-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3884
                   Jenkins Security Advisory 2021-11-12
                             15 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Active Choices Plugin
                   OWASP Dependency-Check Plugin
                   Performance Plugin
                   pom2config Plugin
                   Scriptler Plugin
                   Squash TM Publisher (Squash4Jenkins) Plugin
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Overwrite Arbitrary Files -- Existing Account
                   Cross-site Scripting      -- Existing Account
                   Access Confidential Data  -- Existing Account
                   Reduced Security          -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43578 CVE-2021-43577 CVE-2021-43576
                   CVE-2021-21701 CVE-2021-21700 CVE-2021-21699

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2021-11-12/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2021-11-12  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Active Choices Plugin
  o OWASP Dependency-Check Plugin
  o Performance Plugin
  o pom2config Plugin
  o Scriptler Plugin
  o Squash TM Publisher (Squash4Jenkins) Plugin

Descriptions  

Stored XSS vulnerability in Active Choices Plugin  

SECURITY-2219 / CVE-2021-21699

Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of
reactive parameters and dynamic reference parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Job/Configure permission.

Active Choices Plugin 2.5.7 escapes references to parameter names.

Stored XSS vulnerability in Scriptler Plugin  

SECURITY-2406 / CVE-2021-21700

Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI
when asking to confirm their deletion.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to create Scriptler scripts.

Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to
confirm their deletion.
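Both XSS entries above have the same shape: a name that a low-privileged user controls (a parameter name in Active Choices, a script name in Scriptler) is placed into HTML without escaping. The following is an added illustration written for this bulletin, not code from either plugin, showing the unescaped rendering beside the escaped one. The class, method names and the "delete confirmation" markup are hypothetical stand-ins for the affected views.

```java
/**
 * Added illustration (not code from the Active Choices or Scriptler plugins):
 * a user-controlled name pasted into HTML verbatim becomes stored XSS; the
 * same rendering with HTML escaping defuses it. Names below are hypothetical.
 */
public class NameEscapingDemo {

    /** Minimal HTML escaper covering the five characters that matter in text and attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: the name is concatenated into markup as-is. */
    static String renderConfirmUnsafe(String scriptName) {
        return "<p>Delete script <b>" + scriptName + "</b>?</p>";
    }

    /** Hardened pattern: every untrusted value is escaped at the point it enters HTML. */
    static String renderConfirmSafe(String scriptName) {
        return "<p>Delete script <b>" + escapeHtml(scriptName) + "</b>?</p>";
    }

    public static void main(String[] args) {
        // Constructed payload of the kind a user who can create scripts or configure
        // jobs could store as a name; it fires for every admin who opens the page.
        String name = "x<img src=x onerror=alert(document.domain)>";
        System.out.println(renderConfirmUnsafe(name)); // <img ...> lands in the page as live markup
        System.out.println(renderConfirmSafe(name));   // rendered as literal text: x&lt;img ...&gt;
    }
}
```

In a real Jenkins plugin the escaping belongs in the Jelly view or the JavaScript that builds the DOM rather than in a hand-rolled helper; Jenkins core ships `hudson.Util.escape` and `hudson.Util.xmlEscape` for server-side output. The point the advisory makes is about the permission boundary: Job/Configure (Active Choices) and script creation (Scriptler) are routinely granted to non-administrators, so an unescaped name there is an escalation path to whoever views the page.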

XXE vulnerability in Performance Plugin  

SECURITY-2394 / CVE-2021-21701

Performance Plugin 3.20 and earlier does not configure its XML parser to
prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse
a crafted XML report file that uses external entities for extraction of secrets
from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

XXE vulnerability in pom2config Plugin  

SECURITY-2415 / CVE-2021-43576

pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent
XML external entity (XXE) attacks.

This allows attackers with Overall/Read and Item/Read permissions to have
Jenkins parse a crafted XML file that uses external entities for extraction of
secrets from the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.

XXE vulnerability in OWASP Dependency-Check Plugin  

SECURITY-2488 / CVE-2021-43577

OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML
parser to prevent XML external entity (XXE) attacks.

This allows attackers able to control workspace contents to have Jenkins parse
a crafted XML file that uses external entities for extraction of secrets from
the Jenkins controller or server-side request forgery.

As of publication of this advisory, there is no fix.
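The three XXE entries (SECURITY-2394, SECURITY-2415 and SECURITY-2488) describe the same defect: a JAXP parser left at its defaults, which resolve `SYSTEM` entities. The following is an added illustration written for this bulletin, not code from the Performance, pom2config or OWASP Dependency-Check plugins. It parses a constructed report file with a default `DocumentBuilderFactory` and then with one configured to refuse DTDs and external entities; the file referenced in the entity is a placeholder chosen for the demo.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added illustration, not code from the affected plugins: the default JAXP
 * setup that makes a workspace report file XXE-capable, beside a hardened
 * setup. Report structure and entity target are constructed for the demo.
 */
public class XxeHardeningDemo {

    /** Constructed "report" of the kind an attacker with workspace write access could drop. */
    static final String CRAFTED_REPORT =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE report [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<report><name>&xxe;</name></report>\n";

    /** Vulnerable: factory defaults resolve external entities and inline them into the DOM. */
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened: reject DOCTYPE outright (the single most effective switch), then belt and braces. */
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the report and returns the text of <name>, which is where the entity expands. */
    static String parseName(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Unsafe: <name> now carries the referenced file's contents. With an http:// URL
        // instead, the controller would make the request, which is the SSRF variant.
        System.out.println("unsafe: " + parseName(unsafeBuilder(), CRAFTED_REPORT));
        try {
            parseName(safeBuilder(), CRAFTED_REPORT);
        } catch (SAXParseException e) {
            // Expected: the parser refuses the document at the DOCTYPE declaration.
            System.out.println("safe: rejected -> " + e.getMessage());
        }
    }
}
```

Jenkins core provides `jenkins.util.xml.XMLUtils`, whose `parse` methods apply an equivalent configuration, so plugin code normally has no reason to build its own factory. Until fixed releases of the three plugins exist, the operational consequence is the one the advisory spells out: anyone who can write to a workspace (a job with shell access, a compromised agent, a pull request that lands an XML file in the checkout) can read files from the controller, so either remove the plugin or treat workspace write access as controller read access when reviewing who holds it.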

Arbitrary file write vulnerability in Squash TM Publisher (Squash4Jenkins)
Plugin  

SECURITY-2525 / CVE-2021-43578

Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an
agent-to-controller message that does not implement any validation of its
input.

This allows attackers able to control agent processes to replace arbitrary
files on the Jenkins controller file system with an attacker-controlled JSON
string.

As of publication of this advisory, there is no fix.
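The Squash TM entry is an agent-to-controller trust problem: the controller accepts a message from an agent and writes the supplied JSON to whatever path the message names. The following is an added illustration written for this bulletin, not the plugin's own code; the message type, its field names and the report directory are hypothetical. It shows the handler that trusts the agent-supplied path beside one that confines the write.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Added illustration, not the Squash TM Publisher plugin's code: an
 * agent-to-controller message that writes a JSON string to a file, first
 * trusting the agent-named path, then confining it. All names are hypothetical.
 */
public class AgentMessageValidationDemo {

    /** What the controller receives: both fields are attacker-controlled if the agent is. */
    static final class WriteReportMessage {
        final String targetPath;
        final String json;
        WriteReportMessage(String targetPath, String json) {
            this.targetPath = targetPath;
            this.json = json;
        }
    }

    /** Vulnerable handler: any controller path the agent names is overwritten with the agent's bytes. */
    static void handleUnsafe(WriteReportMessage m) throws IOException {
        Files.write(Paths.get(m.targetPath), m.json.getBytes(StandardCharsets.UTF_8));
    }

    /** A bare file name, no separators, bounded length; traversal is impossible by construction. */
    static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,100}\\.json");
    static final int MAX_BYTES = 1 << 20;

    /**
     * Hardened handler: the agent may only choose a simple file name, which is resolved
     * under a controller-chosen directory; the write is refused if it would leave that
     * directory, follow a pre-planted symlink, or exceed a size bound.
     */
    static Path handleSafe(Path baseDir, WriteReportMessage m) throws IOException {
        String name = m.targetPath;
        if (!SAFE_NAME.matcher(name).matches()) {
            throw new IOException("rejected report name: " + name);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("path escapes report directory: " + name);
        }
        byte[] body = m.json.getBytes(StandardCharsets.UTF_8);
        if (body.length > MAX_BYTES) {
            throw new IOException("report too large: " + body.length + " bytes");
        }
        Files.createDirectories(base);
        if (Files.isSymbolicLink(target)) {
            throw new IOException("target is a symlink: " + name);
        }
        return Files.write(target, body);
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("squash-reports");
        // Constructed message naming a controller-side path no agent should be able to reach.
        WriteReportMessage hostile =
            new WriteReportMessage("../../../../etc/cron.d/backdoor", "{\"x\":1}");
        try {
            handleSafe(base, hostile);
        } catch (IOException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println("wrote " + handleSafe(base, new WriteReportMessage("build-42.json", "{\"ok\":true}")));
    }
}
```

In a real plugin this logic lives in the `call()` of the object the agent sends back (Jenkins' `jenkins.security.SlaveToMasterCallable` is the base class for that direction), and the stronger design is to not let the agent choose the destination at all: have the controller pick the file under the build directory and accept only the payload. Until a fixed release exists, the advisory's precondition is the thing to review: every agent whose process a non-administrator can influence (shared build machines, cloud agents running untrusted pipelines) can overwrite arbitrary controller files through this plugin.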

Severity  

  o SECURITY-2219: High
  o SECURITY-2394: High
  o SECURITY-2406: High
  o SECURITY-2415: High
  o SECURITY-2488: High
  o SECURITY-2525: High

Affected Versions  

  o Active Choices Plugin up to and including 2.5.6
  o OWASP Dependency-Check Plugin up to and including 5.1.1
  o Performance Plugin up to and including 3.20
  o pom2config Plugin up to and including 1.2
  o Scriptler Plugin up to and including 3.3
  o Squash TM Publisher (Squash4Jenkins) Plugin up to and including 1.0.0

Fix  

  o Active Choices Plugin should be updated to version 2.5.7
  o Scriptler Plugin should be updated to version 3.4

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o OWASP Dependency-Check Plugin
  o Performance Plugin
  o pom2config Plugin
  o Squash TM Publisher (Squash4Jenkins) Plugin

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Adith Sudhakar working with Trend Micro Zero Day Initiative for
    SECURITY-2394, SECURITY-2415
  o Daniel Beck, CloudBees, Inc. for SECURITY-2525
  o Guy Lederfein of Trend Micro for SECURITY-2406
  o Kevin Guerroudj and, independently, Audrey Prieur of Trend Micro for
    SECURITY-2219
  o haby0 (Duxiaoman Financial Security Team) for SECURITY-2488

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----