This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name on build time trend pages. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.
Jenkins 2.245, LTS 2.235.2 escapes the agent name.
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the upstream job’s display name shown as part of a build cause. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.
Jenkins 2.245, LTS 2.235.2 escapes the job display name.
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the job name in the 'Keep this build forever' badge tooltip. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure job names.
As job names do not generally support the character set needed for XSS, this is believed to be difficult to exploit in common configurations.
Jenkins 2.245, LTS 2.235.2 escapes the job name in the 'Keep this build forever' badge tooltip.
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.
Jenkins 2.245, LTS 2.235.2 escapes the href attribute of these links.
matrix-project
Matrix Project Plugin 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Agent/Configure permission.
Matrix Project Plugin 1.17 escapes the node names shown in these tooltips.
matrix-project
Matrix Project Plugin 1.16 and earlier does not escape the axis names shown in tooltips on the overview page of builds with multiple axes. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission.
Matrix Project Plugin 1.17 escapes the axis names shown in these tooltips.
matrix-auth
Matrix Authorization Strategy Plugin 2.6.1 and earlier does not escape user names shown in the permission table. This results in a stored cross-site scripting (XSS) vulnerability. When using project-based matrix authorization, this vulnerability can be exploited by a user with Job/Configure or Agent/Configure permission, otherwise by users with Overall/Administer permission.
Matrix Authorization Strategy Plugin 2.6.2 escapes user names in the permission table.
deployer-framework
Deployer Framework Plugin is a framework plugin allowing other plugins to provide a way to deploy artifacts. Deployer Framework Plugin 1.2 and earlier does not escape the URL displayed in the build home page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to provide the location.
The exploitability of this vulnerability depends on the specific implementation using Deployer Framework Plugin. The Jenkins security team is not aware of any exploitable implementation.
Deployer Framework Plugin 1.3 escapes the URL.
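The core, Matrix Project, Matrix Authorization Strategy and Deployer Framework entries above all describe the same defect: a value that a user with limited permissions controls (an agent name, a job display name, a user name in the permission table, a URL) is written into a view without being escaped for the context it lands in. The following is an added example that models that defect and its fix; it is not code from Jenkins or from any plugin named in this advisory. The markup templates, the helper names `escapeHtml` and `safeHref`, and the payloads are constructed for illustration. It also shows the point the href entry makes implicitly: an attribute that becomes a URL needs more than entity escaping.

```javascript
// Added example, not code from Jenkins or the plugins in this advisory.
// It models the defect shared by the escaping entries above: a value a
// low-privileged user controls (agent name, job display name, user name,
// URL) is written into a view without escaping for the context it lands in.
// Templates, helper names and payloads are constructed for illustration.

// Escape the five characters that matter in HTML text and in quoted
// attribute values. This is the general fix for names shown as text or
// inside a title= tooltip.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// An href needs more than escaping: "javascript:alert(1)" contains none of
// the five characters and survives escapeHtml unchanged, yet runs on click.
// Allow only http(s) URLs or paths relative to this server, then escape.
function safeHref(url) {
  const u = String(url).trim();
  const allowed = /^https?:\/\//i.test(u) || /^(\/|\.\.?\/)/.test(u);
  return allowed ? escapeHtml(u) : '#';
}

// Constructed stand-ins for a tooltip and a downstream-job link, rendered
// the way the affected versions did (values concatenated unescaped) and
// the way the fixed versions do (escaped for their context).
function renderTooltipVulnerable(name) {
  return `<span title="Keep this build forever: ${name}">*</span>`;
}
function renderTooltipFixed(name) {
  return `<span title="Keep this build forever: ${escapeHtml(name)}">*</span>`;
}
function renderLinkVulnerable(href, text) {
  return `<a href="${href}">${text}</a>`;
}
function renderLinkFixed(href, text) {
  return `<a href="${safeHref(href)}">${escapeHtml(text)}</a>`;
}

// Constructed payloads, one per sink type:
// attribute breakout, text-node tag injection, and a script-scheme URL.
const ATTR_PAYLOAD = 'agent-1" onmouseover="alert(1)';
const TEXT_PAYLOAD = 'Build <img src=x onerror=alert(1)>';
const URL_PAYLOAD = 'javascript:alert(1)';

// Crude detector for the demo (not a sanitizer): true when the rendered
// markup still contains an injected event-handler attribute, an injected
// tag, or a javascript: href, i.e. when the payload survived into output.
function looksInjected(html) {
  return /" on\w+="/i.test(html) || /<img/i.test(html) || /href="javascript:/i.test(html);
}

for (const [label, vuln, fixed] of [
  ['tooltip', renderTooltipVulnerable(ATTR_PAYLOAD), renderTooltipFixed(ATTR_PAYLOAD)],
  ['link', renderLinkVulnerable(URL_PAYLOAD, TEXT_PAYLOAD), renderLinkFixed(URL_PAYLOAD, TEXT_PAYLOAD)],
]) {
  console.log(`${label}: vulnerable=${looksInjected(vuln)} fixed=${looksInjected(fixed)}`);
}
```

Two things to take from the model: the text and tooltip sinks are closed by entity escaping alone, because a `"` that cannot terminate the attribute cannot introduce `onmouseover=`; the href sink is not, because a `javascript:` URL contains no escapable character, so the value must additionally be restricted to an acceptable scheme or to a server-relative path before it is written into the attribute.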
gitlab-oauth
GitLab Authentication Plugin 1.5 and earlier does not differentiate between user names and hierarchical group names when performing authorization. This allows an attacker with permissions to create groups in GitLab to gain the privileges granted to another user or group.
GitLab Authentication Plugin 1.6 performs user name and group name authorization checks using the appropriate GitLab APIs.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: