This advisory announces vulnerabilities in Jenkins
Jenkins accepted cached legacy CLI authentication
SECURITY-1289 / CVE-2019-1003049
The fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based CLI authentication caches.
This means that users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated.
XSS vulnerability in form validation button
SECURITY-1327 / CVE-2019-1003050
f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
The affected form control has been rewritten to no longer need to escape job URLs.