Jenkins Security Advisory 2021-06-16

This advisory announces vulnerabilities in the following Jenkins deliverables:

  • Scriptler Plugin

Stored XSS vulnerability in Scriptler Plugin

SECURITY-2224 / CVE-2021-21667

Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission: a parameter name containing markup is stored with the script and executes in the browser of any user who views a job configuration form that displays it.

Scriptler Plugin 3.3 escapes parameter names shown in job configuration forms.

Stored XSS vulnerability in Scriptler Plugin

SECURITY-2390 / CVE-2021-21668

Scriptler Plugin 3.1 and earlier does not escape script content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

Scriptler Plugin 3.2 escapes script content.
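Both issues above have the same root cause: a value an attacker with Scriptler/Configure permission can store (a parameter name, or the script body) is written into a page without HTML escaping. The following is an added illustration in JavaScript, not the plugin's own code (Scriptler's views are Jelly templates, and the form markup, field names and `renderConfigForm*` functions here are hypothetical). It renders a constructed stored script into a form first without escaping, as described for SECURITY-2224 and SECURITY-2390, then with context-appropriate escaping, and checks whether a raw script element survives into the output.

```javascript
// Added example, not Scriptler's own code. Markup and function names are
// hypothetical stand-ins for the plugin's Jelly views.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML-escape a string so it is inert both as element text and inside a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable rendering: stored parameter names and script content are
// concatenated straight into the markup (the defect the advisory describes).
function renderConfigFormUnsafe(script) {
  const params = script.parameters
    .map((p) => `<input type="text" name="${p.name}" value="">`)
    .join('\n');
  return `<form>\n${params}\n<textarea name="script">${script.content}</textarea>\n</form>`;
}

// Fixed rendering: every attacker-controlled value is escaped before it is
// placed into an attribute or element body.
function renderConfigFormSafe(script) {
  const params = script.parameters
    .map((p) => `<input type="text" name="${escapeHtml(p.name)}" value="">`)
    .join('\n');
  return `<form>\n${params}\n<textarea name="script">${escapeHtml(script.content)}</textarea>\n</form>`;
}

// Check: does a raw <script ...> tag reach the rendered page?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample of what a user holding Scriptler/Configure could store.
const storedScript = {
  parameters: [
    { name: 'tag' },
    // Parameter name that closes the name="..." attribute and injects a script element.
    { name: '"><script>alert(document.domain)</script><input name="x' },
  ],
  // Script body that closes the <textarea> and injects a script element.
  content: 'println "hi"</textarea><script>alert(1)</script>',
};

// Stand-alone run: the unsafe form carries the payload, the escaped one does not.
console.log('unsafe contains <script>:', containsRawScriptTag(renderConfigFormUnsafe(storedScript)));
console.log('safe contains <script>:', containsRawScriptTag(renderConfigFormSafe(storedScript)));
```

The two payloads show why both fixes were needed separately: the parameter name breaks out of an attribute context, while the script body breaks out of an element body, and a single escaping step at the point of output neutralises both.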

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Kevin Guerroudj for SECURITY-2224

Severity

  • SECURITY-2224: High

  • SECURITY-2390: High


Fix

  • Scriptler Plugin: should be updated to version 3.3

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.