This advisory announces vulnerabilities in the following Jenkins deliverables:
uno-choice
Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Active Choices Plugin 2.5.3 escapes reference parameter values.
configurationslicing
Configuration Slicing Plugin 1.51 and earlier does not require POST requests for the form submission endpoint reconfiguring slices, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to apply different slice configurations to attacker-specified jobs.
Configuration Slicing Plugin 1.52 requires POST requests for the affected HTTP endpoint.
repository-connector
Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Repository Connector Plugin 2.0.3 escapes parameter names and descriptions when creating new parameters.
claim
Claim Plugin 2.18.1 and earlier does not escape the user display name shown in claims.
This results in a cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.
Everyone with a Jenkins account can change their own display name.
Claim Plugin 2.18.2 escapes the user display name shown in claims.
claim
Claim Plugin 2.18.1 and earlier does not require POST requests for the form submission endpoint assigning claims, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to change claims.
Claim Plugin 2.18.2 requires POST requests for the affected HTTP endpoint.
support-core
Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information (user.md).
In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle.
Support Core Plugin 2.72.1 no longer provides the serialized user authentication as part of the "About user (basic authentication details only)" information.
As a workaround, deselecting "About user (basic authentication details only)" before creating a support bundle will exclude the affected information from the bundle.
artifact-repository-parameter
Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Artifact Repository Parameter Plugin 1.0.1 escapes parameter names and descriptions.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
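As an added example that is not part of the advisory, the following script checks a Jenkins plugin inventory against the fixed versions listed above. It assumes the inventory is in the shape returned by a Jenkins instance's pluginManager/api/json?depth=1 endpoint (a `plugins` array with `shortName` and `version`); the inventory embedded here is constructed sample data.

```python
import json
import re

# First fixed version of each plugin, as stated in this advisory (plugin short name -> version).
FIXED_VERSIONS = {
    "uno-choice": "2.5.3",
    "configurationslicing": "1.52",
    "repository-connector": "2.0.3",
    "claim": "2.18.2",
    "support-core": "2.72.1",
    "artifact-repository-parameter": "1.0.1",
}

def parse_version(version):
    """Turn '2.72.1' into (2, 72, 1); parsing stops at a non-numeric component such as 'beta'."""
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        if match is None:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_vulnerable(installed, fixed):
    """True when the installed version is older than the first fixed version.
    Shorter tuples are padded with zeros so that '2.72' compares below '2.72.1'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def affected_plugins(plugin_list_json):
    """Return {shortName: (installed, first_fixed)} for every installed plugin this advisory covers
    whose version is still affected. Plugins not listed in the advisory are ignored."""
    data = json.loads(plugin_list_json)
    findings = {}
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        version = plugin.get("version", "")
        if name in FIXED_VERSIONS and is_vulnerable(version, FIXED_VERSIONS[name]):
            findings[name] = (version, FIXED_VERSIONS[name])
    return findings

# Constructed sample inventory (not captured from a real instance).
SAMPLE = json.dumps({"plugins": [
    {"shortName": "support-core", "version": "2.72"},
    {"shortName": "claim", "version": "2.18.2"},
    {"shortName": "uno-choice", "version": "2.5.2"},
    {"shortName": "git", "version": "4.4.0"},
]})

if __name__ == "__main__":
    for name, (have, need) in sorted(affected_plugins(SAMPLE).items()):
        print(f"{name}: installed {have}, upgrade to {need} or later")
```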
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: