Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0055 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing     Kubernetes application platform solution designed for on-premise or private     cloud deployments.

    This advisory contains the container images for Red Hat OpenShift Container Platform 4.10.3. See the     following advisory for the RPM packages for this release:

    https://access.redhat.com/errata/RHSA-2022:0055

    Space precludes documenting all of the container images in this advisory. See the following Release Notes     documentation, which will be updated shortly for this release, for details about these changes:

    https://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html

    Security Fix(es):

    * Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153     fix (CVE-2014-3577)
    * golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716)
    * jenkins-2-plugins/git: stored XSS vulnerability (CVE-2021-21684)
    * golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717)
    * cri-o: pod with access to 'hostIPC' and 'hostNetwork' kernel namespace allows sysctl from the list of     safe sysctls to be applied to the host (CVE-2022-0532)
    * opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    You may download the oc tool and use it to inspect release image metadata as follows:

    (For x86_64 architecture)

      $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.10.3-x86_64

    The image digest is sha256:7ffe4cd612be27e355a640e5eec5cd8f923c1400d969fd590f806cffdaabcc56

    (For s390x architecture)

      $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.10.3-s390x

    The image digest is sha256:4cf21a9399da1ce8427246f251ae5dedacfc8c746d2345f9cfe039ed9eda3e69

    (For ppc64le architecture)

      $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.10.3-ppc64le

    The image digest is sha256:4ee571da1edf59dfee4473aa4604aba63c224bf8e6bcf57d048305babbbde93c

    All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available     at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.249.x prior to 2.249.33.0.1, 2.277.x prior to 2.277.42.0.1, or 2.x prior to 2.303.2.5. It is, therefore, affected by multiple vulnerabilities, including the following:

  - org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and     HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in     the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows     man-in-the-middle attackers to spoof SSL servers via a 'CN=' string in a field in the distinguished name     (DN) of a certificate, as demonstrated by the 'foo,CN=www.apache.org' string in the O field.
    (CVE-2014-3577)

  - Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a     trailing dot character, potentially replacing the configuration and data of other entities on Windows.
    (CVE-2021-21682)

  - The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files     as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read     permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of     arbitrary files. (CVE-2021-21683)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of the Jenkins Git Plugin running on the remote web server is prior to 4.8.3. It is, therefore, affected by a cross-site scripting vulnerability due to it not escaping the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.303.2 or Jenkins weekly prior to 2.315. It is, therefore, affected by multiple vulnerabilities:

  - Jenkins 2.314 and earlier, LTS 2.303.1 and earlier accepts names of jobs and other entities with a     trailing dot character, potentially replacing the configuration and data of other entities on Windows.
    (CVE-2021-21682)

  - org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and     HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in     the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-     middle attackers to spoof SSL servers via a CN= string in a field in the distinguished name (DN) of a     certificate, as demonstrated by the foo,CN=www.apache.org string in the O field. (CVE-2014-3577)

  - The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files     as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read     permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of     arbitrary files. (CVE-2021-21683)

  - Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit     notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS)     vulnerability. (CVE-2021-21684)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
158870	RHEL 7 / 8 : OpenShift Container Platform 4.10.3 (RHSA-2022:0055)	Nessus	Red Hat Local Security Checks	medium
155661	Jenkins Enterprise and Operations Center < 2.249.33.0.1 / 2.277.42.0.1 / 2.303.2.5 Multiple Vulnerabilities (CloudBees Security Advisory 2021-10-06)	Nessus	CGI abuses	medium
155627	Jenkins Git Plugin < 4.8.3 XSS	Nessus	CGI abuses	medium
154055	Jenkins LTS < 2.303.2 / Jenkins weekly < 2.315 Multiple Vulnerabilities	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2021-21684

medium

Tenable Plugins

medium

medium

medium

medium