===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3884
                    Jenkins Security Advisory 2021-11-12
                              15 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Active Choices Plugin
                   OWASP Dependency-Check Plugin
                   Performance Plugin
                   pom2config Plugin
                   Scriptler Plugin
                   Squash TM Publisher (Squash4Jenkins) Plugin
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
                   Cross-site Scripting      -- Existing Account
                   Access Confidential Data  -- Existing Account
                   Reduced Security          -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43578 CVE-2021-43577 CVE-2021-43576
                   CVE-2021-21701 CVE-2021-21700 CVE-2021-21699

Original Bulletin:
   https://www.jenkins.io/security/advisory/2021-11-12/

--------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2021-11-12

This advisory announces vulnerabilities in the following Jenkins deliverables:

o Active Choices Plugin
o OWASP Dependency-Check Plugin
o Performance Plugin
o pom2config Plugin
o Scriptler Plugin
o Squash TM Publisher (Squash4Jenkins) Plugin

Descriptions

Stored XSS vulnerability in Active Choices Plugin

SECURITY-2219 / CVE-2021-21699

Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of
reactive parameters and dynamic reference parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

Active Choices Plugin 2.5.7 escapes references to parameter names.

Stored XSS vulnerability in Scriptler Plugin

SECURITY-2406 / CVE-2021-21700

Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI
when asking to confirm their deletion.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to create Scriptler scripts.

Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to
confirm their deletion.

XXE vulnerability in Performance Plugin

SECURITY-2394 / CVE-2021-21701

Performance Plugin 3.20 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse
a crafted XML report file that uses external entities for extraction of secrets
from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

XXE vulnerability in pom2config Plugin

SECURITY-2415 / CVE-2021-43576

pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers with Overall/Read and Item/Read permissions to have
Jenkins parse a crafted XML file that uses external entities for extraction of
secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

XXE vulnerability in OWASP Dependency-Check Plugin

SECURITY-2488 / CVE-2021-43577

OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse
a crafted XML file that uses external entities for extraction of secrets from
the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

Arbitrary file write vulnerability in Squash TM Publisher (Squash4Jenkins) Plugin

SECURITY-2525 / CVE-2021-43578

Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an
agent-to-controller message that does not implement any validation of its
input.

This allows attackers able to control agent processes to replace arbitrary
files on the Jenkins controller file system with an attacker-controlled JSON
string.

As of publication of this advisory, there is no fix.

Severity

o SECURITY-2219: High
o SECURITY-2394: High
o SECURITY-2406: High
o SECURITY-2415: High
o SECURITY-2488: High
o SECURITY-2525: High

Affected Versions

o Active Choices Plugin up to and including 2.5.6
o OWASP Dependency-Check Plugin up to and including 5.1.1
o Performance Plugin up to and including 3.20
o pom2config Plugin up to and including 1.2
o Scriptler Plugin up to and including 3.3
o Squash TM Publisher (Squash4Jenkins) Plugin up to and including 1.0.0

Fix

o Active Choices Plugin should be updated to version 2.5.7
o Scriptler Plugin should be updated to version 3.4

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

o OWASP Dependency-Check Plugin
o Performance Plugin
o pom2config Plugin
o Squash TM Publisher (Squash4Jenkins) Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

o Adith Sudhakar working with Trend Micro Zero Day Initiative for
  SECURITY-2394, SECURITY-2415
o Daniel Beck, CloudBees, Inc. for SECURITY-2525
o Guy Lederfein of Trend Micro for SECURITY-2406
o Kevin Guerroudj, and, independently, Audrey Prieur of Trend Micro for
  SECURITY-2219
o haby0 (Duxiaoman Financial Security Team) for SECURITY-2488

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.