The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.346.x prior to 2.346.40.0.12. It is, therefore, affected by multiple vulnerabilities including the following:

  - Medium Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g.,     Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through     greater permissions that imply them (e.g., Overall/Administer or Item/Configure). Role-based Authorization     Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled. This     allows attackers to have greater access than they're entitled to after the following operations took     place: A permission is granted to attackers directly or through groups. The permission is disabled, e.g.,     through the script console. Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 does not     grant disabled permissions. (CVE-2023-28668)

  - High JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI. This results     in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files     for the 'Record JaCoCo coverage report' post-build action. JaCoCo Plugin 3.3.2.1 escapes class and method     names shown on the UI. (CVE-2023-28669)

  - High Pipeline Aggregator View Plugin 1.13 and earlier does not escape a variable representing the current     view's URL in inline JavaScript. This results in a stored cross-site scripting (XSS) vulnerability     exploitable by authenticated attackers with Overall/Read permission. Pipeline Aggregator View Plugin 1.14     obtains the current URL in a way not susceptible to XSS. (CVE-2023-28670)

  - Medium OctoPerf Load Testing Plugin Plugin 4.5.0 and earlier does not require POST requests for a     connection test HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This     vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified     credentials IDs obtained through another method, capturing credentials stored in Jenkins. OctoPerf Load     Testing Plugin Plugin 4.5.1 requires POST requests for the affected connection test HTTP endpoint.
    (CVE-2023-28671)

  - High OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a     connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an     attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing     credentials stored in Jenkins. OctoPerf Load Testing Plugin Plugin 4.5.2 properly performs a permission     check when accessing the affected connection test HTTP endpoint. (CVE-2023-28672)

  - Medium OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform a permission check in an     HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of     credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using     another vulnerability. An enumeration of credentials IDs in OctoPerf Load Testing Plugin Plugin 4.5.3     requires the appropriate permissions. (CVE-2023-28673)

  - Medium OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier does not perform permission checks in several     HTTP endpoints. This allows attackers with Overall/Read permission to connect to a previously configured     Octoperf server using attacker-specified credentials. Additionally, these endpoints do not require POST     requests, resulting in a cross-site request forgery (CSRF) vulnerability. OctoPerf Load Testing Plugin     Plugin 4.5.3 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
    (CVE-2023-28674, CVE-2023-28675)

  - High Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint     converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF)     vulnerability. This vulnerability allows attackers to create a Pipeline based on a Freestyle project.
    Combined with SECURITY-2966, this can result in the execution of unsandboxed Pipeline scripts. As of     publication of this advisory, there is no fix. Learn why we announce this. (CVE-2023-28676)

  - High Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle     projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step     invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration     that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert     To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, the script will be     pre-approved. As of publication of this advisory, there is no fix. Learn why we announce this.
    (CVE-2023-28677)

  - High Cppcheck Plugin 1.26 and earlier does not escape file names from Cppcheck report files before showing     them on the Jenkins UI. This results in a stored cross-site scripting (XSS) vulnerability exploitable by     attackers able to control report file contents. As of publication of this advisory, there is no fix. Learn     why we announce this. (CVE-2023-28678)

  - High Mashup Portlets Plugin 1.1.2 and earlier provides the Generic JS Portlet feature that lets a user     populate a portlet using a custom JavaScript expression. This results in a stored cross-site scripting     (XSS) vulnerability exploitable by authenticated attackers with Overall/Read permission. As of publication     of this advisory, there is no fix. Learn why we announce this. (CVE-2023-28679)

  - High Crap4J Plugin 0.9 and earlier does not configure its XML parser to prevent XML external entity (XXE)     attacks. This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted     XML document that uses external entities for extraction of secrets from the Jenkins controller or server-     side request forgery. As of publication of this advisory, there is no fix. Learn why we announce this.
    (CVE-2023-28680)

  - High Visual Studio Code Metrics Plugin 1.7 and earlier does not configure its XML parser to prevent XML     external entity (XXE) attacks. This allows attackers able to control VS Code Metrics File contents to have     Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the     Jenkins controller or server-side request forgery. As of publication of this advisory, there is no fix.
    Learn why we announce this. (CVE-2023-28681)

  - High Performance Publisher Plugin 8.09 and earlier does not configure its XML parser to prevent XML     external entity (XXE) attacks. This allows attackers able to control PerfPublisher report files to have     Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the     Jenkins controller or server-side request forgery. As of publication of this advisory, there is no fix.
    Learn why we announce this. (CVE-2023-28682)

  - High Phabricator Differential Plugin 2.1.5 and earlier does not configure its XML parser to prevent XML     external entity (XXE) attacks. This allows attackers able to control coverage report file contents for the     'Post to Phabricator' post-build action to have Jenkins parse a crafted XML document that uses external     entities for extraction of secrets from the Jenkins controller or server-side request forgery. As of     publication of this advisory, there is no fix. Learn why we announce this. (CVE-2023-28683)

  - High remote-jobs-view-plugin Plugin 0.0.3 and earlier does not configure its XML parser to prevent XML     external entity (XXE) attacks. This allows authenticated attackers with Overall/Read permission to have     Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the     Jenkins controller or server-side request forgery. As of publication of this advisory, there is no fix.
    Learn why we announce this. (CVE-2023-28684)

  - High AbsInt a Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity     (XXE) attacks. This allows attackers able to control 'Project File (APX)' contents to have Jenkins parse a     crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or     server-side request forgery. As of publication of this advisory, there is no fix. Learn why we announce     this. (CVE-2023-28685)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Jenkins Enterprise and Operations Center 2.346.x < 2.346.40.0.12 Multiple Vulnerabilities (CloudBees Security Advisory 2023-03-21-security-advisory)

critical Nessus Plugin ID 173193

Version 1.2