

Rewterz Threat Alert -APT-C-35 aka Donot Team – Active IOCs
March 22, 2023
Rewterz Threat Update – Cyber Threat Intelligence Advisory – 23rd March Pakistan Day
March 22, 2023
Severity
High
Analysis Summary
CVE-2023-28684 CVSS:7.1
Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.
CVE-2023-28683 CVSS:7.1
Jenkins Phabricator Differential Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.
CVE-2023-28682 CVSS:7.1
Jenkins Performance Publisher Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.
CVE-2023-28681 CVSS:7.1
Jenkins Crap4J Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations by the XML parser. By using a specially crafted XML report file, an attacker could exploit this vulnerability to obtain secrets from the Jenkins controller or perform server-side request forgery attacks.
CVE-2023-28680 CVSS:8
Jenkins Mashup Portlets Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28679 CVSS:8
Jenkins Mashup Portlets Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28678 CVSS:8
Jenkins Cppcheck Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28677 CVSS:8
Jenkins Convert To Pipeline Plugin could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection flaw. By using a specially crafted configuration that injects Pipeline script, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-28676 CVSS:8.8
Jenkins Convert To Pipeline Plugin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to create a Pipeline based on a Freestyle project. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2023-28675 CVSS:4.3
Jenkins Convert To Pipeline Plugin could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a command injection flaw. By using a specially crafted configuration that injects Pipeline script, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-28674 CVSS:4.3
Jenkins OctoPerf Load Testing Plugin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to connect to a previously configured Octoperf server. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVE-2023-28673 CVSS:4.3
Jenkins OctoPerf Load Testing Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper permission check in an HTTP endpoint. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to enumerate credentials IDs, and use this information to launch further attacks against the affected system.
CVE-2023-28672 CVSS:7.1
Jenkins OctoPerf Load Testing Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission check in a connection test HTTP endpoint. By sending a specially crafted request, an attacker could exploit this vulnerability to connect to an attacker-specified URL.
CVE-2023-28671 CVSS:4.3
Jenkins OctoPerf Load Testing Plugin is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to connect to an attacker-specified URL. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
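The missing permission check and CSRF findings above share one remediation pattern in Jenkins plugin code: the form-validation endpoint must require POST and must check the caller's permission before it touches the network. As an added example (not the OctoPerf plugin's code and not part of the advisory), here is a connection-test method guarded the way Jenkins' developer guidance prescribes; `GuardedConnectionTest`, `doTestConnection` and its parameters are hypothetical names, while `@RequirePOST`, `Item.CONFIGURE`, `Jenkins.ADMINISTER` and `FormValidation` are the real Stapler and Jenkins core APIs.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical holder; in a real plugin this method sits on the Descriptor.
public class GuardedConnectionTest {

    // @RequirePOST makes Stapler reject GET requests, so a link or image tag on a
    // third-party page cannot fire the connection test with a logged-in user's session.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl) {
        // Permission check: only a user who may configure this item (or, for global
        // configuration, administer the controller) may make the controller connect out.
        if (item != null) {
            item.checkPermission(Item.CONFIGURE);
        } else {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        }
        URI target;
        try {
            target = new URI(serverUrl);
        } catch (URISyntaxException e) {
            return FormValidation.error("Not a valid URL");
        }
        // Only http(s) servers are tested; every other scheme is refused before any I/O.
        String scheme = target.getScheme();
        if (!"https".equalsIgnoreCase(scheme) && !"http".equalsIgnoreCase(scheme)) {
            return FormValidation.error("Only http and https servers can be tested");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) target.toURL().openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            conn.setInstanceFollowRedirects(false);
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected (HTTP " + status + ")")
                                : FormValidation.warning("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

A `doFillCredentialsIdItems` method on the same descriptor needs the identical permission check, otherwise it becomes the credential-ID enumeration endpoint described under CVE-2023-28673.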
CVE-2023-28670 CVSS:8
Jenkins Pipeline Aggregator View Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28669 CVSS:8
Jenkins JaCoCo Plugin is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVE-2023-28668 CVSS:5.9
Jenkins Role-based Authorization Strategy Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission validation. By sending a specially crafted request, an attacker could exploit this vulnerability to grant permissions even after permissions have been disabled.
Impact
- Information Disclosure
- Cross-Site Scripting
- Code Execution
- Security Bypass
Indicators Of Compromise
CVE
- CVE-2023-28684
- CVE-2023-28683
- CVE-2023-28682
- CVE-2023-28681
- CVE-2023-28680
- CVE-2023-28679
- CVE-2023-28678
- CVE-2023-28677
- CVE-2023-28676
- CVE-2023-28675
- CVE-2023-28674
- CVE-2023-28673
- CVE-2023-28672
- CVE-2023-28671
- CVE-2023-28670
- CVE-2023-28669
- CVE-2023-28668
Affected Vendors
Jenkins
Affected Products
- Jenkins remote-jobs-view-plugin Plugin 0.0.3
- Jenkins Phabricator Differential Plugin 2.1.5
- Jenkins Performance Publisher Plugin 8.09
- Jenkins Visual Studio Code Metrics Plugin 1.7
- Jenkins Crap4J Plugin 0.9
- Jenkins Cppcheck Plugin 1.26
- Jenkins OctoPerf Load Testing Plugin 4.5.2
- Jenkins Pipeline Aggregator View Plugin 1.13
- Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fa_e51
Remediation
Refer to the Jenkins Security Advisory for patch, upgrade or suggested workaround information.