This advisory announces vulnerabilities in the following Jenkins deliverables:
script-security
Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the approved script. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest.
Script Security Plugin 1190.v65867a_a_47126 uses SHA-512 for new whole-script approvals. Previously approved scripts will have their SHA-1 based whole-script approval replaced with a corresponding SHA-512 whole-script approval when the script is next used.
Whole-script approval only stores the SHA-1 or SHA-512 hash, so it is not possible to migrate all previously approved scripts automatically on startup.
Administrators concerned about SHA-1 collision attacks on the whole-script approval feature are able to revoke all previous (SHA-1) script approvals on the In-Process Script Approval page.
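The migration behaviour described above, as an added illustration that is not the plugin's own code: a toy approval store that keeps only digests, records new approvals as SHA-512, upgrades a matching SHA-1 approval the moment a script is next used (the only time the script text is available), and offers the bulk revocation an administrator can perform from the In-Process Script Approval page. All names and the sample script are constructed for this example.

```python
import hashlib

def sha1_hex(script: str) -> str:
    return hashlib.sha1(script.encode("utf-8")).hexdigest()

def sha512_hex(script: str) -> str:
    return hashlib.sha512(script.encode("utf-8")).hexdigest()

class WholeScriptApprovals:
    """Toy approval store that, like the plugin, keeps only script digests.
    New approvals are recorded as SHA-512; a legacy SHA-1 approval is
    honoured once and replaced by a SHA-512 one when the script is next used."""

    def __init__(self, legacy_sha1_approvals=()):
        # Constructed starting state: approvals inherited from the old version
        # survive only as SHA-1 hex digests, so the script text is unknown here.
        self._sha1_digests = set(legacy_sha1_approvals)
        self._sha512_digests = set()

    def approve(self, script: str) -> None:
        """Approve a script the way the fixed version does: SHA-512 only."""
        self._sha512_digests.add(sha512_hex(script))

    def is_approved(self, script: str) -> bool:
        """Called at use time, which is the only moment the full script text
        is available and a SHA-1 approval can be migrated to SHA-512."""
        digest512 = sha512_hex(script)
        if digest512 in self._sha512_digests:
            return True
        digest1 = sha1_hex(script)
        if digest1 in self._sha1_digests:
            self._sha1_digests.discard(digest1)   # drop the weak-hash record
            self._sha512_digests.add(digest512)   # and replace it with SHA-512
            return True
        return False

    def revoke_legacy(self) -> int:
        """Revoke every remaining SHA-1 approval, as an administrator can do
        from the In-Process Script Approval page; returns how many were dropped."""
        count = len(self._sha1_digests)
        self._sha1_digests.clear()
        return count

    def legacy_count(self) -> int:
        return len(self._sha1_digests)

# Constructed sample: one script that was approved under the old plugin version.
SAMPLE_SCRIPT = "println 'hello from a Pipeline'"
store = WholeScriptApprovals(legacy_sha1_approvals=[sha1_hex(SAMPLE_SCRIPT)])
```

Because the store never sees the script text until it is used, an approval whose script is never run again stays SHA-1 until it is revoked.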
junit
JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links.
This is done in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
JUnit Plugin 1160.vf1f01a_a_ea_b_7f no longer converts URLs to clickable links.
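An added example, not taken from the JUnit Plugin, contrasting the unsafe linkification pattern described above with two safe renderings: escaping every non-URL span and attribute-escaping each URL, or simply not linking at all (what the fixed version does). The regex, function names and sample report output are constructed for this illustration.

```python
import html
import re

# Only absolute http(s) URLs are ever turned into links; the character class
# excludes whitespace, quotes and angle brackets, so a match can never close
# the href attribute or the <a> element it is placed in.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def linkify_unsafe(output: str) -> str:
    """The vulnerable pattern: URLs are wrapped in <a> and the result is
    emitted as HTML, but the surrounding report text is never escaped."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', output)

def linkify_safe(output: str) -> str:
    """Hardened variant: every non-URL span is HTML-escaped, and each URL is
    escaped both for the href attribute and for the visible link text."""
    parts, pos = [], 0
    for m in URL_RE.finditer(output):
        parts.append(html.escape(output[pos:m.start()], quote=True))
        safe_url = html.escape(m.group(0), quote=True)
        parts.append(f'<a href="{safe_url}" rel="noopener noreferrer">{safe_url}</a>')
        pos = m.end()
    parts.append(html.escape(output[pos:], quote=True))
    return "".join(parts)

def render_plain(output: str) -> str:
    """What the fixed plugin version effectively does: escape, no links at all."""
    return html.escape(output, quote=True)

# Constructed test-report output containing a real URL and injected markup.
SAMPLE_OUTPUT = ("assertion failed, see http://ci.example.test/r?a=1&b=2 "
                 "<script>alert(1)</script>")
```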
pipeline-utility-steps
Pipeline Utility Steps Plugin implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library.
Pipeline Utility Steps Plugin 2.13.0 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library with the vulnerability CVE-2022-33980.
This vulnerability allows attackers able to configure Pipelines to execute arbitrary code in the context of the Jenkins controller JVM.
Pipeline Utility Steps Plugin 2.13.1 bundles version 2.8.0 of the Apache Commons Configuration library, which disables the problematic prefix interpolators by default.
pipeline-utility-steps
Pipeline Utility Steps Plugin implements a readProperties Pipeline step that supports interpolation of variables using the Apache Commons Configuration library.
Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the file: prefix interpolator by default.
This allows attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.
Pipeline Utility Steps Plugin 2.13.2 restricts the set of prefix interpolators enabled by default to base64Decoder:, base64Encoder:, date:, urlDecoder:, and urlEncoder:.
Administrators can set the Java system property org.jenkinsci.plugins.pipeline.utility.steps.conf.ReadPropertiesStepExecution.CUSTOM_PREFIX_INTERPOLATOR_LOOKUPS to customize which prefix interpolators are enabled.
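The two Pipeline Utility Steps entries above come down to which ${prefix:value} lookups a properties interpolator is allowed to run. The following is an added, self-contained toy (not the plugin's or Commons Configuration's code) that resolves plain ${key} references and prefixed lookups, enables only the five defaults listed above, leaves a disabled prefix such as file: unresolved, and models the CUSTOM_PREFIX_INTERPOLATOR_LOOKUPS override as a comma-separated list (an assumption; the page does not give the property's value format). The lookup syntax, registry and sample properties are constructed for this example.

```python
import base64
import re
import urllib.parse
from datetime import datetime, timezone
from typing import Optional

# Lookups this toy knows, keyed by the prefix used in ${prefix:value}.
# "file" is registered but NOT enabled by default, mirroring the fix; the real
# Commons Configuration file lookup syntax differs (assumption: this toy just
# reads the given path), and its script/url lookups are deliberately omitted.
LOOKUPS = {
    "base64Decoder": lambda v: base64.b64decode(v).decode("utf-8"),
    "base64Encoder": lambda v: base64.b64encode(v.encode("utf-8")).decode("ascii"),
    "date": lambda v: datetime.now(timezone.utc).strftime(v),
    "urlDecoder": lambda v: urllib.parse.unquote(v),
    "urlEncoder": lambda v: urllib.parse.quote(v, safe=""),
    "file": lambda v: open(v, encoding="utf-8").read(),  # reads controller files
}
DEFAULT_ENABLED = frozenset(
    {"base64Decoder", "base64Encoder", "date", "urlDecoder", "urlEncoder"})
VAR_RE = re.compile(r"\$\{([^{}]*)\}")

def enabled_prefixes(custom_setting: Optional[str]) -> frozenset:
    """Stand-in for CUSTOM_PREFIX_INTERPOLATOR_LOOKUPS: None keeps the default
    set; otherwise the value is read as a comma-separated list of prefixes."""
    if custom_setting is None:
        return DEFAULT_ENABLED
    return frozenset(p.strip() for p in custom_setting.split(",") if p.strip())

def interpolate(props: dict, enabled: frozenset = DEFAULT_ENABLED) -> dict:
    """Resolve ${key} from the properties themselves and ${prefix:value}
    through an enabled lookup; a disabled or unknown prefix is left verbatim."""
    def resolve(m: re.Match) -> str:
        expr = m.group(1)
        prefix, sep, value = expr.partition(":")
        if sep and prefix in LOOKUPS:
            if prefix not in enabled:
                return m.group(0)            # disabled lookup: keep the literal text
            return LOOKUPS[prefix](value)
        return props.get(expr, m.group(0))   # plain ${key}: look it up in props
    return {k: VAR_RE.sub(resolve, v) for k, v in props.items()}

# Constructed properties as a readProperties step might see them.
SAMPLE_PROPS = {
    "app": "demo",
    "greeting": "hello ${app}",
    "token": "${base64Encoder:demo}",
    "leak": "${file:/etc/hostname}",
}
```

Unknown prefixes (or ones an administrator has not enabled) survive unchanged in the output, which is the behaviour to expect from the fixed plugin rather than an error.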
naginator
Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names.
Naginator Plugin 1.18.2 escapes display names of source builds.
support-core
Support Core Plugin defines the permission Support/DownloadBundle that allows users without Overall/Administer permission to create and download support bundles containing a limited set of diagnostic information.
Support Core Plugin 1206.v14049fa_b_d860 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission.
Support Core Plugin 1206.1208.v9b_7a_1d48db_0f deprecates the Support/DownloadBundle permission. The Overall/Administer permission is now required to download support bundles.
reverse-proxy-auth-plugin
Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.
This password can be viewed by attackers with access to the Jenkins controller file system.
Reverse Proxy Auth Plugin 1.7.4 stores the LDAP manager password encrypted once its configuration is saved again.
dockerhub-notification
CloudBees Docker Hub/Registry Notification Plugin provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt.
In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these endpoints can be accessed without authentication.
This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1 requires a token as a part of webhook URLs, which will act as authentication for the webhook endpoint. As a result, all webhook URLs in the plugin will be different after updating the plugin.
Administrators can set the Java system property org.jenkinsci.plugins.registry.notification.webhook.JSONWebHook.DO_NOT_REQUIRE_API_TOKEN to true to disable this fix.
cavisson-ns-nd-integration
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.
These passwords can be viewed by attackers with Item/Extended Read permission or access to the Jenkins controller file system.
NS-ND Integration Performance Publisher Plugin 4.8.0.146 stores passwords encrypted once job configurations are saved again.
cavisson-ns-nd-integration
NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.
NS-ND Integration Performance Publisher Plugin 4.8.0.146 no longer disables SSL/TLS certificate and hostname validation globally.
cavisson-ns-nd-integration
NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features.
As of publication of this advisory, there is no fix. Learn why we announce this.
violations
Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control XML input files for the 'Report Violations' post-build step to have agent processes parse a crafted file that uses external entities for extraction of secrets from the Jenkins agent or server-side request forgery.
Because Jenkins agent processes usually execute build tools whose input (source code, build scripts, etc.) is controlled externally, this vulnerability only has a real impact in very narrow circumstances: when attackers can control XML files, but are unable to change build steps, Jenkinsfiles, test code that gets executed on the agents, or similar.
As of publication of this advisory, there is no fix. Learn why we announce this.
bart
BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix. Learn why we announce this.
config-rotator
Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint.
This allows unauthenticated attackers to read arbitrary files with .xml extension on the Jenkins controller file system.
As of publication of this advisory, there is no fix. Learn why we announce this.
xpdev
XP-Dev Plugin provides a webhook endpoint at /xpdev-webhook that can be used to trigger builds configured to use a specified repository.
In XP-Dev Plugin 1.0 and earlier, this endpoint can be accessed without authentication.
This allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.
As of publication of this advisory, there is no fix. Learn why we announce this.
loaderio-jenkins-plugin
loader.io Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
delete-log-plugin
Delete log Plugin 1.0 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to delete build logs.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
cccc
CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control the contents of the report file for the 'Publish CCCC Report' post-build step to have agent processes parse a crafted file that uses external entities for extraction of secrets from the Jenkins agent or server-side request forgery.
Because Jenkins agent processes usually execute build tools whose input (source code, build scripts, etc.) is controlled externally, this vulnerability only has a real impact in very narrow circumstances: when attackers can control XML files, but are unable to change build steps, Jenkinsfiles, test code that gets executed on the agents, or similar.
As of publication of this advisory, there is no fix. Learn why we announce this.
sourcemonitor
SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control XML input files for the 'Publish SourceMonitor results' post-build step to have agent processes parse a crafted file that uses external entities for extraction of secrets from the Jenkins agent or server-side request forgery.
Because Jenkins agent processes usually execute build tools whose input (source code, build scripts, etc.) is controlled externally, this vulnerability only has a real impact in very narrow circumstances: when attackers can control XML files, but are unable to change build steps, Jenkinsfiles, test code that gets executed on the agents, or similar.
As of publication of this advisory, there is no fix. Learn why we announce this.
osf-builder-suite-xml-linter
OSF Builder Suite : : XML Linter 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control XML files that get processed by the 'OSF Builder Suite : : XML Linter' build step to have agent processes parse a crafted file that uses external entities for extraction of secrets from the Jenkins agent or server-side request forgery.
Because Jenkins agent processes usually execute build tools whose input (source code, build scripts, etc.) is controlled externally, this vulnerability only has a real impact in very narrow circumstances: when attackers can control XML files, but are unable to change build steps, Jenkinsfiles, test code that gets executed on the agents, or similar.
As of publication of this advisory, there is no fix. Learn why we announce this.
cluster-stats
Cluster Statistics Plugin 0.4.6 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to delete recorded Jenkins Cluster Statistics.
Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
japex
JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control XML input files for the 'Record Japex test report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix. Learn why we announce this.
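The five XXE entries above (Violations, CCCC, SourceMonitor, OSF Builder Suite : : XML Linter and JAPEX) share one root cause: a report parser left at defaults that honour DTDs and external entities. The following is an added example, not code from any of those plugins, of what "configuring the parser to prevent XXE" looks like for a report file: a pre-parse pass that refuses any DOCTYPE (which also rules out internal entity expansion attacks) and any external entity reference before the document is handed to the real parser. In Java the equivalent is enabling the http://apache.org/xml/features/disallow-doctype-decl feature on the factory. The two report files are constructed for this example and only mimic the shape of a CCCC report.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET

class UnsafeXmlError(ValueError):
    """Raised when a report file carries constructs an XXE-safe parser must refuse."""

def check_no_dtd(xml_bytes: bytes) -> None:
    """Pre-parse pass with expat: raising from a handler aborts the parse, so a
    DOCTYPE (and with it any entity declaration) or an external entity
    reference never reaches the tree builder. This is the Python analogue of
    disallowing DOCTYPE declarations and external general/parameter entities
    on a Java DocumentBuilderFactory or SAXParserFactory."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE '{name}' rejected: report files must not declare a DTD")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity {sysid!r} rejected")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)

def parse_report(xml_bytes: bytes) -> ET.Element:
    """Only documents that pass the check are parsed into a tree."""
    check_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)

def safe_to_parse(xml_bytes: bytes) -> bool:
    try:
        check_no_dtd(xml_bytes)
        return True
    except UnsafeXmlError:
        return False

# Constructed report in the rough shape of a CCCC result file.
SAFE_REPORT = b"""<?xml version="1.0"?>
<CCCC_Project><project_summary><number_of_modules>3</number_of_modules>
</project_summary></CCCC_Project>"""

# Constructed crafted report of the kind the entries above describe: a DTD that
# declares an external entity and a body that references it.
CRAFTED_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE CCCC_Project [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<CCCC_Project><project_summary>&ext;</project_summary></CCCC_Project>"""
```

Run the check on any report file a build step hands to the agent-side or controller-side parser; for a plugin that cannot be fixed, rejecting such files before parsing is the practical mitigation.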
associated-files
Associated Files Plugin 0.2.1 and earlier does not escape names of associated files.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
As of publication of this advisory, there is no fix. Learn why we announce this.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: