Jenkins Security Advisory 2021-02-24

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Stored XSS vulnerability in Active Choices Plugin

SECURITY-2192 / CVE-2021-21616

Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5.3 escapes reference parameter values.

CSRF vulnerability in Configuration Slicing Plugin

SECURITY-2003 / CVE-2021-21617

Configuration Slicing Plugin 1.51 and earlier does not require POST requests for the form submission endpoint reconfiguring slices, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to apply different slice configurations to attacker-specified jobs.

Configuration Slicing Plugin 1.52 requires POST requests for the affected HTTP endpoint.

Stored XSS vulnerability in Repository Connector Plugin

SECURITY-2183 / CVE-2021-21618

Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

Repository Connector Plugin 2.0.3 escapes parameter names and descriptions when creating new parameters.

XSS vulnerability in Claim Plugin

SECURITY-2188 (1) / CVE-2021-21619

Claim Plugin 2.18.1 and earlier does not escape the user display name shown in claims.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.

Note
Everyone with a Jenkins account can change their own display name.

Claim Plugin 2.18.2 escapes the user display name shown in claims.

CSRF vulnerability in Claim Plugin

SECURITY-2188 (2) / CVE-2021-21620

Claim Plugin 2.18.1 and earlier does not require POST requests for the form submission endpoint assigning claims, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to change claims.

Claim Plugin 2.18.2 requires POST requests for the affected HTTP endpoint.

Support bundles can include user session IDs in Support Core Plugin

SECURITY-2150 / CVE-2021-21621

Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information (user.md).

In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle.

Support Core Plugin 2.72.1 no longer provides the serialized user authentication as part of the "About user (basic authentication details only)" information.

As a workaround, deselecting "About user (basic authentication details only)" before creating a support bundle will exclude the affected information from the bundle.

Stored XSS vulnerability in Artifact Repository Parameter Plugin

SECURITY-2168 / CVE-2021-21622

Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Artifact Repository Parameter Plugin 1.0.1 escapes parameter names and descriptions.

Severity

Affected Versions

  • Active Choices Plugin up to and including 2.5.2
  • Artifact Repository Parameter Plugin up to and including 1.0.0
  • Claim Plugin up to and including 2.18.1
  • Configuration Slicing Plugin up to and including 1.51
  • Repository Connector Plugin up to and including 2.0.2
  • Support Core Plugin up to and including 2.72

Fix

  • Active Choices Plugin should be updated to version 2.5.3
  • Artifact Repository Parameter Plugin should be updated to version 1.0.1
  • Claim Plugin should be updated to version 2.18.2
  • Configuration Slicing Plugin should be updated to version 1.52
  • Repository Connector Plugin should be updated to version 2.0.3
  • Support Core Plugin should be updated to version 2.72.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. and Matt Sicker, CloudBees, Inc. for SECURITY-2003
  • Son Nguyen (@s0nnguy3n_) for SECURITY-2168, SECURITY-2183
  • Wadeck Follonier, CloudBees, Inc. for SECURITY-2150, SECURITY-2188 (1), SECURITY-2188 (2), SECURITY-2192