Unauthenticated users can create a build that runs a malicious git push command, which results in a new branch being created in the remote repository. Git Branch Source Plugin 3.2.4 and earlier did not enforce permissions, so any user could create a branch in the repository. A malicious third party could therefore push a malicious branch into the repository and then push malicious commits to that branch, with the Jenkins master forwarding those commits to the Tuleap project. The Tuleap project would then contain a branch created by a malicious git push command, with no way to explicitly identify the attacker.

Background on Jenkins

Jenkins is an open source continuous integration project that supports building, testing, and deploying software projects in a repeatable and reliable manner. Jenkins builds upon the concepts of a pull request model with the Git SCM to automate the build process. Other features include remote repository access (including multiple remotes), multi-language support, workspace management and many more integrations. It has become an industry standard in terms of reliability, robustness and features.

In this blog post we would like to provide information about CVE-2022-43421: unauthenticated users can create a build that runs a malicious git push command, which results in a new branch being created in the remote repository. Git Branch Source Plugin 3.2.4 and earlier did not enforce permissions, so any user could create a branch in the repository, and a malicious third party could push a malicious branch and malicious commits that the Jenkins master would forward to the Tuleap project. The Tuleap project then held a branch that was invalid with respect to user permissions, and the attacker could not be explicitly identified.

Important Notes Regarding CVE-2022-43421

This vulnerability is not exploitable on Tuleap 7.x or Tuleap 8.x, because CVE-2022-43421 could only be exploited by users who have limited permissions. The vulnerability was fixed in 3.2.8, and it is no longer possible to exploit it from the Jenkins master.

Tuleap project version: 6.1 and earlier
Tuleap project version: 7.0, 7.1, 7.2 and later

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 03:41:00 UTC
