Jenkins Security Advisory 2025-01-22

GitLab Plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token credentials and Secret text credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credential IDs in GitLab Plugin 1.9.7 requires Overall/Administer permission.

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Bitbucket Server Integration Plugin implements this extension point to support OAuth 1.0 authentication.

In Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

Bitbucket Server Integration Plugin 4.1.4 restricts which URLs it disables cross-site request forgery (CSRF) protection for to the URLs that needs it.

OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive.

On a Jenkins instance configured with a case-sensitive OpenID Connect provider, this allows attackers to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.453.v4d7765c854f4 introduces an advanced configuration option to manage username case sensitivity, with default to case-sensitive.

Zoom Plugin 1.3 and earlier stores Zoom integration tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Zoom Plugin 1.4 stores Zoom integration tokens encrypted once job configurations are saved again.

Zoom Plugin requires Zoom integration tokens for Zoom Build Notifier post-build actions.

In Zoom Plugin 1.5 and earlier the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

Zoom Plugin 1.6 masks Zoom integration tokens displayed on the job configuration form.

Eiffel Broadcaster Plugin allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential.

Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key. This allows attackers able to create a credential with the same ID as a legitimate one in a different credentials store, to sign an event published to RabbitMQ with the legitimate certificate credentials.

Eiffel Broadcaster Plugin 2.10.3 removes the cache.

Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled. This may allow users formerly granted (typically optional permissions, like Overall/Manage) to access functionality they’re no longer entitled to.

As of publication of this advisory, there is no fix. Learn why we announce this.

Azure Service Fabric Plugin 1.6 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

Additionally, those HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability, allowing attackers to connect to a previously configured Service Fabric URL using attacker-specified credentials IDs.

As of publication of this advisory, there is no fix. Learn why we announce this.