This advisory announces vulnerabilities in these Jenkins plugins:
Active Choices (uno-choice)
Persisted Cross-Site Scripting vulnerability in Active Choices plugin
SECURITY-470 / CVE-2017-1000386
Active Choices plugin allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the Build With Parameters page through the Active Choices Reactive Reference Parameter type. This could include, for example, arbitrary JavaScript.
Active Choices now sanitizes the HTML inserted on the Build With Parameters page if and only if the script is executed in a sandbox. As unsandboxed scripts are subject to administrator approval, it is up to the administrator to allow or disallow problematic script output.
Sandboxed Groovy scripts for Active Choices Reactive Reference Parameter will no longer emit HTML that is considered unsafe, such as <script> tags. This may result in behavior changes on Build With Parameters forms, such as missing elements.
To resolve this issue, Groovy scripts emitting HTML will need to be configured to run outside the script security sandbox, possibly requiring separate administrator approval in In-Process Script Approval.
Cross-Site Request Forgery (CSRF) and Reflected Cross-Site Scripting vulnerability in global-build-stats plugin
SECURITY-50 / CVE-2017-1000389
Some URLs provided by global-build-stats plugin returned a JSON response that contained request parameters. These responses were served with the Content-Type text/html, so browsers could interpret them as HTML documents rather than data, resulting in a potential reflected cross-site scripting vulnerability.
Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability.
Affected URLs now specify the correct Content-Type for JSON responses, and require that requests be sent via POST.
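The following is an added example, not code from the global-build-stats plugin or from Jenkins: a minimal offline model of the two SECURITY-50 defects (JSON that echoes a parameter but is labelled text/html, and a data-changing endpoint reachable by GET) next to a handler with the fix described above. The handler names, the "name" parameter, the in-memory store and the attack query string are assumptions constructed for illustration.

```python
# Added example, not the plugin's code. Handler names, the "name" parameter
# and the in-memory "store" are assumptions made for illustration.
import json
from urllib.parse import parse_qs

# Constructed attacker input: a query string carrying an HTML payload.
ATTACK_QUERY = "name=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"


def vulnerable_handler(method, query, store):
    """Before the fix: applies the state change on any HTTP method and echoes
    the request parameter inside JSON that is labelled text/html."""
    name = parse_qs(query).get("name", [""])[0]
    store.append(name)                                 # data modified even on a GET
    body = json.dumps({"status": "ok", "name": name})  # json.dumps leaves '<' intact
    return 200, {"Content-Type": "text/html"}, body


def fixed_handler(method, query, store):
    """After the fix: modifying requests must be POST, and the JSON body is
    labelled application/json so a browser will not render it as a document."""
    if method != "POST":
        return 405, {"Allow": "POST"}, ""
    name = parse_qs(query).get("name", [""])[0]
    store.append(name)
    body = json.dumps({"status": "ok", "name": name})
    return 200, {"Content-Type": "application/json; charset=utf-8"}, body


def rendered_as_html(headers, body):
    """True when a browser would parse the response as an HTML document and
    the body carries a script element: the reflected-XSS condition."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype == "text/html" and "<script" in body.lower()


def audit(handler):
    """Drive a handler with the constructed attack request over GET and report
    both conditions the advisory describes."""
    store = []
    status, headers, body = handler("GET", ATTACK_QUERY, store)
    return {
        "reflected_xss": status == 200 and rendered_as_html(headers, body),
        "csrf_via_get": len(store) > 0,  # a bare GET changed data
    }


if __name__ == "__main__":
    for h in (vulnerable_handler, fixed_handler):
        print(h.__name__, audit(h))
```

Requiring POST removes the link, image and redirect based variants of the forgery; a cross-origin form can still submit a POST, which in Jenkins is what the CSRF crumb check is for, so the POST requirement is a necessary but not sufficient part of the fix. Note also that json.dumps does not escape "<", so the only thing standing between the echoed parameter and script execution is the Content-Type.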
Missing permission checks in Dependency Graph Viewer plugin
SECURITY-57 / CVE-2017-1000388
Dependency Graph Viewer plugin did not perform permission checks for the API endpoint that modifies the dependency graph, allowing anyone with Overall/Read permission to modify this data.
Dependency graph modification now requires that users have the permission to configure all jobs involved in the operation.
Build-Publisher plugin stores Jenkins credentials unencrypted on disk, round-trips in unencrypted form
SECURITY-378 / CVE-2017-1000387
Build-Publisher plugin stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to read them.
Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.
Build-Publisher Plugin now encrypts the credentials on disk, and only transmits their encrypted form to users viewing the configuration form.
Missing permission check in Multijob plugin Resume Build action
JENKINS-36333 / CVE-2017-1000390
Multijob plugin did not check permissions in the Resume Build action, allowing anyone with Job/Read permission to resume the build.
Multijob plugin 1.26 introduced a permission check requiring Overall/Administer. This was lowered to Job/Build in version 1.27.
SCP publisher plugin stores Jenkins credentials unencrypted on disk, round-trips in unencrypted form
SECURITY-374
SCP publisher plugin stores SSH credentials in the file be.certipost.hudson.plugin.SCPRepositoryPublisher.xml in the Jenkins master home directory. These credentials are stored unencrypted, allowing anyone with local file system access to read them.
Additionally, the credentials are also transmitted in plain text as part of the configuration form. This could result in exposure of credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.
As of publication of this advisory, there is no fix.
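The following is an added example, not code from either plugin or from Jenkins, serving both the Build-Publisher (SECURITY-378) and SCP publisher (SECURITY-374) entries above: an offline audit that reads the two files named in this advisory from a Jenkins home directory and reports credential elements that are not in Jenkins's encrypted secret form. Only the two file names come from the advisory; the element layout inside the sample files, the element-name heuristic and the pattern for an encrypted secret are assumptions made for illustration.

```python
# Added example, not the plugins' code. File names come from the advisory; the
# element layout, the tag heuristic and the encrypted-secret pattern are assumptions.
import os
import re
import sys
import xml.etree.ElementTree as ET

# Assumption: Jenkins renders an encrypted Secret as base64 wrapped in braces.
# Older releases wrote bare base64, which this pattern would report as plaintext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
CREDENTIAL_FILES = (
    "hudson.plugins.build_publisher.BuildPublisher.xml",
    "be.certipost.hudson.plugin.SCPRepositoryPublisher.xml",
)

# Constructed sample contents: one plaintext entry per file, plus one entry
# that is already in encrypted form and must not be reported.
SAMPLE_FILES = {
    CREDENTIAL_FILES[0]: """<publisher>
  <instances>
    <instance><name>staging</name><url>https://jenkins-staging.example/</url>
      <login>publisher</login><password>hunter2</password></instance>
    <instance><name>prod</name><url>https://jenkins-prod.example/</url>
      <login>publisher</login><password>{AQAAABAAAAAQ9xkz6Nq1V7Fh2b4m8LwTqRjYdPc3s5eG0uZ=}</password></instance>
  </instances>
</publisher>""",
    CREDENTIAL_FILES[1]: """<scp>
  <sites>
    <site><hostname>files.example</hostname><username>deploy</username>
      <password>s3cr3t-scp</password></site>
  </sites>
</scp>""",
}


def find_plaintext_secrets(xml_text):
    """Return (element path, value) for every element whose tag looks like a
    password field and whose text is not in the encrypted form."""
    findings = []
    root = ET.fromstring(xml_text)

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            if re.search(r"pass(word|phrase)", child.tag, re.IGNORECASE):
                value = (child.text or "").strip()
                if value and not ENCRYPTED_SECRET.match(value):
                    findings.append((child_path, value))
            walk(child, child_path)

    walk(root, root.tag)
    return findings


def audit_jenkins_home(files):
    """files maps a file name to its contents; returns {file: findings} for the
    advisory's files that still hold plaintext credentials."""
    result = {}
    for name, text in files.items():
        if name not in CREDENTIAL_FILES:
            continue
        hits = find_plaintext_secrets(text)
        if hits:
            result[name] = hits
    return result


def read_credential_files(jenkins_home):
    """Load whichever of the two files exist under jenkins_home."""
    files = {}
    for name in CREDENTIAL_FILES:
        path = os.path.join(jenkins_home, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                files[name] = fh.read()
    return files


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("JENKINS_HOME", "")
    on_disk = read_credential_files(home) if home else {}
    report = audit_jenkins_home(on_disk) if on_disk else audit_jenkins_home(SAMPLE_FILES)
    for name, hits in report.items():
        for path, value in hits:
            print(f"{name}: {path} holds a plaintext credential ({len(value)} chars)")
```

Run it as "python audit.py /var/lib/jenkins" (or with JENKINS_HOME set); without a directory it falls back to the constructed samples. Because the SCP publisher file has no fix at publication, a hit there is expected and the practical response is rotating the SSH credential and restricting read access to the file, not waiting for the value to be re-encrypted.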