Jenkins plugins Multiple Vulnerabilities (2023-09-06)

high Nessus Plugin ID 180576

Synopsis

An application running on a remote web server host is affected by multiple vulnerabilities

Description

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

- Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the 'name' query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin. (CVE-2023-41930)

- Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.
(CVE-2023-41932)

- Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. (CVE-2023-41933)

- Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non- constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
(CVE-2023-41935)

- Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token. (CVE-2023-41936)

- Jenkins Bitbucket Push and Pull Request Plugin 2.4.0 through 2.8.3 (both inclusive) trusts values provided in the webhook payload, including certain URLs, and uses configured Bitbucket credentials to connect to those URLs, allowing attackers to capture Bitbucket credentials stored in Jenkins by sending a crafted webhook payload. (CVE-2023-41937)

- Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used. This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways. Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed. Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about JAXP Properties for External Access restrictions inside Oracle's Java API for XML Processing (JAXP) Security Guide.
(CVE-2022-46751)

- A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules. (CVE-2023-41938)

- Jenkins SSH2 Easy Plugin 1.4 and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they're no longer entitled to. (CVE-2023-41939)

- A cross-site request forgery (CSRF) vulnerability in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers to clear the SQS queue. (CVE-2023-41942)

- Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability.
(CVE-2023-41944)

- Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted. (CVE-2023-41945)

- A cross-site request forgery (CSRF) vulnerability in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username.
(CVE-2023-41946)

- A missing permission check in Jenkins Frugal Testing Plugin 1.1 and earlier allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified credentials.
(CVE-2023-41947)

- Path traversal allows exploiting XSS vulnerability in Job Configuration History Plugin (CVE-2023-41931)

- Improper masking of credentials in Pipeline Maven Integration Plugin (CVE-2023-41934)

- Stored XSS vulnerability in TAP Plugin (CVE-2023-41940)

- Missing permission check in AWS CodeCommit Trigger Plugin allows enumerating credentials IDs (CVE-2023-41941)

- CSRF vulnerability and missing permission check in AWS CodeCommit Trigger Plugin (CVE-2023-41943)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update Jenkins plugins to the following versions:
- Assembla Auth Plugin: See vendor advisory
- AWS CodeCommit Trigger Plugin: See vendor advisory
- Azure AD Plugin: See vendor advisory
- Bitbucket Push and Pull Request Plugin to version 2.8.4 or later
- Frugal Testing Plugin: See vendor advisory
- Google Login Plugin to version 1.8 or later
- Ivy Plugin: See vendor advisory
- Job Configuration History Plugin to version 1229.v3039470161a_d or later
- Pipeline Maven Integration Plugin to version 1331.v003efa_fd6e81 or later
- Qualys Container Scanning Connector Plugin to version 1.6.2.7 or later
- SSH2 Easy Plugin to version 1.6 or later
- TAP Plugin: See vendor advisory

See vendor advisory for more details.

See Also

https://jenkins.io/security/advisory/2023-09-06

Plugin Details

Severity: High

ID: 180576

File Name: jenkins_security_advisory_2023-09-06_plugins.nasl

Version: 1.5

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 9/7/2023

Updated: 10/3/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-41945

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:jenkins:jenkins, cpe:/a:cloudbees:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Ease: No known exploits are available

Patch Publication Date: 9/6/2023

Vulnerability Publication Date: 8/21/2023

Reference Information

CVE: CVE-2022-46751, CVE-2023-41930, CVE-2023-41931, CVE-2023-41932, CVE-2023-41933, CVE-2023-41934, CVE-2023-41935, CVE-2023-41936, CVE-2023-41937, CVE-2023-41938, CVE-2023-41939, CVE-2023-41940, CVE-2023-41941, CVE-2023-41942, CVE-2023-41943, CVE-2023-41944, CVE-2023-41945, CVE-2023-41946, CVE-2023-41947