A cross-site request forgery (CSRF) vulnerability in Jenkins Shared Objects Plugin 0.44 and earlier allows attackers to configure shared objects.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Active Choices Plugin
*   Audit Trail Plugin
*   couchdb-statistics Plugin
*   Maven Cascade Release Plugin
*   Nerrvana Plugin
*   Persona Plugin
*   Release Plugin
*   Role-based Authorization Strategy Plugin
*   Shared Objects Plugin
*   SMS Notification Plugin

**Descriptions****Improper authorization due to caching in Role-based Authorization Strategy Plugin**

**SECURITY-1767 / CVE-2020-2286**  
**Severity (CVSS):** High  
**Affected plugin: role-strategy**  
**Description:**

Role-based Authorization Strategy Plugin 2.12 and newer uses a cache to speed up permission lookups.

In Role-based Authorization Strategy Plugin 3.0 and earlier this cache is not invalidated properly when an administrator changes the permission configuration. This can result in permissions being granted long after the configuration was changed to no longer grant them.

Role-based Authorization Strategy Plugin 3.1 properly invalidates the cache on configuration changes.

**Request logging could be bypassed in Audit Trail Plugin**

**SECURITY-1815 / CVE-2020-2287**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin logs requests whose URL path matches an admin-configured regular expression.

A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in Audit Trail Plugin 3.6 and earlier. This only applies to Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, as the fix for SECURITY-1774 prohibits dispatch of affected requests.

Audit Trail Plugin 3.7 processes request URL paths the same way as the Stapler web framework.

**Incorrect default pattern in Audit Trail Plugin**

**SECURITY-1846 / CVE-2020-2288**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin uses regular expressions to match requested URLs whose dispatch should be logged.

In Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.

Audit Trail Plugin 3.7 changes the default regular expression pattern so that it allows for arbitrary suffixes. It automatically will replace previous default patterns with the new, more complete default pattern.

Additionally, an administrative monitor is shown if a user-specified pattern is found to be bypassable through crafted URLs and form validation was improved to recognize patterns that would not match requests with arbitrary suffixes.

**Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-1954 / CVE-2020-2289**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.4 and earlier does not escape the name and description of build parameters.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Active Choices Plugin 2.5 escapes the name of build parameters and applies the configured markup formatter to the description of build parameters.

**Stored XSS vulnerability in Active Choices Plugin**

**SECURITY-2008 / CVE-2020-2290**  
**Severity (CVSS):** High  
**Affected plugin: uno-choice**  
**Description:**

Active Choices Plugin 2.4 and earlier does not escape List and Map return values of sandboxed scripts for _Reactive Reference Parameter_.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This issue is caused by an incomplete fix for SECURITY-470.

Active Choices Plugin 2.5 escapes all legal return values of sandboxed scripts.

**Password stored in plain text by couchdb-statistics Plugin**

**SECURITY-2065 / CVE-2020-2291**  
**Severity (CVSS):** Low  
**Affected plugin: couchdb-statistics**  
**Description:**

couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

couchdb-statistics Plugin 0.4 stores its server password encrypted once its configuration is saved again.

**Stored XSS vulnerability in Release Plugin**

**SECURITY-1928 / CVE-2020-2292**  
**Severity (CVSS):** High  
**Affected plugin: release**  
**Description:**

Release Plugin 2.10.2 and earlier does not escape the release version in the badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Persona Plugin**

**SECURITY-2046 / CVE-2020-2293**  
**Severity (CVSS):** Medium  
**Affected plugin: persona**  
**Description:**

Persona Plugin 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Maven Cascade Release Plugin**

**SECURITY-2049 / CVE-2020-2294 (permission check), CVE-2020-2295 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: maven-release-cascade**  
**Description:**

Maven Cascade Release Plugin 1.3.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Shared Objects Plugin**

**SECURITY-2052 / CVE-2020-2296**  
**Severity (CVSS):** Medium  
**Affected plugin: shared-objects**  
**Description:**

Shared Objects Plugin 0.44 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to configure shared objects.

As of publication of this advisory, there is no fix.

**Access token stored in plain text by SMS Notification Plugin**

**SECURITY-2054 / CVE-2020-2297**  
**Severity (CVSS):** Low  
**Affected plugin: sms**  
**Description:**

SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file com.hoiio.jenkins.plugin.SMSNotification.xml on the Jenkins controller as part of its configuration.

This access token can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**XXE vulnerability in Nerrvana Plugin**

**SECURITY-2097 / CVE-2020-2298**  
**Severity (CVSS):** High  
**Affected plugin: nerrvana-plugin**  
**Description:**

Nerrvana Plugin 1.02.06 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, XML parsing is exposed as a form validation endpoint that does not require POST requests, allowing exploitation by users without Overall/Read permission via CSRF.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1767: High
*   SECURITY-1815: Medium
*   SECURITY-1846: Medium
*   SECURITY-1928: High
*   SECURITY-1954: High
*   SECURITY-2008: High
*   SECURITY-2046: Medium
*   SECURITY-2049: Medium
*   SECURITY-2052: Medium
*   SECURITY-2054: Low
*   SECURITY-2065: Low
*   SECURITY-2097: High

**Affected Versions**

*   **Active Choices Plugin** up to and including 2.4
*   **Audit Trail Plugin** up to and including 3.6
*   **couchdb-statistics Plugin** up to and including 0.3
*   **Maven Cascade Release Plugin** up to and including 1.3.2
*   **Nerrvana Plugin** up to and including 1.02.06
*   **Persona Plugin** up to and including 2.4
*   **Release Plugin** up to and including 2.10.2
*   **Role-based Authorization Strategy Plugin** up to and including 3.0
*   **Shared Objects Plugin** up to and including 0.44
*   **SMS Notification Plugin** up to and including 1.2

**Fix**

*   **Active Choices Plugin** should be updated to version 2.5
*   **Audit Trail Plugin** should be updated to version 3.7
*   **couchdb-statistics Plugin** should be updated to version 0.4
*   **Role-based Authorization Strategy Plugin** should be updated to version 3.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Maven Cascade Release Plugin
*   Nerrvana Plugin
*   Persona Plugin
*   Release Plugin
*   Shared Objects Plugin
*   SMS Notification Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1846, SECURITY-2046, SECURITY-2097
*   **Daniel Beck, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1815
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2052
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2054, SECURITY-2065
*   **Raihaan Shouhell, Autodesk, Inc** for SECURITY-1767
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1928, SECURITY-1954, SECURITY-2008
*   **Wadeck Follonier, CloudBees, Inc. and Jeff Thompson, CloudBees, Inc.** for SECURITY-2049

CVE-2020-2296: Jenkins Security Advisory 2020-10-08

Jenkins Release Plugin 2.10.2 and earlier does not escape the release version in badge tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Release/Release permission.

CVE-2020-2292: Jenkins Security Advisory 2020-10-08

Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   android-lint Plugin
*   Blue Ocean Plugin
*   chosen-views-tabbar Plugin
*   ClearCase Release Plugin
*   computer-queue-plugin Plugin
*   Copy data to workspace Plugin
*   Coverage/Complexity Scatter Plot Plugin
*   Custom Job Icon Plugin
*   Description Column Plugin
*   ElasTest Plugin
*   Email Extension Plugin
*   Health Advisor by CloudBees Plugin
*   Locked Files Report Plugin
*   Mailer Plugin
*   MongoDB Plugin
*   Perfecto Plugin
*   Pipeline Maven Integration Plugin
*   Radiator View Plugin
*   Selection tasks Plugin
*   Storable Configs Plugin
*   Validating String Parameter Plugin

**Descriptions****Missing hostname validation in Mailer Plugin**

**SECURITY-1813 / CVE-2020-2252**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Mailer Plugin 1.32.1 validates the SMTP hostname when connecting via TLS by default. In Mailer Plugin 1.32 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection.

In case of problems, this protection can be disabled again by setting the Java system property mail.smtp.ssl.checkserveridentity to false on startup.

**Missing hostname validation in Email Extension Plugin**

**SECURITY-1851 / CVE-2020-2253**  
**Severity (CVSS):** Medium  
**Affected plugin: email-ext**  
**Description:**

Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Email Extension Plugin 2.76 validates the SMTP hostname when connecting via TLS by default. In Email Extension Plugin 2.75 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection. Alternatively, this protection can be enabled (or disabled in the new version) via the 'Advanced Email Properties' field in the plugin’s configuration in Configure System.

In case of problems, this protection can be disabled again by setting mail.smtp.ssl.checkserveridentity to false using either method.

**Path traversal vulnerability in Blue Ocean Plugin**

**SECURITY-1956 / CVE-2020-2254**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GIT_READ_SAVE_TYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system.

Blue Ocean Plugin 1.23.3 no longer includes this feature and redirects existing usage to a safer alternative.

**Missing permission check in Blue Ocean Plugin**

**SECURITY-1961 / CVE-2020-2255**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

**Updated 2020-09-16:** _This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it._

Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Blue Ocean Plugin 1.23.3 requires Item/Create permission to perform these connection tests.

**Stored XSS vulnerability in upstream cause in Pipeline Maven Integration Plugin**

**SECURITY-1976 / CVE-2020-2256**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.

**Stored XSS vulnerability in Validating String Parameter Plugin**

**SECURITY-1935 / CVE-2020-2257**  
**Severity (CVSS):** High  
**Affected plugin: validating-string-parameter**  
**Description:**

Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.

**Incorrect permission check in Health Advisor by CloudBees Plugin**

**SECURITY-1998 / CVE-2020-2258**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-jenkins-advisor**  
**Description:**

Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view an administrative configuration page.

Health Advisor by CloudBees Plugin 3.2.1 requires Overall/Administer to view its administrative configuration page.

**Stored XSS vulnerability in computer-queue-plugin Plugin**

**SECURITY-1912 / CVE-2020-2259**  
**Severity (CVSS):** High  
**Affected plugin: computer-queue-plugin**  
**Description:**

computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

computer-queue-plugin Plugin 1.6 escapes the agent name in tooltips.

**Missing permission check in Perfecto Plugin**

**SECURITY-1979 / CVE-2020-2260**  
**Severity (CVSS):** Medium  
**Affected plugin: perfecto**  
**Description:**

Perfecto Plugin 1.17 and earlier does not perform a permission check in a method implementing a connection test.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password.

Perfecto Plugin 1.18 requires Overall/Administer permission to perform a connection test.

**OS command execution vulnerability in Perfecto Plugin**

**SECURITY-1980 / CVE-2020-2261**  
**Severity (CVSS):** High  
**Affected plugin: perfecto**  
**Description:**

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.

This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

**Stored XSS vulnerability in android-lint Plugin**

**SECURITY-1908 / CVE-2020-2262**  
**Severity (CVSS):** High  
**Affected plugin: android-lint**  
**Description:**

android-lint Plugin 2.6 and earlier does not escape the annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Android Lint results' post-build step.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Radiator View Plugin**

**SECURITY-1927 / CVE-2020-2263**  
**Severity (CVSS):** High  
**Affected plugin: radiatorviewplugin**  
**Description:**

Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Custom Job Icon Plugin**

**SECURITY-1914 / CVE-2020-2264**  
**Severity (CVSS):** High  
**Affected plugin: custom-job-icon**  
**Description:**

Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Coverage/Complexity Scatter Plot Plugin**

**SECURITY-1913 / CVE-2020-2265**  
**Severity (CVSS):** High  
**Affected plugin: covcomplplot**  
**Description:**

Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Coverage / Complexity Scatter Plot' post-build step.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Description Column Plugin**

**SECURITY-1916 / CVE-2020-2266**  
**Severity (CVSS):** High  
**Affected plugin: description-column-plugin**  
**Description:**

Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in MongoDB Plugin**

**SECURITY-1904 / CVE-2020-2267 (missing permission check), CVE-2020-2268 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: mongodb**  
**Description:**

MongoDB Plugin 1.3 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in chosen-views-tabbar Plugin**

**SECURITY-1869 / CVE-2020-2269**  
**Severity (CVSS):** High  
**Affected plugin: chosen-views-tabbar**  
**Description:**

chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in ClearCase Release Plugin**

**SECURITY-1911 / CVE-2020-2270**  
**Severity (CVSS):** High  
**Affected plugin: clearcase-release**  
**Description:**

ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Locked Files Report Plugin**

**SECURITY-1921 / CVE-2020-2271**  
**Severity (CVSS):** High  
**Affected plugin: locked-files-report**  
**Description:**

Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in ElasTest Plugin**

**SECURITY-1903 / CVE-2020-2272 (missing permission check), CVE-2020-2273 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: elastest**  
**Description:**

ElasTest Plugin 1.2.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by ElasTest Plugin**

**SECURITY-2014 / CVE-2020-2274**  
**Severity (CVSS):** Low  
**Affected plugin: elastest**  
**Description:**

ElasTest Plugin 1.2.1 and earlier stores its server password in plain text in the global configuration file jenkins.plugins.elastest.ElasTestInstallation.xml. This password can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Copy data to workspace Plugin**

**SECURITY-1966 / CVE-2020-2275**  
**Severity (CVSS):** Medium  
**Affected plugin: copy-data-to-workspace-plugin**  
**Description:**

Copy data to workspace Plugin allows users to copy files from the Jenkins controller to job workspaces.

Copy data to workspace Plugin 1.0 and earlier does not limit which directories can be copied. This allows attackers with Job/Configure permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**System command execution vulnerability in Selection tasks Plugin**

**SECURITY-1967 / CVE-2020-2276**  
**Severity (CVSS):** High  
**Affected plugin: selection-tasks-plugin**  
**Description:**

Selection tasks Plugin implements a job parameter that dynamically generates possible values from the output of a program. The path to that program is specified as part of the parameter configuration.

Selection tasks Plugin 1.0 and earlier executes this user-specified program on the Jenkins controller. This allows attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Storable Configs Plugin**

**SECURITY-1968 (1) / CVE-2020-2277**  
**Severity (CVSS):** Medium  
**Affected plugin: storable-configs-plugin**  
**Description:**

Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Arbitrary file write vulnerability in Storable Configs Plugin**

**SECURITY-1968 (2) / CVE-2020-2278**  
**Severity (CVSS):** Medium  
**Affected plugin: storable-configs-plugin**  
**Description:**

Storable Configs Plugin allows storing copies of a job’s config.xml file on the Jenkins controller with a user-specified file name.

Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, except that a .xml suffix is added if it’s not already present. This allows attackers with Job/Configure permission to replace any other .xml file on the Jenkins controller with the job’s config.xml file’s content.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1813: Medium
*   SECURITY-1851: Medium
*   SECURITY-1869: High
*   SECURITY-1903: Medium
*   SECURITY-1904: Medium
*   SECURITY-1908: High
*   SECURITY-1911: High
*   SECURITY-1912: High
*   SECURITY-1913: High
*   SECURITY-1914: High
*   SECURITY-1916: High
*   SECURITY-1921: High
*   SECURITY-1927: High
*   SECURITY-1935: High
*   SECURITY-1956: Medium
*   SECURITY-1961: Medium
*   SECURITY-1966: Medium
*   SECURITY-1967: High
*   SECURITY-1968 (1): Medium
*   SECURITY-1968 (2): Medium
*   SECURITY-1976: High
*   SECURITY-1979: Medium
*   SECURITY-1980: High
*   SECURITY-1998: Medium
*   SECURITY-2014: Low

**Affected Versions**

*   **android-lint Plugin** up to and including 2.6
*   **Blue Ocean Plugin** up to and including 1.23.2
*   **chosen-views-tabbar Plugin** up to and including 1.2
*   **ClearCase Release Plugin** up to and including 0.3
*   **computer-queue-plugin Plugin** up to and including 1.5
*   **Copy data to workspace Plugin** up to and including 1.0
*   **Coverage/Complexity Scatter Plot Plugin** up to and including 1.1.1
*   **Custom Job Icon Plugin** up to and including 0.2
*   **Description Column Plugin** up to and including 1.3
*   **ElasTest Plugin** up to and including 1.2.1
*   **Email Extension Plugin** up to and including 2.75
*   **Health Advisor by CloudBees Plugin** up to and including 3.2.0
*   **Locked Files Report Plugin** up to and including 1.6
*   **Mailer Plugin** up to and including 1.32
*   **MongoDB Plugin** up to and including 1.3
*   **Perfecto Plugin** up to and including 1.17
*   **Pipeline Maven Integration Plugin** up to and including 3.9.2
*   **Radiator View Plugin** up to and including 1.29
*   **Selection tasks Plugin** up to and including 1.0
*   **Storable Configs Plugin** up to and including 1.0
*   **Validating String Parameter Plugin** up to and including 2.4

**Fix**

*   **Blue Ocean Plugin** should be updated to version 1.23.3
*   **computer-queue-plugin Plugin** should be updated to version 1.6
*   **Email Extension Plugin** should be updated to version 2.76
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.2.1
*   **Mailer Plugin** should be updated to version 1.32.1
*   **Perfecto Plugin** should be updated to version 1.18
*   **Pipeline Maven Integration Plugin** should be updated to version 3.9.3
*   **Validating String Parameter Plugin** should be updated to version 2.5

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   android-lint Plugin
*   chosen-views-tabbar Plugin
*   ClearCase Release Plugin
*   Copy data to workspace Plugin
*   Coverage/Complexity Scatter Plot Plugin
*   Custom Job Icon Plugin
*   Description Column Plugin
*   ElasTest Plugin
*   Locked Files Report Plugin
*   MongoDB Plugin
*   Radiator View Plugin
*   Selection tasks Plugin
*   Storable Configs Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1966, SECURITY-1967, SECURITY-1968 (1), SECURITY-1968 (2), SECURITY-1976
*   **Jinchen Sheng, Ant Security FG Lab.** for SECURITY-1956, SECURITY-1961
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1998
*   **Peter Stöckli (via Github Security Lab)** for SECURITY-1813
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1869, SECURITY-1903, SECURITY-1904, SECURITY-1908, SECURITY-1911, SECURITY-1912, SECURITY-1913, SECURITY-1914, SECURITY-1916, SECURITY-1921, SECURITY-1927, SECURITY-2014
*   **Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc.** for SECURITY-1935

CVE-2020-2263: Jenkins Security Advisory 2020-09-16

Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

CVE-2020-2262: Jenkins Security Advisory 2020-09-16

Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

CVE-2020-2265: Jenkins Security Advisory 2020-09-16

Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

CVE-2020-2259: Jenkins Security Advisory 2020-09-16

Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2266: Jenkins Security Advisory 2020-09-16

Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2257: Jenkins Security Advisory 2020-09-16

Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2264: Jenkins Security Advisory 2020-09-16

Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Tag

#maven