Jenkins Security Bulletin: Credential Exposure, Item Creation Bypass, OIDC Validation Issues

From this webpage screenshot, the following key information about the vulnerabilities can be obtained: 1. Vulnerability Descriptions: - Exposure of multi-line secrets through error messages in Jenkins: Jenkins versions 2.478 and earlier, and LTS 2.462.2 and earlier, do not hide multi-line secret values in error messages when processing form submissions involving the form field. - Item creation restriction bypass vulnerability in Jenkins: Jenkins's API provides fine-grained control over item creation, which can be bypassed by attackers to create temporary items. - Encrypted values of credentials revealed to users with Extended Read permission in Credentials Plugin: Credentials Plugin versions 1380 and earlier do not hide encrypted credential values of type when accessing project configuration files via REST API or CLI, if the user has Extended Read permission. - Lack of audience claim validation in OpenId Connect Authentication Plugin: OpenId Connect Authentication Plugin versions 4.354 and earlier do not validate the (Audience) claim when verifying ID tokens. - Lack of issuer claim validation in OpenId Connect Authentication Plugin: OpenId Connect Authentication Plugin versions 4.355 and earlier do not validate the (Issuer) claim when verifying ID tokens. 2. Vulnerability Impact: - Jenkins weekly: Fixed starting from version 2.479. - Jenkins LTS: Fixed starting from version 2.462.3. - Credentials Plugin: Fixed starting from version 1381. - OpenId Connect Authentication Plugin: Fixed starting from version 4.355. 3. Remediation: - Upgrade to the specified versions of Jenkins and plugins to resolve these vulnerabilities. 4. Credits: - Thank you to the individuals who reported these vulnerabilities, including Antonio Muñiz, James Nord, and Kevin Guerroudj. This information helps users understand the nature of the vulnerabilities, their scope of impact, and how to mitigate them by updating their software.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Bulletin: Credential Exposure, Item Creation Bypass, OIDC Validation Issues