Arch Linux Security Advisory ASA-202101-41 ========================================== Severity: High Date : 2021-01-20 CVE-ID : CVE-2021-21602 CVE-2021-21603 CVE-2021-21604 CVE-2021-21605 CVE-2021-21606 CVE-2021-21607 CVE-2021-21608 CVE-2021-21609 CVE-2021-21610 CVE-2021-21611 Package : jenkins Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1446 Summary ======= The package jenkins before version 2.275-1 is vulnerable to multiple issues including cross-site scripting, directory traversal, incorrect calculation, arbitrary filesystem access, denial of service, information disclosure and insufficient validation. Resolution ========== Upgrade to 2.275-1. # pacman -Syu "jenkins>=2.275-1" The problems have been fixed upstream in version 2.275. Workaround ========== None. Description =========== - CVE-2021-21602 (arbitrary filesystem access) A security issue was found in Jenkins before version 2.275. The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier. This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser. - CVE-2021-21603 (cross-site scripting) Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button). This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents. Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars. - CVE-2021-21604 (incorrect calculation) Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted. This allows attackers with View/Create, Job/Create, Agent/Create, or their respective */Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator. Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore. - CVE-2021-21605 (directory traversal) Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart. Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem. - CVE-2021-21606 (information disclosure) Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system. This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters. Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence. - CVE-2021-21607 (denial of service) Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters. This allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors. Jenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10 million pixels. If a larger size is requested, the default size for the graph will be rendered instead. - CVE-2021-21608 (cross-site scripting) Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline input step. Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI. - CVE-2021-21609 (insufficient validation) Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list. This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required: accessDenied, error, instance-identity, login, logout, oops, securityRealm, signup and tcpSlaveAgentListener. For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check. The Jenkins security team is not aware of any affected plugins as of the publication of this advisory. The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2. - CVE-2021-21610 (cross-site scripting) Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like Anything Goes Formatter Plugin. Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly. - CVE-2021-21611 (cross-site scripting) Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types. Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page. Impact ====== An attacker can access sensitive information, influence the contents of varios display items, instantiate unsafe objects, override configuration files, perform a denial of service, execute unsafe elements. References ========== https://www.jenkins.io/security/advisory/2021-01-13/ https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452 https://github.com/jenkinsci/jenkins/commit/71d2ecf1a4e5303e80815eaa3935c4f2... https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1889 https://github.com/jenkinsci/jenkins/commit/f5d98421604e44f398e7de9d222b191a... https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923 https://github.com/jenkinsci/jenkins/commit/f1056bd814fc1f19ea241a101d649b8c... https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2021 https://github.com/jenkinsci/jenkins/commit/b19b34db4b24b163d4edc53ccb84f41a... https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2023 https://github.com/jenkinsci/jenkins/commit/f576b2eb4375f2bb076ce477cee27a94... https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2025 https://github.com/jenkinsci/jenkins/commit/a890d68699ad6ca0c8fbc297a1d4b7eb... https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035 https://github.com/jenkinsci/jenkins/commit/8c451b08886561a914ef0c30cbb9d40e... https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047 https://github.com/jenkinsci/jenkins/commit/fe9091fc74d55a56fd36544f3038d47c... https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153 https://github.com/jenkinsci/jenkins/commit/89ec0c40b68cd1e4e9f9ef5ebcafd87e... https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2171 https://security.archlinux.org/CVE-2021-21602 https://security.archlinux.org/CVE-2021-21603 https://security.archlinux.org/CVE-2021-21604 https://security.archlinux.org/CVE-2021-21605 https://security.archlinux.org/CVE-2021-21606 https://security.archlinux.org/CVE-2021-21607 https://security.archlinux.org/CVE-2021-21608 https://security.archlinux.org/CVE-2021-21609 https://security.archlinux.org/CVE-2021-21610 https://security.archlinux.org/CVE-2021-21611