Researchers should take extra care in deploying data-science applications to the cloud, as cybercriminals are already targeting popular data-science tools such as Jupyter Notebook.

Always looking for an easy compromise, attackers are now scanning for data-science applications — such as Jupyter Notebook and JupyterLab — along with cloud servers and containers for misconfigurations, cloud-protection firm Aqua Security stated in an advisory published on April 13.

The two popular data science applications — used frequently with Python and R for data analysis — are generally secure by default, but a small fraction of instances are misconfigured, allowing attackers to access the servers with no password, according to the Aqua Security's researchers. In addition, after setting up its own server as a honeypot, the company detected in-the-wild attacks that attempted to install cryptomining tools and ransomware onto accessible instances of the software.

Signs that there are attackers targeting data-science environments is worrisome, considering that the researchers setting up those environment are largely uninformed about cybersecurity, says Assaf Morag, lead data analyst with Aqua Security.

"We know, based on our experience with application security, that developers are starting to learn more about security, but what about data scientists?" he says. "Are they gaining a proper education? My training is as a data scientist, and there were no focus on data security."

**Looking for Misconfigurations**  
In the past, threat actors have frequently scanned the Internet for servers running insecurely configured application. Last year, for example, a misconfigured Git server using default login credentials allowed attackers to steal source code for Nissan's mobile apps, market-research tools, and vehicle-connected services. Over the past five years, a significant number of data breaches have been caused by misconfigured storage servers — such as Amazon's Simple Storage Service (S3) buckets — that were found by attackers.

Research conducted in 2020 found that misconfigured cloud services, containers, and servers are attacked within hours of appearing online. The research, which used an insecurely configured Elasticsearch instance, was targeted by 175 scans over 11 days, increasing to 435 requests over the subsequent 2 weeks, including searches for particular terms such as "password" and "wallet."

The attacks on data-science tools used similar tactics, as seen through the lens of its honeypots, Aqua Security stated in its advisory.

"Most of the attacks got initial access via misconfigured environments," the company stated. "After gaining access, adversaries attempted to achieve persistence by creating a new user in the notebook or adding Secure Shell (SSH) keys. Then, most of the attacks executed a cryptominer, trying to get a quick gain."

The problem is that a small minority of the instances are configured to allow anyone to access the notebook server. During the research, for example, the Aqua Security researchers saw a novel attempt at using access gained through Jupyter Notebook to run a Python-based crypto-ransomware program.

"Normally, access to the online application should be restricted, either with a token or password or by limiting ingress traffic," Aqua Security wrote in the ransomware advisory. "However, sometimes these notebooks are left exposed to the internet with no authentication means, allowing anyone to easily access the notebook via a web browser."

**Lock Down Data Tools**  
Overall, data scientists and the Jupyter Project appear to be doing a credible job in securing the software. In total, less than 1% of the approximately 10,000 of instances of Jupyter Notebook are configured for open access, according to scans using the Shodan search engine. The fact that attackers are targeting the servers, however, should prompt defenders to focus on ensuring that the data-science tools are locked down, says Aqua Security's Morag.

"There will always be a zero-day or another misconfiguration that users did not know about, like Log4shell or Spring4 shell," he says. "While those do not apply to Jupyter Notebook, they show that you need to have another layer of protection. If you rely on the network to protect you, it is not enough these days, I think."

The Aqua research is not the first to expose vulnerabilities and misconfigurations of data-science tools. In 2021, researchers from cloud-security firm Wiz.io found that Microsoft created an insecure implementation for linking Jupyter Notebook instances to Azure Cosmos DB databases, allowing attackers to create a connection between an instance of Jupyter Notebook and the database service, which then allowed the attacker to access all other databases using the same service.

Attackers' strategy of targeting a new community of technical users is not new. Threat actors have already started targeting machine-learning researchers and the data behind artificial-intelligence and machine-learning systems, according to experts.

Data Scientists, Watch Out: Attackers Have Your Number

Organizations can defend themselves from future unknows attacks by implementing targeted security hardening measures, turning on built-in security protections, and leveraging existing technology stack to achieve microsegmentation and credential hygiene.

Black swan events are considered incidents with high impact and low frequency that are impossible to predict. Whether you consider them black swan cyber events or not, the SolarWinds attack and the Log4Shell exploit stressed some of the key ways in which organizations can prepare themselves and prevent crises.  

Here are three common misconceptions around prevention of such events. 

**Misconception No. 1: There's nothing we can do about zero days and supply-chain attacks.**

One of the common misconceptions is that it's almost impossible to protect environments from critical zero-day vulnerabilities or supply-chain attacks, as they are highly stealthy and cannot be predicted. At best, this misconception will shift efforts toward enhancing the detection and response capabilities. At worst, it will promote a sense of helplessness when dealing with such events.

Contrary to common perception, these events are not the "unknown unknowns." Organizations can deploy and adjust their defenses strategically, often using their existing teams and security stack, and protect themselves from such attacks.

A simple yet powerful example is preventing egress Internet traffic from servers. Even though it may sound like a basic security practice, real-world experience demonstrates that it's not implemented by even relatively mature organizations.

Blocking servers from reaching out to the Internet will prevent attacks (or dramatically slow down attackers), where the exploit depends on the server to initiate connection to the attacker's command and control infrastructure, whether through reverse shells, malicious code in a third-party software such as SolarWinds, or a vulnerability such as Log4Shell. This leads us to the realization that even a basic security control can stop both the SolarWinds supply chain attack, one of the most sophisticated attacks in recent years, as well as mitigate the Log4Shell vulnerability, one of the most potent and ubiquitous vulnerabilities discovered recently.

Investigating and learning common tactics, techniques, and procedures (TTPs) and modus operandi of the latest breaches and exploits can provide organizations with valuable insights on how to improve and prioritize defenses in a way that will mitigate the use of future exploits.

**Misconception No. 2: Once attackers infiltrate an environment, they will fully compromise it.  
**Another misconception is that these novel exploits will inevitably allow attackers to do more than just infiltrate the perimeter.

Targeted security enhancement initiatives can be implemented to make the environment much more resilient to lateral movement and privilege escalation techniques, keeping attackers at bay, not able to leverage their initial footholds to gain access to core assets. This approach will also provide defenders with more time to detect and eliminate attacks in their early stages.

*   **Lateral** **m****ovement:** Microsegmentation is a daunting task. Many organizations procrastinate on implementing such projects as they require mapping all internal traffic, creating granular allow-lists of ports and hosts, buying expensive solutions, and investing crucial resources in deploying and then maintaining such environments. However, many of the advantages of microsegmentation can be achieved without going the full distance.
    
    Restricting ingress traffic on interactive (e.g., RDP, SSH) and noninteractive (e.g., SMB, WinRM, RPC) management protocols, by using host-based firewall policies on both servers and workstations, and then limiting management traffic to specific dedicated segments or jump boxes, can help achieve the core value provided by microsegmentation.
    
    While sometimes traffic on noninteractive management protocols toward servers is required for operational or applicative purposes, in many cases it's not required between different workstations or between servers in the DMZ. Adopting a focused deny-list approach at first will yield an immediate risk reduction, to a point where it will gradually become very challenging to move laterally within the network.
    

*   **Privilege** **e****scalation****:** One of the major challenges in reducing the risk of materializing attacks in the network is credential hygiene and prevention of privilege escalation. Nevertheless, similar to the approach taken above, focusing on high-value measures derived from real-world use of known and common TTPs can provide significant value for defenders.
    
    To achieve this, constantly search for exposed clear-text credentials, set long and complex passwords for service accounts, avoid using domain admin accounts for daily activities, and use built-in Microsoft security features such as Protected Users, LAPS, LSA Protection, and Credential Guard.
    
    Credential hygiene issues are a major contributing factor in almost every single attack that Sygnia responded to in the last couple of years. Securing privileged identities should be top priority in any security road map for 2022.
    

**Misconception No. 3: Patching is the only solution we have for novel vulnerabilities.  
**Often when a new vulnerability is published, the main (and sometimes the only) recommendation suggested by numerous advisories is patching, as if patching is the only action organizations can initiate to contain the risk. Patching is crucial, but it can take time for large enterprises to fully understand their exposure and apply patches in production environments. Occasionally, a few days after patching, new vulnerabilities are discovered by the security industry because of the attention the system or the application is drawing. Patching will not always mitigate all gaps.

Understanding the way in which the exploit is executed — and the dependencies on which the exploit is relying to execute — is imperative in responding to such events. What may be considered as only a workaround to mitigate the vulnerability can sometimes prove to be a lifesaver for organizations.

**Leverage and Optimize Your Security Stack  
**Contrary to common belief, organizations _can_ prevent or reduce the impact of novel exploits such as Log4Shell or highly sophisticated attacks like SolarWinds.

This can be achieved by organizations leveraging _and_ optimizing their current security stack, implementing surgical hardening measures, and using built-in security features that can be turned on easily without requiring additional spend.

The Misconceptions of 2021's Black Swan Cyber Events

Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2.

**Description**

Grunt is a JavaScript task runner, a tool used to automatically perform frequent tasks such as minification, compilation, unit testing, and linting. In GruntJS, file.copy operations in GruntJS are not protected against symlink traversal for both source and destination directories.

**Scenario 1 - Restricted File Read**

If a local attacker has write access to the source directory of file.copy, they can create a symlink to a restricted file. When the source directory is then copied from, either by the root user or a GruntJS task / cronjob running as root, the symlink is resolved and the contents of the restricted file will be copied to the destination directory with default umask permissions rw-r--r--, the directory will also be copied with permissions drwxr-xr-x. allowing them to read the restricted file.

**Proof of Concept**

1: As a lower-privileged user:

    mkdir src
    ln -s /etc/shadow src/shadow
    

2: As root execute the following PoC

    grunt = require('grunt')
    grunt.file.copy("src", "dest")
    

3: The lower privileged user can read the contents of the /etc/shadow file in the dest directory

    cat dest/shadow
    

**Scenario 2 - Restricted File Write**

If an attacker has write access to both the source directory and the destination directory (if it has already been created) of file.copy, they can create a symlink to a restricted file in the destination directory and a file of the same name in the source directory. When the destination directory is then copied to, either by the root user or a cronjob running as root, the symlink is resolved to a restricted file and the file of the same name in source is copied to the resolved file path of the symlink in destination

**Proof of Concept**

1: As a lower-privileged user:

    mkdir src
    mkdir dest
    ln -s /etc/shadow2 dest/shadow2
    echo "<overwrite shadow file here>" > src/shadow2
    

2: As root execute the following PoC

    grunt = require('grunt')
    grunt.file.copy("src", "dest")
    

3: The /etc/shadow2 file is overwritten

    <overwrite shadow file here>
    

**Comparison with cp command**

The standard cp command on all Linux systems copies the symlink object in directories instead of resolving it.

**Impact**

If a local attacker has write access to the source directory and read access to the directory containing the destination directory, they are able to abuse the file.copy operation to expose restricted files such as /etc/shadow which contains all the hashed passwords of users on the Linux system, they can they escalate their privileges by cracking the password or even SSH private keys. If an attacker has write access to the source and destination directories, they are able to abuse the file.copy operation to overwrite restricted files such as /etc/shadow with their own shadow file and replace the root password with their own or even sign their own pair of SSH keys and replace the SSH public key with their own, guaranteeing them to escalate their privileges.

**Recommended Fix**

For directories, the file.copy should copy the symlink object rather than resolve it just like the standard cp command on Linux systems. Additionally, if a file in a destination directory is a symlink, then it should not be overwritten so as to prevent unintended consequences.

**Occurrences**

CVE-2022-0436: Path Traversal in grunt

Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service.

**Vaikutus**

Critical

**Overview**

**Proprietary Code CVEs**

**Description**

**CVSS Base Score**

**CVSS Vector String**

CVE-2022-24411

Dell PowerScale OneFS 8.2.2 and later contain an elevation of privilege vulnerability. A local attacker with ISI\_PRIV\_LOGIN\_SSH and/or ISI\_PRIV\_LOGIN\_CONSOLE may potentially exploit this vulnerability, leading to elevation of privilege. This may potentially allow users to circumvent PowerScale Compliance Mode guarantees.

7.8

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2022-24412

Dell EMC PowerScale OneFS 8.2.x - 9.3.0.x contain an improper handling of value vulnerability. An unauthenticated remote attacker may potentially exploit this vulnerability, leading to denial-of-service.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-23161

Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service.

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-23160

Dell PowerScale OneFS 8.2.x - 9.3.0 contain an Improper Handling of Insufficient Permissions vulnerability. An remote malicious user may potentially exploit this vulnerability, leading to gaining write permissions on read-only files. 

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CVE-2022-23159

Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a missing release of memory after effective lifetime vulnerability. An authenticated user with ISI\_PRIV\_LOGIN\_SSH and/or ISI\_PRIV\_LOGIN\_CONSOLE and ISI\_PRIV\_AUTH\_PROVIDERS privileges may potentially exploit this vulnerability, leading to a Denial-Of-Service. This can also impact a cluster in Compliance mode. Dell recommends to update at the earliest opportunity.

4.8

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H

CVE-2022-23163

Dell PowerScale OneFS 8.2.x - 9.3.0.x contain a denial of service vulnerability. A local attacker with minimal privileges may potentially exploit this vulnerability, leading to denial of service/data unavailability.

4.7

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE-2022-24413

Dell PowerScale OneFS 8.2.2-9.3.x contain a time-of-check-to-time-of-use vulnerability. A local user with access to the filesystem may potentially exploit this vulnerability, leading to data loss.

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

 

**Third-Party Component**

**CVE**

**More information**

Apache Portable Runtime

CVE-2017-12613

CVE-2021-35940

Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.

**Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen**

**CVEs Addressed** 

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-24411

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

PowerScale OneFS Downloads Area

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-24412

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-23161

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2017-12613

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-23160

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-23159

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-23163

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-24413

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

**CVEs Addressed** 

**Affected Versions**

**Updated Versions**

**Link to Update**

CVE-2022-24411

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

PowerScale OneFS Downloads Area

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-24412

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-23161

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2017-12613

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-23160

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-23159

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-23163

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

CVE-2022-24413

8.2.2, 9.0.0, 9.1.1.x, and 9.2.0.x.

Upgrade your version of OneFS

9.1.0.x, 9.2.1.x, and 9.3.0.x.

Download and install the latest RUP

**Keinoja ongelman kiertämiseen tai lieventämiseen**

**CVEs addressed**

**Workaround or Mitigation**

CVE-2022-24411

none

CVE-2022-24412

Disable netbios support if enabled (default setting: disabled):

1.  Open an SSH connection on any node in the cluster and log on using the "root" account.
2.  Run the following command:

#isi smb settings global modify --support-netbios no

3.  To verify that the service is disabled, run the following command:

#isi smb settings global view | grep NetBIOS

If the service is disabled, the following output is displayed:

#Support NetBIOS: No

CVE-2022-23161

Configure a valid FQDN in the SmartConnect service name field for every SmartConnect subnet on the cluster:

#isi network subnets modify <subnet> --sc-service-name cluster-sc.example.com

CVE-2017-12613

none

CVE-2022-23160

Configure SMB share permissions of any SyncIQ target directory to prevent writes.

CVE-2022-23159

none

CVE-2022-23163

none

CVE-2022-24413

none

**Versiohistoria**

**Revision**

**Date**

**Description**

1.0

2022-03-03

Initial

1.1

2022-03-04

Corrected Impact

**Asiaan liittyvät tiedot**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

12 heinäk. 2022

CVE-2022-23161: DSA-2022-024: Dell EMC PowerScale OneFS Security Update for Multiple Vulnerabilities

A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login.

**Description**

Pacemakers daemon pcsd allows authentication via PAMs pam_authenticate. Unfortunately the authorization via pam_acct_mgmt has been omitted. Therefore unprivileged expired accounts that have been denied access can still login.

**Proof of Concept**

You can expire an account with chage -E0 <username>

**Impact**

Since disabling an account in PAM still allows to login via ssh-keys, it's common to set accounts to expire if you want to deny access. So accounts who technically don't have any privilege are still allowed to login here. This also counts for accounts with expired passwords. A fix is supplied in the report.

CVE-2022-1049: Improper Authorization in pcs

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

Hello gophers,

Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements client authentication support for signature algorithms based on SHA-2 for use with existing RSA keys.

Previously, a client would fail to authenticate with RSA keys to servers that reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default and—starting today March 15, 2022—github.com for recently uploaded keys.

We are providing this announcement as the error (“ssh: unable to authenticate”) might otherwise be difficult to troubleshoot.

Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also fixes a potential security issue where an attacker could cause a crash in a golang.org/x/crypto/ssh server under these conditions:

*   The server has been configured by passing a Signer to ServerConfig.AddHostKey.
    
*   The Signer passed to AddHostKey does not also implement AlgorithmSigner.
    
*   The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.
    

Servers that only use Signer implementations provided by the ssh package are unaffected. This is CVE-2022-27191.

Alla prossima,

Filippo for the Go Security team

CVE-2022-27191: An update of golang.org/x/crypto/ssh might be necessary

In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.

CVE-2022-24302: Changelog — Paramiko documentation

Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AWS Credentials Plugin
*   Dashboard View Plugin
*   dbCharts Plugin
*   Environment Dashboard Plugin
*   Extended Choice Parameter Plugin
*   Favorite Plugin
*   Folder-based Authorization Strategy Plugin
*   GitLab Authentication Plugin
*   global-build-stats Plugin
*   incapptic connect uploader Plugin
*   kubernetes-cd Plugin
*   List Git Branches Parameter Plugin
*   Parameterized Trigger Plugin
*   Release Helper Plugin
*   Semantic Versioning Plugin
*   Vmware vRealize CodeStream Plugin

**Descriptions****Sensitive parameter values captured in build metadata files by Parameterized Trigger Plugin**

**SECURITY-2185 / CVE-2022-27195**  
**Severity (CVSS):** Low  
**Affected plugin: parameterized-trigger**  
**Description:**

Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Parameterized Trigger Plugin, including password parameter values, in their build.xml files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.

Parameterized Trigger Plugin 2.43.1 does not store captured environment variables in build.xml files.

Existing build.xml files are not automatically updated to remove captured environment variables. They need to be manually cleaned up. To help with this, the plugin will report environment variables stored in build.xml as unloadable data in the Old Data Monitor, that allows discarding this data. Build records are only loaded from disk when needed however, so some builds stored in Jenkins may not immediately appear there.

**Stored XSS vulnerability in Favorite Plugin**

**SECURITY-2557 / CVE-2022-27196**  
**Severity (CVSS):** High  
**Affected plugin: favorite**  
**Description:**

Favorite Plugin 2.4.0 and earlier does not escape the names of jobs in the favorite column.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure or Item/Create permissions.

Favorite Plugin 2.4.1 escapes the names of jobs in the favorite column.

**Stored XSS vulnerability in Dashboard View Plugin**

**SECURITY-2559 / CVE-2022-27197**  
**Severity (CVSS):** High  
**Affected plugin: dashboard-view**  
**Description:**

Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet’s Iframe source URL.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views.

Dashboard View Plugin 2.18.1 performs URL validation for the Iframe Portlet’s Iframe source URL.

Additionally, Dashboard View Plugin 2.18.1 sets the sandbox attribute for the iframe to restrict the included page.

In case of problems, the Java system property hudson.plugins.view.dashboard.core.IframePortlet.sandboxAttributeValue can be used to customize the sandbox attribute value. The Java system property hudson.plugins.view.dashboard.core.IframePortlet.doNotUseSandbox can be used to disable the sandbox completely.

**CSRF vulnerability and missing permission checks in AWS Credentials Plugin**

**SECURITY-2351 / CVE-2022-27198 (CSRF), CVE-2022-27199 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-credentials**  
**Description:**

AWS Credentials Plugin 189.v3551d5642995 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer permission in AWS Credentials Plugin 191.vcb\_f183ce58b\_9.

**Stored XSS vulnerability in Folder-based Authorization Strategy Plugin**

**SECURITY-2646 / CVE-2022-27200**  
**Severity (CVSS):** Medium  
**Affected plugin: folder-auth**  
**Description:**

Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

Folder-based Authorization Strategy Plugin 1.4 escapes the names of roles shown on the configuration form.

**Agent-to-controller security bypass in Semantic Versioning Plugin**

**SECURITY-2124 / CVE-2022-27201**  
**Severity (CVSS):** High  
**Affected plugin: semantic-versioning-plugin**  
**Description:**

Semantic Versioning Plugin defines a controller/agent message that processes a given file as XML and returns version information. The XML parser is not configured to prevent XML external entity (XXE) attacks, which is only a problem if XML documents are parsed on the Jenkins controller.

Semantic Versioning Plugin 1.13 and earlier does not restrict execution of the controller/agent message to agents, and implements no limitations about the file path that can be parsed. This allows attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

Semantic Versioning Plugin 1.14 does not allow the affected controller/agent message to be submitted by agents for execution on the controller.

**Stored XSS vulnerability in Extended Choice Parameter Plugin**

**SECURITY-2232 / CVE-2022-27202**  
**Severity (CVSS):** High  
**Affected plugin: extended-choice-parameter**  
**Description:**

Extended Choice Parameter Plugin 346.vd87693c5a\_86c and earlier does not escape the value and description of Extended Choice Parameters with parameter type 'Radio Buttons' or 'Check Boxes'.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Arbitrary JSON and property file read vulnerability in Extended Choice Parameter Plugin**

**SECURITY-1351 / CVE-2022-27203**  
**Severity (CVSS):** Medium  
**Affected plugin: extended-choice-parameter**  
**Description:**

Extended Choice Parameter Plugin 346.vd87693c5a\_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller.

**CSRF vulnerability and missing permission checks in Extended Choice Parameter Plugin allow SSRF**

**SECURITY-1350 / CVE-2022-27204 (CSRF), CVE-2022-27205 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: extended-choice-parameter**  
**Description:**

Extended Choice Parameter Plugin 346.vd87693c5a\_86c and earlier does not perform a permission check on form validation methods. This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Client Secret stored in plain text by GitLab Authentication Plugin**

**SECURITY-1891 / CVE-2022-27206**  
**Severity (CVSS):** Low  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This client secret can be viewed by users with access to the Jenkins controller file system.

**Stored XSS vulnerability in global-build-stats Plugin**

**SECURITY-1886 / CVE-2022-27207**  
**Severity (CVSS):** Medium  
**Affected plugin: global-build-stats**  
**Description:**

global-build-stats Plugin 1.5 and earlier does not escape multiple fields in the chart configuration on the 'Global Build Stats' page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

**Arbitrary file read vulnerability in kubernetes-cd Plugin**

**SECURITY-2096 / CVE-2022-27208**  
**Severity (CVSS):** Medium  
**Affected plugin: kubernetes-cd**  
**Description:**

kubernetes-cd Plugin contributes the 'Kubernetes configuration (kubeconfig)' credential type.

kubernetes-cd Plugin 2.3.1 and earlier allows users with Credentials/Create or Credentials/Update permission to read arbitrary files on the Jenkins controller by defining a 'From a file on the Jenkins master' Kubeconfig source for such a credential.

**Missing permission checks in kubernetes-cd Plugin allow enumerating credentials IDs**

**SECURITY-2636 / CVE-2022-27209**  
**Severity (CVSS):** Medium  
**Affected plugin: kubernetes-cd**  
**Description:**

kubernetes-cd Plugin 2.3.1 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission checks in kubernetes-cd Plugin allow capturing credentials**

**SECURITY-2681 / CVE-2022-27210 (CSRF), CVE-2022-27211 (permission check)**  
**Severity (CVSS):** High  
**Affected plugin: kubernetes-cd**  
**Description:**

kubernetes-cd Plugin 2.3.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Stored XSS vulnerability in List Git Branches Parameter Plugin**

**SECURITY-2167 / CVE-2022-27212**  
**Severity (CVSS):** High  
**Affected plugin: list-git-branches-parameter**  
**Description:**

List Git Branches Parameter Plugin 0.0.9 and earlier does not escape the name or default value of the 'List Git branches (and more)' parameter. Additionally, List Git Branches Parameter Plugin explicitly disables a protection mechanism introduced in Jenkins 2.44 and LTS 2.32.2 to prevent exploitation of unescaped parameter names.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Stored XSS vulnerability in Environment Dashboard Plugin**

**SECURITY-2252 / CVE-2022-27213**  
**Severity (CVSS):** High  
**Affected plugin: environment-dashboard**  
**Description:**

Environment Dashboard Plugin 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

**CSRF vulnerability and missing permission checks in Release Helper Plugin**

**SECURITY-2274 / CVE-2022-27214 (CSRF), CVE-2022-27215 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: release-helper**  
**Description:**

Release Helper Plugin 1.3.3 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Passwords stored in plain text by dbCharts Plugin**

**SECURITY-2159 / CVE-2022-27216**  
**Severity (CVSS):** Low  
**Affected plugin: dbCharts**  
**Description:**

dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file hudson.plugins.dbcharts.DbChartPublisher.xml on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

**Passwords stored in plain text by Vmware vRealize CodeStream Plugin**

**SECURITY-2238 / CVE-2022-27217**  
**Severity (CVSS):** Medium  
**Affected plugin: vmware-vrealize-codestream**  
**Description:**

Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

**Personal tokens stored in plain text by incapptic connect uploader Plugin**

**SECURITY-2273 / CVE-2022-27218**  
**Severity (CVSS):** Medium  
**Affected plugin: incapptic-connect-uploader**  
**Description:**

incapptic connect uploader Plugin 1.15 and earlier stores personal tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

**Severity**

*   SECURITY-1350: Medium
*   SECURITY-1351: Medium
*   SECURITY-1886: Medium
*   SECURITY-1891: Low
*   SECURITY-2096: Medium
*   SECURITY-2124: High
*   SECURITY-2159: Low
*   SECURITY-2167: High
*   SECURITY-2185: Low
*   SECURITY-2232: High
*   SECURITY-2238: Medium
*   SECURITY-2252: High
*   SECURITY-2273: Medium
*   SECURITY-2274: Medium
*   SECURITY-2351: Medium
*   SECURITY-2557: High
*   SECURITY-2559: High
*   SECURITY-2636: Medium
*   SECURITY-2646: Medium
*   SECURITY-2681: High

**Affected Versions**

*   **AWS Credentials Plugin** up to and including 189.v3551d5642995
*   **Dashboard View Plugin** up to and including 2.18
*   **dbCharts Plugin** up to and including 0.5.2
*   **Environment Dashboard Plugin** up to and including 1.1.10
*   **Extended Choice Parameter Plugin** up to and including 346.vd87693c5a\_86c
*   **Favorite Plugin** up to and including 2.4.0
*   **Folder-based Authorization Strategy Plugin** up to and including 1.3
*   **GitLab Authentication Plugin** up to and including 1.13
*   **global-build-stats Plugin** up to and including 1.5
*   **incapptic connect uploader Plugin** up to and including 1.15
*   **kubernetes-cd Plugin** up to and including 2.3.1
*   **List Git Branches Parameter Plugin** up to and including 0.0.9
*   **Parameterized Trigger Plugin** up to and including 2.43
*   **Release Helper Plugin** up to and including 1.3.3
*   **Semantic Versioning Plugin** up to and including 1.13
*   **Vmware vRealize CodeStream Plugin** up to and including 1.2

**Fix**

*   **AWS Credentials Plugin** should be updated to version 191.vcb\_f183ce58b\_9
*   **Dashboard View Plugin** should be updated to version 2.18.1
*   **Favorite Plugin** should be updated to version 2.4.1
*   **Folder-based Authorization Strategy Plugin** should be updated to version 1.4
*   **Parameterized Trigger Plugin** should be updated to version 2.43.1
*   **Semantic Versioning Plugin** should be updated to version 1.14

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   dbCharts Plugin
*   Environment Dashboard Plugin
*   Extended Choice Parameter Plugin
*   GitLab Authentication Plugin
*   global-build-stats Plugin
*   incapptic connect uploader Plugin
*   kubernetes-cd Plugin
*   List Git Branches Parameter Plugin
*   Release Helper Plugin
*   Vmware vRealize CodeStream Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2124, SECURITY-2681
*   **Gunther Rademacher** for SECURITY-2185
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-2096
*   **Justin Philip** for SECURITY-2252
*   **Kevin Guerroudj** for SECURITY-2232, SECURITY-2238
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2636, SECURITY-2646
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2557
*   **Matt Sicker, CloudBees, Inc. and, independently, Marc Heyries** for SECURITY-1891
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1350, SECURITY-1351
*   **Quentin Parra** for SECURITY-2273, SECURITY-2274
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2159
*   **Son Nguyen (@s0nnguy3n\_), and, independently, Kevin Guerroudj** for SECURITY-2167
*   **Wadeck Follonier, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2559
*   **Wadeck Follonier, CloudBees, Inc., and, independently, Kevin Guerroudj** for SECURITY-1886

CVE-2022-27203: Jenkins Security Advisory 2022-03-15

A missing permission check in Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   CloudBees AWS Credentials Plugin
*   Dashboard View Plugin
*   dbCharts Plugin
*   Environment Dashboard Plugin
*   Extended Choice Parameter Plugin
*   Favorite Plugin
*   Folder-based Authorization Strategy Plugin
*   GitLab Authentication Plugin
*   global-build-stats Plugin
*   incapptic connect uploader Plugin
*   kubernetes-cd Plugin
*   List Git Branches Parameter Plugin
*   Parameterized Trigger Plugin
*   Release Helper Plugin
*   Semantic Versioning Plugin
*   Vmware vRealize CodeStream Plugin

**Descriptions****Sensitive parameter values captured in build metadata files by Parameterized Trigger Plugin**

**SECURITY-2185 / CVE-2022-27195**  
**Severity (CVSS):** Low  
**Affected plugin: parameterized-trigger**  
**Description:**

Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Parameterized Trigger Plugin, including password parameter values, in their build.xml files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.

Parameterized Trigger Plugin 2.43.1 does not store captured environment variables in build.xml files.

Existing build.xml files are not automatically updated to remove captured environment variables. They need to be manually cleaned up. To help with this, the plugin will report environment variables stored in build.xml as unloadable data in the Old Data Monitor, that allows discarding this data. Build records are only loaded from disk when needed however, so some builds stored in Jenkins may not immediately appear there.

**Stored XSS vulnerability in Favorite Plugin**

**SECURITY-2557 / CVE-2022-27196**  
**Severity (CVSS):** High  
**Affected plugin: favorite**  
**Description:**

Favorite Plugin 2.4.0 and earlier does not escape the names of jobs in the favorite column.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure or Item/Create permissions.

Favorite Plugin 2.4.1 escapes the names of jobs in the favorite column.

**Stored XSS vulnerability in Dashboard View Plugin**

**SECURITY-2559 / CVE-2022-27197**  
**Severity (CVSS):** High  
**Affected plugin: dashboard-view**  
**Description:**

Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet’s Iframe source URL.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views.

Dashboard View Plugin 2.18.1 performs URL validation for the Iframe Portlet’s Iframe source URL.

Additionally, Dashboard View Plugin 2.18.1 sets the sandbox attribute for the iframe to restrict the included page.

In case of problems, the Java system property hudson.plugins.view.dashboard.core.IframePortlet.sandboxAttributeValue can be used to customize the sandbox attribute value. The Java system property hudson.plugins.view.dashboard.core.IframePortlet.doNotUseSandbox can be used to disable the sandbox completely.

**CSRF vulnerability and missing permission checks in CloudBees AWS Credentials Plugin**

**SECURITY-2351 / CVE-2022-27198 (CSRF), CVE-2022-27199 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: aws-credentials**  
**Description:**

CloudBees AWS Credentials Plugin 189.v3551d5642995 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer permission in CloudBees AWS Credentials Plugin 191.vcb\_f183ce58b\_9.

**Stored XSS vulnerability in Folder-based Authorization Strategy Plugin**

**SECURITY-2646 / CVE-2022-27200**  
**Severity (CVSS):** Medium  
**Affected plugin: folder-auth**  
**Description:**

Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

Folder-based Authorization Strategy Plugin 1.4 escapes the names of roles shown on the configuration form.

**Agent-to-controller security bypass in Semantic Versioning Plugin**

**SECURITY-2124 / CVE-2022-27201**  
**Severity (CVSS):** High  
**Affected plugin: semantic-versioning-plugin**  
**Description:**

Semantic Versioning Plugin defines a controller/agent message that processes a given file as XML and returns version information. The XML parser is not configured to prevent XML external entity (XXE) attacks, which is only a problem if XML documents are parsed on the Jenkins controller.

Semantic Versioning Plugin 1.13 and earlier does not restrict execution of the controller/agent message to agents, and implements no limitations about the file path that can be parsed. This allows attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

Semantic Versioning Plugin 1.14 does not allow the affected controller/agent message to be submitted by agents for execution on the controller.

**Stored XSS vulnerability in Extended Choice Parameter Plugin**

**SECURITY-2232 / CVE-2022-27202**  
**Severity (CVSS):** High  
**Affected plugin: extended-choice-parameter**  
**Description:**

Extended Choice Parameter Plugin 346.vd87693c5a\_86c and earlier does not escape the value and description of Extended Choice Parameters with parameter type 'Radio Buttons' or 'Check Boxes'.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Arbitrary JSON and property file read vulnerability in Extended Choice Parameter Plugin**

**SECURITY-1351 / CVE-2022-27203**  
**Severity (CVSS):** Medium  
**Affected plugin: extended-choice-parameter**  
**Description:**

Extended Choice Parameter Plugin 346.vd87693c5a\_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller.

**CSRF vulnerability and missing permission checks in Extended Choice Parameter Plugin allow SSRF**

**SECURITY-1350 / CVE-2022-27204 (CSRF), CVE-2022-27205 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: extended-choice-parameter**  
**Description:**

Extended Choice Parameter Plugin 346.vd87693c5a\_86c and earlier does not perform a permission check on form validation methods. This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Client Secret stored in plain text by GitLab Authentication Plugin**

**SECURITY-1891 / CVE-2022-27206**  
**Severity (CVSS):** Low  
**Affected plugin: gitlab-oauth**  
**Description:**

GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This client secret can be viewed by users with access to the Jenkins controller file system.

**Stored XSS vulnerability in global-build-stats Plugin**

**SECURITY-1886 / CVE-2022-27207**  
**Severity (CVSS):** Medium  
**Affected plugin: global-build-stats**  
**Description:**

global-build-stats Plugin 1.5 and earlier does not escape multiple fields in the chart configuration on the 'Global Build Stats' page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

**Arbitrary file read vulnerability in kubernetes-cd Plugin**

**SECURITY-2096 / CVE-2022-27208**  
**Severity (CVSS):** Medium  
**Affected plugin: kubernetes-cd**  
**Description:**

kubernetes-cd Plugin contributes the 'Kubernetes configuration (kubeconfig)' credential type.

kubernetes-cd Plugin 2.3.1 and earlier allows users with Credentials/Create or Credentials/Update permission to read arbitrary files on the Jenkins controller by defining a 'From a file on the Jenkins master' Kubeconfig source for such a credential.

**Missing permission checks in kubernetes-cd Plugin allow enumerating credentials IDs**

**SECURITY-2636 / CVE-2022-27209**  
**Severity (CVSS):** Medium  
**Affected plugin: kubernetes-cd**  
**Description:**

kubernetes-cd Plugin 2.3.1 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission checks in kubernetes-cd Plugin allow capturing credentials**

**SECURITY-2681 / CVE-2022-27210 (CSRF), CVE-2022-27211 (permission check)**  
**Severity (CVSS):** High  
**Affected plugin: kubernetes-cd**  
**Description:**

kubernetes-cd Plugin 2.3.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Stored XSS vulnerability in List Git Branches Parameter Plugin**

**SECURITY-2167 / CVE-2022-27212**  
**Severity (CVSS):** High  
**Affected plugin: list-git-branches-parameter**  
**Description:**

List Git Branches Parameter Plugin 0.0.9 and earlier does not escape the name or default value of the 'List Git branches (and more)' parameter. Additionally, List Git Branches Parameter Plugin explicitly disables a protection mechanism introduced in Jenkins 2.44 and LTS 2.32.2 to prevent exploitation of unescaped parameter names.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Stored XSS vulnerability in Environment Dashboard Plugin**

**SECURITY-2252 / CVE-2022-27213**  
**Severity (CVSS):** High  
**Affected plugin: environment-dashboard**  
**Description:**

Environment Dashboard Plugin 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

**CSRF vulnerability and missing permission checks in Release Helper Plugin**

**SECURITY-2274 / CVE-2022-27214 (CSRF), CVE-2022-27215 (permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: release-helper**  
**Description:**

Release Helper Plugin 1.3.3 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Passwords stored in plain text by dbCharts Plugin**

**SECURITY-2159 / CVE-2022-27216**  
**Severity (CVSS):** Low  
**Affected plugin: dbCharts**  
**Description:**

dbCharts Plugin 0.5.2 and earlier stores JDBC connection passwords unencrypted in its global configuration file hudson.plugins.dbcharts.DbChartPublisher.xml on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

**Passwords stored in plain text by Vmware vRealize CodeStream Plugin**

**SECURITY-2238 / CVE-2022-27217**  
**Severity (CVSS):** Medium  
**Affected plugin: vmware-vrealize-codestream**  
**Description:**

Vmware vRealize CodeStream Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

**Personal tokens stored in plain text by incapptic connect uploader Plugin**

**SECURITY-2273 / CVE-2022-27218**  
**Severity (CVSS):** Medium  
**Affected plugin: incapptic-connect-uploader**  
**Description:**

incapptic connect uploader Plugin 1.15 and earlier stores personal tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

**Severity**

*   SECURITY-1350: Medium
*   SECURITY-1351: Medium
*   SECURITY-1886: Medium
*   SECURITY-1891: Low
*   SECURITY-2096: Medium
*   SECURITY-2124: High
*   SECURITY-2159: Low
*   SECURITY-2167: High
*   SECURITY-2185: Low
*   SECURITY-2232: High
*   SECURITY-2238: Medium
*   SECURITY-2252: High
*   SECURITY-2273: Medium
*   SECURITY-2274: Medium
*   SECURITY-2351: Medium
*   SECURITY-2557: High
*   SECURITY-2559: High
*   SECURITY-2636: Medium
*   SECURITY-2646: Medium
*   SECURITY-2681: High

**Affected Versions**

*   **CloudBees AWS Credentials Plugin** up to and including 189.v3551d5642995
*   **Dashboard View Plugin** up to and including 2.18
*   **dbCharts Plugin** up to and including 0.5.2
*   **Environment Dashboard Plugin** up to and including 1.1.10
*   **Extended Choice Parameter Plugin** up to and including 346.vd87693c5a\_86c
*   **Favorite Plugin** up to and including 2.4.0
*   **Folder-based Authorization Strategy Plugin** up to and including 1.3
*   **GitLab Authentication Plugin** up to and including 1.13
*   **global-build-stats Plugin** up to and including 1.5
*   **incapptic connect uploader Plugin** up to and including 1.15
*   **kubernetes-cd Plugin** up to and including 2.3.1
*   **List Git Branches Parameter Plugin** up to and including 0.0.9
*   **Parameterized Trigger Plugin** up to and including 2.43
*   **Release Helper Plugin** up to and including 1.3.3
*   **Semantic Versioning Plugin** up to and including 1.13
*   **Vmware vRealize CodeStream Plugin** up to and including 1.2

**Fix**

*   **CloudBees AWS Credentials Plugin** should be updated to version 191.vcb\_f183ce58b\_9
*   **Dashboard View Plugin** should be updated to version 2.18.1
*   **Favorite Plugin** should be updated to version 2.4.1
*   **Folder-based Authorization Strategy Plugin** should be updated to version 1.4
*   **Parameterized Trigger Plugin** should be updated to version 2.43.1
*   **Semantic Versioning Plugin** should be updated to version 1.14

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   dbCharts Plugin
*   Environment Dashboard Plugin
*   Extended Choice Parameter Plugin
*   GitLab Authentication Plugin
*   global-build-stats Plugin
*   incapptic connect uploader Plugin
*   kubernetes-cd Plugin
*   List Git Branches Parameter Plugin
*   Release Helper Plugin
*   Vmware vRealize CodeStream Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2124, SECURITY-2681
*   **Gunther Rademacher** for SECURITY-2185
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-2096
*   **Justin Philip** for SECURITY-2252
*   **Kevin Guerroudj** for SECURITY-2232, SECURITY-2238
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2636, SECURITY-2646
*   **Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2557
*   **Matt Sicker, CloudBees, Inc. and, independently, Marc Heyries** for SECURITY-1891
*   **Oleg Nenashev, CloudBees, Inc.** for SECURITY-1350, SECURITY-1351
*   **Quentin Parra** for SECURITY-2273, SECURITY-2274
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2159
*   **Son Nguyen (@s0nnguy3n\_), and, independently, Kevin Guerroudj** for SECURITY-2167
*   **Wadeck Follonier, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2559
*   **Wadeck Follonier, CloudBees, Inc., and, independently, Kevin Guerroudj** for SECURITY-1886

CVE-2022-27205: Jenkins Security Advisory 2022-03-15

Jenkins Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission.

Tag

#ssh