An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 13.5 and iPadOS 13.5, macOS Catalina 10.15.5, tvOS 13.4.5, watchOS 6.2.5, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. Processing a maliciously crafted image may lead to arbitrary code execution.

Released May 20, 2020

**ImageIO**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9789: Wenchao Li of VARAS@IIE

CVE-2020-9790: Xingwei Lin of Ant-financial Light-Year Security Lab

**ImageIO**

Available for: Windows 7 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3878: Samuel Groß of Google Project Zero

**SQLite**

Available for: Windows 7 and later

Impact: A malicious application may cause a denial of service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9794

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9805: an anonymous researcher

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9802: Samuel Groß of Google Project Zero

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-9800: Brendan Draper (@6r3nd4n) working with Trend Micro Zero Day Initiative

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9806: Wen Xu of SSLab at Georgia Tech

CVE-2020-9807: Wen Xu of SSLab at Georgia Tech

**WebKit**

Available for: Windows 7 and later

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9850: @jinmo123, @setuid0x0\_, and @insu\_yun\_en of @SSLab\_Gatech working with Trend Micro’s Zero Day Initiative

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-9843: Ryan Pickren (ryanpickren.com)

**WebKit**

Available for: Windows 7 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved validation.

CVE-2020-9803: Wen Xu of SSLab at Georgia Tech

CVE-2020-3878: About the security content of iTunes 12.10.7 for Windows

Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to arbitrary code execution.

Released January 29, 2020

**ImageIO**

Available for: Windows 10 and later via the Microsoft Store

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3826: Samuel Groß of Google Project Zero

**libxml2**

Available for: Windows 10 and later via the Microsoft Store

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow was addressed with improved size validation.

CVE-2020-3846: Ranier Vilela

**WebKit**

Available for: Windows 10 and later via the Microsoft Store

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2020-3867: an anonymous researcher

**WebKit**

Available for: Windows 10 and later via the Microsoft Store

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2020-3825: Przemysław Sporysz of Euvic

CVE-2020-3868: Marcin Towalski of Cisco Talos

**WebKit**

Available for: Windows 10 and later via the Microsoft Store

Impact: A malicious website may be able to cause a denial of service

Description: A denial of service issue was addressed with improved memory handling.

CVE-2020-3862: Srikanth Gatta of Google Chrome

**WebKit**

Available for: Windows 10 and later via the Microsoft Store

Impact: Visiting a maliciously crafted website may reveal the sites a user has visited

Description: The HTTP referrer header may be used to leak browsing history. The issue was resolved by downgrading all third party referrers to their origin.

CVE-2019-8827: Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis of Google Security Team

Entry added February 3, 2020

**WebKit Page Loading**

Available for: Windows 10 and later via the Microsoft Store

Impact: A top-level DOM object context may have incorrectly been considered secure

Description: A logic issue was addressed with improved validation.

CVE-2020-3865: Ryan Pickren (ryanpickren.com)

Entry added February 11, 2020

**WebKit Page Loading**

Available for: Windows 10 and later via the Microsoft Store

Impact: A DOM object context may not have had a unique security origin

Description: A logic issue was addressed with improved validation.

CVE-2020-3864: Ryan Pickren (ryanpickren.com)

Entry added February 11, 2020

CVE-2020-3865: About the security content of iCloud for Windows 10.9.2

Released January 28, 2020

**Audio**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2020-3857: Zhuo Liang of Qihoo 360 Vulcan Team

**ImageIO**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-3826: Samuel Groß of Google Project Zero

CVE-2020-3870

CVE-2020-3878: Samuel Groß of Google Project Zero

CVE-2020-3880: Samuel Groß of Google Project Zero

Entry updated April 4, 2020

**IOAcceleratorFamily**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2020-3837: Brandon Azad of Google Project Zero

**IOUSBDeviceFamily**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8836: Xiaolong Bai and Min (Spark) Zheng of Alibaba Inc. and Luyi Xing of Indiana University Bloomington

Entry added June 22, 2020

**IPSec**

Available for: Apple TV 4K and Apple TV HD

Impact: Loading a maliciously crafted racoon configuration file may lead to arbitrary code execution

Description: An off by one issue existed in the handling of racoon configuration files. This issue was addressed through improved bounds checking.

CVE-2020-3840: @littlelailo

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2020-3875: Brandon Azad of Google Project Zero

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to read restricted memory

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2020-3872: Haakon Garseg Mørk of Cognite and Cim Stordal of Cognite

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to determine kernel memory layout

Description: An access issue was addressed with improved memory management.

CVE-2020-3836: Brandon Azad of Google Project Zero

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2020-3842: Ned Williamson working with Google Project Zero

**Kernel**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious application may be able to execute arbitrary code with system privileges

Description: A type confusion issue was addressed with improved memory handling.

CVE-2020-3853: Brandon Azad of Google Project Zero

**libxml2**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted XML may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow was addressed with improved size validation.

CVE-2020-3846: Ranier Vilela

Entry added January 29, 2020

**libxpc**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing a maliciously crafted string may lead to heap corruption

Description: A memory corruption issue was addressed with improved input validation.

CVE-2020-3856: Ian Beer of Google Project Zero

**libxpc**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to gain elevated privileges

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-3829: Ian Beer of Google Project Zero

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2020-3825: Przemysław Sporysz of Euvic

CVE-2020-3868: Marcin Towalski of Cisco Talos

Entry updated January 29, 2020

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: A malicious website may be able to cause a denial of service

Description: A denial of service issue was addressed with improved memory handling.

CVE-2020-3862: Srikanth Gatta of Google Chrome

Entry added January 29, 2020

**WebKit**

Available for: Apple TV 4K and Apple TV HD

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue was addressed with improved state management.

CVE-2020-3867: an anonymous researcher

Entry added January 29, 2020

**WebKit Page Loading**

Available for: Apple TV 4K and Apple TV HD

Impact: A top-level DOM object context may have incorrectly been considered secure

Description: A logic issue was addressed with improved validation.

CVE-2020-3865: Ryan Pickren (ryanpickren.com)

Entry added January 29, 2020, updated February 11, 2020

**WebKit Page Loading**

Available for: Apple TV 4K and Apple TV HD

Impact: A DOM object context may not have had a unique security origin

Description: A logic issue was addressed with improved validation.

CVE-2020-3864: Ryan Pickren (ryanpickren.com)

Entry added February 11, 2020

**wifivelocityd**

Available for: Apple TV 4K and Apple TV HD

Impact: An application may be able to execute arbitrary code with system privileges

Description: The issue was addressed with improved permissions logic.

CVE-2020-3838: Dayton Pidhirney (@\_watbulb)

CVE-2020-3868: About the security content of tvOS 13.3.1

A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow a authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.

*   Details
*   Reviews
*   Installation
*   Development

**Gallery Plugin**

**Helpful Links:**

*   Gallery Demo
*   Gallery Documentation
*   Gallery Support

We believe that you shouldn’t have to hire a developer to create a WordPress gallery. That’s why we built Envira, a drag & drop **photo gallery plugin** that’s both EASY, FAST and POWERFUL.

Envira is highly optimized for web and server performance because we understand the importance of speed when it comes to SEO and conversion.

Works great with the top page builders including: Elementor, Beaver Builder, Divi and more.

> **Envira Pro**  
> Photo Gallery by Envira is the lite version of the popular Envira Pro plugin that comes with all the features you will ever need including albums, tags, social media integration, gallery templates / gallery layouts, deeplinking, pagination, e-commerce, image proofing, and tons more. Click here to purchase Envira Pro now!

**Envira** has been downloaded over 3,000,000 times. Here’s why smart photographers, designers, and developers love Envira, and you will too!

**Drag & Drop Gallery Builder**

We were tired with the bloated and buggy gallery widgets. That’s why we built Envira to adapt to your workflow and allow you to create in minutes. By using our easy to use drag and drop builder, you can upload your photos, rearrange them, and basically create an image gallery in 5 minutes or less.

You can also add gallery blocks built for the new WordPress 5.0 Gutenberg block editor.

> The trick to making difficult things easy is to keep the easy things still easy. **Envira makes everything easy.** If you’ve struggled with WordPress gallery plugins that take video tutorials to learn, you’re going to love Envira.  
> Chris Lema – WordPress Blogger and Speaker

**Mobile Ready, SEO Friendly and Optimized for Speed**

Envira is 100% responsive and mobile-friendly by default. We optimized every query on the front-end and the back-end to ensure maximum speed.

Plus, you have the ability for meta data, deeplinks, standalone galleries, and pagination.

**Sharing and Selling Photos Made EASY**

Social media integrations, image proofing, and WooCommerce store integration.

> Not only is Envira **exceptionally well built** behind the scenes, it’s also exceptionally easy to use. It’s perfect for those who really want to get things done.  
> Pippin Williamson – WordPress Core Contributor and founder of EasyDigitalDownloads

**Easy to Customize and Extend**

You can easily customize with our built-in WordPress templates and layouts or create your own.

But we also knew that our developer friends may want to extend it further. That’s why Envira comes with tons of hooks and filters (and yes it’s all very-well documented).

> Most WordPress gallery options are either too basic or require a PhD to figure out. For my clients, I need something that is easy to use yet powerful. Envira is the answer. Its straight forward approach means it is a breeze for my clients to quickly create galleries. Nevertheless, with the API and documentation available, it also allows developers to make customizations and extend functionality when necessary. Simply put, **Envira is a great tool** for everyone’s tool chest.  
> Jared Atchison – Top Notch Engineer and WordPress Developer

**Full Envira Feature List**

*   Guttenberg Blocks for WordPress 5.0
*   Drag & Drop Photo Gallery Builder
*   100% Responsive – Mobile Friendly
*   Beautiful Layouts / Templates for Customization
*   Albums – Easily organize your photo galleries, choose cover photos, and more.
*   Social Sharing – Share your photos on Facebook, Twitter, Pinterest, and Google+
*   Video Galleries – Not just for photos! You can add YouTube, Vimeo, Wistia, and other videos in your video gallery.
*   Watermarking – Protect your images from theft with watermarking.
*   Slideshow – Add beautiful slideshow with autoplay, manual controls, and more.
*   Deeplinking – Make your gallery and images SEO friendly and easily link to individual images with deeplinking.
*   Pagination – Split your large galleries into multiple pages to improve page speed, user experience, and pageviews.
*   Elementor – Quickly and easily create, edit, and sync your image and video galleries directly inside the Elementor page builder.
*   Image Proofing – We made client image proofing easy for your photography business.
*   WooCommerce Integration – Instantly display and sell your photos with the most popular eCommerce software on the web.
*   Image Tags – Organize your WordPress photos with tags for easy search and display that also filtrable.
*   Password Protection – Prevent unauthorized access to your WordPress galleries.
*   Standalone Galleries – Create independent galleries that are not tied to your posts or pages.
*   EXIF Meta Data – Display your EXIF data including camera model, aperture, shutter speed, and more.
*   Pinterest – Add the Pinterest Pin It button to improve your reach.
*   Instagram – Import Instagram images.
*   FullScreen Display – Take advantage of the native fullscreen and Lightbox display.
*   Supersized Images – Don’t want to crop or resize your images? Supersize allows you to do just that.
*   Dynamic Galleries – Easily create galleries on the fly from various different sources.
*   Gallery Defaults – Speed up the creation process by saving your default settings.
*   CSS Styles – Customize your portfolio by adding custom CSS and styles.
*   Adobe Lightroom to WordPress – Do you love Adobe Lightroom? We do too. You can automatically create and sync photo galleries from your Adobe Lightroom Collections. We made Lightroom to WordPress import easy!
*   Zip Importer – Nobody likes uploading images individually. Now you can build a gallery from a .zip file.
*   Dropbox Importer – You can easily import photos from your Dropbox account.
*   NextGen Importer – Not a fan of NextGen? You can import your files in few simple clicks.
*   Auto Image Compression – Reduce the file size of your images and make your site run fast.
*   Want us to add something else? Suggest a feature and we’ll get it added!

> When it comes to WordPress gallery plugins, **Envira has no equal**. Solid enough to do the job right, while flexible enough to handle any situation you can throw at it.  
> Andrew Norcross – Expert WordPress Consultant and Core Contributer

**Demos**

While Envira offers tons of features, below are some of the most requested demos.

*   WordPress Lightbox Photo Display Demo
*   WordPress Masonry Display Demo
*   WordPress Photo Albums Demo
*   WordPress Polaroid Photo Display Demo
*   WordPress Video Display Demo
*   See the full list of Envira Demos

**Popular Envira Tutorials**

We share tons of photography tutorials at the Envira blog.

Below are some of the most popular Envira tutorials:

*   How to Add a Polaroid Gallery in WordPress
*   How to Create a Masonry Image Gallery in WordPress
*   How to Create a Photo Album in WordPress
*   How to Create an Image Slider for Your WordPress Galleries
*   How to Add Pagination in WordPress Image Galleries

**Credits****What’s Next**

If you like this plugin, then consider checking out our other plugins:

*   Soliloquy – The Best WordPress Slider Plugin
*   WP-PDF Embedder – The Best WordPress PDF Embedding Plugin

1.  Install Envira Lite either via the WordPress.org plugin repository or by uploading the files to your server. (See instructions on how to install a WordPress plugin)
2.  Activate Envira Lite.
3.  Navigate to the Envira tab at the bottom of your admin menu and click the “Add New” button to begin creating, or you can create directly inside the post/page/custom post type of your choice.
4.  Salivate for new features and purchase the full version of Envira!

**Who should use Envira?**

Envira is perfect for photographers, designers, bloggers, and small businesses.

**Do I need to have coding skills to use Envira?**

Absolutely not. You can create and customize beautiful image and video galleries without any coding knowledge. We made it super easy.

**What kind of galleries can I create with Envira Gallery?**

Here are the types of galleries you can create:

Photo / Image  
Video Gallery  
Fullscreen  
Image Gallery with Albums  
Image Gallery with Lightbox  
Featured Content  
Masonry Photo  
Justified Image  
Image Gallery with Pagination  
Polaroid Image  
Instagram Photo Gallery  
Image Gallery with Tags  
Pinterest Image Gallery  
Photo Gallery with EXIF Data  
Image Gallery with Watermarks  
Photo Gallery with Slideshow  
Image Gallery with Zoom  
Photo Gallery with Proofing  
Lazyload  
WooCommerce Product  
Image Gallery with Lightroom Photos  
Password Protected Photo  
Dropbox Images  
Image from Zip Files  
Photos with Breadcrumb Navigation  
Custom Post Type Content  
YouTube Video  
Vimeo Video  
Wistia Video  
Twitch.tv Video  
Custom Video  
Dynamic Photos  
Portfolio  
Tiles  
Grid  
Music Gallery

**I’d like access to all features. How can I get them?**

You can get access to more features, Addons and support by visiting the Envira website and purchasing a support license. Purchasing a support license gets you access to the full version of Envira, automatic updates and support, and depending on the level of support license, you can even get exclusive access to Envira Addons!

**Is Envira translation ready?**

Yes, Envira has full translation and localization support via the envira-gallery textdomain. To submit a translation, see https://translate.wordpress.org/projects/wp-plugins/envira-gallery-lite

Easy to use and the customers love it.

Unfortunately, the "Load more" button no longer works and for about 6 weeks we have been waiting for a solution from support. We use Envira in the pay variant.

This is the fastest, easiest to use WordPress image gallery plugin.

easy to use - works great!thanks for that

So many of the blocks I use are not optimized for SEO. This is one of the few that actually brings out the title and alt tags.

Read all 1,500 reviews

“Gallery Plugin for WordPress – Envira Photo Gallery” is open source software. The following people have contributed to this plugin.

Contributors

1.8.6.1

*   Fixed: depricated usort callback

1.8.6

*   Fixed: php 8 compatibility

1.8.5.3

*   Fixed: Links not opening in new window

1.8.5.2

*   Fixed: Undefined function enviratope on mason layouts.

1.8.5.1

*   Fixed: incorrect variable name.

1.8.5

*   Fixed: Improve sanitization.
*   Fixed: Remove legacy code.
*   Fixed: Replace local scripts with WordPress core scripts

1.8.4.7

*   Fixed: Improve admin sanitization.

1.8.4.6

*   Fixed: Javascript warnings when adding a gallery in the block editor.

1.8.4.5

*   Fixed: Tweaked icon spacing and placement in image editor blocks.

1.8.4.4

*   Fixed: Issue involving not being able to edit caption or title in the block editor for individual images in a gallery in certain layouts.

1.8.4.3

*   Fixed: Issue involving fatal error when empying a gallery from the trash.

1.8.4.2

*   Fixed: Corrected text box type and visual look of subscription form signup modal.

1.8.4.1

*   Fixed: Resolved fatal error upon checking for active plugins upon loading.

1.8.4.0

*   Fixed: Issue involving margin resets in block editor.
*   Fixed: Issue involving margin resets in block editor.
*   Fixed: Issue involving gallery button with Classic Editor.
*   Fixed: Resolved conflict with Enhanced Media Replace Pro.
*   Fixed: PHP 8.x and related notices and warnings.

1.8.3.9

*   Updated: Images

1.8.3.8

*   Updated: Getting Started area – new tab and updated CSS.

1.8.3.7

*   Fixed: Issue regarding lightbox and uploaded WebP images.

1.8.3.6

*   Updated: Removed Additional Marketing Copy
*   Added: WebP Support

1.8.3.5

*   Updated: Expired Marketing Offer

1.8.3.4

*   Updated: Promotional messages.
*   Fixed: PHP 8 related notices.

1.8.3.3

*   Fixed: Improving metadata sanitization.

1.8.3.2

*   Fixed: Lightbox Bug with WordPress 5.6.0

1.8.3.1

*   Added: Lifetime option notice.

1.8.3

*   Updated: Recent News On Welcome Screen.
*   Updated: Links On What’s New Screen.

1.8.2

*   Added: Most Popular sort in Addons screen.
*   Updated: Recent News On Welcome Screen.
*   Updated: Links On What’s New Screen.

1.8.1.0

*   Added: envira\_gallery\_output\_item\_src\_retina filter.
*   Added: envira\_gallery\_title\_display filter.
*   Added: filters for aspectRatio, loop, lightbox openclose effect, and more for Fancybox settings.
*   Updated: Subscription number.
*   Updated: Remove references to Facebook Video.

1.8.0.3

*   Fix: Tweak UI for upcoming WordPress 5.5 admin visual changes.
*   Fix: Removed outdated URL from translation files.

1.8.0.2

*   Removed: Legacy style related to Gutenberg.

1.8.0.1

*   Removed: Redirect upon updating.

1.8.0

*   Added: Enable links in lightbox settings, when lightbox is deactivated.

CVE-2020-9334: Gallery Plugin for WordPress – Envira Photo Gallery

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier in form-related methods allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Applatix Plugin
*   Azure AD Plugin
*   BMC Release Package and Deployment Plugin
*   brakeman Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   FitNesse Plugin
*   Git Parameter Plugin
*   Google Kubernetes Engine Plugin
*   Harvest SCM Plugin
*   NUnit Plugin
*   Parasoft Environment Manager Plugin
*   Pipeline GitHub Notify Step Plugin
*   Pipeline: Groovy Plugin
*   RadarGun Plugin
*   S3 publisher Plugin
*   Script Security Plugin
*   Subversion Plugin

**Descriptions****Sandbox bypass via default method parameter expression in Pipeline: Groovy Plugin**

**SECURITY-1710 / CVE-2020-2109**

Sandbox protection in Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

This allows attackers able to specify and run sandboxed Pipelines to execute arbitrary code in the context of the Jenkins controller JVM.

These expressions are subject to sandbox protection in Pipeline: Groovy Plugin 2.79.

**Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1713 / CVE-2020-2110**

Sandbox protection in Script Security Plugin 1.69 and earlier can be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports or by using them inside of other annotations. This affects both script execution (typically invoked from other plugins like Pipeline) as well as HTTP endpoints providing sandboxed script validation.

Users with Overall/Read permission can exploit this to bypass sandbox protection and execute arbitrary code on the Jenkins controller.

This issue is due to an incomplete fix of SECURITY-1266.

Script Security Plugin 1.70 disallows all known unsafe AST transformations on imports or when used inside of other annotations.

**Stored XSS vulnerability in Subversion Plugin**

**SECURITY-1725 / CVE-2020-2111**

Subversion Plugin 2.13.0 and earlier does not escape the error message for the Project Repository Base URL field form validation. This results in a stored cross-site scripting vulnerability exploitable by users able to specify such base URLs, for example users able to configure Multibranch Pipelines.

Subversion Plugin 2.13.1 escapes the affected part of the error message.

**Multiple stored XSS vulnerabilities in Git Parameter Plugin**

**SECURITY-1709 / CVE-2020-2112 (parameter name), CVE-2020-2113 (default value)**

Git Parameter Plugin 0.9.11 and earlier does not correctly escape the parameter name or default value. This results in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission.

Git Parameter Plugin 0.9.12 escapes the parameter name and default value shown on the UI.

**Credential transmitted in plain text by S3 publisher Plugin**

**SECURITY-1684 / CVE-2020-2114**

S3 publisher Plugin stores a secret key in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by S3 publisher Plugin 0.11.4 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

S3 publisher Plugin 0.11.5 transmits the secret key in its global configuration encrypted.

**XXE vulnerability in NUnit Plugin**

**SECURITY-1752 / CVE-2020-2115**

NUnit Plugin 0.25 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

NUnit Plugin 0.26 disables external entity processing for its XML parser.

**CSRF vulnerability and missing permission checks in Pipeline GitHub Notify Step Plugin allows capturing credentials**

**SECURITY-812 (1) / CVE-2020-2116 (CSRF), CVE-2020-2117 (missing permission check)**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

This form validation method requires POST requests and Item/Configure permission in Pipeline GitHub Notify Step Plugin 1.0.5.

**Users with Overall/Read access can enumerate credential IDs in Pipeline GitHub Notify Step Plugin**

**SECURITY-812 (2) / CVE-2020-2118**

Pipeline GitHub Notify Step Plugin 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

An enumeration of credentials IDs in Pipeline GitHub Notify Step Plugin 1.0.5 requires the permission to configure a project.

**Client secret transmitted in plain text by Azure AD Plugin**

**SECURITY-1717 / CVE-2020-2119**

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

**XXE vulnerability in FitNesse Plugin**

**SECURITY-1751 / CVE-2020-2120**

FitNesse Plugin 1.30 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for its post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

FitNesse Plugin 1.31 disables external entity processing for its XML parser.

**RCE vulnerability in Google Kubernetes Engine Plugin**

**SECURITY-1731 / CVE-2020-2121**

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

**Stored XSS vulnerability in brakeman Plugin**

**SECURITY-1644 / CVE-2020-2122**

brakeman Plugin 0.12 and earlier did not escape values received from parsed JSON files when rendering them, resulting in a stored cross-site scripting vulnerability.

This vulnerability can be exploited by users able to control the Brakeman post-build step input data.

brakeman Plugin 0.13 escape affected values from the parsed file as they are recorded.

This fix is only applied to newly recorded data after a fixed version of the plugin is installed; historical data may still contain unsafe values.

**RCE vulnerability in RadarGun Plugin**

**SECURITY-1733 / CVE-2020-2123**

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

**Password stored in plain text by Dynamic Extended Choice Parameter Plugin**

**SECURITY-1560 / CVE-2020-2124**

Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a Subversion password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by debian-package-builder Plugin**

**SECURITY-1558 / CVE-2020-2125**

debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Token stored in plain text by DigitalOcean Plugin**

**SECURITY-1559 / CVE-2020-2126**

DigitalOcean Plugin 1.1 and earlier stores a token unencrypted in the global config.xml files as part of its configuration. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credential stored in plain text by BMC Release Package and Deployment Plugin**

**SECURITY-1547 / CVE-2020-2127**

BMC Release Package and Deployment Plugin 1.1 and earlier stores the RPD user token unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by ECX Copy Data Management Plugin**

**SECURITY-1549 / CVE-2020-2128**

ECX Copy Data Management Plugin 1.9 and earlier stores a service password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Eagle Tester Plugin**

**SECURITY-1552 / CVE-2020-2129**

Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file com.bmc.rpd.jenkins.plugin.bmcrpd.configuration.RPDPluginConfiguration.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by Harvest SCM Plugin**

**SECURITY-1553 / CVE-2020-2130 (global configuration), CVE-2020-2131 (job configuration)**

Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access to the Jenkins controller file system (both).

As of publication of this advisory, there is no fix.

**Password stored in plain text by Parasoft Environment Manager Plugin**

**SECURITY-1562 / CVE-2020-2132**

Parasoft Environment Manager Plugin 2.14 and earlier stores a repository password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Password stored in plain text by Applatix Plugin**

**SECURITY-1540 / CVE-2020-2133**

Applatix Plugin 1.1 and earlier stores the Applatix password unencrypted in job config.xml files as part of its configuration. This credential can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-812 (1): High
*   SECURITY-812 (2): Medium
*   SECURITY-1540: Medium
*   SECURITY-1547: Low
*   SECURITY-1549: Medium
*   SECURITY-1552: Low
*   SECURITY-1553: Medium
*   SECURITY-1558: Low
*   SECURITY-1559: Low
*   SECURITY-1560: Medium
*   SECURITY-1562: Medium
*   SECURITY-1644: Medium
*   SECURITY-1684: Low
*   SECURITY-1709: Medium
*   SECURITY-1710: High
*   SECURITY-1713: High
*   SECURITY-1717: Low
*   SECURITY-1725: Medium
*   SECURITY-1731: High
*   SECURITY-1733: High
*   SECURITY-1751: High
*   SECURITY-1752: High

**Affected Versions**

*   **Applatix Plugin** up to and including 1.1
*   **Azure AD Plugin** up to and including 1.1.2
*   **BMC Release Package and Deployment Plugin** up to and including 1.1
*   **brakeman Plugin** up to and including 0.12
*   **debian-package-builder Plugin** up to and including 1.6.11
*   **DigitalOcean Plugin** up to and including 1.1
*   **Dynamic Extended Choice Parameter Plugin** up to and including 1.0.1
*   **Eagle Tester Plugin** up to and including 1.0.9
*   **ECX Copy Data Management Plugin** up to and including 1.9
*   **FitNesse Plugin** up to and including 1.30
*   **Git Parameter Plugin** up to and including 0.9.11
*   **Google Kubernetes Engine Plugin** up to and including 0.8.0
*   **Harvest SCM Plugin** up to and including 0.5.1
*   **NUnit Plugin** up to and including 0.25
*   **Parasoft Environment Manager Plugin** up to and including 2.14
*   **Pipeline GitHub Notify Step Plugin** up to and including 1.0.4
*   **Pipeline: Groovy Plugin** up to and including 2.78
*   **RadarGun Plugin** up to and including 1.7
*   **S3 publisher Plugin** up to and including 0.11.4
*   **Script Security Plugin** up to and including 1.69
*   **Subversion Plugin** up to and including 2.13.0

**Fix**

*   **Azure AD Plugin** should be updated to version 1.2.0
*   **brakeman Plugin** should be updated to version 0.13
*   **FitNesse Plugin** should be updated to version 1.31
*   **Git Parameter Plugin** should be updated to version 0.9.12
*   **Google Kubernetes Engine Plugin** should be updated to version 0.8.1
*   **NUnit Plugin** should be updated to version 0.26
*   **Pipeline GitHub Notify Step Plugin** should be updated to version 1.0.5
*   **Pipeline: Groovy Plugin** should be updated to version 2.79
*   **RadarGun Plugin** should be updated to version 1.8
*   **S3 publisher Plugin** should be updated to version 0.11.5
*   **Script Security Plugin** should be updated to version 1.70
*   **Subversion Plugin** should be updated to version 2.13.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Applatix Plugin
*   BMC Release Package and Deployment Plugin
*   debian-package-builder Plugin
*   DigitalOcean Plugin
*   Dynamic Extended Choice Parameter Plugin
*   Eagle Tester Plugin
*   ECX Copy Data Management Plugin
*   Harvest SCM Plugin
*   Parasoft Environment Manager Plugin

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Adith Sudhakar** for SECURITY-1644
*   **Daniel Kalinowski of ISEC.pl Research Team** for SECURITY-1731, SECURITY-1733
*   **Federico Pellegrin** for SECURITY-1751, SECURITY-1752
*   **James Holderness, IB Boost** for SECURITY-1540, SECURITY-1547, SECURITY-1549, SECURITY-1552, SECURITY-1553, SECURITY-1558, SECURITY-1559, SECURITY-1560, SECURITY-1562
*   **Joseph Petersen @jetersen** for SECURITY-1717
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1710, SECURITY-1713
*   **Sven Grossmann (@svennergr)** for SECURITY-1709
*   **Thomas de Grenier de Latour** for SECURITY-812 (1), SECURITY-812 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1684, SECURITY-1725

CVE-2020-2118: Jenkins Security Advisory 2020-02-12

A missing permission check in Jenkins Pipeline GitHub Notify Step Plugin 1.0.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2020-2117: Jenkins Security Advisory 2020-02-12

Use after free in speech in Google Chrome prior to 79.0.3945.130 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2020-6378: 1018677 - chromium - An open-source project to help move the web forward.

Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.130 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted Chrome Extension.

CVE-2020-6380: Stable Channel Update for Desktop

Inappropriate implementation in Blink in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2020-6404: Stable Channel Update for Desktop

Inappropriate implementation in JavaScript in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Tag

#google