This advisory announces vulnerabilities in the following Jenkins deliverables:
Config File Provider Plugin 3.7.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Config File Provider Plugin 3.7.1 disables external entity resolution for its XML parser.
Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.
An enumeration of system-scoped credentials IDs in Config File Provider Plugin 3.7.1 requires Overall/Administer permission.
Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID.
This is due to an incomplete fix of SECURITY-938.
Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.
Config File Provider Plugin 3.7.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to enumerate configuration file IDs.
An enumeration of configuration file IDs in Config File Provider Plugin 3.7.1 requires the appropriate permissions.
Templating Engine Plugin 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin.
This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM.
Templating Engine Plugin 2.2 integrates with Script Security Plugin to protect its pipeline configurations.
CloudBees CD Plugin 1.1.21 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Item/Read permission to schedule builds of projects without having Item/Build permission.
CloudBees CD Plugin 1.1.22 requires Item/Build permission to schedule builds via its HTTP endpoint.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: