This advisory announces vulnerabilities in the following Jenkins deliverables:
git-parameter
Git Parameter Plugin 0.9.12 and earlier does not escape the repository field on the 'Build with Parameters' page.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Git Parameter Plugin 0.9.13 escapes the repository field on the 'Build with Parameters' page.
Parameterized-Remote-Trigger
Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration.
This secret can be viewed by attackers with access to the Jenkins controller file system.
Parameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.
database
Database Plugin 1.6 and earlier does not require POST requests for the database console, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to execute arbitrary SQL scripts.
Database Plugin 1.7 removes the database console.
database
Database Plugin 1.6 and earlier does not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified username and password.
Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Database Plugin 1.7 requires POST requests and Overall/Administer permission for the affected form validation method.
vmanager-plugin
Cadence vManager Plugin 3.0.4 and earlier does not escape build descriptions in tooltips.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.
Cadence vManager Plugin 3.0.5 removes affected tooltips.
build-failure-analyzer
Build Failure Analyzer Plugin 1.27.0 and earlier does not escape matching text in a form validation response.
This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to provide console output for builds used to test build log indications.
Build Failure Analyzer Plugin 1.27.1 escapes matching text in the affected form validation response.
valgrind
Valgrind Plugin 0.28 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
valgrind
Valgrind Plugin 0.28 and earlier does not escape content in Valgrind XML reports.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Valgrind XML report contents.
As of publication of this advisory, there is no fix.
klocwork
Klocwork Analysis Plugin 2020.2.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows a user able to control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
jsgames
JSGames Plugin 0.2 and earlier evaluates part of a URL as code.
This results in a reflected cross-site scripting (XSS) vulnerability.
As of publication of this advisory, there is no fix.
tfs
tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration.
This secret can be viewed by attackers with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
soapui-pro-functional-testing
ReadyAPI Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files as part of its configuration.
These project passwords can be viewed by attackers with Extended Read permission or access to the Jenkins controller file system.
ReadyAPI Functional Testing Plugin 1.4 stores project passwords encrypted once affected job configurations are saved again.
soapui-pro-functional-testing
ReadyAPI Functional Testing Plugin stores project passwords in job config.xml files on the Jenkins controller as part of its configuration.
While these passwords are stored encrypted on disk since ReadyAPI Functional Testing Plugin 1.4, they are transmitted in plain text as part of the global configuration form by ReadyAPI Functional Testing Plugin 1.5 and earlier. These passwords can be viewed by attackers with Extended Read permission.
This only affects Jenkins before 2.236, including 2.235.x LTS, as Jenkins 2.236 introduces a security hardening that transparently encrypts and decrypts data used for a Jenkins password form field.
As of publication of this advisory, there is no fix.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: