Jenkins Security Advisory: XXE, Plaintext Passwords, and Missing Permission Checks in Plugins

Jenkins Security Advisory 2023-07-12 This advisory announces vulnerabilities in the following Jenkins deliverables: Active Directory Plugin Assembla Auth Plugin Benchmark Evaluator Plugin Datadog Plugin ElasticBox CI Plugin External Monitor Job Type Plugin mabl Plugin MathWorks Polyspace Plugin OpenShift Login Plugin Oracle Cloud Infrastructure Compute Plugin Orka by MacStadium Plugin Pipeline restFul API Plugin Rebuilder Plugin SAML Single Sign On(SSO) Plugin Sumologic Publisher Plugin Test Results Aggregator Plugin Descriptions XXE Vulnerability in External Monitor Job Type Plugin SE-3133 / CVE-2023-37942 Severity (CVSS): High Affected plugin: external-monitor-job External Monitor Job Type Plugin 206.v9aFf0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. External Monitor Job Type Plugin 207.v98a_a_37a_85525 disables external entity resolution for its XML parser. Password transmitted in plain text by Active Directory Plugin SECURITY-3059 / CVE-2023-37943 Severity (CVSS): Low Affected plugin: active-directory Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain"). Active Directory Plugin 2.3.0 and earlier ignores the "Require TLS" and "StartTLS" options and always performs the connection test to Active Directory unencrypted. This allows attackers to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials. Missing permission check in Datadog Plugin allows capturing credentials SECUR-3130 / CVE-2023-37944 Severity (CVSS): Medium Affected plugin: datadog Datadog Plugin 5.4.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Datadog Plugin 5.4.2 requires Overall/Administer permission to access the affected HTTP endpoint. Missing permission check in SAML Single Sign On(SSO) Plugin SECURITY-3164 / CVE-2023-37945 Severity (CVSS): Medium Affected plugin: miniOrange-saml-sp SAML Single Sign On(SSO) Plugin 2.3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to download a string representation of the current security realm (Java Object#toString()), which potentially includes sensitive information. Session fixation vulnerability in OpenShift Login Plugin SECUR-2998 / CVE-2023-37946 Severity (CVSS): High Affected plugin: openshift-login OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432 invalidates the existing session on login. Open redirect vulnerability in OpenShift Login Plugin SE-3999 / CVE-2023-37947 Severity (CVSS): Medium Affected plugin: openshift-login OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432 only redirects to relative (Jenkins) URLs. Missing SSH host key validation in Oracle Cloud Infrastructure Compute Plugin SECU-3044 / CVE-2023-37948 Severity (CVSS): Medium Affected plugin: oracle-cloud-infrastructure-compute Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds. Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides strategies for performing host key validation for administrators to select the one that meets their security needs. Missing permission check in Orka by MacStadium Plugin allows capturing credentials SEC-3128 / CVE-2023-37949 Severity (CVSS): Medium Affected plugin: macstadium-orka Orka by MacStadium Plugin 1.33 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Orka by MacStadium Plugin 1.34 requires Overall/Administer permission to access the affected HTTP endpoint. Missing permission check in mabl Plugin allows enumerating credentials IDs SECUR-3137

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: XXE, Plaintext Passwords, and Missing Permission Checks in Plugins