Jenkins Security Advisory 2021-06-30

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Improper permission checks allow canceling queue items and aborting builds

SECURITY-2278 / CVE-2021-21670

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

Jenkins 2.300, LTS 2.289.2 requires that users have Item/Read permission for applicable types in addition to Item/Cancel permission.

As a workaround on earlier versions of Jenkins, do not grant Item/Cancel permission to users who do not have Item/Read permission.

Session fixation vulnerability

SECURITY-2371 / CVE-2021-21671

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

This vulnerability was introduced in Jenkins 2.266 and LTS 2.277.1.

Jenkins 2.300, LTS 2.289.2 invalidates the existing session on login.

In case of problems, administrators can choose a different implementation by setting the Java system property hudson.security.SecurityRealm.sessionFixationProtectionMode to 2, or disable the fix entirely by setting that system property to 0.

XXE vulnerability in Selenium HTML report Plugin

SECURITY-2329 / CVE-2021-21672

Selenium HTML report Plugin 1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with the ability to control the report files parsed using this plugin to have Jenkins parse a crafted report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Selenium HTML report Plugin 1.1 disables external entity resolution for its XML parser.

Open redirect vulnerability in CAS Plugin

SECURITY-2387 / CVE-2021-21673

CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

CAS Plugin 1.6.1 only redirects to relative (Jenkins) URLs.

Missing permission check in requests-plugin Plugin allows viewing pending requests

SECURITY-1995 / CVE-2021-21674

requests-plugin Plugin 2.2.6 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the list of pending requests.

requests-plugin Plugin 2.2.7 requires Overall/Administer permission to view the list of pending requests.

The previous sentence originally stated that Overall/Read permission was newly required. This statement was incorrect and has been fixed on 2021-07-05.

CSRF vulnerabilities in requests-plugin Plugin

SECURITY-2136 (1) / CVE-2021-21675

requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or deleting jobs, deleting builds, etc.

requests-plugin Plugin 2.2.13 requires POST requests for the affected HTTP endpoints.

This was partially fixed in requests-plugin Plugin 2.2.8 to require POST requests for some of the affected HTTP endpoints, but the endpoint allowing administrators to apply pending requests remained unprotected until 2.2.13.

Missing permission check in requests-plugin Plugin allows sending emails

SECURITY-2136 (2) / CVE-2021-21676

requests-plugin Plugin 2.2.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to send test emails to an attacker-specified email address.

requests-plugin Plugin 2.2.8 requires Overall/Administer permission to send test emails.

Severity

Affected Versions

  • Jenkins weekly up to and including 2.299
  • Jenkins LTS up to and including 2.289.1
  • CAS Plugin up to and including 1.6.0
  • requests-plugin Plugin up to and including 2.2.6
  • requests-plugin Plugin up to and including 2.2.12
  • requests-plugin Plugin up to and including 2.2.7
  • Selenium HTML report Plugin up to and including 1.0

Fix

  • Jenkins weekly should be updated to version 2.300
  • Jenkins LTS should be updated to version 2.289.2
  • CAS Plugin should be updated to version 1.6.1
  • requests-plugin Plugin should be updated to version 2.2.7
  • requests-plugin Plugin should be updated to version 2.2.13
  • requests-plugin Plugin should be updated to version 2.2.8
  • Selenium HTML report Plugin should be updated to version 1.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Angélique Jard, CloudBees, Inc. for SECURITY-2278
  • Justin Philip, Kevin Guerroudj, Marc Heyries for SECURITY-2329
  • Matt Sicker, CloudBees, Inc. for SECURITY-1995
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-2387