CloudBees Security Advisory 2018-04-16

This advisory announces multiple vulnerabilities in Jenkins, CloudBees Jenkins Platform and CloudBees Jenkins Solutions.

 

Session fixation vulnerability in Google Login Plugin - SECURITY-442

Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user’s pre-login session ID to impersonate them. Google Login Plugin now invalidates the previous session during login, and creates a new one.

Google Login Plugin should be updated to version 1.3.1

Open redirect vulnerability in Google Login Plugin - SECURITY-684

Google Login Plugin redirected users to an arbitrary URL specified as a query parameter after successful login, enabling phishing attacks. Google Login Plugin now only performs redirects to relative URLs.

Google Login Plugin should be updated to version 1.3.1

Email Extension Plugin showed plain text SMTP password in configuration form field - SECURITY-729

Email Extension Plugin stores an SMTP password in the global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations. Email Extension now encrypts the SMTP password transmitted to administrators viewing the global configuration form.

Email Extension Plugin should be updated to version 2.62

Stored XSS vulnerability in S3 Publisher Plugin - SECURITY-730

S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files. S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly.

S3 Publisher Plugin should be updated to version 0.11.0

Path traversal vulnerability allows arbitrary file writing in HTML Publisher Plugin - SECURITY-784

HTML Publisher Plugin allows specifying a name for the HTML reports it publishes. This report name was used in the URL of the report and as a directory name on the Jenkins master without further processing, resulting in a path traversal vulnerability that allowed overriding files outside the build directory. Non-alphanumeric characters in report names are now escaped for use as part of a URL and as a directory name.

HTML Publisher Plugin should be updated to version 1.16
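
The class of fix described for SECURITY-784, shown as an added example that is not the HTML Publisher Plugin's own code: a report name is escaped before it becomes a directory name, and the resolved path is checked to stay inside the build directory. The `_XX` hex encoding, the class and method names, and the sample report names are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class ReportDirExample {

    // Keep ASCII letters and digits; encode every other byte as _XX (hex).
    // Assumed encoding for illustration, not the plugin's actual scheme.
    static String escapeReportName(String name) {
        StringBuilder out = new StringBuilder();
        for (byte b : name.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xFF;
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9');
            if (alnum) {
                out.append((char) c);
            } else {
                out.append(String.format("_%02X", c));
            }
        }
        return out.toString();
    }

    // Resolve the report directory and refuse anything outside buildDir.
    static Path reportDir(Path buildDir, String reportName) throws IOException {
        if (reportName == null || reportName.isEmpty()) {
            throw new IOException("empty report name");
        }
        Path base = buildDir.toAbsolutePath().normalize();
        Path target = base.resolve(escapeReportName(reportName)).normalize();
        // Defence in depth: even after escaping, verify containment.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("report directory escapes build directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample build directory and report names.
        Path buildDir = Files.createTempDirectory("build-42").toAbsolutePath().normalize();
        String[] names = {"Coverage Report", "../../config", "a/b", ".."};
        for (String n : names) {
            Path unescaped = buildDir.resolve(n).normalize(); // name used as-is
            Path escaped = reportDir(buildDir, n);
            System.out.printf("%-18s unescaped-inside=%-5b escaped=%s%n",
                    n, unescaped.startsWith(buildDir), buildDir.relativize(escaped));
        }
    }
}
```

Because `_` is itself encoded, two different report names never map to the same directory, and every escaped name is a single path segment under the build directory.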

 

Severity: 

 

 

Fix: 

 

  • CloudBees Jenkins Enterprise: the Managed Masters and Operations Center should be upgraded to 2.107.2.1 revision 2
  • CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master 2.x.y.z) should be upgraded to version 2.107.2.1 revision 2
  • CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master 2.73.x.0.z) should be upgraded to version 2.73.31.0.1 revision 2
  • CloudBees Jenkins Team should be upgraded to version 2.107.2.1 revision 2
  • DEV@cloud is already protected