CTR-2017

Users with View/Create and View/Configure permissions were able to execute any Groovy code on the Jenkins instance, leveraging a concurrency issue in Groovy Views.

The concurrency issue is fixed, removing the RCE vulnerability.

FNDJEN-2722

Git Validated Merge Plugin was not checking any permission when filling up the Credentials field in the job configuration.

Git Validated Merge Plugin is now checking the permission needed.

CTR-2176

With this fix, only admin users can execute a backup of the instance configuration.

CTR-2012

External Notification plugin was storing some secrets in plain text.

The DockerHub and BitBucket Cloud secret parameters are now stored encrypted instead of using plain text.

CTR-1895

Move/Copy/Promote operations were vulnerable to XML External Entity (XXE) attack if some of the XML files involved contained malicious code.

With this fix, malicious files are rejected by the XML parser and the Move/Copy/Promote operation is stopped.

CTR-1846

The CloudBees Groovy View sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements.

This affected an HTTP endpoint used to validate a user-submitted Groovy script and allowed users to bypass the sandbox protection and execute arbitrary code on the Jenkins master.

The affected HTTP endpoint now applies a safe Groovy compiler configuration prohibiting unsafe AST transforming annotations.

CTR-1851

With this fix, backup jobs with a restore build step can be built only if created and saved by administrators.

SECURITY-1955

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values.

This results in a stored cross-site scripting (XSS) vulnerability.

Jenkins LTS 2.235.4 escapes the tooltip content of help icons.

SECURITY-1957

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.

Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.

SECURITY-1960

Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

Jenkins 2.252, LTS 2.235.4 escapes the remote address of the host.

SECURITY-1975

email-ext stores an SMTP password in its global configuration file `hudson.plugins.emailext.ExtendedEmailPublisher.xml` on the Jenkins master as part of its configuration.

While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration form by email-ext 2.72 and 2.73.

This can result in exposure of the password.

email-ext 2.74 transmits the SMTP password in its global configuration encrypted and masks it using a password field.

This vulnerability does not affect CloudBees products using the version of Email Extension Plugin offered by CAP.

SECURITY-1794

pipeline-maven 3.8.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read access to Jenkins to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in pipeline-maven 3.8.3 requires the appropriate permissions.

SECURITY-1794

`pipeline-maven` 3.8.2 and earlier does not perform a permission check in a method implementing form validation.

This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

pipeline-maven 3.8.3 requires POST requests and Job/Configure permission for the affected form validation method.

SECURITY-1940

yet-another-build-visualizer 1.11 and earlier does not escape tooltip content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Run/Update permission.

yet-another-build-visualizer 1.12 escapes tooltip content.

SECURITY-1763

flaky-test-handler 1.0.4 and earlier does not require POST requests for the "Deflake this build" feature, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild a project at a previous git revision where the tests were failing.

As of publication of this advisory, there is no fix.

• CTR-2017: High

• FNDJEN-2722: Medium

• CTR-2176: Low

• CTR-2012: Low

• CTR-1895: High

• CTR-1846: High

• CTR-1851: High

• SECURITY-1763: Medium

• SECURITY-1794 (1): Medium

• SECURITY-1794 (2): High

• SECURITY-1940: High

• SECURITY-1955: High

• SECURITY-1957: High

• SECURITY-1960: High

• SECURITY-1975: Low

• CloudBees Traditional Platforms should be upgraded 2.235.4.1

• CloudBees Cloud Platforms should be upgraded 2.235.4.1

• CloudBees Jenkins Enterprise should be upgraded the Managed Masters and Operations Center to 2.235.4.1

• CloudBees Jenkins Platform (rolling train, CJP Operations Center and CJP Client Master (2.x.y.z) should be upgraded to version 2.235.4.1

• CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.190.x.0.z) should be upgraded to version 2.190.33.0.2

• CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.222.x.0.z) should be upgraded to version 2.222.41.0.1