Jenkins Enterprise and Operations Center 2.346.x < 2.346.40.0.6 / 2.361.3.4 Multiple Vulnerabilities (CloudBees Security Advisory 2022-11-15)

Severity: Critical | Nessus Plugin ID: 167634

Synopsis

A job scheduling and management system hosted on the remote web server is affected by multiple vulnerabilities.

Description

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.346.x prior to 2.346.40.0.6 or 2.x prior to 2.361.3.4. It is, therefore, affected by multiple vulnerabilities including the following:

- CVE-2022-38751 on snakeyaml (fixed train 2.346.x.0.z) (BEE-23728)

- CVE-2022-38749 on snakeyaml (fixed train 2.346.x.0.z) (BEE-23729)

- Remote code execution vulnerability in Pipeline Utility Steps Plugin (CVE-2022-33980)

- SSL/TLS certificate validation unconditionally disabled by NS-ND Integration Performance Publisher Plugin (CVE-2022-38666)

- Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)

- Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)

- Arbitrary file read vulnerability in Pipeline Utility Steps Plugin (CVE-2022-45381)

- Stored XSS vulnerability in Naginator Plugin (CVE-2022-45382)

- Incorrect permission checks in Support Core Plugin (CVE-2022-45383)

- Password stored in plain text by Reverse Proxy Auth Plugin (CVE-2022-45384)

- Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin (CVE-2022-45385)

- XXE vulnerability on agents in Violations Plugin (CVE-2022-45386)

- Stored XSS vulnerability in BART Plugin (CVE-2022-45387)

- Arbitrary file read vulnerability in Config Rotator Plugin (CVE-2022-45388)

- Lack of authentication mechanism for webhook in XP-Dev Plugin (CVE-2022-45389)

- Missing permission check in loader.io Plugin allows enumerating credentials IDs (CVE-2022-45390)

- SSL/TLS certificate validation globally and unconditionally disabled by NS-ND Integration Performance Publisher Plugin (CVE-2022-45391)

- Passwords stored in plain text by NS-ND Integration Performance Publisher Plugin (CVE-2022-45392)

- CSRF vulnerability and missing permission check in Delete log Plugin (CVE-2022-45393, CVE-2022-45394)

- XXE vulnerability on agents in CCCC Plugin (CVE-2022-45395)

- XXE vulnerability on agents in SourceMonitor Plugin (CVE-2022-45396)

- XXE vulnerability on agents in OSF Builder Suite :: XML Linter Plugin (CVE-2022-45397)

- CSRF vulnerability and missing permission check in Cluster Statistics Plugin (CVE-2022-45398, CVE-2022-45399)

- XXE vulnerability in JAPEX Plugin (CVE-2022-45400)

- Stored XSS vulnerability in Associated Files Plugin (CVE-2022-45401)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade Jenkins Enterprise or Jenkins Operations Center to version 2.346.40.0.6, 2.361.3.4 or later.

See Also

http://www.nessus.org/u?d9523d7d

Plugin Details

Severity: Critical

ID: 167634

File Name: cloudbees-security-advisory-2022-11-15.nasl

Version: 1.4

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 11/16/2022

Updated: 10/3/2023

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-33980

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2022-45400

Vulnerability Information

CPE: cpe:/a:cloudbees:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/15/2022

Vulnerability Publication Date: 11/15/2022

Reference Information

CVE: CVE-2022-33980, CVE-2022-38666, CVE-2022-45379, CVE-2022-45380, CVE-2022-45381, CVE-2022-45382, CVE-2022-45383, CVE-2022-45384, CVE-2022-45385, CVE-2022-45386, CVE-2022-45387, CVE-2022-45388, CVE-2022-45389, CVE-2022-45390, CVE-2022-45391, CVE-2022-45392, CVE-2022-45393, CVE-2022-45394, CVE-2022-45395, CVE-2022-45396, CVE-2022-45397, CVE-2022-45398, CVE-2022-45399, CVE-2022-45400, CVE-2022-45401