Jenkins Security Advisory 2016-04-11

This advisory announces multiple vulnerabilities in these Jenkins plugins:

Stored XSS vulnerability in Extra Columns Plugin

SECURITY-136 / CVE-2016-3101

The Extra Columns plugin rendered user-supplied HTML in tool tips without filtering them through the configured markup formatter.

Groovy sandbox protection incomplete in Script Security Plugin

SECURITY-258 / CVE-2016-3102

The Script Security plugin provides a Groovy sandbox implementation to other plugins that only allows whitelisted commands to be executed. This sandbox did not cover direct field access or get/set array operations.

Severity: 
  • SECURITY-136 is considered medium.
  • SECURITY-258 is considered medium.
Fix: 

The following versions incorporate fixes to the vulnerabilities:

  • Users of Extra Columns Plugin should update it to version 1.17.
  • Users of Script Security Plugin should update it to version 1.18.1.​
  • DEV@cloud is already protected.

These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities.

An update of Jenkins itself is not necessary.