ghsa-g74w-93cp-5p3p
Vulnerability from github
When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provider allows pipelines to access a specific credential from the per-user credentials store in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier.
As a result, attackers with Job/Configure permission can rewrite job configurations in a way that lets them access and capture any attacker-specified credential from any user’s private credentials store.
Pipeline SCM API for Blue Ocean Plugin 1.25.4 deprecates the Blue Ocean Credentials Provider and disables it by default. As a result, all jobs initially set up using the Blue Ocean pipeline creation wizard and configured to use the credential specified at that time will no longer be able to access the credential, resulting in failures to scan repositories, checkout from SCM, etc. unless the repository is public and can be accessed without credentials.
This also applies to newly created pipelines after Pipeline SCM API for Blue Ocean Plugin has been updated to 1.25.4.
Administrators should reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store. See the help page at https://cloudbees.com/r/blue-ocean-credentials-removal to learn more.
To re-enable the Blue Ocean Credentials Provider, set the Java system property `io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.enabled` to `true`. Doing so is discouraged, as that will restore the unsafe behavior.
While Credentials Plugin provides the Configure Credential Providers UI to enable or disable certain credentials providers, enabling the Blue Ocean Credentials Provider there is not enough in Pipeline SCM API for Blue Ocean Plugin 1.25.4. Both the UI and system property need to enable the Blue Ocean Credentials Provider.
Administrators not immediately able to update Blue Ocean are advised to disable the Blue Ocean Credentials Provider through the UI at Manage Jenkins » Configure Credential Providers and to reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store.
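An added audit example (not part of the advisory or the plugin's code): it applies the record's affected range and the re-enable system property to a controller's plugin list and JVM arguments. The `name:version` list format, the plugin short name matching the Maven artifact ID, the case-insensitive match on `true`, and the sample input are assumptions; versions that are not plain dotted integers are reported as unknown rather than guessed.

```python
import re
import shlex

ARTIFACT = "blueocean-pipeline-scm-api"  # from the record; assumed plugin short name
EVENTS = [{"introduced": "0"}, {"fixed": "1.25.4"}]  # from the record
PROP = "io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.enabled"

def vkey(version):
    """Order plain dotted-integer versions; anything else raises (fail closed)."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in version.split("."))

def in_affected_range(version, events=EVENTS):
    """OSV range walk: 'introduced' opens the range, 'fixed' closes it."""
    v, affected = vkey(version), False
    for bound, kind in sorted((vkey(b), k) for e in events for k, b in e.items()):
        if v >= bound:
            affected = kind == "introduced"
    return affected

def reenable_flag_set(jvm_args):
    """True when the last -D occurrence of PROP is 'true' (case-insensitive, assumed)."""
    value = None
    for tok in shlex.split(jvm_args):
        if tok.startswith(f"-D{PROP}="):
            value = tok.split("=", 1)[1]
    return value is not None and value.lower() == "true"

def assess(plugin_list, jvm_args):
    """Classify one controller from a 'name:version' plugin list and its JVM arguments."""
    version = None
    for line in plugin_list.splitlines():
        name, _, ver = line.strip().partition(":")
        if name == ARTIFACT:
            version = ver
    if version is None:
        return "not-installed"
    try:
        if in_affected_range(version):
            return "affected"  # update to 1.25.4 or disable the provider in the UI
    except ValueError:
        return "unknown-version"
    # On 1.25.4+ the provider is active only if this flag AND the UI setting enable it.
    return "fixed-reenable-flag-set" if reenable_flag_set(jvm_args) else "fixed"

# Constructed sample input.
SAMPLE_PLUGINS = "git:4.11.0\nblueocean-pipeline-scm-api:1.25.3\n"
if __name__ == "__main__":
    print(assess(SAMPLE_PLUGINS, "-Xmx2g"))
```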
{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.jenkins.blueocean:blueocean-pipeline-scm-api"
      },
      "ranges": [
        {
          "events": [
            { "introduced": "0" },
            { "fixed": "1.25.4" }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [ "CVE-2022-30952" ],
  "database_specific": {
    "cwe_ids": [ "CWE-522" ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-02T14:57:49Z",
    "nvd_published_at": "2022-05-17T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provider allows pipelines to access a specific credential from the per-user credentials store in Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier.\n\nAs a result, attackers with Job/Configure permission can rewrite job configurations in a way that lets them access and capture any attacker-specified credential from any user\u2019s private credentials store.\n\nPipeline SCM API for Blue Ocean Plugin 1.25.4 deprecates the Blue Ocean Credentials Provider and disables it by default. As a result, all jobs initially set up using the Blue Ocean pipeline creation wizard and configured to use the credential specified at that time will no longer be able to access the credential, resulting in failures to scan repositories, checkout from SCM, etc. unless the repository is public and can be accessed without credentials.\n\nThis also applies to newly created pipelines after Pipeline SCM API for Blue Ocean Plugin has been updated to 1.25.4.\n\nAdministrators should reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store. See [this help page on cloudbees.com](https://cloudbees.com/r/blue-ocean-credentials-removal) to learn more.\n\nTo re-enable the Blue Ocean Credentials Provider, set the Java system property `io.jenkins.blueocean.rest.impl.pipeline.credential.BlueOceanCredentialsProvider.enabled` to `true`. Doing so is discouraged, as that will restore the unsafe behavior.\n\nWhile Credentials Plugin provides the _Configure Credential Providers_ UI to enable or disable certain credentials providers, enabling the Blue Ocean Credentials Provider there is not enough in Pipeline SCM API for Blue Ocean Plugin 1.25.4. Both the UI and system property need to enable the Blue Ocean Credentials Provider.\n\nAdministrators not immediately able to update Blue Ocean are advised to disable the Blue Ocean Credentials Provider through the UI at _Manage Jenkins_ \u00bb _Configure Credential Providers_ and to reconfigure affected pipelines to use a credential from the Jenkins credential store or a folder credential store.",
  "id": "GHSA-g74w-93cp-5p3p",
  "modified": "2023-12-15T09:39:34Z",
  "published": "2022-05-18T00:00:40Z",
  "references": [
    { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952" },
    { "type": "WEB", "url": "https://github.com/jenkinsci/blueocean-plugin/commit/c4beeda0b574c297ac664511029feed0a15abaf1" },
    { "type": "PACKAGE", "url": "https://github.com/jenkinsci/blueocean-plugin/tree/master/blueocean-pipeline-scm-api" },
    { "type": "WEB", "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714" },
    { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8" }
  ],
  "schema_version": "1.4.0",
  "severity": [
    { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" }
  ],
  "summary": "Insufficiently Protected Credentials in Jenkins Pipeline SCM API for Blue Ocean Plugin"
}