITY-2254 / CVE-2021-21643

Config File Provider Plugin 3.7.0 and earlier does not correctly perform
permission checks in several HTTP endpoints.

This allows attackers with global Job/Configure permission to enumerate
system-scoped credentials IDs of credentials stored in Jenkins. Those can be
used as part of an attack to capture the credentials using another
vulnerability.

An enumeration of system-scoped credentials IDs in Config File Provider Plugin
3.7.1 requires Overall/Administer permission.

CSRF vulnerability in Config File Provider Plugin allows deleting configuration
files

SECURITY-2202 / CVE-2021-21644

Config File Provider Plugin 3.7.0 and earlier does not require POST requests
for an HTTP endpoint, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to delete configuration files corresponding
to an attacker-specified ID.

This is due to an incomplete fix of SECURITY-938.

Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP
endpoint.

Missing permission checks in Config File Provider Plugin allow enumerating
configuration file IDs

SECURITY-2203 / CVE-2021-21645

Config File Provider Plugin 3.7.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate configuration
file IDs.

An enumeration of configuration file IDs in Config File Provider Plugin 3.7.1
requires the appropriate permissions.

Remote code execution vulnerability in Templating Engine Plugin

SECURITY-2311 / CVE-2021-21646

Templating Engine Plugin 2.1 and earlier does not protect its pipeline
configurations using Script Security Plugin.

This vulnerability allows attackers with Job/Configure permission to execute
arbitrary code in the context of the Jenkins controller JVM.

Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect
its pipeline configurations.
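The following is an added example, not code from the Templating Engine Plugin
or the advisory, of the difference between evaluating user-supplied Groovy
directly and routing it through Script Security. The "pipeline configuration"
text is constructed for the demonstration; the SecureGroovyScript and
ApprovalContext calls are the documented Script Security Plugin API as the
editor recalls it, so check the signatures against the plugin version you
compile against. The class name is an assumption.

```java
import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;
import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;

public class PipelineConfigEvaluator {

    /**
     * Constructed attacker-controlled configuration text. Anyone who can
     * set this string gets whatever the evaluator lets Groovy do.
     */
    static final String MALICIOUS_CONFIG =
          "def p = ['id', '-un'].execute()\n"   // spawns a process in the controller JVM
        + "p.waitFor()\n"
        + "return p.text.trim()";

    /**
     * The SECURITY-2311 pattern: a plain GroovyShell. Job/Configure is enough
     * to run arbitrary code as the Jenkins controller process.
     */
    static Object evaluateUnprotected(String source) {
        return new GroovyShell(new Binding()).evaluate(source);
    }

    /**
     * The fix: compile and run the text through Script Security. With
     * sandbox=true only whitelisted signatures are callable; a call such as
     * List.execute() throws RejectedAccessException and is recorded in
     * "In-process Script Approval" for an administrator to review.
     * With sandbox=false the whole script would instead need explicit
     * administrator approval before it runs at all.
     */
    static Object evaluateSandboxed(String source, ClassLoader loader) throws Exception {
        SecureGroovyScript script = new SecureGroovyScript(source, true, null)
                .configuring(ApprovalContext.create().withCurrentUser());
        return script.evaluate(loader, new Binding());
    }

    public static void main(String[] args) throws Exception {
        // Not called here on purpose: evaluateUnprotected(MALICIOUS_CONFIG) would run `id -un`.
        try {
            evaluateSandboxed(MALICIOUS_CONFIG, PipelineConfigEvaluator.class.getClassLoader());
            System.out.println("sandbox unexpectedly allowed the call");
        } catch (RejectedAccessException e) {
            System.out.println("sandbox rejected: " + e.getMessage());
        }
    }
}
```

The evaluation must happen inside a running Jenkins (the approval store and
whitelists are extensions loaded by the controller), so this is a plugin
component rather than a stand-alone program. The review question for any
plugin that accepts Groovy or Groovy-like configuration from users with
Job/Configure is the same as here: does the text ever reach a GroovyShell
that Script Security did not construct.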

Missing permission check in CloudBees CD Plugin allows scheduling builds

SECURITY-2309 / CVE-2021-21647

CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in
an HTTP endpoint.

This allows attackers with Item/Read permission to schedule builds of projects
without having Item/Build permission.

CloudBees CD Plugin 1.1.22 requires Item/Build permission to schedule builds
via its HTTP endpoint.
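Four of the six issues above (SECURITY-2202, -2203, -2254 and -2309) are the
same two Stapler mistakes: a state-changing web method reachable by GET, and a
web method with no permission check at all. The following is an added
example, not code from any of the affected plugins, showing the hardened shape
of such endpoints in a hypothetical RootAction. The URL name, the in-memory
configuration store and the choice of Overall/Administer for the file
endpoints are assumptions for the demonstration; the Item/Build check on the
build endpoint is what the CloudBees CD fix describes.

```java
import hudson.Extension;
import hudson.model.BuildableItem;
import hudson.model.Cause;
import hudson.model.Item;
import hudson.model.RootAction;
import hudson.util.ListBoxModel;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical action bound at /hardened-demo/ (example only, not a real plugin). */
@Extension
public class HardenedDemoAction implements RootAction {

    /** Stands in for a plugin's configuration-file store; constructed for the example. */
    private final Map<String, String> configFiles = new ConcurrentHashMap<>();

    // The SECURITY-2202 pattern, kept as a comment so it cannot be deployed by accident:
    //
    //   public HttpResponse doRemove(@QueryParameter String id) {
    //       configFiles.remove(id);      // an <img src="/hardened-demo/remove?id=X"> on any
    //       return HttpResponses.ok();   // page the victim views deletes file X
    //   }

    /**
     * Deletes a configuration file. @RequirePOST makes Stapler refuse GET, so
     * the request has to be a POST, and Jenkins' crumb filter then demands a
     * valid CSRF token on that POST. The permission check is still needed:
     * without it any logged-in user's own POST would succeed.
     */
    @RequirePOST
    public HttpResponse doRemove(@QueryParameter String id) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);   // assumed permission for this store
        if (configFiles.remove(id) == null) {
            return HttpResponses.notFound();
        }
        return HttpResponses.ok();
    }

    /**
     * The SECURITY-2203 / -2254 pattern: a doFill... endpoint that lists IDs.
     * Read-only, so GET is acceptable, but the caller must be authorized.
     * Form-filling endpoints return an empty model rather than throwing, so a
     * user without the permission sees nothing instead of an error page.
     */
    public ListBoxModel doFillFileIdItems() {
        ListBoxModel model = new ListBoxModel();
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {   // assumed permission
            return model;
        }
        for (String id : configFiles.keySet()) {
            model.add(id);
        }
        return model;
    }

    /**
     * The SECURITY-2309 pattern. Being able to name the job (Item/Read) must
     * not be enough; the check is Item/Build on the target item itself.
     */
    @RequirePOST
    public HttpResponse doTriggerBuild(@QueryParameter String job) {
        BuildableItem target = Jenkins.get().getItemByFullName(job, BuildableItem.class);
        if (target == null) {
            return HttpResponses.notFound();   // also hides items the caller cannot read
        }
        target.checkPermission(Item.BUILD);
        target.scheduleBuild(new Cause.UserIdCause());
        return HttpResponses.ok();
    }

    @Override public String getIconFileName() { return null; }   // no sidebar link
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "hardened-demo"; }
}
```

When auditing a plugin for these issues, grep for public methods named do*
and check each one for two things: an @RequirePOST (or @POST) annotation if
the method changes state, and a checkPermission or hasPermission call against
the object the method actually operates on, not merely Overall/Read.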

Severity

  o SECURITY-2202: Medium
  o SECURITY-2203: Medium
  o SECURITY-2204: High
  o SECURITY-2254: Medium
  o SECURITY-2309: Medium
  o SECURITY-2311: High

Affected Versions

  o CloudBees CD Plugin up to and including 1.1.21
  o Config File Provider Plugin up to and including 3.7.0
  o Templating Engine Plugin up to and including 2.1

Fix

  o CloudBees CD Plugin should be updated to version 1.1.22
  o Config File Provider Plugin should be updated to version 3.7.1
  o Templating Engine Plugin should be updated to version 2.2

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-2254, SECURITY-2311
  o Devin Nusbaum, CloudBees, Inc. for SECURITY-2309

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----