[JENKINS:SECURITY-2784] Stored XSS vulnerabilities in multiple plugins providing additional parameter types

Severity High
Affected Packages 32
Fixed Packages 4
CVEs 16

Multiple plugins do not escape the name and description of the parameter types they provide:

  • Agent Server Parameter 1.1 and earlier (SECURITY-2731 / CVE-2022-34183)
  • CRX Content Package Deployer 1.9 and earlier (SECURITY-2727 / CVE-2022-34184)
  • Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185)
  • Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 / CVE-2022-34186)
  • Filesystem List Parameter 0.0.7 and earlier (SECURITY-2716 / CVE-2022-34187)
  • Hidden Parameter Plugin 0.0.4 and earlier (SECURITY-2755 / CVE-2022-34188)
  • Image Tag Parameter 1.10 and earlier (SECURITY-2721 / CVE-2022-34189)
  • Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 / CVE-2022-34190)
  • NS-ND Integration Performance Publisher 4.8.0.77 and earlier (SECURITY-2736 / CVE-2022-34191)
  • ontrack Jenkins 4.0.0 and earlier (SECURITY-2733 / CVE-2022-34192)
  • Package Version 1.0.1 and earlier (SECURITY-2735 / CVE-2022-34193)
  • Readonly Parameter 1.0.0 and earlier (SECURITY-2719 / CVE-2022-34194)
  • Repository Connector 2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195)
  • REST List Parameter Plugin 1.5.2 and earlier (SECURITY-2730 / CVE-2022-34196)
  • Sauce OnDemand 1.204 and earlier (SECURITY-2724 / CVE-2022-34197)
  • Stash Branch Parameter 0.3.0 and earlier (SECURITY-2725 / CVE-2022-34198)

This results in stored cross-site scripting (XSS) vulnerabilities exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation.
Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix (/security/advisory/2017-02-01/#persisted-cross-site-scripting-vulnerability-in-parameter-names-and-descriptions).
Additionally, several plugins have previously been updated to list parameters in a way that prevents exploitation by default; see SECURITY-2617 in the 2022-04-12 security advisory (/security/advisory/2022-04-12/#SECURITY-2617) for a list.

The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified:

  • REST List Parameter Plugin 1.6.0
  • Hidden Parameter Plugin 0.0.5

As of publication of this advisory, there is no fix available for the following plugins:

  • Agent Server Parameter 1.1 and earlier (SECURITY-2731 / CVE-2022-34183)
  • CRX Content Package Deployer 1.9 and earlier (SECURITY-2727 / CVE-2022-34184)
  • Date Parameter Plugin 0.0.4 and earlier (SECURITY-2711 / CVE-2022-34185)
  • Dynamic Extended Choice Parameter 1.0.1 and earlier (SECURITY-2712 / CVE-2022-34186)
  • Filesystem List Parameter 0.0.7 and earlier (SECURITY-2716 / CVE-2022-34187)
  • Image Tag Parameter 1.10 and earlier (SECURITY-2721 / CVE-2022-34189)
  • Maven Metadata for CI server 2.1 and earlier (SECURITY-2714 / CVE-2022-34190)
  • NS-ND Integration Performance Publisher 4.8.0.77 and earlier (SECURITY-2736 / CVE-2022-34191)
  • ontrack Jenkins 4.0.0 and earlier (SECURITY-2733 / CVE-2022-34192)
  • Package Version 1.0.1 and earlier (SECURITY-2735 / CVE-2022-34193)
  • Readonly Parameter 1.0.0 and earlier (SECURITY-2719 / CVE-2022-34194)
  • Repository Connector 2.2.0 and earlier (SECURITY-2666 / CVE-2022-34195)
  • Sauce OnDemand 1.204 and earlier (SECURITY-2724 / CVE-2022-34197)
  • Stash Branch Parameter 0.3.0 and earlier (SECURITY-2725 / CVE-2022-34198)
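
To check an inventory against the affected versions listed above, the following added example (not part of the advisory or of Jenkins) reads `plugin-id:version` lines, the format used in a plugins.txt file, and reports which pinned plugins fall in an affected range. The sample inventory is constructed, the function names are hypothetical, and version qualifiers such as `-rc1` are ignored when comparing.

```python
import re

# Last affected version per plugin ID (lowercased), as listed in this advisory.
LAST_AFFECTED = {
    "agent-server-parameter": "1.1", "cavisson-ns-nd-integration": "4.8.0.77",
    "crx-content-package-deployer": "1.9", "date-parameter": "0.0.4",
    "dynamic_extended_choice_parameter": "1.0.1", "hidden-parameter": "0.0.4",
    "filesystem-list-parameter-plugin": "0.0.7", "image-tag-parameter": "1.10",
    "maven-metadata-plugin": "2.1", "ontrack": "4.0.0",
    "packageversion": "1.0.1", "readonly-parameters": "1.0.0",
    "repository-connector": "2.2.0", "rest-list-parameter": "1.5.2",
    "sauce-ondemand": "1.204", "stashbranchparameter": "0.3.0",
}
FIXED_IN = {"hidden-parameter": "0.0.5", "rest-list-parameter": "1.6.0"}

def version_key(version):
    """Numeric key from the leading dotted digits, e.g. '4.8.0.77' -> (4, 8, 0, 77)."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group().split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 1.0 and 1.0.0 as equal
        parts.pop()
    return tuple(parts)

def audit(plugins_txt):
    """Return (plugin, installed, action) for each pinned plugin the advisory affects."""
    findings = []
    for line in plugins_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue  # blank, comment-only or unpinned entry: no version to compare
        name, installed = (field.strip() for field in line.split(":")[:2])
        last = LAST_AFFECTED.get(name.lower())
        if last and version_key(installed) <= version_key(last):
            fixed = FIXED_IN.get(name.lower())
            findings.append((name, installed, f"upgrade to {fixed}" if fixed else "no fix available"))
    return findings

# Constructed sample inventory, not taken from a real controller.
SAMPLE = """\
hidden-parameter:0.0.4
rest-list-parameter:1.6.0
sauce-ondemand:1.204
StashBranchParameter:0.2.1   # pinned long ago
cavisson-ns-nd-integration:4.8.0.78
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
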

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/StashBranchParameter <= 0.3.0
pkg:maven/org.jenkins-ci.plugins/sauce-ondemand <= 1.204
pkg:maven/org.jenkins-ci.plugins/rest-list-parameter <= 1.5.2
pkg:maven/org.jenkins-ci.plugins/repository-connector <= 2.2.0
pkg:maven/org.jenkins-ci.plugins/readonly-parameters <= 1.0.0
pkg:maven/org.jenkins-ci.plugins/packageversion <= 1.0.1
pkg:maven/org.jenkins-ci.plugins/ontrack <= 4.0.0
pkg:maven/org.jenkins-ci.plugins/maven-metadata-plugin <= 2.1
pkg:maven/org.jenkins-ci.plugins/image-tag-parameter <= 1.10
pkg:maven/org.jenkins-ci.plugins/hidden-parameter <= 0.0.4
pkg:maven/org.jenkins-ci.plugins/filesystem-list-parameter-plugin <= 0.0.7
pkg:maven/org.jenkins-ci.plugins/dynamic_extended_choice_parameter <= 1.0.1
pkg:maven/org.jenkins-ci.plugins/date-parameter <= 0.0.4
pkg:maven/org.jenkins-ci.plugins/crx-content-package-deployer <= 1.9
pkg:maven/org.jenkins-ci.plugins/cavisson-ns-nd-integration <= 4.8.0.77
pkg:maven/org.jenkins-ci.plugins/agent-server-parameter <= 1.1
pkg:github/jenkinsci/stashbranchparameter-plugin <= 0.3.0
pkg:github/jenkinsci/sauce-ondemand-plugin <= 1.204
pkg:github/jenkinsci/rest-list-parameter-plugin <= 1.5.2
pkg:github/jenkinsci/repository-connector-plugin <= 2.2.0
pkg:github/jenkinsci/readonly-parameters-plugin <= 1.0.0
pkg:github/jenkinsci/packageversion-plugin <= 1.0.1
pkg:github/jenkinsci/ontrack-plugin <= 4.0.0
pkg:github/jenkinsci/maven-metadata-plugin-plugin <= 2.1
pkg:github/jenkinsci/image-tag-parameter-plugin <= 1.10
pkg:github/jenkinsci/hidden-parameter-plugin <= 0.0.4
pkg:github/jenkinsci/filesystem-list-parameter-plugin-plugin <= 0.0.7
pkg:github/jenkinsci/dynamic_extended_choice_parameter-plugin <= 1.0.1
pkg:github/jenkinsci/date-parameter-plugin <= 0.0.4
pkg:github/jenkinsci/crx-content-package-deployer-plugin <= 1.9
pkg:github/jenkinsci/cavisson-ns-nd-integration-plugin <= 4.8.0.77
pkg:github/jenkinsci/agent-server-parameter-plugin <= 1.1

Source # ID Name URL
Plugin repository agent-server-parameter repository https://github.com/jenkinsci/agent-server-parameter-plugin
Plugin repository crx-content-package-deployer repository https://github.com/jenkinsci/crx-content-package-deployer-plugin
Plugin repository date-parameter repository https://github.com/jenkinsci/date-parameter-plugin
Plugin repository dynamic_extended_choice_parameter repository https://github.com/jenkinsci/dynamic_extended_choice_parameter-plugin
Plugin repository filesystem-list-parameter-plugin repository https://github.com/jenkinsci/filesystem-list-parameter-plugin-plugin
Plugin repository hidden-parameter repository https://github.com/jenkinsci/hidden-parameter-plugin
Plugin repository image-tag-parameter repository https://github.com/jenkinsci/image-tag-parameter-plugin
Plugin repository maven-metadata-plugin repository https://github.com/jenkinsci/maven-metadata-plugin-plugin
Plugin repository cavisson-ns-nd-integration repository https://github.com/jenkinsci/cavisson-ns-nd-integration-plugin
Plugin repository ontrack repository https://github.com/jenkinsci/ontrack-plugin
Plugin repository packageversion repository https://github.com/jenkinsci/packageversion-plugin
Plugin repository readonly-parameters repository https://github.com/jenkinsci/readonly-parameters-plugin
Plugin repository repository-connector repository https://github.com/jenkinsci/repository-connector-plugin
Plugin repository rest-list-parameter repository https://github.com/jenkinsci/rest-list-parameter-plugin
Plugin repository sauce-ondemand repository https://github.com/jenkinsci/sauce-ondemand-plugin
Plugin repository StashBranchParameter repository https://github.com/jenkinsci/StashBranchParameter-plugin

Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/StashBranchParameter org.jenkins-ci.plugins StashBranchParameter <= 0.3.0
Affected pkg:maven/org.jenkins-ci.plugins/sauce-ondemand org.jenkins-ci.plugins sauce-ondemand <= 1.204
Affected pkg:maven/org.jenkins-ci.plugins/rest-list-parameter org.jenkins-ci.plugins rest-list-parameter <= 1.5.2
Fixed pkg:maven/org.jenkins-ci.plugins/rest-list-parameter org.jenkins-ci.plugins rest-list-parameter = 1.6.0
Affected pkg:maven/org.jenkins-ci.plugins/repository-connector org.jenkins-ci.plugins repository-connector <= 2.2.0
Affected pkg:maven/org.jenkins-ci.plugins/readonly-parameters org.jenkins-ci.plugins readonly-parameters <= 1.0.0
Affected pkg:maven/org.jenkins-ci.plugins/packageversion org.jenkins-ci.plugins packageversion <= 1.0.1
Affected pkg:maven/org.jenkins-ci.plugins/ontrack org.jenkins-ci.plugins ontrack <= 4.0.0
Affected pkg:maven/org.jenkins-ci.plugins/maven-metadata-plugin org.jenkins-ci.plugins maven-metadata-plugin <= 2.1
Affected pkg:maven/org.jenkins-ci.plugins/image-tag-parameter org.jenkins-ci.plugins image-tag-parameter <= 1.10
Affected pkg:maven/org.jenkins-ci.plugins/hidden-parameter org.jenkins-ci.plugins hidden-parameter <= 0.0.4
Fixed pkg:maven/org.jenkins-ci.plugins/hidden-parameter org.jenkins-ci.plugins hidden-parameter = 0.0.5
Affected pkg:maven/org.jenkins-ci.plugins/filesystem-list-parameter-plugin org.jenkins-ci.plugins filesystem-list-parameter-plugin <= 0.0.7
Affected pkg:maven/org.jenkins-ci.plugins/dynamic_extended_choice_parameter org.jenkins-ci.plugins dynamic_extended_choice_parameter <= 1.0.1
Affected pkg:maven/org.jenkins-ci.plugins/date-parameter org.jenkins-ci.plugins date-parameter <= 0.0.4
Affected pkg:maven/org.jenkins-ci.plugins/crx-content-package-deployer org.jenkins-ci.plugins crx-content-package-deployer <= 1.9
Affected pkg:maven/org.jenkins-ci.plugins/cavisson-ns-nd-integration org.jenkins-ci.plugins cavisson-ns-nd-integration <= 4.8.0.77
Affected pkg:maven/org.jenkins-ci.plugins/agent-server-parameter org.jenkins-ci.plugins agent-server-parameter <= 1.1
Affected pkg:github/jenkinsci/stashbranchparameter-plugin jenkinsci stashbranchparameter-plugin <= 0.3.0
Affected pkg:github/jenkinsci/sauce-ondemand-plugin jenkinsci sauce-ondemand-plugin <= 1.204
Affected pkg:github/jenkinsci/rest-list-parameter-plugin jenkinsci rest-list-parameter-plugin <= 1.5.2
Fixed pkg:github/jenkinsci/rest-list-parameter-plugin jenkinsci rest-list-parameter-plugin = 1.6.0
Affected pkg:github/jenkinsci/repository-connector-plugin jenkinsci repository-connector-plugin <= 2.2.0
Affected pkg:github/jenkinsci/readonly-parameters-plugin jenkinsci readonly-parameters-plugin <= 1.0.0
Affected pkg:github/jenkinsci/packageversion-plugin jenkinsci packageversion-plugin <= 1.0.1
Affected pkg:github/jenkinsci/ontrack-plugin jenkinsci ontrack-plugin <= 4.0.0
Affected pkg:github/jenkinsci/maven-metadata-plugin-plugin jenkinsci maven-metadata-plugin-plugin <= 2.1
Affected pkg:github/jenkinsci/image-tag-parameter-plugin jenkinsci image-tag-parameter-plugin <= 1.10
Affected pkg:github/jenkinsci/hidden-parameter-plugin jenkinsci hidden-parameter-plugin <= 0.0.4
Fixed pkg:github/jenkinsci/hidden-parameter-plugin jenkinsci hidden-parameter-plugin = 0.0.5
Affected pkg:github/jenkinsci/filesystem-list-parameter-plugin-plugin jenkinsci filesystem-list-parameter-plugin-plugin <= 0.0.7
Affected pkg:github/jenkinsci/dynamic_extended_choice_parameter-plugin jenkinsci dynamic_extended_choice_parameter-plugin <= 1.0.1
Affected pkg:github/jenkinsci/date-parameter-plugin jenkinsci date-parameter-plugin <= 0.0.4
Affected pkg:github/jenkinsci/crx-content-package-deployer-plugin jenkinsci crx-content-package-deployer-plugin <= 1.9
Affected pkg:github/jenkinsci/cavisson-ns-nd-integration-plugin jenkinsci cavisson-ns-nd-integration-plugin <= 4.8.0.77
Affected pkg:github/jenkinsci/agent-server-parameter-plugin jenkinsci agent-server-parameter-plugin <= 1.1