Jenkins Security Advisory 2021-08-31

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

RCE vulnerability in Code Coverage API Plugin

SECURITY-2376 / CVE-2021-21677
Severity (CVSS): High
Affected plugin: code-coverage-api
Description:

Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.

Code Coverage API Plugin 1.4.1 configures its Java object deserialization to only deserialize safe types.

SAML Plugin allows bypassing CSRF protection for any URL

SECURITY-2469 / CVE-2021-21678
Severity (CVSS): High
Affected plugin: saml
Description:

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. SAML Plugin implements this extension point for the URL that users are redirected to after login.

In SAML Plugin 2.0.7 and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in SAML Plugin 1.1.3.

SAML Plugin 2.0.8 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the one URL that needs it.

Azure AD Plugin allows bypassing CSRF protection for any URL

SECURITY-2470 / CVE-2021-21679
Severity (CVSS): High
Affected plugin: azure-ad
Description:

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Azure AD Plugin implements this extension point for URLs used by a JavaScript component.

In Azure AD Plugin 179.vf6841393099e and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in Azure AD Plugin 164.v5b48baa961d2.

Azure AD Plugin 180.v8b1e80e6f242 no longer allows bypassing CSRF protection for URLs used by the JavaScript component. Instead, that component was reconfigured to pass the expected CSRF token.

XXE vulnerability in Nested View Plugin

SECURITY-2411 / CVE-2021-21680
Severity (CVSS): High
Affected plugin: nested-view
Description:

Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Nested View Plugin 1.21 disables external entity resolution for its XML transformer.

Password stored in plain text by Nomad Plugin

SECURITY-2396 / CVE-2021-21681
Severity (CVSS): Low
Affected plugin: nomad
Description:

Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.

Severity

Affected Versions

  • Azure AD Plugin up to and including 179.vf6841393099e
  • Code Coverage API Plugin up to and including 1.4.0
  • Nested View Plugin up to and including 1.20
  • Nomad Plugin up to and including 0.7.4
  • SAML Plugin up to and including 2.0.7

Fix

  • Azure AD Plugin should be updated to version 180.v8b1e80e6f242
  • Code Coverage API Plugin should be updated to version 1.4.1
  • Nested View Plugin should be updated to version 1.21
  • Nomad Plugin should be updated to version 0.7.5
  • SAML Plugin should be updated to version 2.0.8

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Brian Hysell, Synopsys Software Integrity Group for SECURITY-2411
  • Daniel Beck, CloudBees, Inc. for SECURITY-2469, SECURITY-2470