At the end of August 2023, Jenkins announced it experienced 79% growth between June 2021 and June 2023. With an estimated 44% market share, Jenkins is a critical technology automating CI/CD pipelines.
As a technology pervasive across the developer community, the Jenkins vulnerabilities announced on August 6, 2023, will likely attract attackers seeking to infiltrate the software supply chain. Problematically, since these vulnerabilities are in plugins, the various third-parties are primarily responsible for providing security updates.
What are the affected Jenkins plug-ins?
According to the announcement, the following technologies have vulnerabilities associated with them:
- Assembla Auth Plugin: Enables OAuth authentication for Assembla users
- AWS CodeCmmit Trigger Plugin: Triggers jobs on repo update events by AWS CodeCommit through SQS and SNS
- Azure AD Plugin: Enables Azure Active Directory (Azure AD) authentication and authorization
- Bitbucket Push and Pull Request Plugin: Triggers builds on Bitbucket’s push and pull requests events
- Frugal Testing Plugin: Allows running automatic load test scripts
- Google Login Plugin: Enables Jenkins login using a Google account
- Ivy Plugin: Configures build to trigger other builds based on dependency configuration via Apache Ivy
- Job Configuration History Plugin: saves copies of all job and system configurations
- Pipeline Maven Integration Plugin: Provides an advanced set of features that simplify Pipeline script creation when using Apache Maven
- Qualys Container Scanning Connector Plugin: Enables container images assessment in existing CI/CD processes
- SSH2 Easy Plugin: Enables remote execution of Linux commands, shell, and SFTP upload/download with SSH2 remote server
- TAP Plugin: Supports Test Anything Protocol (TAP) test result files to Jenkins
High Severity Vulnerabilities
The security advisory lists five high-severity vulnerabilities. Two of these vulnerabilities did not have fixes available when Jenkins published its announcement.
IVY Plugin – No Current Fix as of 9/6/23
2.5 and earlier bundles versions of Apache Ivy contain CVE-2022-46751, which allows attackers to control the input file for a post-build step to have Jenkins parse a crafted XML document that uses external entities for extracting secrets from the Jenkins controller or server-side request forgery.
TAP Plugin – No Current Fix as of 9/6/23
2.3 and earlier contain CVE-2023-41940, failing to escape TAP file contents and resulting in stored XSS vulnerability attackers can exploit.
Job Configuration History Plugin – Remediation Available
This plugin has two High severity CVEs:
- CVE-2023-41930 (path traversal)/CVE-2023-41931 (XSS): 1227.v7a_79fc4dc01f and earlier fail to restrict the name query parameter when rendering a history entry that, when combined with the exploitable cross-site scripting (XSS) vulnerability enables
- CVE-2023-41932 (path traversal)/CVE-2023-41933 (XXE): 1227.v7a_79fc4dc01f and earlier fails to restrict the timestamp query parameters and when combined with the failure to configure XML parser attackers can exploit these to extract secrets.
According to the Jenkins security advisory, Job Configuration History Plugin 1229.v3039470161a_d remediates these vulnerabilities.
Qualys Container Scanning Connector Plugin – Remediation Available
This vulnerability has a CVE pending.
126.96.36.199 and earlier fail to perform a correct permission check that attackers can exploit to:
- Enumerate credentials IDs of credentials stored in Jenkins
- Connect to attacker-specified web server using attacker-specified credentials
According to the Jenkins security advisory, Qualys Container Scanning Connector Plugin 188.8.131.52 remediates this vulnerability.
Medium Severity Vulnerabilities
The security advisory lists eleven medium-severity vulnerabilities. Eight of these vulnerabilities did not have fixes available when Jenkins published its announcement.
AWS CodeCommit Trigger Plugin – No Current Fix as of 9/6/23
3.0.12 and earlier contain the following vulnerabilities:
- CVE-2023-41941: fails to perform permission check in an HTTP endpoint, meaning attackers can exploit this to enumerate credentials IDs of AWS credentials stored in Jenkins and used in attacks exploiting other vulnerabilities
- CVE-2023-41942 (CSRF), CVE-2023-41943 (permission check): fails to perform permission check in an HTTP endpoint, meaning attackers can exploit this to clear the SQS queue, and fails to require POST requests, resulting in CSRF vulnerability
- CVE-2023-41944: fails to escape the queue name parameter passed to a form validation URL when rendering an error message, resulting in an HTML injection vulnerability
Assembla Auth Plugin – No Current Fix as of 9/6/23
1.14 and earlier contain CVE-2023-41945, failing to verify permissions granted are enabled, which means users with EDIT permissions also gain Overall/Manage and Overall/SystemRead permissions.
Jenkins also notes that the plugin grants the following deprecated permissions to users with EDIT access that allow arbitrary code execution in Jenkins before 2.222:
Frugal Testing Plugin – No Current Fix as of 9/6/23
1.1 and earlier contain CVE-2023-41946 (CSRF)/CVE-2023-41947 (permission check), failing to perform permission checks in several HTTP endpoints that attackers can exploit to:
- Connect to Frugal Testing using attacker-specified credentials
- Retrieve test IDs and names from Frugal Testing if valid credentials correspond to the attacker-specified username
Endpoint failure to require POST requests results in CSRF vulnerability.
Ivy Plugin – No Current Fix as of 9/6/23
2.5 and earlier contain CVE-2023-41938, meaning they fail to require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability that attackers can exploit to delete disabled modules.
SSH2 Easy Plugin – Remediation Available
1.4 and earlier contain CVE-2023-41939, failing to verify that permissions configured to be granted are enabled, which means users may have excess access.
SSH2 Easy Plugin 1.6 removes the affected features without replacement.
Pipeline Maven – Remediation Available
1330.v18e473854496 and earlier contain CVE-2023-41934, failing to properly mask the usernames of credentials.
Pipeline Maven Integration Plugin 1331.v003efa_fd6e81 remediates this issue.
Bitbucket Push and Pull Request Plugin – Remediation Available
2.4.0 through 2.8.3 contain CVE-2023-41937, meaning they trust values in the webhook payload, so attackers can exploit this to capture Bitbucket credentials stored in Jenkins.
Bitbucket Push and Pull Request Plugin 2.8.4 remediates this vulnerability.
Low Severity Vulnerabilities
The security advisory lists two low-severity vulnerabilities. Both of these have remediations available.
Azure AD Plugin – Remediation Available
396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, contain CVE-2023-41935,
failing to use a constant time comparison that attackers could potentially exploit to use statistical methods to obtain a valid nonce.
Azure AD Plugin 397.v907382dd9b_98 remediates this vulnerability.
Google Login Plugin – Remediation Available
1.7 and earlier contain CVE-2023-41936, failing to use a contant-time comparison that attackers could potentially exploit to use statistical methods to obtain a valid token.
Google Login Plugin 1.8 remediates this vulnerability.
Quiet AI: Use Context to Rapidly Identify Whether Attackers Can Exploit Vulnerabilities
With Qwiet AI’s preZero platform, you can identify and remediate your application’s most critical and impactful vulnerabilities. Our Code Property Graph (CPG) breaks down code into its fundamental parts to have a comprehensive component inventory while helping you determine whether attackers can exploit a vulnerability based on your unique source code. Our lightning-fast scans can help you discover source code vulnerabilities quickly. To understand how malicious actors evolve their supply chain attacks, you can use Qwiet Blacklight, the only threat intelligence feed focused on application security.
Try Qwiet AI’s preZero platform for free to see how it can help you mitigate malicious Python package risks.