Jenkins Security Advisory2016-04-12
This advisory announces vulnerabilities in
,
and
CloudBees CI

This advisory announces multiple vulnerabilities in these Jenkins plugins:
- Extra Columns Plugin
- Script Security Plugin (a dependency of Pipeline Plugin, Matrix Project Plugin, and others)
Stored XSS vulnerability in Extra Columns Plugin
SECURITY-136 / CVE-2016-3101
The Extra Columns plugin rendered user-supplied HTML in tool tips without filtering them through the configured markup formatter.
Groovy sandbox protection incomplete in Script Security Plugin
SECURITY-258 / CVE-2016-3102
The Script Security plugin provides a Groovy sandbox implementation to other plugins that only allows whitelisted commands to be executed. This sandbox did not cover direct field access or get/set array operations.
Note
Warning
Severity
- SECURITY-136 is considered medium .
- SECURITY-258 is considered medium .
Fix
The following versions incorporate fixes to the vulnerabilities:
- Users of Extra Columns Plugin should update it to version 1.17.
- Users of Script Security Plugin should update it to version 1.18.1.
- DEV@cloudis already protected.
These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities.
An update of Jenkins itself is not necessary.