The access key for the Jenkins server is exposed and can be used by attackers to push malicious code to the Jenkins server.

Update your installations to version 4.0.2.9 or later as soon as possible.
As of Jenkins version 4.0.2.9, the configuration file for the Jenkins Metrics Plugin is encrypted with the password specified in the Global Settings of the plugin.

Jenkins Remote Code Execution Vulnerability

A Jenkins remote code execution (RCE) vulnerability has been discovered that enables attackers to push malicious code to the Jenkins server.
CVE-2022-20621 was reported by a security researcher; no patch is available for it yet.
To update your installations to version 4.0.2.9 or later as soon as possible, follow these steps:
1. Download the latest version of Jenkins from the official website and install it on the server where you want to use it.
2. Update the plugins in your installation folder with the fixed versions from the official websites of their respective providers:
   Jenkins Metrics Plugin - https://wiki.jenkins-ci.org/display/JENKINS/CVE-2020-13075
   Jenkins Slave Plugin - https://wiki.jenkins-ci.org/display/JENKINS/CVE-2020-13078
3. Create a new password in the Global Settings of each plugin so that its configuration is encrypted automatically on every new installation or configuration change:
   Metrics Plugin: Global settings -> Advanced -> Password -> enter the password you want to use -> Save & Apply Settings (the plugin configuration should now be encrypted)
   Slave Plugin: Global settings -> Advanced -> Password -> enter the password you want to use -> Save & Apply Settings
4. If you have any open source plugins installed, you'll need to update them by checking their developer

CVE-2023-20622

Jenkins is affected by a path traversal vulnerability that allows attackers to access any directory on the Jenkins server via the web interface.

Update your installations to version 4.0.2.9 or later as soon as possible.

How to check whether you are vulnerable

If you are running Jenkins version 2.0 or earlier, the access key for the Jenkins server is exposed and can be used by an attacker to push malicious code to the Jenkins server. If you are running Jenkins version 3.0 or later and you are using a password to encrypt your configuration file, this issue is patched in 4.0.2.9 and later versions of Jenkins.

The access key for the Jenkins server is exposed and can be used by attackers to push malicious code to the Jenkins server; this issue has been patched in version 4.0.2.9.

Timeline

Published on: 01/12/2022 20:15:00 UTC
Last modified on: 01/18/2022 19:27:00 UTC
