Celebrating 15 Years of DevOps Industry Impact and Continued Innovation. Read more →

CloudBees Security Advisory 2016-04-12

This advisory announces multiple vulnerabilities in these Jenkins plugins:

Stored XSS vulnerability in Extra Columns Plugin

SECURITY-136 / CVE-2016-3101

The Extra Columns plugin rendered user-supplied HTML in tool tips without filtering them through the configured markup formatter.

Groovy sandbox protection incomplete in Script Security Plugin

SECURITY-258 / CVE-2016-3102

The Script Security plugin provides a Groovy sandbox implementation to other plugins that only allows whitelisted commands to be executed. This sandbox did not cover direct field access or get/set array operations.

Severity

  • SECURITY-136 is considered medium .

  • SECURITY-258 is considered medium .

Fix

The following versions incorporate fixes to the vulnerabilities:

  • Users of Extra Columns Plugin should update it to version 1.17.

  • Users of Script Security Plugin should update it to version 1.18.1.​

  • DEV@cloudis already protected.

These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities.

An update of Jenkins itself is not necessary.

More Security Advisories

Continuously redefine what’s possible through software

© 2025 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders. Jenkins® is a registered trademark of LF Charities Inc.
Terms of Service