
Rewterz Threat Advisory - Multiple Jenkins Products Vulnerabilities

Severity

High

Analysis Summary

CVE-2023-28684 CVSS:7.1

Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.

CVE-2023-28683 CVSS:7.1

Jenkins Phabricator Differential Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.

CVE-2023-28682 CVSS:7.1

Jenkins Performance Publisher Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.

CVE-2023-28681 CVSS:7.1

Jenkins Crap4J Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.

CVE-2023-28680 CVSS:8

Jenkins Mashup Portlets Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-28679 CVSS:8

Jenkins Mashup Portlets Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-28678 CVSS:8

Jenkins Cppcheck Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-28677 CVSS:8

Jenkins Convert To Pipeline Plugin could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection flaw. By using a specially crafted configuration that injects Pipeline script, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-28676 CVSS:8.8

Jenkins Convert To Pipeline Plugin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to create a Pipeline based on a Freestyle project. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVE-2023-28675 CVSS:4.3

Jenkins Convert To Pipeline Plugin could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection flaw. By using a specially crafted configuration that injects Pipeline script, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2023-28674 CVSS:4.3

Jenkins OctoPerf Load Testing Plugin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to connect to a previously configured Octoperf server. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVE-2023-28673 CVSS:4.3

Jenkins OctoPerf Load Testing Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper permission check in an HTTP endpoint. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to enumerate credentials IDs, and use this information to launch further attacks against the affected system.

CVE-2023-28672 CVSS:7.1

Jenkins OctoPerf Load Testing Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission check in a connection test HTTP endpoint. By sending a specially crafted request, an attacker could exploit this vulnerability to connect to an attacker-specified URL.

CVE-2023-28671 CVSS:4.3

Jenkins OctoPerf Load Testing Plugin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to connect to an attacker-specified URL. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVE-2023-28670 CVSS:8

Jenkins Pipeline Aggregator View Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-28669 CVSS:8

Jenkins JaCoCo Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2023-28668 CVSS:5.9

Jenkins Role-based Authorization Strategy Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to grant permissions even after permissions have been disabled.

Impact

  • Information Disclosure
  • Cross-Site Scripting
  • Code Execution
  • Security Bypass

Indicators Of Compromise

CVE

  • CVE-2023-28684
  • CVE-2023-28683
  • CVE-2023-28682
  • CVE-2023-28681
  • CVE-2023-28680
  • CVE-2023-28679
  • CVE-2023-28678
  • CVE-2023-28677
  • CVE-2023-28676
  • CVE-2023-28675
  • CVE-2023-28674
  • CVE-2023-28673
  • CVE-2023-28672
  • CVE-2023-28671
  • CVE-2023-28670
  • CVE-2023-28669
  • CVE-2023-28668

Affected Vendors

Jenkins

Affected Products

  • Jenkins remote-jobs-view-plugin Plugin 0.0.3
  • Jenkins Phabricator Differential Plugin 2.1.5
  • Jenkins Performance Publisher Plugin 8.09
  • Jenkins Visual Studio Code Metrics Plugin 1.7
  • Jenkins Crap4J Plugin 0.9
  • Jenkins Cppcheck Plugin 1.26
  • Jenkins OctoPerf Load Testing Plugin 4.5.2
  • Jenkins Pipeline Aggregator View Plugin 1.13
  • Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51

Remediation

Refer to Jenkins Security Advisory for patch, upgrade or suggested workaround information.

Jenkins Security Advisory