This advisory announces vulnerabilities in the following Jenkins deliverables:
oidc-provider
In OpenID Connect Provider Plugin, claim templates can use environment variables for jobs and builds for dynamic content.
The default claim template for build ID tokens uses the JOB_URL environment variable for the sub (Subject) claim.
In OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables.
When certain other plugins are installed which allow arbitrary environment variables to be overridden (e.g., Environment Injector Plugin), this allows attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services.
In OpenID Connect Provider Plugin 111.v29fd614b_3617 the generation of build ID Tokens ignores environment variables if they have been overridden.
cloudbees-jenkins-advisor
Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses.
Health Advisor by CloudBees Plugin 374.376.v3a_41a_a_142efe escapes responses from the Jenkins Health Advisor server.
vmanager-plugin
Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Cadence vManager Plugin 4.0.1-288.v8804b_ea_a_cb_7f requires POST requests and Item/Configure permission for the affected form validation method.
dingding-notifications
DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks.
As of publication of this advisory, there is no fix. Learn why we announce this.
wso2id-oauth
In WSO2 Oauth Plugin 1.0 and earlier authentication claims are accepted without validation by the "WSO2 Oauth" security realm.
This allows unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.
Sessions created this way do not have any additional authorities, i.e., memberships in groups. Even the "authenticated" group membership is absent. The impact of successfully creating a session this way depends on the authorization strategy and how it is configured. Commonly used authorization strategies behave as described below:
The authorization strategy "Logged-in users can do anything" determines that users who logged in this way are not the anonymous user, and are granted Overall/Administer permission.
The authorization strategy "Role-based strategy" provided by Role-based Authorization Strategy Plugin grants attackers permissions assigned directly to the specified user (or ambiguous permissions applicable to both users and groups). Permissions that would be granted through groups would not be granted.
The authorization strategies "Matrix-based security" and "Project-based Matrix Authorization Strategy" provided by Matrix Authorization Strategy Plugin grant permissions assigned directly to the specified user (or ambiguous permissions applicable to both users and groups, typically predating version 3.0 of the plugin). Permissions that would be granted through groups would not be granted.
As of publication of this advisory, there is no fix. Learn why we announce this.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: