Jenkins Security Advisory 2024-05-24

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Stored XSS vulnerability in Team Concert Git Plugin

SECURITY-3250 / CVE-2024-28793
Severity (CVSS): High
Affected plugin: teamconcert-git
Description:

Team Concert Git Plugin 2.0.4 and earlier does not escape the Rational Team Concert (RTC) server URI on the build page when showing changes.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

Team Concert Git Plugin 2.0.5 escapes the Rational Team Concert (RTC) server URI on the build page when showing changes.

XXE vulnerabilities in OpenText Application Automation Tools Plugin

SECURITY-3278 / CVE-2024-4189 (LrScriptResultsParser.java), CVE-2024-4184 (XpathReader.java), CVE-2024-4690 (others)
Severity (CVSS): High
Affected plugin: hp-application-automation-tools-plugin
Description:

OpenText Application Automation Tools Plugin 24.1.0 and earlier does not configure its XML parsers to prevent XML external entity (XXE) attacks.

This allows attackers able to control the input files for OpenText Application Automation Tools Plugin build steps and post-build steps to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

OpenText Application Automation Tools Plugin 24.1.1-beta disables external entity resolution for its XML parsers.

The fix is currently available only as a beta release. Beta releases will not appear in the regular update center but can be found in the experimental update center. For more information on how to install a beta release, see this documentation.

Missing permission checks in OpenText Application Automation Tools Plugin

SECURITY-3277 / CVE-2024-4211 (ALM jobs configurations), CVE-2024-4691 (ALM Octane configurations), CVE-2024-4692 (Service Virtualization configurations)
Severity (CVSS): Medium
Affected plugin: hp-application-automation-tools-plugin
Description:

OpenText Application Automation Tools Plugin 24.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations.

OpenText Application Automation Tools Plugin 24.1.1-beta requires Item/Configure permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations.

The fix is currently available only as a beta release. Beta releases will not appear in the regular update center but can be found in the experimental update center. For more information on how to install a beta release, see this documentation.

Path traversal vulnerability in Report Info Plugin

SECURITY-3070 / CVE-2024-5273
Severity (CVSS): Medium
Affected plugin: report-info
Description:

Report Info Plugin 1.2 and earlier does not perform path validation of the workspace directory while serving report files.

Additionally, Report Info Plugin does not support distributed builds.

This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors on the controller file system by editing the workspace path.

As of publication of this advisory, there is no fix. Learn why we announce this.

Severity

Affected Versions

  • OpenText Application Automation Tools Plugin up to and including 24.1.0
  • Report Info Plugin up to and including 1.2
  • Team Concert Git Plugin up to and including 2.0.4

Fix

  • OpenText Application Automation Tools Plugin should be updated to version 24.1.1-beta
  • Team Concert Git Plugin should be updated to version 2.0.5

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Report Info Plugin

Learn why we announce these issues.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-3070
  • Yaroslav Afenkin, CloudBees, Inc. for SECURITY-3250, SECURITY-3277, SECURITY-3278