Jenkins Security Advisory 2021-03-30

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Stored XSS vulnerability in Build With Parameters Plugin

SECURITY-2231 / CVE-2021-21628

Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Build With Parameters Plugin 1.5.1 escapes parameter names and descriptions.

CSRF vulnerability in Build With Parameters Plugin

SECURITY-2257 / CVE-2021-21629

Build With Parameters Plugin 1.5 and earlier does not require POST requests for its form submission endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to build a project with attacker-specified parameters.

Build With Parameters Plugin 1.5.1 requires POST requests for the affected HTTP endpoint.

Stored XSS vulnerability in Extra Columns Plugin

SECURITY-2222 / CVE-2021-21630

Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. Additionally, a view containing such a job needs to be configured with the build parameters column, or the attacker also needs View/Configure permission.

Extra Columns Plugin 1.23 escapes parameter values in the build parameters column.

Missing permission check in Cloud Statistics Plugin

SECURITY-2246 / CVE-2021-21631

Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

Cloud Statistics Plugin 0.27 requires Overall/Administer permission to access provisioning exception error messages.

CSRF vulnerability and missing permission checks in OWASP Dependency-Track Plugin allow capturing credentials

SECURITY-2250 / CVE-2021-21632 (permission check), CVE-2021-21633 (CSRF)

OWASP Dependency-Track Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing "Secret text" credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

OWASP Dependency-Track Plugin 3.1.1 requires POST requests and appropriate permissions for the affected HTTP endpoints.

Passwords stored in plain text by Jabber (XMPP) notifier and control Plugin

SECURITY-2162 / CVE-2021-21634

Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file hudson.plugins.jabber.im.transport.JabberPublisher.xml on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Jabber (XMPP) notifier and control Plugin 1.42 stores passwords encrypted once its configuration is saved again.

Stored XSS vulnerability in REST List Parameter Plugin

SECURITY-2261 / CVE-2021-21635

REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

REST List Parameter Plugin 1.3.1 no longer identifies a parameter using user-specified content.

Missing permission check in Team Foundation Server Plugin allows enumerating credentials IDs

SECURITY-2283 (1) / CVE-2021-21636

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission check in Team Foundation Server Plugin allow capturing credentials

SECURITY-2283 (2) / CVE-2021-21637 (permission check), CVE-2021-21638 (CSRF)

Team Foundation Server Plugin 5.157.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Severity

Affected Versions

  • Build With Parameters Plugin up to and including 1.5
  • Cloud Statistics Plugin up to and including 0.26
  • Extra Columns Plugin up to and including 1.22
  • Jabber (XMPP) notifier and control Plugin up to and including 1.41
  • OWASP Dependency-Track Plugin up to and including 3.1.0
  • REST List Parameter Plugin up to and including 1.3.0
  • Team Foundation Server Plugin up to and including 5.157.1

Fix

  • Build With Parameters Plugin should be updated to version 1.5.1
  • Cloud Statistics Plugin should be updated to version 0.27
  • Extra Columns Plugin should be updated to version 1.23
  • Jabber (XMPP) notifier and control Plugin should be updated to version 1.42
  • OWASP Dependency-Track Plugin should be updated to version 3.1.1
  • REST List Parameter Plugin should be updated to version 1.3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Team Foundation Server Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-2162, SECURITY-2246, SECURITY-2283 (1), SECURITY-2283 (2)
  • Justin Philip for SECURITY-2250
  • Kevin Guerroudj for SECURITY-2231, SECURITY-2257, SECURITY-2261
  • Marc Heyries for SECURITY-2222