Security Advisories

Jenkins Security Advisory2021-06-16

This advisory announces vulnerabilities in 

,

and

Jenkins

Stored XSS vulnerability in Scriptler Plugin

SECURITY-2224 / CVE-2021-21667

Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

Scriptler Plugin 3.3 escapes parameter names shown in job configuration forms.

Stored XSS vulnerability in Scriptler Plugin

SECURITY-2390 / CVE-2021-21668

Scriptler Plugin 3.1 and earlier does not escape script content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

Scriptler Plugin 3.2 escapes script content.

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Kevin Guerroudj for SECURITY-2224

Severity

  • SECURITY-2224: High
  • SECURITY-2390: High

Fix

  • Scriptler Plugin: should be updated to version 3.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Subscription confirmed

You'll now be notified automatically when new vulnerabilities
are disclosed