Jenkins plugins Multiple Vulnerabilities (2022-11-15)

critical Nessus Plugin ID 179362

Synopsis

An application running on a remote web server host is affected by multiple vulnerabilities

Description

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

- Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks. (CVE-2022-45379)

- Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. (CVE-2022-45380)

- Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is ${prefix:name}, where prefix is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - script - execute expressions using the JVM script execution engine (javax.script) - dns
- resolve dns records - url - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default. (CVE-2022-33980)

- Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system. (CVE-2022-45381)

- Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names. (CVE-2022-45382)

- An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows attackers with Support/DownloadBundle permission to download a previously created support bundle containing information limited to users with Overall/Administer permission. (CVE-2022-45383)

- Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the Jenkins controller file system. (CVE-2022-45384)

- A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. (CVE-2022-45385)

- Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system. (CVE-2022-45392)

- Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.
(CVE-2022-45391)

- Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features. (CVE-2022-38666)

- Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. (CVE-2022-45386)

- Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability. (CVE-2022-45387)

- Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system. (CVE-2022-45388)

- A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository. (CVE-2022-45389)

- A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. (CVE-2022-45390)

- A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows attackers to delete build logs. (CVE-2022-45393)

- A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read permission to delete build logs. (CVE-2022-45394)

- Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. (CVE-2022-45395)

- Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. (CVE-2022-45396)

- Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. (CVE-2022-45397)

- A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. (CVE-2022-45398)

- A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to delete recorded Jenkins Cluster Statistics. (CVE-2022-45399)

- Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. (CVE-2022-45400)

- Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
(CVE-2022-45401)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update Jenkins plugins to the following versions:
- Associated Files Plugin: See vendor advisory
- BART Plugin: See vendor advisory
- CCCC Plugin: See vendor advisory
- CloudBees Docker Hub/Registry Notification Plugin to version 2.6.2.1 or later
- Cluster Statistics Plugin: See vendor advisory
- Config Rotator Plugin: See vendor advisory
- Delete log Plugin: See vendor advisory
- JAPEX Plugin: See vendor advisory
- JUnit Plugin to version 1160.vf1f01a_a_ea_b_7f or later
- loader.io Plugin: See vendor advisory
- Naginator Plugin to version 1.18.2 or later
- NS-ND Integration Performance Publisher Plugin: See vendor advisory
- OSF Builder Suite : : XML Linter Plugin: See vendor advisory
- Pipeline Utility Steps Plugin to version 2.13.2 or later
- Reverse Proxy Auth Plugin to version 1.7.4 or later
- Script Security Plugin to version 1190.v65867a_a_47126 or later
- SourceMonitor Plugin: See vendor advisory
- Support Core Plugin to version 1206.1208.v9b_7a_1d48db_0f or later
- Violations Plugin: See vendor advisory
- XP-Dev Plugin: See vendor advisory

See vendor advisory for more details.

See Also

https://jenkins.io/security/advisory/2022-11-15

Plugin Details

Severity: Critical

ID: 179362

File Name: jenkins_security_advisory_2022-11-15_plugins.nasl

Version: 1.3

Type: combined

Agent: windows, macosx, unix

Family: CGI abuses

Published: 8/4/2023

Updated: 10/3/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-33980

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2022-45400

Vulnerability Information

CPE: cpe:/a:cloudbees:jenkins, cpe:/a:jenkins:jenkins

Required KB Items: installed_sw/Jenkins

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/15/2022

Vulnerability Publication Date: 7/6/2022

Reference Information

CVE: CVE-2022-33980, CVE-2022-38666, CVE-2022-45379, CVE-2022-45380, CVE-2022-45381, CVE-2022-45382, CVE-2022-45383, CVE-2022-45384, CVE-2022-45385, CVE-2022-45386, CVE-2022-45387, CVE-2022-45388, CVE-2022-45389, CVE-2022-45390, CVE-2022-45391, CVE-2022-45392, CVE-2022-45393, CVE-2022-45394, CVE-2022-45395, CVE-2022-45396, CVE-2022-45397, CVE-2022-45398, CVE-2022-45399, CVE-2022-45400, CVE-2022-45401