CloudBees Security Advisory 2016-04-12

This advisory announces multiple vulnerabilities in these Jenkins plugins:

Stored XSS vulnerability in Extra Columns Plugin

SECURITY-136 / CVE-2016-3101

The Extra Columns plugin rendered user-supplied HTML in tooltips without first passing it through the configured markup formatter, so stored HTML and script reached the browser of anyone viewing the affected column unchanged, regardless of the markup policy the administrator had configured for the rest of Jenkins.
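As an added illustration (not code from the advisory or from the Extra Columns plugin), the following Groovy script for the Jenkins Script Console contrasts the vulnerable pattern, interpolating a stored string straight into tooltip markup, with the fixed pattern, running it through the instance's configured markup formatter first. The sample description, the helper names and the surrounding span markup are constructed for this example; only `Jenkins.instance.markupFormatter.translate(String)` is real Jenkins API.

```groovy
// Added example, not code from the advisory or the Extra Columns plugin.
// Run it in Manage Jenkins » Script Console on a test instance.
import jenkins.model.Jenkins

// Constructed sample: a description as a non-admin user could have saved it.
String userDescription = 'Nightly build <img src=x onerror="alert(document.domain)">'

// Vulnerable pattern: the stored string becomes part of the tooltip markup as-is,
// so whatever the user typed is emitted to every viewer's browser.
String unsafeToolTip(String description) {
    return "<span class=\"tooltip\">${description}</span>"
}

// Fixed pattern: the string goes through the formatter configured under
// Manage Jenkins » Configure Global Security, the same one that renders
// job descriptions, so the column follows the instance-wide markup policy.
String safeToolTip(String description) {
    String rendered = Jenkins.instance.markupFormatter.translate(description)
    return "<span class=\"tooltip\">${rendered}</span>"
}

println "formatter : ${Jenkins.instance.markupFormatter.class.name}"
println "unsafe    : ${unsafeToolTip(userDescription)}"
println "safe      : ${safeToolTip(userDescription)}"
```

With the "Plain text" formatter the tag comes back HTML-escaped; with "Safe HTML" (OWASP Markup Formatter plugin) the sanitiser strips the event handler. If an administrator has deliberately selected a raw HTML formatter, `translate()` passes the markup through unchanged, which is the intended behaviour: the fix makes the column honour the same policy as every other description field instead of applying none.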

Groovy sandbox protection incomplete in Script Security Plugin

SECURITY-258 / CVE-2016-3102

The Script Security plugin provides a Groovy sandbox implementation to other plugins that is intended to let scripts execute only whitelisted operations. The sandbox checked method calls against the whitelist but did not cover direct field access or array get/set operations, so a script could perform those without any whitelist check.
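To see why a whitelist that is only consulted on method calls is incomplete, here is an added example (not the advisory's or the plugin's own code) written directly against Kohsuke's groovy-sandbox library, the interception layer the Script Security sandbox is built on. It installs an interceptor that records which hook every operation in a constructed script reaches. The class names `Box` and `RecordingInterceptor`, the sample script and the jar name on the classpath are assumptions of this example.

```groovy
// Added example, not code from the advisory or the Script Security plugin.
// Assumes Groovy 2.x and the groovy-sandbox library on the classpath, e.g.
//   groovy -cp groovy-sandbox-1.10.jar sandbox-hooks.groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.kohsuke.groovy.sandbox.GroovyInterceptor
import org.kohsuke.groovy.sandbox.SandboxTransformer

// A class with a Groovy property: b.value goes through getValue(),
// b.@value reads the field directly. Defined here, outside the sandbox.
class Box {
    int value = 1
}

// Records which hook each sandboxed operation reaches instead of enforcing
// anything. A whitelist consulted only in onMethodCall never sees what
// flows through the other hooks below.
class RecordingInterceptor extends GroovyInterceptor {
    final List<String> seen = []

    @Override
    Object onMethodCall(GroovyInterceptor.Invoker invoker, Object receiver, String method, Object... args) {
        seen << "onMethodCall   ${receiver.getClass().simpleName}.${method}()"
        super.onMethodCall(invoker, receiver, method, args)
    }
    @Override
    Object onGetProperty(GroovyInterceptor.Invoker invoker, Object receiver, String property) {
        seen << "onGetProperty  ${receiver.getClass().simpleName}.${property}"
        super.onGetProperty(invoker, receiver, property)
    }
    @Override
    Object onGetAttribute(GroovyInterceptor.Invoker invoker, Object receiver, String attribute) {
        seen << "onGetAttribute ${receiver.getClass().simpleName}.@${attribute}"
        super.onGetAttribute(invoker, receiver, attribute)
    }
    @Override
    Object onSetAttribute(GroovyInterceptor.Invoker invoker, Object receiver, String attribute, Object value) {
        seen << "onSetAttribute ${receiver.getClass().simpleName}.@${attribute} = ${value}"
        super.onSetAttribute(invoker, receiver, attribute, value)
    }
    @Override
    Object onGetArray(GroovyInterceptor.Invoker invoker, Object receiver, Object index) {
        seen << "onGetArray     ${receiver.getClass().simpleName}[${index}]"
        super.onGetArray(invoker, receiver, index)
    }
    @Override
    Object onSetArray(GroovyInterceptor.Invoker invoker, Object receiver, Object index, Object value) {
        seen << "onSetArray     ${receiver.getClass().simpleName}[${index}] = ${value}"
        super.onSetArray(invoker, receiver, index, value)
    }
}

// Constructed sandboxed script: one operation per interception point.
String script = '''
    def b = new Box()
    def a = [10, 20, 30]
    b.value          // property read      -> onGetProperty
    b.@value         // direct field read  -> onGetAttribute
    b.@value = 5     // direct field write -> onSetAttribute
    a[0]             // array get          -> onGetArray
    a[1] = 99        // array set          -> onSetArray
    a.size()         // method call        -> onMethodCall
'''

def config = new CompilerConfiguration()
config.addCompilationCustomizers(new SandboxTransformer())   // rewrites the script to call the hooks
def shell = new GroovyShell(this.class.classLoader, new Binding(), config)

def interceptor = new RecordingInterceptor()
interceptor.register()                                       // hooks apply to the current thread
try {
    shell.evaluate(script)
} finally {
    interceptor.unregister()
}
interceptor.seen.each { println it }
```

Each of the six statements lands in a different hook and only the last one reaches `onMethodCall`. A sandbox whose whitelist is enforced in that hook alone therefore lets the direct field read and write and both array operations through unexamined, which is the gap the advisory describes; a complete implementation has to apply the whitelist in every hook the transformer routes operations to.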

Severity

  • SECURITY-136 is considered medium.

  • SECURITY-258 is considered medium.

Fix

The following versions incorporate fixes to the vulnerabilities:

  • Users of Extra Columns Plugin should update it to version 1.17.

  • Users of Script Security Plugin should update it to version 1.18.1.

  • DEV@cloud is already protected.

All prior versions of these plugins are affected by the vulnerabilities described above.

An update of Jenkins itself is not necessary.