This advisory announces vulnerabilities in the following Jenkins deliverables:
script-security
,
workflow-cps
Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.
Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin:
In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).
In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403).
In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the 2020-03-09 security advisory) (CVE-2022-43404).
These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
These vulnerabilities have been fixed:
Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).
Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403).
Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404).
Both plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change. |
pipeline-groovy-lib
,
workflow-cps-global-lib
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin (formerly Pipeline: Shared Groovy Libraries Plugin) define the library
Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries.
The return value of this step can be used to instantiate classes defined in the loaded library.
In Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier and in Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier, the library
step can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type.
This is similar to SECURITY-582 in the 2017-08-07 security advisory, but in a different plugin.
This vulnerability allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Pipeline: Groovy Libraries Plugin 613.v9c41a_160233f rejects improper calls to sandbox-generated synthetic constructors when using the library
step.
Pipeline: Deprecated Groovy Libraries Plugin 588.v576c103a_ff86 no longer contains the library
step.
It has been moved into the Pipeline: Groovy Libraries Plugin.
pipeline-input-step
Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the input
step.
This ID is used for the URLs that process user interactions for the given input
step (proceed or abort) and is not correctly encoded.
This allows attackers able to configure Pipelines to have Jenkins build URLs from input
step IDs that would bypass the CSRF protection of any target URL in Jenkins when the input
step is interacted with.
Pipeline: Input Step Plugin 456.vd8a_957db_5b_e9 limits the characters that can be used for the ID of input
steps in Pipelines to alphanumeric characters and URL-safe punctuation.
Pipelines with input
steps having IDs with prohibited characters will fail with an error.
This includes Pipelines that have already been started but not finished before Jenkins is restarted to apply this update. |
Pipeline: Declarative Plugin provides an input directive that is internally using the input step, and specifies a non-default ID if not user-defined.
Pipeline: Declarative Plugin 2.2114.v2654ca_721309 and earlier may specify values incompatible with this new restriction on legal values:
input directives in a stage use the stage name (which may include prohibited characters) and input directives in a matrix will use a value generated from the matrix axis values (which always includes prohibited characters).
Administrators are advised to update Pipeline: Input Step Plugin and Pipeline: Declarative Plugin at the same time, ideally while no Pipelines are running.
|
pipeline-stage-view
Pipeline: Stage View Plugin provides a visualization of Pipeline builds.
It also allows users to interact with input
steps from Pipeline: Input Step Plugin.
Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of input
steps when using it to generate URLs to proceed or abort Pipeline builds.
This allows attackers able to configure Pipelines to specify input
step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.
Pipeline: Stage View Plugin 2.27 correctly encodes the ID of input
steps when using it to generate URLs to proceed or abort Pipeline builds.
This vulnerability is only exploitable with Pipeline: Input Step Plugin 451.vf1a_a_4f405289 or older due to the fix for SECURITY-2880. |
workflow-support
Pipeline: Supporting APIs Plugin provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it.
Pipeline: Supporting APIs Plugin 838.va_3a_087b_4055b and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Pipelines.
Pipeline: Supporting APIs Plugin 839.v35e2736cfd5c properly encodes URLs of these hyperlinks in build logs.
mercurial
Mercurial Plugin provides a webhook endpoint at /mercurial/notifyCommit
that can be used to notify Jenkins of changes to an SCM repository.
This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository.
It can be accessed with GET requests and without authentication.
In Mercurial Plugin 1251.va_b_121f184902 and earlier, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Mercurial repository URLs to obtain information about the existence of jobs configured with this Mercurial repository.
Mercurial Plugin 1260.vdfb_723cdcc81 does not provide the names of jobs for which polling is triggered unless the user has the appropriate Item/Read permission.
gitlab-plugin
GitLab Plugin 1.5.35 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
GitLab Plugin 1.5.36 uses a constant-time comparison when validating the webhook token.
generic-webhook-trigger
Generic Webhook Trigger Plugin 1.84.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
Generic Webhook Trigger Plugin 1.84.2 uses a constant-time comparison when validating the webhook token.
job-import-plugin
Job Import Plugin 3.5 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of credentials IDs in Job Import Plugin 3.6 requires Job Import/Import Jobs permission.
nunit
NUnit Plugin 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results.
This allows attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller.
NUnit Plugin 0.28 changes the message type from agent-to-controller to controller-to-agent, preventing execution on the controller.
repo
REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control which repo
binary is executed on agents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
REPO Plugin 1.16.0 disables external entity resolution for its XML parser.
katalon
Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments.
It allows attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments. Attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) can invoke arbitrary OS commands.
This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide. |
Katalon Plugin 1.0.33 changes the message type to controller-to-agent, preventing execution on the controller.
katalon
Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Katalon Plugin 1.0.33 properly performs permission checks when accessing the affected HTTP endpoints.
katalon
Katalon Plugin 1.0.33 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Katalon Plugin 1.0.34 requires POST requests for the affected HTTP endpoints.
katalon
Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml
files on the Jenkins controller as part of its configuration.
These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Katalon Plugin 1.0.33 no longer stores the API keys directly, instead accessing them through its Credentials Plugin integration, once affected job configurations are saved again.
contrast-continuous-application-security
Contrast Continuous Application Security Plugin 3.9 and earlier does not escape data returned from the Contrast service when generating a report.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control or modify Contrast service API responses.
Contrast Continuous Application Security Plugin 3.10 escapes the affected data.
tuleap-git-branch-source
Tuleap Git Branch Source Plugin provides a webhook endpoint at /tuleap-hook/
that can be used to trigger Tuleap projects configured with a specified repository.
In Tuleap Git Branch Source Plugin 3.2.4 and earlier, this endpoint can be accessed without authentication.
This allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value.
Tuleap Git Branch Source Plugin 3.2.5 requires a token to access the webhook endpoint.
compuware-topaz-utilities
compuware-topaz-utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed.
It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide. |
compuware-topaz-utilities Plugin 1.0.9 restricts execution of the agent/controller message to agents.
compuware-scm-downloader
compuware-scm-downloader Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed.
It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide. |
compuware-scm-downloader Plugin 2.0.13 restricts execution of the agent/controller message to agents.
compuware-xpediter-code-coverage
compuware-xpediter-code-coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed.
It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.
This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide. |
compuware-xpediter-code-coverage Plugin 1.0.8 restricts execution of the agent/controller message to agents.
custom-checkbox-parameter
Custom Checkbox Parameter Plugin 1.4 and earlier does not escape the name and description of the parameter types it provides.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Exploitation of this vulnerability requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, several plugins have previously been updated to list parameters in a way that prevents exploitation by default, see SECURITY-2617 in the 2022-04-12 security advisory for a list.
As of publication of this advisory, there is no fix. Learn why we announce this.
s3explorer
S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration file s3explorer.xml
on the Jenkins controller as part of its configuration.
While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and earlier the global configuration form does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.
As of publication of this advisory, there is no fix. Learn why we announce this.
compuware-topaz-for-total-test
compuware-topaz-for-total-test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
compuware-topaz-for-total-test
compuware-topaz-for-total-test Plugin 2.4.8 and earlier implements two agent/controller messages that do not limit where they can be executed.
RemoteSystemProperties
allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process (CVE-2022-43428).
GetRemoteUTF8FileContents
allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system (CVE-2022-43429).
These vulnerabilities are only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide. |
As of publication of this advisory, there is no fix. Learn why we announce this.
compuware-topaz-for-total-test
compuware-topaz-for-total-test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix. Learn why we announce this.
compuware-strobe-measurement
compuware-strobe-measurement Plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
As of publication of this advisory, there is no fix. Learn why we announce this.
xframium
Jenkins sets the Content-Security-Policy
header to static files served by Jenkins (specifically DirectoryBrowserSupport
), such as workspaces, /userContent
, or archived artifacts, unless a Resource Root URL is specified.
XFramium Builder Plugin 1.0.22 and earlier globally disables the Content-Security-Policy
header for static files served by Jenkins as soon as it is loaded.
This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are unaffected. |
As of publication of this advisory, there is no fix. Learn why we announce this.
screenrecorder
Jenkins sets the Content-Security-Policy
header to static files served by Jenkins (specifically DirectoryBrowserSupport
), such as workspaces, /userContent
, or archived artifacts, unless a Resource Root URL is specified.
ScreenRecorder Plugin 0.7 and earlier programmatically updates the Java system property allowing administrators to customize the Content-Security-Policy
header for static files served by Jenkins to include media-src: 'self'
.
On a Jenkins instance with default configuration, this effectively disables all other directives in the default rule set, including script-src
.
This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are unaffected. |
As of publication of this advisory, there is no fix. Learn why we announce this.
neuvector-vulnerability-scanner
Jenkins sets the Content-Security-Policy
header to static files served by Jenkins (specifically DirectoryBrowserSupport
), such as workspaces, /userContent
, or archived artifacts, unless a Resource Root URL is specified.
NeuVector Vulnerability Scanner Plugin 1.20 and earlier globally disables the Content-Security-Policy
header for static files served by Jenkins whenever the 'NeuVector Vulnerability Scanner' build step is executed.
This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are unaffected. |
As of publication of this advisory, there is no fix. Learn why we announce this.
fireline
Jenkins sets the Content-Security-Policy
header to static files served by Jenkins (specifically DirectoryBrowserSupport
), such as workspaces, /userContent
, or archived artifacts, unless a Resource Root URL is specified.
360 FireLine Plugin 1.7.2 and earlier globally disables the Content-Security-Policy
header for static files served by Jenkins whenever the 'Execute FireLine' build step is executed, if the option 'Open access to HTML with JS or CSS' is checked.
This allows cross-site scripting (XSS) attacks by users with the ability to control files in workspaces, archived artifacts, etc.
Jenkins instances with Resource Root URL configured are unaffected. |
As of publication of this advisory, there is no fix. Learn why we announce this.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: