CloudBees Security Advisory 2015-03-23

This advisory announces security vulnerabilities in Jenkins core.

SECURITY-171, SECURITY-177 (Reflective XSS vulnerability)

An attacker without any access to Jenkins can lure a user into visiting a carefully crafted URL and thereby cause that user to perform unintended actions on Jenkins. This vulnerability can be used to attack a Jenkins instance inside a firewall from outside, so long as the location of Jenkins is known to the attacker.

SECURITY-180 (forced API token change)

The part of Jenkins that issues a new API token was not adequately protected against anonymous attackers. This allows an attacker to escalate privileges on Jenkins.

Severity

SECURITY-171/SECURITY-177 is rated high. It is a passive attack (it requires a user to visit the crafted URL), but it can result in a compromise of the Jenkins master or loss of data.

SECURITY-180 is rated critical. This attack can be mounted by any unauthenticated user, and it results in a compromise of the Jenkins master or loss of data.

Fix

All the versions released to date are affected.

  • Main line users should upgrade to Jenkins 1.606.

  • LTS users should upgrade to 1.596.2.

  • Jenkins Enterprise by CloudBees users should upgrade to either 1.580.13.1, 1.565.13.1, or 1.554.13.1 (depending on the release line).

  • Jenkins Operations Center by CloudBees users should upgrade to 1.580.13.1 or 1.554.13.1.

  • DEV@cloud users need not take any actions. Your instances are being patched and upgraded.