Multiple Critical Vulnerabilities Detected in Jenkins
Multiple vulnerabilities have been detected in Jenkins – an open-source software developed with Java to automate the Continuous Integration process – allowing threat actors to perform XSS and CSRF attacks. Jenkins continually develops and tests software projects, making it easy for developers to integrate changes into the project.
Details of the vulnerabilities rated as critical are given below;
- The vulnerability, tracked as CVE-2022-34784, is a cross-site scripting (XSS) vulnerability that affects the build-metrics plugin used by Jenkins and can be exploited by threat actors with build/update permissions.
- CVE-2022-34787 is a cross-site scripting (XSS) vulnerability found in the Project Inheritance plugin used by Jenkins.
- CVE-2022-34788 is a cross-site scripting (XSS) execution vulnerability found in the Matrix Reloaded plugin used by Jenkins.
- CVE-2022-34790 is a cross-site scripting (XSS) vulnerability found in the eXtreme Feedback Panel plugin used by Jenkins.
- The vulnerability tracked as CVE-2022-34792 is found in the Recipe plugin used by Jenkins and allows threat actors to perform cross-site request forgery (CSRF) and XXE (XML External Entity) injection attacks on the affected system.
- The vulnerability tracked as CVE-2022-34791 resides in the Email Parameter plugin used by Jenkins and allows threat actors to perform cross-site scripting (XSS) attacks on affected installations.
- CVE-2022-34783 is a cross-site scripting (XSS) vulnerability found in the Plot plugin used by Jenkins.
- CVE-2022-34777 is a stored cross-site scripting (XSS) vulnerability found in the GitLab plugin used by Jenkins.
- CVE-2022-34786 is a cross-site scripting (XSS) vulnerability found in the Rich Text Publisher plugin used by Jenkins.
- CVE-2022-34778 is a cross-site scripting (XSS) vulnerability found in the TestNG Results plugin used by Jenkins.
- CVE-2022-34795 is a stored cross-site scripting (XSS) vulnerability found in the Deployment Dashboard plugin used by Jenkins.
An update that fixes the security vulnerabilities detected in these Jenkins plugins has not been released yet. Successful exploitation of vulnerabilities can allow remote threat actors to obtain sensitive information, change the web page’s appearance, and carry out phishing attacks. In this context, it is recommended to follow the updates that fix the vulnerabilities and apply them immediately if they are published.
[Exploit Details]: Critical RCE Vulnerability Found in ManageEngine ADAudit Plus
In March 2022, an unauthenticated remote code execution (RCE) vulnerability was identified affecting the Zoho ManageEngine ADAudit Plus solution, which organizations use to monitor changes in Active Directory. (Reference Link)
The security vulnerability tracked as CVE-2022-28219 is caused by a combination of Untrusted Java Deserialization, Path Traversal, and XEE (XML External Entity) issues. Apart from allowing remote code execution on affected systems, the vulnerability can be exploited in some cases to compromise domain administrator accounts.
Active Directory management-related products (ADManager Plus, ADSelfService Plus, ADAudit Plus) are widely used by institutions/organizations.
These applications create an attractive attack surface for threat actors because of their privileged access to Active Directory. Details of the PoC code and applications for exploiting the vulnerability affecting ADAudit Plus have been published by security researchers.
Applications such as ADAudit Plus that integrate with Active Directory must store credentials to connect to it. ADAudit Plus keeps these credentials encrypted in its database. It is possible to reverse the encryption for clear access to these credentials. If these credentials are compromised, it gives a lot of privilege to the threat actors. ADAudit Plus makes it easy for users to connect to AD with their domain administrator credentials, and users use this easy way instead of creating a special service account with limited privileges. By manipulating this feature, threat actors can completely compromise the AD domain through ADAudit Plus.
In order not to be the target of attacks that can be carried out by exploiting the vulnerability, institutions/organizations using ADAudit Plus are urgently recommended to upgrade to ADAudit Plus 7060 or a later version to fix the security vulnerability.
GitLab Releases Security Updates Fixing Critical Vulnerabilities
GitLab has released fixes and updates that fix critical vulnerabilities as part of the June security updates.
Some of the security vulnerabilities that have been fixed with the released updates and rated as critical, high, and medium are as follows;
- Vulnerability tracked as CVE-2022-2185 (critical) exists due to incorrect input validation in Project Imports. As a result, a remote privileged user can import a maliciously crafted project, causing remote code execution on the vulnerable system.
- The XSS vulnerability tracked as CVE-2022-2235 (high) is due to insufficient sanitization of user-supplied data in ZenTao integration. As a result, a remote threat actor can direct targets to open a specially crafted link and run arbitrary HTML and script code in the user’s browser in the context of the vulnerable website.
- The security vulnerability tracked as CVE-2022-2229 (high) is caused by incorrect authorization. A remote threat actor can extract the value of an unprotected variable whose name it knows in public or private projects of which it is a member.
These vulnerabilities affected all GitLab CE/EE versions between 13.7.0 and 15.1.0 (inclusive) and were fixed in the released versions 15.1.1, 15.0.4, and 14.10.5. Users using vulnerable GitLab versions are advised to apply the released updates immediately.