Jenkins Security Advisory 2024-10-02

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Exposure of multi-line secrets through error messages in Jenkins

SECURITY-3451 / CVE-2024-47803
Severity (CVSS): Medium
Description:

Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

Item creation restriction bypass vulnerability in Jenkins

SECURITY-3448 / CVE-2024-47804
Severity (CVSS): Medium
Description:

Jenkins provides APIs for fine-grained control of item creation:

  • Authorization strategies can prohibit the creation of items of a given type in a given item group (ACL#hasCreatePermission2).

  • Item types can prohibit creation of new instances in a given item group (TopLevelItemDescriptor#isApplicableIn(ItemGroup)).

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fails, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk.

This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fails, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.

Encrypted values of credentials revealed to users with Extended Read permission in Credentials Plugin

SECURITY-3373 / CVE-2024-47805
Severity (CVSS): Medium
Affected plugin: credentials
Description:

Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the SecretBytes type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item config.xml via REST API or CLI.

This allows attackers with Item/Extended Read permission to view encrypted SecretBytes values in credentials.

This issue is similar to SECURITY-266 in the 2016-05-11 security advisory, which applied to the Secret type used for inline secrets and some credentials types.

Credentials Plugin 1381.v2c3a_12074da_b_ redacts the encrypted values of credentials using the SecretBytes type in item config.xml files.

This fix is only effective on Jenkins 2.479 and newer, LTS 2.462.3 and newer. While Credentials Plugin 1381.v2c3a_12074da_b_ can be installed on Jenkins 2.463 through 2.478 (both inclusive), encrypted values of credentials using the SecretBytes type will not be redacted when accessing item config.xml via REST API or CLI.

Lack of audience claim validation in OpenId Connect Authentication Plugin

SECURITY-3441 (1) / CVE-2024-47806
Severity (CVSS): High
Affected plugin: oic-auth
Description:

OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow. This claim is the value used to verify that the token was issued for the correct client.

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.

Lack of issuer claim validation in OpenId Connect Authentication Plugin

SECURITY-3441 (2) / CVE-2024-47807
Severity (CVSS): High
Affected plugin: oic-auth
Description:

OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token during its authentication flow, a value that identifies the Originating Party (IdP).

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the iss (Issuer) claim of an ID Token during its authentication flow when the Issuer is known.

When using the "Manual entry" configuration mode, the new "Issuer" field must be populated after updating to protect from this issue. When using "Discovery via well-known endpoint", the Issuer will be set automatically.
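
The aud and iss checks described in the two OpenId Connect Authentication Plugin entries above, as an added example following OpenID Connect Core 1.0, section 3.1.3.7. It is not the plugin's code; the function name, the sample issuer and the client ID are hypothetical, and the token signature is assumed to be verified already.

```python
# Added example: ID Token claim checks on an already signature-verified token.
# All names and sample values are hypothetical, not taken from the plugin.

class ClaimError(Exception):
    """Raised when an ID Token claim fails validation."""


def validate_id_token_claims(claims, client_id, expected_issuer=None):
    """Return a list of warnings; raise ClaimError on a failed check.

    expected_issuer=None models a "Manual entry" configuration whose
    Issuer field is still empty: the iss check cannot run, so the caller
    gets a warning instead of protection.
    """
    warnings = []

    # iss: exact string match against the configured issuer.
    if expected_issuer is None:
        warnings.append("issuer not configured: iss claim was not checked")
    elif claims.get("iss") != expected_issuer:
        raise ClaimError(f"unexpected iss: {claims.get('iss')!r}")

    # aud: a single string or a list; it must contain our client_id.
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    else:
        audiences = aud if isinstance(aud, list) else []
    if client_id not in audiences:
        raise ClaimError(f"token not issued for this client: aud={aud!r}")

    # azp: the spec says SHOULD; this example rejects a mismatch outright.
    azp = claims.get("azp")
    if azp is not None and azp != client_id:
        raise ClaimError(f"unexpected azp: {azp!r}")
    if len(audiences) > 1 and azp is None:
        warnings.append("multiple audiences without azp")

    return warnings


# Constructed sample claims (not from a real identity provider).
ISSUER = "https://idp.example.test"
CLIENT = "jenkins-controller"
good = {"iss": ISSUER, "aud": CLIENT, "sub": "alice"}
other_client = {"iss": ISSUER, "aud": "some-other-app", "sub": "alice"}
other_issuer = {"iss": "https://idp.example.test/tenant-b", "aud": [CLIENT], "sub": "alice"}
```

With `expected_issuer` left unset, `other_issuer` passes with only a warning, which is why the "Issuer" field has to be populated in "Manual entry" mode.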

Affected Versions

  • Jenkins weekly up to and including 2.478
  • Jenkins LTS up to and including 2.462.2
  • Credentials Plugin up to and including 1380.va_435002fa_924
  • OpenId Connect Authentication Plugin up to and including 4.354.v321ce67a_1de8

Fix

  • Jenkins weekly should be updated to version 2.479
  • Jenkins LTS should be updated to version 2.462.3
  • Credentials Plugin should be updated to version 1381.v2c3a_12074da_b_
  • OpenId Connect Authentication Plugin should be updated to version 4.355.v3a_fb_fca_b_96d4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Antonio Muñiz, CloudBees, Inc. for SECURITY-3448
  • James Nord, CloudBees, Inc. for SECURITY-3441 (1), SECURITY-3441 (2)
  • Kevin Guerroudj, CloudBees, Inc. for SECURITY-3373
  • Olivier Lamy, CloudBees, Inc. for SECURITY-3451