[JENKINS:SECURITY-2973-1] Agent-to-controller security bypass in `semantic-versioning-plugin`
semantic-versioning-plugin defines a controller/agent message that processes a given file as XML and its XML parser is not configured to prevent XML external entity (XXE) attacks.

semantic-versioning-plugin 1.14 and earlier does not restrict execution of the controller/agent message to agents, and implements no limitations about the file path that can be parsed.

This allows attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

This is due to an incomplete fix of link:/security/advisory/2022-03-15/#SECURITY-2124[SECURITY-2124].

NOTE: This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the link:/doc/upgrade-guide/2.303/#upgrading-to-jenkins-lts-2-303-3[LTS upgrade guide].

semantic-versioning-plugin 1.15 does not allow the affected controller/agent message to be submitted by agents for execution on the controller.
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/semantic-versioning-plugin | <= 1.14 |
pkg:github/jenkinsci/semantic-versioning-plugin-plugin | <= 1.14 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/semantic-versioning-plugin | = 1.15 |
pkg:github/jenkinsci/semantic-versioning-plugin-plugin | = 1.15 |
- ID: JENKINS:SECURITY-2973-1
- Severity: high
- Published: 2023-01-24T00:00:00
- Modified: 2023-01-24T00:00:00
- Rights: Jenkins Security Team
- Other Advisories
Source | # ID | Name | URL |
---|---|---|---|
Plugin repository | | semantic-versioning-plugin repository | https://github.com/jenkinsci/semantic-versioning-plugin-plugin |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/semantic-versioning-plugin | org.jenkins-ci.plugins | semantic-versioning-plugin | <= 1.14 | |||
Fixed | pkg:maven/org.jenkins-ci.plugins/semantic-versioning-plugin | org.jenkins-ci.plugins | semantic-versioning-plugin | = 1.15 | |||
Affected | pkg:github/jenkinsci/semantic-versioning-plugin-plugin | jenkinsci | semantic-versioning-plugin-plugin | <= 1.14 | |||
Fixed | pkg:github/jenkinsci/semantic-versioning-plugin-plugin | jenkinsci | semantic-versioning-plugin-plugin | = 1.15 |