Missing Permission Checks in RegistrationHandler
BEE-172
RegistrationHandler does not implement permission checks or similar protections on the web methods it implements.
Web methods in RegistrationHandler now require Overall/Administer permissions.
Support bundles can include user session IDs in Support Core Plugin
SECURITY-2150 / CVE-2021-21621
Support Core Plugin 2.72 and earlier provides the serialized user authentication as part of the "About user (basic authentication details only)" information (user.md).
In some configurations, this can include the session ID of the user creating the support bundle. Attackers with access to support bundle content and the Jenkins instance could use this information to impersonate the user who created the support bundle.
Support Core Plugin 2.72.1 no longer provides the serialized user authentication as part of the "About user (basic authentication details only)" information.
As a workaround, deselecting "About user (basic authentication details only)" before creating a support bundle will exclude the affected information from the bundle.
Stored XSS vulnerability in Active Choices Plugin
SECURITY-2192 / CVE-2021-21616
Active Choices Plugin 2.5.2 and earlier does not escape reference parameter values.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Active Choices Plugin 2.5.3 escapes reference parameter values.
CSRF vulnerability in Configuration Slicing Plugin
SECURITY-2003 / CVE-2021-21617
Configuration Slicing Plugin 1.51 and earlier does not require POST requests for the form submission endpoint reconfiguring slices, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to apply different slice configurations to attacker-specified jobs.
Configuration Slicing Plugin 1.52 requires POST requests for the affected HTTP endpoint.
Stored XSS vulnerability in Repository Connector Plugin
SECURITY-2183 / CVE-2021-21618
Repository Connector Plugin 2.0.2 and earlier does not escape parameter names and descriptions for past builds.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
Repository Connector Plugin 2.0.3 escapes parameter names and descriptions when creating new parameters.
XSS vulnerability in Claim Plugin
SECURITY-2188 (1) / CVE-2021-21619
Claim Plugin 2.18.1 and earlier does not escape the user display name shown in claims.
This results in a cross-site scripting (XSS) vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins.
NOTE: Everyone with a Jenkins account can change their own display name.
Claim Plugin 2.18.2 escapes the user display name shown in claims.
CSRF vulnerability in Claim Plugin
SECURITY-2188 (2) / CVE-2021-21620
Claim Plugin 2.18.1 and earlier does not require POST requests for the form submission endpoint assigning claims, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to change claims.
Claim Plugin 2.18.2 requires POST requests for the affected HTTP endpoint.
Stored XSS vulnerability in Artifact Repository Parameter Plugin
SECURITY-2168 / CVE-2021-21622
Artifact Repository Parameter Plugin 1.0.0 and earlier does not escape parameter names and descriptions.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Artifact Repository Parameter Plugin 1.0.1 escapes parameter names and descriptions.
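An added example, not part of the advisory or of any Jenkins project code: a check that classifies an exported plugin inventory against the last affected versions listed in the entries above. Keying the inventory by plugin display name and the (name, version) input shape are assumptions, and the sample inventory is constructed.

```python
import re

# Last affected version per plugin, copied from the advisory entries above.
LAST_AFFECTED = {
    "Support Core Plugin": "2.72",
    "Active Choices Plugin": "2.5.2",
    "Configuration Slicing Plugin": "1.51",
    "Repository Connector Plugin": "2.0.2",
    "Claim Plugin": "2.18.1",
    "Artifact Repository Parameter Plugin": "1.0.0",
}

def parse_version(text):
    """Dotted numeric version -> tuple of ints; None if it carries a qualifier."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None  # e.g. a snapshot suffix: needs a manual look
    return tuple(int(part) for part in text.split("."))

def compare(a, b):
    """Return -1, 0 or 1; pads with zeros so 2.72 < 2.72.1 and 1.0 == 1.0.0."""
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)

def audit(inventory):
    """Map each plugin name to 'affected', 'fixed', 'review' or 'not listed'."""
    results = {}
    for name, version in inventory:
        if name not in LAST_AFFECTED:
            results[name] = "not listed"
            continue
        installed = parse_version(version)
        if installed is None:
            results[name] = "review"
            continue
        last_bad = parse_version(LAST_AFFECTED[name])
        results[name] = "affected" if compare(installed, last_bad) <= 0 else "fixed"
    return results

# Constructed sample inventory (assumed export format: display name, version).
SAMPLE = [("Support Core Plugin", "2.72"), ("Claim Plugin", "2.18.2"),
          ("Artifact Repository Parameter Plugin", "1.0"),
          ("Active Choices Plugin", "2.5.3-SNAPSHOT"), ("Example Plugin", "4.5.0")]

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:11} {name}")
```

A version with a non-numeric qualifier is reported as "review" rather than guessed at, since the advisory only states plain release numbers.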