[ASA-202101-41] jenkins: multiple issues

Morten Linderud foxboron at archlinux.org
Thu Jan 28 22:00:58 UTC 2021


Arch Linux Security Advisory ASA-202101-41
==========================================

Severity: High
Date    : 2021-01-20
CVE-ID  : CVE-2021-21602 CVE-2021-21603 CVE-2021-21604 CVE-2021-21605
          CVE-2021-21606 CVE-2021-21607 CVE-2021-21608 CVE-2021-21609
          CVE-2021-21610 CVE-2021-21611
Package : jenkins
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1446

Summary
=======

The package jenkins before version 2.275-1 is vulnerable to multiple
issues including cross-site scripting, directory traversal, incorrect
calculation, arbitrary filesystem access, denial of service,
information disclosure and insufficient validation.

Resolution
==========

Upgrade to 2.275-1.

# pacman -Syu "jenkins>=2.275-1"

The problems have been fixed upstream in version 2.275.

Workaround
==========

None.

Description
===========

- CVE-2021-21602 (arbitrary filesystem access)

A security issue was found in Jenkins before version 2.275. The file
browser for workspaces, archived artifacts, and
$JENKINS_HOME/userContent/ follows symbolic links to locations outside
the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1
and earlier. This allows attackers with Job/Workspace permission and
the ability to control workspace contents (e.g., with Job/Configure
permission or the ability to change SCM contents) to create symbolic
links that allow them to access files outside workspaces using the
workspace browser.
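The fix class the advisory describes is a containment check that resolves symbolic links before deciding whether a browsed path is still inside the workspace. The following is an added Python model of that check, not Jenkins code; the workspace, the `secrets` directory and the `escape` symlink are constructed in a temporary directory for the demonstration.

```python
import os
import shutil
import tempfile
from typing import Dict, Optional


def resolve_inside(root: str, relative: str) -> Optional[str]:
    """Resolve `relative` under `root`, following symlinks, and return the
    real path only if it is still inside the real root; otherwise None.

    Both sides are passed through realpath so that a symlink (or a '..'
    component, or an absolute path) cannot point outside the root while
    the unresolved string still looks like it belongs to the workspace.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, relative))
    if candidate == real_root or candidate.startswith(real_root + os.sep):
        return candidate
    return None


def demo() -> Dict[str, bool]:
    """Build a constructed workspace with a symlink escaping it and report
    which browser requests the check would serve (True) or refuse (False)."""
    base = tempfile.mkdtemp()
    try:
        workspace = os.path.join(base, "workspace")
        secret_dir = os.path.join(base, "secrets")   # outside the workspace
        os.makedirs(workspace)
        os.makedirs(secret_dir)
        with open(os.path.join(secret_dir, "credentials.xml"), "w") as f:
            f.write("<constructed/>")
        with open(os.path.join(workspace, "build.log"), "w") as f:
            f.write("ok")
        # Workspace content an attacker could commit: a link pointing out.
        os.symlink(secret_dir, os.path.join(workspace, "escape"))
        return {
            "regular": resolve_inside(workspace, "build.log") is not None,
            "symlink_escape": resolve_inside(workspace, "escape/credentials.xml") is not None,
            "dotdot": resolve_inside(workspace, "../secrets/credentials.xml") is not None,
            "absolute": resolve_inside(workspace, "/etc/hostname") is not None,
        }
    finally:
        shutil.rmtree(base)
```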

- CVE-2021-21603 (cross-site scripting)

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape
notification bar response contents (typically shown after form
submissions via Apply button). This results in a cross-site scripting
(XSS) vulnerability exploitable by attackers able to influence
notification bar contents. Jenkins 2.275, LTS 2.263.2 escapes the
content shown in notification bars.

- CVE-2021-21604 (incorrect calculation)

Jenkins provides XML REST APIs to configure views, jobs, and other
items. When deserialization fails because of invalid data, Jenkins
2.274 and earlier, LTS 2.263.1 and earlier stores invalid object
references created through these endpoints in the Old Data Monitor. If
an administrator discards the old data, some erroneous data submitted
to these endpoints may be persisted. This allows attackers with
View/Create, Job/Create, Agent/Create, or their respective */Configure
permissions to inject crafted content into Old Data Monitor that
results in the instantiation of potentially unsafe objects when
discarded by an administrator. Jenkins 2.275, LTS 2.263.2 does not
record submissions from users in Old Data Monitor anymore.

- CVE-2021-21605 (directory traversal)

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with
Agent/Configure permission to choose agent names that cause Jenkins to
override unrelated config.xml files. If the global config.xml file is
replaced, Jenkins will start up with unsafe legacy defaults after a
restart. Jenkins 2.275, LTS 2.263.2 ensures that agent names are
considered valid names for items to prevent this problem.

- CVE-2021-21606 (information disclosure)

Jenkins provides a feature for jobs to store and track fingerprints of
files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and
earlier provides a REST API to check where a given fingerprint was used
by which builds. This endpoint does not fully validate that the
provided fingerprint ID is properly formatted before checking for the
XML metadata for that fingerprint on the controller file system. This
allows attackers with Overall/Read permission to check for the
existence of XML files on the controller file system where the relative
path can be constructed as 32 characters. Jenkins 2.275, LTS 2.263.2
validates that a fingerprint ID is properly formatted before checking
for its existence.

- CVE-2021-21607 (denial of service)

Jenkins renders several different graphs for features like agent and
label usage statistics, memory usage, or various plugin-provided
statistics. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not
limit the graph size provided as query parameters. This allows
attackers to request or to have legitimate Jenkins users request
crafted URLs that rapidly use all available memory in Jenkins,
potentially leading to out of memory errors. Jenkins 2.275, LTS 2.263.2
limits the maximum size of graphs to an area of 10 million pixels. If a
larger size is requested, the default size for the graph will be
rendered instead.

- CVE-2021-21608 (cross-site scripting)

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape
button labels in the Jenkins UI. This results in a cross-site scripting
vulnerability exploitable by attackers with the ability to control
button labels. An example of buttons with a user-controlled label are
the buttons of the Pipeline input step. Jenkins 2.275, LTS 2.263.2
escapes button labels in the Jenkins UI.

- CVE-2021-21609 (insufficient validation)

Jenkins includes a static list of URLs that are always accessible even
without Overall/Read permission, such as the login form. These URLs are
excluded from an otherwise universal permission check. Jenkins 2.274
and earlier, LTS 2.263.1 and earlier does not correctly compare
requested URLs with that list. This allows attackers without
Overall/Read permission to access plugin-provided URLs with any of the
following prefixes if no other permissions are required: accessDenied,
error, instance-identity, login, logout, oops, securityRealm, signup
and tcpSlaveAgentListener. For example, a plugin contributing the path
loginFoo/ would have URLs in that space accessible without the default
Overall/Read permission check. The Jenkins security team is not aware
of any affected plugins as of the publication of this advisory. The
comparison of requested URLs with the list of always accessible URLs
has been fixed to only allow access to the specific listed URLs in
Jenkins 2.275, LTS 2.263.2.
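The comparison flaw reduces to matching a request path against the always-accessible list by string prefix instead of by whole path segment. The following is an added Python model, not Jenkins code: the list is the one named above, the `prefix_match` function assumes a startsWith-style comparison as the advisory describes, and `exact_match` is the corrected form.

```python
from typing import Callable, List

# Names the advisory lists as always accessible without Overall/Read.
ALWAYS_READABLE = (
    "accessDenied", "error", "instance-identity", "login", "logout",
    "oops", "securityRealm", "signup", "tcpSlaveAgentListener",
)


def first_segment(path: str) -> str:
    """First path segment of a request URL, e.g. '/login/x' -> 'login'."""
    return path.strip("/").split("/", 1)[0]


def prefix_match(path: str) -> bool:
    """Flawed comparison (assumed model of the pre-2.275 behaviour):
    any segment that merely starts with a listed name is exempted."""
    seg = first_segment(path)
    return any(seg.startswith(name) for name in ALWAYS_READABLE)


def exact_match(path: str) -> bool:
    """Corrected comparison: only the listed names themselves are exempt."""
    return first_segment(path) in ALWAYS_READABLE


def requires_overall_read(path: str,
                          compare: Callable[[str], bool] = exact_match) -> bool:
    """The permission gate: anything not on the list needs Overall/Read."""
    return not compare(path)


def leaked_by_prefix_match(paths: List[str]) -> List[str]:
    """Audit helper: request paths the flawed comparison would exempt from
    the Overall/Read check while the corrected one would not."""
    return [p for p in paths if prefix_match(p) and not exact_match(p)]
```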

- CVE-2021-21610 (cross-site scripting)

Jenkins allows administrators to choose the markup formatter to use for
descriptions of jobs, builds, views, etc. displayed in Jenkins. When
editing such a description, users can choose to have Jenkins render a
formatted preview of the description they entered. Jenkins 2.274 and
earlier, LTS 2.263.1 and earlier does not implement any restrictions
for the URL rendering the formatted preview of markup passed as a query
parameter. This results in a reflected cross-site scripting (XSS)
vulnerability if the configured markup formatter does not prohibit
unsafe elements (JavaScript) in markup, like Anything Goes Formatter
Plugin. Jenkins 2.275, LTS 2.263.2 requires that preview URLs are
accessed using POST and sets Content-Security-Policy headers that
prevent execution of unsafe elements when the URL is accessed directly.

- CVE-2021-21611 (cross-site scripting)

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape
display names and IDs of item types shown on the New Item page. This
results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers able to specify display names or IDs of item
types. Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item
types shown on the New Item page.

Impact
======

An attacker can access sensitive information, influence the contents of
various display items, instantiate unsafe objects, overwrite
configuration files, cause a denial of service, or have unsafe markup
elements (such as JavaScript) executed in a victim's browser.

References
==========

https://www.jenkins.io/security/advisory/2021-01-13/
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1452
https://github.com/jenkinsci/jenkins/commit/71d2ecf1a4e5303e80815eaa3935c4f2fa3d9104
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1889
https://github.com/jenkinsci/jenkins/commit/f5d98421604e44f398e7de9d222b191a705608af
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-1923
https://github.com/jenkinsci/jenkins/commit/f1056bd814fc1f19ea241a101d649b8c143807e7
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2021
https://github.com/jenkinsci/jenkins/commit/b19b34db4b24b163d4edc53ccb84f41a3589cb08
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2023
https://github.com/jenkinsci/jenkins/commit/f576b2eb4375f2bb076ce477cee27a946b65f22a
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2025
https://github.com/jenkinsci/jenkins/commit/a890d68699ad6ca0c8fbc297a1d4b7ebf23f384b
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2035
https://github.com/jenkinsci/jenkins/commit/8c451b08886561a914ef0c30cbb9d40ea33a9bbe
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2047
https://github.com/jenkinsci/jenkins/commit/fe9091fc74d55a56fd36544f3038d47c8cb331a4
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2153
https://github.com/jenkinsci/jenkins/commit/89ec0c40b68cd1e4e9f9ef5ebcafd87e7fa16589
https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2171
https://security.archlinux.org/CVE-2021-21602
https://security.archlinux.org/CVE-2021-21603
https://security.archlinux.org/CVE-2021-21604
https://security.archlinux.org/CVE-2021-21605
https://security.archlinux.org/CVE-2021-21606
https://security.archlinux.org/CVE-2021-21607
https://security.archlinux.org/CVE-2021-21608
https://security.archlinux.org/CVE-2021-21609
https://security.archlinux.org/CVE-2021-21610
https://security.archlinux.org/CVE-2021-21611