Jenkins Security Advisory: XXE and Plaintext Password Vulnerabilities in Plugins

Jenkins Security Advisory 2023-07-12 Vulnerabilities Announced The following Jenkins deliverables have vulnerabilities: Active Directory Plugin Assembla Auth Plugin Benchmark Evaluator Plugin Datadog Plugin ElasticBox CI Plugin External Monitor Job Type Plugin mabl Plugin MathWorks Polyspace Plugin OpenShift Login Plugin Oracle Cloud Infrastructure Compute Plugin Orka by MacStadium Plugin Pipeline restFul API Plugin Rebuilder Plugin SAML Single Sign On(SSO) Plugin Sumologic Publisher Plugin Test Results Aggregator Plugin Descriptions XXE Vulnerability in External Monitor Job Type Plugin SEVERITY-3133 / CVE-2023-37942 Severity (CVSS): High Affected Plugin: external-monitor-job Description: External Monitor Job Type Plugin v206.v9a_94f0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. Password Transmitted in Plain Text by Active Directory Plugin SEVERITY-3059 / CVE-2023-37943 Severity (CVSS): Low Affected Plugin: active-directory Description: Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain"). Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTLS" options and always performs the connection test to Active Directory unencrypted. This allows attackers to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials. Severity SECURITY-2988: Medium SECURITY-2998: High SECURITY-2999: Medium SECURITY-3033: Medium SECURITY-3044: Medium SECURITY-3059: Low SECURITY-3117: Medium SECURITY-3119: Medium SECURITY-3122: Medium SECURITY-3124: Medium SECURITY-3127: High SECURITY-3128: Medium SECURITY-3130: Medium SECURITY-3131: Medium SECURITY-3133: High SECURITY-3137 (1): Medium SECURITY-3137 (2): Medium SECURITY-3164: Medium Affected Versions Active Directory Plugin up to and including 2.30 Assembla Auth Plugin up to and including 1.14 Benchmark Evaluator Plugin up to and including 1.0.1 Datadog Plugin up to and including 5.4.1 ElasticBox CI Plugin up to and including 5.0.1 External Monitor Job Type Plugin up to and including 206.v9a_94f0b_4a_10 MathWorks Polyspace Plugin up to and including 1.0.5 OpenShift Login Plugin up to and including 1.1.0.227.v27e08dfb_1a_20 Oracle Cloud Infrastructure Compute Plugin up to and including 1.0.16 Orka by MacStadium Plugin up to and including 1.33 Pipeline restFul API Plugin up to and including 0.11 Rebuilder Plugin up to and including 320.v5a_0933a_e7d61 SAML Single Sign On(SSO) Plugin up to and including 2.3.0 Sumologic Publisher Plugin up to and including 2.2.1 Test Results Aggregator Plugin up to and including 1.2.13 Fix Active Directory Plugin should be updated to version 2.30.1 Datadog Plugin should be updated to version 5.4.2 ElasticBox CI Plugin should be updated to version 5.0.2 External Monitor Job Type Plugin should be updated to version 207.v98a_a_37a_85525 mabl Plugin should be updated to version 0.0.47 MathWorks Polyspace Plugin should be updated to version 1.1.0 OpenShift Login Plugin should be updated to version 1.1.0.230.v5d7030b_f5432 Oracle Cloud Infrastructure Compute Plugin should be updated to version 1.0.17 Orka by MacStadium Plugin should be updated to version 1.34 Pipeline restFul API Plugin should be updated to version 0.12 Rebuilder Plugin should be updated to version 321.v5a_0933a_e7d61 SAML Single Sign On(SSO) Plugin should be updated to version 2.3.1 Sumologic Publisher Plugin should be updated to version 2.2.2 Test Results Aggregator Plugin should be updated to version 1.2.14 Credit The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: Alvaro Muñoz (@pwnjtester), GitHub Security Lab for SECURITY-3119, SECURITY-3126, SECURITY-3127, SECURITY-3128, SECURITY-3130, SECURITY-3131 GitLab, Inc. for SECURITY-3164

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: XXE and Plaintext Password Vulnerabilities in Plugins