-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
85 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| --- | ||
| layout: advisory | ||
| title: Jenkins Security Advisory 2024-05-24 | ||
| kind: plugins | ||
| issues: | ||
| - id: SECURITY-3250 | ||
| reporter: Yaroslav Afenkin, CloudBees, Inc. | ||
| title: Stored XSS vulnerability in PLUGIN_NAME | ||
| cve: CVE-2024-28793 | ||
| cvss: | ||
| severity: High | ||
| vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | ||
| description: |- | ||
| PLUGIN_NAME 2.0.4 and earlier does not escape the Rational Team Concert (RTC) server URI on the build page when showing changes. | ||
|
|
||
| This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. | ||
|
|
||
| PLUGIN_NAME 2.0.5 escapes the Rational Team Concert (RTC) server URI on the build page when showing changes. | ||
| plugins: | ||
| - name: teamconcert-git | ||
| previous: 2.0.4 | ||
| fixed: 2.0.5 | ||
| - id: SECURITY-3278 | ||
| reporter: Yaroslav Afenkin, CloudBees, Inc. | ||
| title: XXE vulnerabilities in PLUGIN_NAME | ||
| cve: CVE-2024-4189 (LrScriptResultsParser.java), CVE-2024-4184 (XpathReader.java), | ||
| CVE-2024-4690 (others) | ||
| cvss: | ||
| severity: High | ||
| vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N | ||
| description: |- | ||
| PLUGIN_NAME 24.1.0 and earlier does not configure its XML parsers to prevent XML external entity (XXE) attacks. | ||
|
|
||
| This allows attackers able to control the input files for PLUGIN_NAME build steps and post-build steps to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. | ||
|
|
||
| PLUGIN_NAME 24.1.1-beta disables external entity resolution for its XML parsers. | ||
|
|
||
| NOTE: The fix is currently available only as a beta release. | ||
| Beta releases will not appear in the regular update center but can be found in the experimental update center. | ||
| For more information on how to install a beta release, see this link:/doc/developer/publishing/releasing-experimental-updates/#using-the-experimental-update-center[documentation]. | ||
| plugins: | ||
| - name: hp-application-automation-tools-plugin | ||
| previous: 24.1.0 | ||
| fixed: 24.1.1-beta | ||
| - id: SECURITY-3277 | ||
| reporter: Yaroslav Afenkin, CloudBees, Inc. | ||
| title: Missing permission checks in PLUGIN_NAME | ||
| cve: CVE-2024-4211 (ALM jobs configurations), CVE-2024-4691 (ALM Octane configurations), | ||
| CVE-2024-4692 (Service Virtualization configurations) | ||
| cvss: | ||
| severity: Medium | ||
| vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | ||
| description: |- | ||
| PLUGIN_NAME 24.1.0 and earlier does not perform permission checks in several HTTP endpoints. | ||
|
|
||
| This allows attackers with Overall/Read permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations. | ||
|
|
||
| PLUGIN_NAME 24.1.1-beta requires Item/Configure permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations. | ||
|
|
||
| NOTE: The fix is currently available only as a beta release. | ||
| Beta releases will not appear in the regular update center but can be found in the experimental update center. | ||
| For more information on how to install a beta release, see this link:/doc/developer/publishing/releasing-experimental-updates/#using-the-experimental-update-center[documentation]. | ||
| plugins: | ||
| - name: hp-application-automation-tools-plugin | ||
| previous: 24.1.0 | ||
| fixed: 24.1.1-beta | ||
| - id: SECURITY-3070 | ||
| reporter: Daniel Beck, CloudBees, Inc. | ||
| title: Path traversal vulnerability in PLUGIN_NAME | ||
| cve: CVE-2024-5273 | ||
| cvss: | ||
| severity: Medium | ||
| vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | ||
| description: |- | ||
| PLUGIN_NAME 1.2 and earlier does not perform path validation of the workspace directory while serving report files. | ||
|
|
||
| Additionally, PLUGIN_NAME does not support distributed builds. | ||
|
|
||
| This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors on the controller file system by editing the workspace path. | ||
|
|
||
| As of publication of this advisory, there is no fix. | ||
| link:/security/plugins/#unresolved[Learn why we announce this.] | ||
| plugins: | ||
| - name: report-info | ||
| previous: '1.2' |