===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0196
                   Jenkins Security Advisory 2022-01-12
                              14 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Core
                   Jenkins plugins
Publisher:         Jenkins
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Cross-site Request Forgery      -- Unknown/Unspecified   
                   Cross-site Scripting            -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-23118 CVE-2022-23117 CVE-2022-23116
                   CVE-2022-23115 CVE-2022-23114 CVE-2022-23113
                   CVE-2022-23112 CVE-2022-23111 CVE-2022-23110
                   CVE-2022-23109 CVE-2022-23108 CVE-2022-23107
                   CVE-2022-23106 CVE-2022-23105 CVE-2022-20621
                   CVE-2022-20620 CVE-2022-20619 CVE-2022-20618
                   CVE-2022-20617 CVE-2022-20616 CVE-2022-20615
                   CVE-2022-20614 CVE-2022-20613 CVE-2022-20612

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2022-01-12/

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2022-01-12  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Jenkins (core)
  o Active Directory Plugin
  o Badge Plugin
  o batch task Plugin
  o Bitbucket Branch Source Plugin
  o Configuration as Code Plugin
  o Conjur Secrets Plugin
  o Credentials Binding Plugin
  o Debian Package Builder Plugin
  o Docker Commons Plugin
  o HashiCorp Vault Plugin
  o Mailer Plugin
  o Matrix Project Plugin
  o Metrics Plugin
  o Publish Over SSH Plugin
  o SSH Agent Plugin
  o Warnings Next Generation Plugin

Descriptions  

CSRF vulnerability in build triggers  

SECURITY-2558 / CVE-2022-20612

Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST
requests for the HTTP endpoint handling manual build requests when no security
realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to trigger builds of jobs that have no parameters.

Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP
endpoint.

CSRF vulnerability and missing permission checks in Mailer Plugin  

SECURITY-2163 / CVE-2022-20613 (CSRF), CVE-2022-20614 (missing permission
check)

Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier does not perform a permission
check in a method implementing form validation.

This allows attackers with Overall/Read access to use the DNS used by the
Jenkins instance to resolve an attacker-specified hostname.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Mailer Plugin 408.vd726a_1130320 requires POST requests and Overall/Administer
permission for the affected form validation method.

Stored XSS vulnerability in Matrix Project Plugin  

SECURITY-2017 / CVE-2022-20615

Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in
node and label names, and label descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Agent/Configure permission.

Matrix Project Plugin 1.20 escapes HTML metacharacters in node and label names,
and label descriptions.

Missing permission check in Credentials Binding Plugin allows validating secret
file credentials IDs  

SECURITY-2342 / CVE-2022-20616

Credentials Binding Plugin 1.27 and earlier does not perform a permission check
in a method implementing form validation.

This allows attackers with Overall/Read access to check whether a credential ID
refers to a secret file credential and whether that file is a zip file.

Credentials Binding Plugin 1.27.1 performs permission checks when validating
secret file credentials IDs.

OS command execution vulnerability in Docker Commons Plugin  

SECURITY-1878 / CVE-2022-20617

Docker Commons Plugin 1.17 and earlier does not sanitize the name of an image
or a tag.

This results in an OS command execution vulnerability exploitable by attackers
with Item/Configure permission or able to control the contents of a previously
configured job's SCM repository.

Docker Commons Plugin 1.18 sanitizes the name of an image or a tag.
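As an added illustration of the kind of sanitization the fix describes (this is not the plugin's own code), the validator below accepts only image names and tags that match the reference grammar Docker itself uses, and then assembles the command as an argument list so that no shell ever parses the values. The `docker pull` form and the sample references are assumptions.

```python
import re

# Patterns modelled on the image-reference grammar used by Docker
# (distribution/reference). The advisory does not show the plugin's own
# check, so this is an illustrative validator rather than the fixed code.
_ALNUM = r"[a-z0-9]+"
_COMPONENT = rf"{_ALNUM}(?:(?:[._]|__|-+){_ALNUM})*"
_DOMAIN_PART = r"(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9-]*[a-zA-Z0-9])"
_DOMAIN = rf"{_DOMAIN_PART}(?:\.{_DOMAIN_PART})*(?::[0-9]+)?"
# Optional registry host, then one or more lowercase path components.
NAME_RE = re.compile(rf"^(?:{_DOMAIN}/)?{_COMPONENT}(?:/{_COMPONENT})*$", re.ASCII)
# A tag: one word character followed by up to 127 word characters, dots or dashes.
TAG_RE = re.compile(r"^[\w][\w.-]{0,127}$", re.ASCII)


def is_valid_image_name(name: str) -> bool:
    """True only for names built from the allowed character set; anything a
    shell would interpret (spaces, ';', '$', backticks, ...) cannot match."""
    return 0 < len(name) <= 255 and NAME_RE.match(name) is not None


def is_valid_tag(tag: str) -> bool:
    return TAG_RE.match(tag) is not None


def docker_pull_argv(image: str, tag: str) -> list[str]:
    """Return the argument vector for pulling image:tag, rejecting unsafe
    input first. Handing this list to subprocess.run() without shell=True
    means the values are never parsed by a shell, which is the second layer
    of defence behind the allow-list."""
    if not is_valid_image_name(image):
        raise ValueError(f"invalid image name: {image!r}")
    if not is_valid_tag(tag):
        raise ValueError(f"invalid tag: {tag!r}")
    return ["docker", "pull", f"{image}:{tag}"]


if __name__ == "__main__":
    # Constructed samples: two well-formed references and two carrying the
    # kind of shell metacharacters an unsanitized value could smuggle in.
    for image, tag in [("library/alpine", "3.15"),
                       ("registry.example.com:5000/team/app", "v1.0_rc-2"),
                       ("alpine; echo injected", "latest"),
                       ("library/alpine", "3.15$(id)")]:
        try:
            print("accepted:", docker_pull_argv(image, tag))
        except ValueError as err:
            print("rejected:", err)
```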

Missing permission checks in Bitbucket Branch Source Plugin allow enumerating
credentials IDs  

SECURITY-2033 / CVE-2022-20618

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not perform
permission checks in several HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of
credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

An enumeration of credentials IDs in Bitbucket Branch Source Plugin
746.v350d2781c184 requires the appropriate permissions.

CSRF vulnerability in Bitbucket Branch Source Plugin allows capturing
credentials  

SECURITY-2467 / CVE-2022-20619

Bitbucket Branch Source Plugin 737.vdf9dc06105be and earlier does not require
POST requests for an HTTP endpoint, resulting in a cross-site request forgery
(CSRF) vulnerability.

This allows attackers with Overall/Read access to connect to an
attacker-specified URL using attacker-specified credentials IDs obtained
through another method, capturing credentials stored in Jenkins.

Bitbucket Branch Source Plugin 746.v350d2781c184 requires POST requests for the
affected HTTP endpoint.

Missing permission checks in SSH Agent Plugin allow enumerating credentials IDs

SECURITY-2189 / CVE-2022-20620

SSH Agent Plugin 1.23 and earlier does not perform permission checks in several
HTTP endpoints.

This allows attackers with Overall/Read access to enumerate credentials IDs of
credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

An enumeration of credentials IDs in SSH Agent Plugin 1.23.2 requires the
appropriate permissions.

Access key stored in plain text by Metrics Plugin  

SECURITY-1624 / CVE-2022-20621

Metrics Plugin 4.0.2.8 and earlier stores access keys unencrypted in its global
configuration file jenkins.metrics.api.MetricsAccessKey.xml on the Jenkins
controller as part of its configuration.

This access key can be viewed by users with access to the Jenkins controller
file system.

Metrics Plugin 4.0.2.8.1 stores the access key encrypted once its configuration
is saved again.

Additionally, the token value is only displayed once when it is generated.

User passwords transmitted in plain text by Active Directory Plugin  

SECURITY-1389 / CVE-2022-23105

Active Directory Plugin implements two separate modes: integration with ADSI on
Windows, and an OS agnostic LDAP-based mode.

Active Directory Plugin 2.25 and earlier does not encrypt the transmission of
data between the Jenkins controller and Active Directory servers unless it is
configured to use the OS agnostic LDAP mode and the system property
hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps is set
to true.

This allows attackers able to capture network traffic between the Jenkins
controller and Active Directory servers to obtain credentials of users logging
into Jenkins, as well as credentials of the manager DN (LDAP mode) or the
Windows/Active Directory user Jenkins is running as (ADSI mode).

Active Directory Plugin 2.25.1 adds an option to only connect to Active
Directory via TLS/SSL to both modes (ADSI and LDAP). This option is enabled by
default for new installations and is now the recommended way to enforce TLS/SSL
for connections to Active Directory. Unlike the existing StartTLS option for
the LDAP-based mode, it will not proceed using an insecure connection if
establishing a TLS/SSL connection fails.

Administrators upgrading from previous versions of the plugin will be shown a
warning on the Jenkins UI requesting they update the plugin configuration
unless the (now otherwise obsolete) flag
hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set
to true.

Note: The plugin exposes configuration of the ADSI flags implementing the
TLS/SSL requirement via the system properties
hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_FLAGS_OVERRIDE
and
hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE.
See the plugin documentation for further details.

Note: Care needs to be taken when reconfiguring the security realm to not
accidentally lock yourself out. See the documentation for advice on how to
resolve this problem if it occurs.

Non-constant time token comparison in Configuration as Code Plugin  

SECURITY-2141 / CVE-2022-23106

Configuration as Code Plugin 1.55 and earlier does not use a constant-time
comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a
valid authentication token.

Configuration as Code Plugin 1.55.1 now uses a constant-time comparison when
validating authentication tokens.

Path traversal vulnerability in Warnings Next Generation Plugin  

SECURITY-2090 / CVE-2022-23107

Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name
of a file when configuring a custom ID.

This allows attackers with Item/Configure permission to write and read specific
files with a hard-coded suffix on the Jenkins controller file system.

Warnings Next Generation Plugin 9.10.3 checks for the presence of prohibited
directory separator characters in the custom ID.
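The following added example (not the plugin's code) shows the separator check the fix describes next to a stricter allow-list and a resolved-path check a hardened implementation can layer behind it. The base directory and the fixed suffix are placeholders, since the advisory names neither.

```python
import re
from pathlib import Path

# Assumed layout, not taken from the plugin: report files are kept under a
# base directory and named from the custom ID plus a fixed suffix. Both
# values below are placeholders.
BASE_DIR = Path("/var/lib/jenkins/jobs/example/warnings")  # placeholder
FIXED_SUFFIX = "-report.xml"                                # placeholder

# The check described for 9.10.3: refuse directory separators outright.
_SEPARATORS = re.compile(r"[/\\]")
# A stricter allow-list an author might choose instead: ID-like characters
# only, which also rules out '..' and hidden-file prefixes.
_ALLOWED = re.compile(r"^[A-Za-z0-9_-]+$")


def has_separator(custom_id: str) -> bool:
    return _SEPARATORS.search(custom_id) is not None


def is_safe_custom_id(custom_id: str) -> bool:
    return _ALLOWED.match(custom_id) is not None


def resolves_inside_base(custom_id: str) -> bool:
    """Where an unchecked ID would land: True when BASE_DIR/<id><suffix>,
    after collapsing '..', is still below BASE_DIR. Nothing is written."""
    target = (BASE_DIR / (custom_id + FIXED_SUFFIX)).resolve()
    return BASE_DIR.resolve() in target.parents


def report_path(custom_id: str) -> Path:
    """Path a hardened implementation would write to: validate the ID, then
    confirm the resolved path is still inside BASE_DIR as a second layer."""
    if not is_safe_custom_id(custom_id):
        raise ValueError(f"rejected custom ID: {custom_id!r}")
    if not resolves_inside_base(custom_id):
        raise ValueError("resolved path escapes the base directory")
    return BASE_DIR / (custom_id + FIXED_SUFFIX)


if __name__ == "__main__":
    # Constructed IDs: two ordinary ones and two that would leave BASE_DIR
    # (the backslash form only escapes on Windows, which is why the
    # separator check covers both characters).
    for cid in ("checkstyle-main", "spotbugs_2",
                "../../../../etc/passwd", "..\\..\\secrets"):
        print(f"{cid!r}: separator={has_separator(cid)} "
              f"allowed={is_safe_custom_id(cid)} inside={resolves_inside_base(cid)}")
```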

Stored XSS vulnerability in Badge Plugin  

SECURITY-2547 / CVE-2022-23108

Badge Plugin allows adding custom build badges with a custom description and
optionally a link to a URL.

Badge Plugin 1.9 and earlier does not escape the description and does not check
for allowed protocols when creating a badge.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

Badge Plugin 1.9.1 escapes the description and checks for allowed protocols
when creating a badge.

Improper credentials masking in HashiCorp Vault Plugin  

SECURITY-2213 / CVE-2022-23109

Pipelines display commands executed in their Pipeline step descriptions and
their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin
2.84 and earlier specified an allowlist of known non-sensitive variables and
masked everything else. This caused problems, so Pipeline: Groovy Plugin 2.85
and newer expects pipeline steps to explicitly specify that variables are to be
treated as sensitive and should be removed from output.

HashiCorp Vault Plugin 3.7.0 and earlier relied on the previous behavior and
did not explicitly declare variables as sensitive or redact them.

This can result in exposure of Vault credentials in Pipeline build logs and
Pipeline step descriptions.

HashiCorp Vault Plugin 3.8.0 explicitly masks Vault credentials in build logs
and Pipeline step descriptions.

This fix only applies to new builds. Administrators are advised to review build
logs and Pipeline metadata files created before HashiCorp Vault Plugin 3.8.0
for the presence of Vault credentials.

Stored XSS vulnerability in Publish Over SSH Plugin  

SECURITY-2287 / CVE-2022-23110

Publish Over SSH Plugin 1.22 and earlier does not escape the SSH server name.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Overall/Administer permission.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Publish Over SSH Plugin  

SECURITY-2290 / CVE-2022-23111 (CSRF), CVE-2022-23112 (missing permission
check)

Publish Over SSH Plugin 1.22 and earlier does not perform permission checks in
methods implementing connection tests.

This allows attackers with Overall/Read access to connect to an
attacker-specified SSH server using attacker-specified credentials.

Additionally, these connection tests methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Path traversal vulnerability in Publish Over SSH Plugin  

SECURITY-2307 / CVE-2022-23113

Publish Over SSH Plugin 1.22 and earlier validates a configured file name by
reporting whether or not that file is present.

This results in a path traversal vulnerability allowing attackers with
Item/Configure permission to discover the names of files on the Jenkins
controller.

As of publication of this advisory, there is no fix.

Password stored in plain text by Publish Over SSH Plugin  

SECURITY-2291 / CVE-2022-23114

Publish Over SSH Plugin 1.22 and earlier stores a password unencrypted in its
global configuration file
jenkins.plugins.publish_over_ssh.BapSshPublisherPlugin.xml on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix.

CSRF vulnerability in batch task Plugin  

SECURITY-1025 / CVE-2022-23115

batch task Plugin 1.19 and earlier does not require POST requests for several
HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers with Overall/Read access to retrieve
logs, build or delete a batch task.

As of publication of this advisory, there is no fix.

Agent-to-controller security bypass in Conjur Secrets Plugin allows decrypting
secrets  

SECURITY-2522 (1) / CVE-2022-23116

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows
agent processes to obtain the plain text of any attacker-provided encrypted
secret.

This allows attackers able to control agent processes to decrypt secrets stored
in Jenkins obtained through another method.

As of publication of this advisory, there is no fix.

Agent-to-controller security bypass in Conjur Secrets Plugin allows retrieving
all credentials  

SECURITY-2522 (2) / CVE-2022-23117

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows
agent processes to obtain all username/password credentials (Credentials
Plugin) stored on the Jenkins controller.

This allows attackers able to control agent processes to retrieve those
credentials.

As of publication of this advisory, there is no fix.

Agent-to-controller security bypass in Debian Package Builder Plugin  

SECURITY-2546 / CVE-2022-23118

Debian Package Builder Plugin 1.6.11 and earlier implements functionality that
allows agent processes to invoke command-line git at an attacker-specified path
on the controller.

This allows attackers able to control agent processes to invoke arbitrary OS
commands on the controller.

As of publication of this advisory, there is no fix.

Severity  

  o SECURITY-1025: Medium
  o SECURITY-1389: Medium
  o SECURITY-1624: Low
  o SECURITY-1878: High
  o SECURITY-2017: High
  o SECURITY-2033: Medium
  o SECURITY-2090: Medium
  o SECURITY-2141: Low
  o SECURITY-2163: Medium
  o SECURITY-2189: Medium
  o SECURITY-2213: Medium
  o SECURITY-2287: Medium
  o SECURITY-2290: Medium
  o SECURITY-2291: Low
  o SECURITY-2307: Medium
  o SECURITY-2342: Low
  o SECURITY-2467: High
  o SECURITY-2522 (1): Medium
  o SECURITY-2522 (2): Medium
  o SECURITY-2546: High
  o SECURITY-2547: High
  o SECURITY-2558: Medium

Affected Versions  

  o Jenkins weekly up to and including 2.329
  o Jenkins LTS up to and including 2.319.1
  o Active Directory Plugin up to and including 2.25
  o Badge Plugin up to and including 1.9
  o batch task Plugin up to and including 1.19
  o Bitbucket Branch Source Plugin up to and including 737.vdf9dc06105be
  o Configuration as Code Plugin up to and including 1.55
  o Conjur Secrets Plugin up to and including 1.0.9
  o Credentials Binding Plugin up to and including 1.27
  o Debian Package Builder Plugin up to and including 1.6.11
  o Docker Commons Plugin up to and including 1.17
  o HashiCorp Vault Plugin up to and including 3.7.0
  o Mailer Plugin up to and including 391.ve4a_38c1b_cf4b_
  o Matrix Project Plugin up to and including 1.19
  o Metrics Plugin up to and including 4.0.2.8
  o Publish Over SSH Plugin up to and including 1.22
  o SSH Agent Plugin up to and including 1.23
  o Warnings Next Generation Plugin up to and including 9.10.2

Fix  

  o Jenkins weekly should be updated to version 2.330
  o Jenkins LTS should be updated to version 2.319.2
  o Active Directory Plugin should be updated to version 2.25.1
  o Badge Plugin should be updated to version 1.9.1
  o Bitbucket Branch Source Plugin should be updated to version
    746.v350d2781c184
  o Configuration as Code Plugin should be updated to version 1.55.1
  o Credentials Binding Plugin should be updated to version 1.27.1
  o Docker Commons Plugin should be updated to version 1.18
  o HashiCorp Vault Plugin should be updated to version 3.8.0
  o Mailer Plugin should be updated to version 408.vd726a_1130320
  o Matrix Project Plugin should be updated to version 1.20
  o Metrics Plugin should be updated to version 4.0.2.8.1
  o SSH Agent Plugin should be updated to version 1.23.2
  o Warnings Next Generation Plugin should be updated to version 9.10.3

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o batch task Plugin
  o Conjur Secrets Plugin
  o Debian Package Builder Plugin
  o Publish Over SSH Plugin

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-2033, SECURITY-2522 (1),
    SECURITY-2522 (2), SECURITY-2546
  o Devin Nusbaum, CloudBees, Inc. for SECURITY-2467
  o James Nord, CloudBees, Inc. for SECURITY-2141
  o Jasen Minton for SECURITY-2213
  o Kevin Guerroudj for SECURITY-2287
  o Kevin Guerroudj, CloudBees, Inc. for SECURITY-2547
  o Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for
    SECURITY-2558
  o Kevin Guerroudj, Justin Philip and Marc Heyries for SECURITY-2307
  o Marc Heyries, Justin Philip and Kevin Guerroudj for SECURITY-2290,
    SECURITY-2291
  o Matt Sicker, CloudBees, Inc. for SECURITY-2163
  o Oleg Nenashev for SECURITY-1025
  o Tomasz Szuba for SECURITY-1878
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-2017, SECURITY-2090
  o Wasin Saengow for SECURITY-1624

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================