Introducing Qwiet AI AutoFix! Reduce the time to secure code by 95% Read More

At the end of August 2023, Jenkins announced it experienced 79% growth between June 2021 and June 2023. With an estimated 44% market share, Jenkins is a critical technology automating CI/CD pipelines. 

As a technology pervasive across the developer community, the Jenkins vulnerabilities announced on August 6, 2023, will likely attract attackers seeking to infiltrate the software supply chain. Problematically, since these vulnerabilities are in plugins, the various third-parties are primarily responsible for providing security updates. 

What are the affected Jenkins plug-ins?

According to the announcement, the following technologies have vulnerabilities associated with them:

  • Assembla Auth Plugin: Enables OAuth authentication for Assembla users 
  • AWS CodeCmmit Trigger Plugin: Triggers jobs on repo update events by AWS CodeCommit through SQS and SNS
  • Azure AD Plugin: Enables Azure Active Directory (Azure AD) authentication and authorization
  • Bitbucket Push and Pull Request Plugin: Triggers builds on Bitbucket’s push and pull requests events
  • Frugal Testing Plugin: Allows running automatic load test scripts 
  • Google Login Plugin: Enables Jenkins login using a Google account
  • Ivy Plugin: Configures build to trigger other builds based on dependency configuration via Apache Ivy
  • Job Configuration History Plugin: saves copies of all job and system configurations
  • Pipeline Maven Integration Plugin: Provides an advanced set of features that simplify Pipeline script creation when using Apache Maven
  • Qualys Container Scanning Connector Plugin: Enables container images assessment in existing CI/CD processes
  • SSH2 Easy Plugin: Enables remote execution of Linux commands, shell, and SFTP upload/download with SSH2 remote server
  • TAP Plugin: Supports Test Anything Protocol (TAP) test result files to Jenkins

 

High Severity Vulnerabilities

The security advisory lists five high-severity vulnerabilities. Two of these vulnerabilities did not have fixes available when Jenkins published its announcement. 

IVY Plugin – No Current Fix as of 9/6/23

2.5 and earlier bundles versions of Apache Ivy contain CVE-2022-46751, which allows attackers to control the input file for a post-build step to have Jenkins parse a crafted XML document that uses external entities for extracting secrets from the Jenkins controller or server-side request forgery.

TAP Plugin – No Current Fix as of 9/6/23

2.3 and earlier contain CVE-2023-41940, failing to escape TAP file contents and resulting in stored XSS vulnerability attackers can exploit. 

Job Configuration History Plugin – Remediation Available

This plugin has two High severity CVEs:

  • CVE-2023-41930 (path traversal)/CVE-2023-41931 (XSS): 1227.v7a_79fc4dc01f and earlier fail to restrict the name query parameter when rendering a history entry that, when combined with the exploitable cross-site scripting (XSS) vulnerability enables
  • CVE-2023-41932 (path traversal)/CVE-2023-41933 (XXE): 1227.v7a_79fc4dc01f and earlier fails to restrict the timestamp query parameters and when combined with the failure to configure XML parser attackers can exploit these to extract secrets. 

According to the Jenkins security advisory, Job Configuration History Plugin 1229.v3039470161a_d remediates these vulnerabilities. 

Qualys Container Scanning Connector Plugin – Remediation Available

This vulnerability has a CVE pending.

1.6.2.6 and earlier fail to perform a correct permission check that attackers can exploit to:

  • Enumerate credentials IDs of credentials stored in Jenkins
  • Connect to attacker-specified web server using attacker-specified credentials

According to the Jenkins security advisory, Qualys Container Scanning Connector Plugin 1.6.2.7 remediates this vulnerability.

 

Medium Severity Vulnerabilities

The security advisory lists eleven medium-severity vulnerabilities. Eight of these vulnerabilities did not have fixes available when Jenkins published its announcement.

AWS CodeCommit Trigger Plugin – No Current Fix as of 9/6/23

3.0.12 and earlier contain the following vulnerabilities:

  • CVE-2023-41941: fails to perform permission check in an HTTP endpoint, meaning attackers can exploit this to enumerate credentials IDs of AWS credentials stored in Jenkins and used in attacks exploiting other vulnerabilities
  • CVE-2023-41942 (CSRF), CVE-2023-41943 (permission check): fails to perform  permission check in an HTTP endpoint, meaning attackers can exploit this to clear the SQS queue, and fails to require POST requests, resulting in CSRF vulnerability
  • CVE-2023-41944: fails to escape the queue name parameter passed to a form validation URL when rendering an error message, resulting in an HTML injection vulnerability 

Regarding CVE-2023-41944, the security advisory notes that Jenkins 2.275 and LTS 2.263.2 contain a security hardening for form validation responses that prevent JavaScript execution.

Assembla Auth Plugin – No Current Fix as of 9/6/23

1.14 and earlier contain CVE-2023-41945, failing to verify permissions granted are enabled, which means users with EDIT permissions also gain Overall/Manage and Overall/SystemRead permissions.

Jenkins also notes that the plugin grants the following deprecated permissions to users with EDIT access that allow arbitrary code execution in Jenkins before 2.222:

  • Overall/RunScripts 
  • Overall/UploadPlugins 
  • Overall/ConfigureUpdateCenter

Frugal Testing Plugin – No Current Fix as of 9/6/23

1.1 and earlier contain CVE-2023-41946 (CSRF)/CVE-2023-41947 (permission check), failing to perform permission checks in several HTTP endpoints that attackers can exploit to:

  • Connect to Frugal Testing using attacker-specified credentials
  • Retrieve test IDs and names from Frugal Testing if valid credentials correspond to the attacker-specified username

Endpoint failure to require POST requests results in CSRF vulnerability. 

Ivy Plugin – No Current Fix as of 9/6/23

2.5 and earlier contain CVE-2023-41938, meaning they fail to require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability that attackers can exploit to delete disabled modules. 

SSH2 Easy Plugin – Remediation Available

1.4 and earlier contain CVE-2023-41939, failing to verify that permissions configured to be granted are enabled, which means users may have excess access. 

SSH2 Easy Plugin 1.6 removes the affected features without replacement.

Pipeline Maven – Remediation Available

1330.v18e473854496 and earlier contain CVE-2023-41934, failing to properly mask the usernames of credentials. 

Pipeline Maven Integration Plugin 1331.v003efa_fd6e81 remediates this issue. 

 

Bitbucket Push and Pull Request Plugin – Remediation Available

2.4.0 through 2.8.3 contain CVE-2023-41937, meaning they trust values in the webhook payload, so attackers can exploit this to capture Bitbucket credentials stored in Jenkins. 

Bitbucket Push and Pull Request Plugin 2.8.4 remediates this vulnerability. 

 

Low Severity Vulnerabilities

The security advisory lists two low-severity vulnerabilities. Both of these have remediations available. 

Azure AD Plugin – Remediation Available

396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, contain CVE-2023-41935,

failing to use a constant time comparison that attackers could potentially exploit to use statistical methods to obtain a valid nonce. 

Azure AD Plugin 397.v907382dd9b_98 remediates this vulnerability. 

 

Google Login Plugin – Remediation Available

1.7 and earlier contain CVE-2023-41936, failing to use a contant-time comparison that attackers could potentially exploit to use statistical methods to obtain a valid token. 

Google Login Plugin 1.8 remediates this vulnerability. 

 

Quiet AI: Use Context to Rapidly Identify Whether Attackers Can Exploit Vulnerabilities 

With Qwiet AI’s preZero platform, you can identify and remediate your application’s most critical and impactful vulnerabilities. Our Code Property Graph (CPG) breaks down code into its fundamental parts to have a comprehensive component inventory while helping you determine whether attackers can exploit a vulnerability based on your unique source code. Our lightning-fast scans can help you discover source code vulnerabilities quickly. To understand how malicious actors evolve their supply chain attacks, you can use Qwiet Blacklight, the only threat intelligence feed focused on application security. 

 

Try Qwiet AI’s preZero platform for free to see how it can help you mitigate malicious Python package risks.

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

Read Next

AppSec DevOps
January 30, 2024 4 min to read

Handling Session Management in Web Applications

Back in 1893, the Lizzie Borden murders, where the Massachusetts woman was accused of killing both her parents with an ax, captivated the public and news media. Eventually found not guilty, one fundamental question perplexed police officers and the jury. Every door inside the Borden house had its own lock and corresponding key, an attempt […]

READ MORE
AppSec Cybersecurity Cybersecurity for Developers
January 16, 2024 4 min to read

Paying Off Your Loans: Technical Debt and Security Debt i...

Whether it’s school or car loans, you know that paying off your debt makes your life easier. It can improve your credit score, giving you more financial security. As a developer, you may also suffer from technical debt that impacts your application’s security. In a world where time to delivery is critical, you may make […]

READ MORE
AppSec Cybersecurity Cybersecurity for Developers DevOps Engineering
January 11, 2024 4 min to read

Understanding and Implementing HTTPS Strict Transport Sec...

Introduction Within the cascading bytes and bits of digital communications, developers forge pathways of data, threading information through the vast expanse of the internet. However, threats lurking within these pathways seek to intercept, manipulate, and exploit this data. This article ventures into HTTPS and Strict Transport Security (HSTS), offering developers a guide to comprehend, implement, […]

READ MORE

Read Next

AppSec Cybersecurity DevOps Engineering
September 7, 2023 5 min to read

Handling JWT Safely: Mitigating Common Security Risks

Introduction The world of application development is a balance between providing features and ensuring security. One tool that stands as a bridge between functionality and security is the JSON Web Token (JWT). While powerful and versatile, like all tools, it requires understanding and caution in its implementation. A Primer on JWTs JWT is a concise, […]

READ MORE
Cybersecurity
December 1, 2021 5 min to read

Keeping the wrench out of the gears: 5 tips for achieving...

More often than not, when people hear the word “compliance” they assume it will be a roadblock to speed. For DevOps teams, reduced speed and productivity undermine their goals. At the same time, experiencing more data breaches leads to new compliance mandates as legislative bodies and industry standards organizations try to set minimum security baselines. […]

READ MORE
Cybersecurity
March 15, 2022 7 min to read

Secure Software Summit: The State of OSS Supply Chain Sec...

  The Open Source Software (OSS) Supply Chain is under attack. As evidenced by the recent Log4Shell vulnerability, the OSS supply chain is increasingly a focus for attackers seeking to exploit weak links in security. A number of research reports have recorded a significant increase in so-called “next-gen software supply chain attacks” over the past […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In