A recent security advisory from Jenkins reported that they had fixed 24 vulnerabilities affecting multiple Jenkins plugins.
This Flaw includes 5 High, 18 Medium, and 1 Low severity vulnerabilities.
Patches have been released for some of the affected plugins, while others are still under development.
Affected Plugins and their Versions
The list of affected Jenkins plugins includes,
- Active Directory Plugin up to and including 2.30
- Assembla Auth Plugin up to and including 1.14
- Benchmark Evaluator Plugin up to and including 1.0.1
- Datadog Plugin up to and including 5.4.1
- ElasticBox CI Plugin up to and including 5.0.1
- External Monitor Job Type Plugin up to and including 206.v9a_94ff0b_4a_10
- mabl Plugin up to and including 0.0.46
- MathWorks Polyspace Plugin up to and including 1.0.5
- OpenShift Login Plugin up to and including 1.1.0.227.v27e08dfb_1a_20
- Oracle Cloud Infrastructure Compute Plugin up to and including 1.0.16
- Orka by MacStadium Plugin up to and including 1.33
- Pipeline restFul API Plugin up to and including 0.11
- Rebuilder Plugin up to and including 320.v5a_0933a_e7d61
- SAML Single Sign On(SSO) Plugin up to and including 2.3.0
- Sumologic Publisher Plugin up to and including 2.2.1
- Test Results Aggregator Plugin up to and including 1.2.13
CVE(s):
The list of CVEs, severity, and their related affected plugin are as mentioned below,
CVE ID | Severity | Description | Affected Plugin |
CVE-2023-37946 | High | Session fixation vulnerability in OpenShift Login Plugin | OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier |
CVE-2023-37957 | High | CSRF vulnerability in Pipeline restFul API Plugin | Pipeline restFul API Plugin 0.11 and earlier |
CVE-2023-37952, CVE-2023-37953 | High | CSRF vulnerability and missing permission checks in mabl Plugin allow capturing credentials | mabl Plugin 0.0.46 and earlier |
CVE-2023-37942 | High | XXE vulnerability in External Monitor Job Type Plugin | External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier |
CVE-2023-37961 | Medium | CSRF vulnerability in Assembla Auth Plugin | Assembla Auth Plugin 1.14 and earlier |
CVE-2023-37947 | Medium | Open redirect vulnerability in OpenShift Login Plugin | OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432 and earlier |
CVE-2023-37954 | Medium | CSRF vulnerability in Rebuilder Plugin | Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier |
CVE-2023-37948 | Medium | Missing SSH host key validation in Oracle Cloud Infrastructure Compute Plugin | Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier |
CVE-2023-37958, CVE-2023-37959 | Medium | CSRF vulnerability and missing permission checks in Sumologic Publisher Plugin | Sumologic Publisher Plugin 2.2.1 and earlier |
CVE-2023-37962, CVE-2023-37963 | Medium | CSRF vulnerability and missing permission checks in Benchmark Evaluator Plugin | Benchmark Evaluator Plugin 1.0.1 and earlier |
CVE-2023-37955, CVE-2023-37956 | Medium | CSRF vulnerability and missing permission check in Test Results Aggregator Plugin | Test Results Aggregator Plugin 1.2.13 and earlier |
CVE-2023-37960 | Medium | Arbitrary file read vulnerability in MathWorks Polyspace Plugin | MathWorks Polyspace Plugin 1.0.5 and earlier |
CVE-2023-37949 | Medium | Missing permission check in Orka by MacStadium Plugin allows capturing credentials | Orka by MacStadium Plugin 1.33 and earlier |
CVE-2023-37944 | Medium | Missing permission check in Datadog Plugin allows capturing credentials | Datadog Plugin 5.4.1 and earlier |
CVE-2023-37964, CVE-2023-37965 | Medium | CSRF vulnerability and missing permission checks in ElasticBox CI Plugin allow capturing credentials | ElasticBox CI Plugin 5.0.1 and earlier |
CVE-2023-37950 | Medium | Missing permission check in mabl Plugin allows enumerating credentials IDs | mabl Plugin 0.0.46 and earlier |
CVE-2023-37951 | Medium | Exposure of system-scoped credentials in mabl Plugin | mabl Plugin 0.0.46 and earlier |
CVE-2023-37945 | Medium | Missing permission check in SAML Single Sign On(SSO) Plugin | SAML Single Sign On(SSO) Plugin 2.3.0 and earlier |
CVE-2023-37943 | Low | Password transmitted in plain text by Active Directory Plugin | Active Directory Plugin 2.30.1 and earlier |
High Severity Vulnerabilities
CVE-2023-37946: Session Fixation Vulnerability
This vulnerability exists due to improper session management in the OpenShift Login Plugin due to which previous sessions are not invalidated. This can allow threat actors to gain administrator access with social engineering techniques.
The CVSS Score for this vulnerability is yet to be confirmed.
CVE-2023-37957: CSRF vulnerability in Pipeline
This vulnerability exists due to the lack of POST requests to an HTTP endpoint which results in Cross-Site Request Forgery (CSRF).
An attacker can connect to Jenkins with an attacker-specified URL resulting in the impersonation of a victim with a newly generated JCLI token. The CVSS Score for this vulnerability is yet to be confirmed.
CVE-2023-37952, CVE-2023-37953: CSRF Vulnerability and Missing Permission
A vulnerability exists as several HTTP endpoints do not perform permission checks which allows threat actors to obtain the connection to Jenkins with Overall/Read permissions through attacker-specified URL and credential IDs collected with another method.
In addition to this, these endpoints do not require POST requests which result in Cross-Site Request Forgery. The CVSS Score for these vulnerabilities is yet to be confirmed.
CVE-2023-37942: XXE vulnerability in External Monitor
This vulnerability exists due to the misconfiguration of the XML parser, which prevents External XML Entity (XXE) attacks.
This allows threat actors to parse a crafted HTTP request with XML data that results in the extraction of sensitive information from Jenkins Controller or Server-Side Request Forgery (SSRF).
The CVSS Score for this vulnerability is yet to be confirmed.
Fixed Plugins
Jenkins has fixed some of the affected plugins, which include,
- Active Directory Plugin should be updated to version 2.30.1
- Datadog Plugin should be updated to version 5.4.2
- External Monitor Job Type Plugin should be updated to version 207.v98a_a_37a_85525
- mabl Plugin should be updated to version 0.0.47
- OpenShift Login Plugin should be updated to version 1.1.0.230.v5d7030b_f5432
- Oracle Cloud Infrastructure Compute Plugin should be updated to version 1.0.17
- Orka by MacStadium Plugin should be updated to version 1.34
- SAML Single Sign On(SSO) Plugin should be updated to version 2.3.1
Unfixed Plugins
The plugins for which fixes are not available include,
- Assembla Auth Plugin
- Benchmark Evaluator Plugin
- ElasticBox CI Plugin
- MathWorks Polyspace Plugin
- Pipeline restFul API Plugin
- Rebuilder Plugin
- Sumologic Publisher Plugin
- Test Results Aggregator Plugin
Users of these Jenkins plugins are advised to upgrade to the latest versions to avoid unauthorized access to systems. Other plugins are still being fixed, and patches are yet to be made available.
More details about all these vulnerabilities can be found on the Jenkins Security Advisory Page.