

Rewterz Threat Alert – Tibetan Users Targeted by Evasive Panda APT with Supply Chain Attacks – Active IOCs
March 8, 2024
Rewterz Threat Advisory – Multiple Cisco Products Vulnerabilities
March 8, 2024
Severity
Medium
Analysis Summary
CVE-2024-28160 CVSS:8
Jenkins iceScrum Plugin is vulnerable to stored cross-site scripting, caused by improper escaping of user-supplied input displayed on build views. A remote authenticated attacker able to configure jobs could inject script that executes in a victim's browser in the security context of the Jenkins instance when the page is viewed, allowing the attacker to perform actions with the victim's permissions or steal the victim's session credentials where these are reachable from script.
CVE-2024-28159 CVSS:4.3
Jenkins Subversion Partial Release Manager Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by a missing permission check on an HTTP endpoint. By sending a specially crafted request, an attacker could exploit this vulnerability to trigger a build without the permission normally required to do so.
CVE-2024-28158 CVSS:5.3
Jenkins Subversion Partial Release Manager Plugin is vulnerable to cross-site request forgery, caused by an HTTP endpoint that does not require POST requests. By persuading an authenticated user to visit a malicious Web site, a remote attacker could cause the victim's browser to send a forged request that triggers a build.
CVE-2024-28157 CVSS:8
Jenkins GitBucket Plugin is vulnerable to stored cross-site scripting, caused by improper sanitization of GitBucket URLs displayed on build views. A remote authenticated attacker able to configure jobs could inject script that executes in a victim's browser in the security context of the Jenkins instance when the page is viewed, allowing the attacker to perform actions with the victim's permissions.
CVE-2024-28156 CVSS:8
Jenkins Build Monitor View Plugin is vulnerable to stored cross-site scripting, caused by improper escaping of Build Monitor View names. A remote authenticated attacker able to configure Build Monitor Views could inject script that executes in a victim's browser in the security context of the Jenkins instance when the view is opened, allowing the attacker to perform actions with the victim's permissions.
CVE-2024-2216 CVSS:6.3
Jenkins docker-build-step Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by a missing permission check on an HTTP endpoint. By sending a specially crafted request, an attacker could make the Jenkins controller connect to an attacker-specified TCP or Unix socket URL.
CVE-2024-2215 CVSS:6.3
Jenkins docker-build-step Plugin is vulnerable to cross-site request forgery, caused by an HTTP endpoint that does not require POST requests. By persuading an authenticated user to visit a malicious Web site, a remote attacker could cause the victim's browser to send a forged request that makes the Jenkins controller connect to an attacker-specified TCP or Unix socket URL.
CVE-2024-28162 CVSS:5.4
Jenkins Delphix Plugin is vulnerable to a man-in-the-middle attack, caused by improper SSL/TLS certificate validation. An attacker positioned on the network path could intercept the communication between Jenkins and the Delphix endpoint to obtain sensitive information, such as credentials, or further compromise the system.
CVE-2024-28161 CVSS:4.8
Jenkins Delphix Plugin is vulnerable to a man-in-the-middle attack because SSL/TLS certificate validation is disabled by default. An attacker positioned on the network path could intercept the communication between Jenkins and the Delphix endpoint to obtain sensitive information or further compromise the system.
CVE-2024-28155 CVSS:4.3
Jenkins AppSpider Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by a missing permission check on an HTTP endpoint. By sending a specially crafted request, an attacker could obtain the names of available scan configurations, engine groups, and clients, and use this information to launch further attacks against the affected system.
CVE-2024-28154 CVSS:4.3
Jenkins MQ Notifier Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by the exposure of sensitive information in build logs. An attacker with access to the build log could obtain this information and use it to launch further attacks against the affected system.
CVE-2024-28153 CVSS:8.8
Jenkins OWASP Dependency-Check Plugin is vulnerable to stored cross-site scripting, caused by improper escaping of report contents. A remote attacker able to control the contents of a report processed by the plugin could inject script that executes in a victim's browser in the security context of the Jenkins instance when the report is viewed, allowing the attacker to perform actions with the victim's permissions. Note that this issue, unlike the other XSS issues in this advisory, does not require the attacker to hold a Jenkins account.
CVE-2024-28152 CVSS:6.3
Jenkins Bitbucket Branch Source Plugin could allow a remote attacker to bypass security restrictions, caused by incorrect handling of the trust policy for pull requests from forks. An attacker able to submit pull requests from a fork could change the Pipeline behavior, for example by modifying the Jenkinsfile that the Pipeline executes.
CVE-2024-28151 CVSS:4.3
Jenkins HTML Publisher Plugin could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of report paths. An attacker able to configure published reports could use path traversal to read arbitrary files on the system hosting Jenkins.
CVE-2024-28150 CVSS:8
Jenkins HTML Publisher Plugin is vulnerable to stored cross-site scripting, caused by improper sanitization of URLs on the published report index page. A remote authenticated attacker could inject script that executes in a victim's browser in the security context of the Jenkins instance when the report is viewed, allowing the attacker to perform actions with the victim's permissions.
CVE-2024-28149 CVSS:8
Jenkins HTML Publisher Plugin is vulnerable to stored cross-site scripting, caused by improper escaping of job names on the published report index page. A remote authenticated attacker could inject script that executes in a victim's browser in the security context of the Jenkins instance when the report is viewed, allowing the attacker to perform actions with the victim's permissions.
Impact
- Gain Access
- Security Bypass
- Information Disclosure
- Cross-Site Scripting
Indicators Of Compromise
CVE
- CVE-2024-28160
- CVE-2024-28159
- CVE-2024-28158
- CVE-2024-28157
- CVE-2024-28156
- CVE-2024-2216
- CVE-2024-2215
- CVE-2024-28162
- CVE-2024-28161
- CVE-2024-28155
- CVE-2024-28154
- CVE-2024-28153
- CVE-2024-28152
- CVE-2024-28151
- CVE-2024-28150
- CVE-2024-28149
Affected Vendors
Jenkins
Affected Products
- Jenkins iceScrum Plugin 1.1.6
- Jenkins Subversion Partial Release Manager Plugin 1.0.1
- Jenkins GitBucket Plugin 0.8
- Jenkins Build Monitor View Plugin 1.14-860.vd06ef2568b_3f
- Jenkins docker-build-step Plugin 2.11
- Jenkins Delphix Plugin 3.1.0
- Jenkins Delphix Plugin 3.0.2
- Jenkins AppSpider Plugin 1.0.16
- Jenkins MQ Notifier Plugin 1.4.0
- Jenkins OWASP Dependency-Check Plugin 5.4.5
- Jenkins Bitbucket Branch Source Plugin 866.vdea_7dcd3008e
- Jenkins HTML Publisher Plugin 1.32
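The quickest way to establish exposure is to compare the plugin inventory of each Jenkins controller against the affected versions listed above. The following script is an added example, not Rewterz's or Jenkins' own code: it takes the JSON that the Jenkins plugin manager serves at `/pluginManager/api/json?depth=1` (a real endpoint, returning `plugins[].shortName` and `plugins[].version`) and flags any plugin at or below the affected version. The plugin short names in the table are assumptions to verify against Manage Jenkins > Plugins, the sample JSON is constructed for the example, and the version comparison is a simplified tokenised compare rather than Jenkins' own `hudson.util.VersionNumber`, so treat a borderline result as something to confirm by hand.

```python
"""Flag installed Jenkins plugins affected by the March 2024 plugin advisory.

Added example; not part of the original advisory or of Jenkins. Feed it the
output of GET <jenkins>/pluginManager/api/json?depth=1 (fetched with an
account holding Overall/Administer), or run it as-is on the constructed
sample below.
"""
import json
import re
from typing import List, Tuple

# (plugin short name, highest affected version, CVEs) taken from the advisory.
# Short names are assumptions: confirm them in Manage Jenkins > Plugins.
AFFECTED: List[Tuple[str, str, List[str]]] = [
    ("icescrum", "1.1.6", ["CVE-2024-28160"]),
    ("svn-release-mgr", "1.0.1", ["CVE-2024-28158", "CVE-2024-28159"]),
    ("gitbucket", "0.8", ["CVE-2024-28157"]),
    ("build-monitor-plugin", "1.14-860.vd06ef2568b_3f", ["CVE-2024-28156"]),
    ("docker-build-step", "2.11", ["CVE-2024-2215", "CVE-2024-2216"]),
    ("delphix", "3.1.0", ["CVE-2024-28162"]),
    ("delphix", "3.0.2", ["CVE-2024-28161"]),
    ("appspider", "1.0.16", ["CVE-2024-28155"]),
    ("mq-notifier", "1.4.0", ["CVE-2024-28154"]),
    ("dependency-check-jenkins-plugin", "5.4.5", ["CVE-2024-28153"]),
    ("cloudbees-bitbucket-branch-source", "866.vdea_7dcd3008e", ["CVE-2024-28152"]),
    ("htmlpublisher", "1.32", ["CVE-2024-28149", "CVE-2024-28150", "CVE-2024-28151"]),
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> List[Tuple[int, int, str]]:
    """Split a plugin version such as '1.14-860.vd06ef2568b_3f' into tokens.

    Numeric tokens compare numerically and rank above alphabetic tokens, so
    '1.33' > '1.32' and '871.v...' > '866.v...'. This is a simplified
    approximation of Jenkins' VersionNumber, adequate for the versions above.
    """
    key = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            key.append((1, int(tok), ""))
        else:
            key.append((0, 0, tok.lower()))
    return key


def is_affected(installed: str, highest_affected: str) -> bool:
    """True when the installed version is at or below the affected version."""
    return version_key(installed) <= version_key(highest_affected)


def check_plugins(plugin_manager_json: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (short name, installed, highest affected, CVEs) for each hit."""
    data = json.loads(plugin_manager_json)
    installed = {p["shortName"]: p["version"] for p in data.get("plugins", [])}
    findings = []
    for short_name, highest_affected, cves in AFFECTED:
        version = installed.get(short_name)
        if version is not None and is_affected(version, highest_affected):
            findings.append((short_name, version, highest_affected, cves))
    return findings


def report(findings: List[Tuple[str, str, str, List[str]]]) -> str:
    """Render findings as one line per affected plugin."""
    if not findings:
        return "no affected plugins found"
    return "\n".join(
        f"{name} {installed} (affected <= {limit}): {', '.join(cves)}"
        for name, installed, limit, cves in findings
    )


# Constructed sample of the plugin manager response; versions are illustrative.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "htmlpublisher", "version": "1.32"},
        {"shortName": "docker-build-step", "version": "2.12"},
        {"shortName": "delphix", "version": "3.0.2"},
        {"shortName": "cloudbees-bitbucket-branch-source", "version": "866.vdea_7dcd3008e"},
        {"shortName": "dependency-check-jenkins-plugin", "version": "5.5.0"},
        {"shortName": "git", "version": "5.2.1"},
    ]
})

if __name__ == "__main__":
    print(report(check_plugins(SAMPLE_PLUGIN_JSON)))
```

On a real controller, replace `SAMPLE_PLUGIN_JSON` with the body of the plugin manager API call; the same check can be run from the Script Console with `Jenkins.get().pluginManager.plugins` if the API is not reachable from the scanning host.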
Remediation
Refer to the Jenkins Security Advisory of March 6, 2024 (https://www.jenkins.io/security/advisory/2024-03-06/) for the fixed plugin versions and any published workarounds, and upgrade each affected plugin to its fixed release. For plugins for which no fix is listed in the advisory, disable or uninstall the plugin, or at minimum restrict the permissions the issues depend on (Job/Configure and view configuration for the stored XSS issues, Overall/Read for the missing permission checks). Re-run the plugin inventory after upgrading to confirm that no affected versions remain on any controller.