The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

**Tim Allclair**

unread,

Jun 1, 2020, 6:05:28 PM6/1/20

to kubernete...@googlegroups.com, Kubernetes developer/contributor discussion, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, oss-se...@lists.openwall.com, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

This issue has been rated medium (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N), and assigned CVE-2020-8555.

**Am I vulnerable?**

You may be vulnerable if:

*   You are running a vulnerable version (see below);
    
*   There are unprotected endpoints normally only visible from the Kubernetes master (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the master's private network); and
    
*   Untrusted users can create pods with an affected volume type or modify storage classes.
    

**Affected Versions**

*   kube-controller-manager v1.18.0
    
*   kube-controller-manager v1.17.0 - v1.17.4
    
*   kube-controller-manager v1.16.0 - v1.16.8
    
*   kube-controller-manager < v1.15.11
    

The affected volume types are: GlusterFS, Quobyte, StorageFS, ScaleIO

**How do I mitigate this vulnerability?**

Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy or third-party admission controller such as Gatekeeper) and restricting StorageClass write permissions through RBAC.

**Fixed Versions**

The information leak was patched in the following versions:

*   kube-controller-manager v1.18.1+
    
*   kube-controller-manager v1.17.5+
    
*   kube-controller-manager v1.16.9+
    
*   kube-controller-manager v1.15.12+
    

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Further work to protect against SSRF is underway and will be included in an upcoming patch release (details to follow).

**Additional Details**

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/91542

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee

CVE-2020-8555: [Security Advisory] CVE-2020-8555: Half-Blind SSRF in kube-controller-manager

macaron before 1.3.7 has an open redirect in the static handler, as demonstrated by the http://127.0.0.1:4000//example.com/ URL.

看了这个issue，觉得蛮有意思，试了一下发现这个问题在另一种场景里可以发生  
#125  
需要开启静态文件服务  
漏洞代码

package main
import "gopkg.in/macaron.v1"
func main() {
	m := macaron.Classic()
	m.Get("/", func(ctx \*macaron.Context) string {
		return "Hello world!"
	})
	m.Use(macaron.Static("static"))
	m.Run()
}

只要使用了 m.Use(macaron.Static("static"))静态文件服务，可以在所有浏览器下触发任意302跳转漏洞  
比如访问：http://127.0.0.1:4000//evoa.me%2f..  
即可跳到evoa.me

我也好奇地看了一下源码，大概逻辑是当访问的路由不在注册的路由中时，就会去查找访问的路径否是在注册的静态目录中  
分析一下，以http://127.0.0.1:4000//evoa.me%2f..为例  
macaron.v1/static.go:121

静态资源的判断逻辑是staticHandler函数实现的，126行会获取到访问的路径，值为//evoa.me/..，138行会使用http.FileSystem去打开访问路径，由于我们访问的路径是..结尾，所以http.FileSystem返回是一个文件夹对象，150行fi.IsDir()会为真，进入if判断，152行，我们的路由后缀并不是'/'，继续进入if判断，153行给我们访问的路径添加一个'/'后缀，然后返回response，所以http 返回头对应的location为

Location: //evoa.me/../  
//开头的host，浏览器默认会用当前协议去重定向，即可造成任意302跳转问题

至于之前issue提的chrome无法成功，具体原因就是chrome会自动把访问路径的/..给标准化（即删除），从而导致/..无法发送至后端，只要将/.. 编码为 %2f..即可逃逸chrome的标准化  
至于302的危害，如果是钓鱼的话确实不是很大，但是302漏洞除了钓鱼以外最主要的是可以和其他场景或漏洞结合，产生更大的危害。  
举个例子  
比如假如程序里有这么一个代码

package main

import (
	"gopkg.in/macaron.v1"
	"io/ioutil"
	"net/http"
)
func httpGet(url string) string {
	resp, err := http.Get(url)
	if err != nil {
		// handle error
	}
	defer resp.Body.Close()
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		// handle error
	}
	return string(body)
}
func main() {
	m := macaron.Classic()
	m.Get("/:username", func(ctx \*macaron.Context) string {
		return ctx.Params(":username")
	})
	m.Get("/get",func(ctx \*macaron.Context) string {
		return httpGet("http://127.0.0.1:4000/"+ctx.Query("username"))
	})
	m.Use(macaron.Static("static"))
	m.Run()
}

可能实际代码不会这么写，但是如果是RPC调用，或者后端要和其他web进行交互，这种场景就很常见了。  
这个代码本身并没有任何问题，但是如果存在一个302跳转，恶意攻击者可以输入  
http://127.0.0.1:4000/get?username=/192.168.10.1/..  
由于http.Get默认会进行302  
即可造成SSRF（服务端请求伪造漏洞），攻击者可访问所有内网web内容

by the way, django曾经也有一个差不多的漏洞，CVE-2018-14574 可以看看这篇文章：https://xz.aliyun.com/t/3302  
修复建议：  
对重定向的url进行判断，不允许//开头

由衷的感谢您看完这么长一篇issue报告

CVE-2020-12666: vulnerability: open redirect in static handler · Issue #198 · go-macaron/macaron

IBM QRadar 7.3.0 to 7.3.3 Patch 2 is vulnerable to Server Side Request Forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-ForceID: 176404.

  

**Summary**

IBM QRadar SIEM is vulnerable to Server-Side Request Forgery (SSRF)

**Vulnerability Details**

**CVEID:**   CVE-2020-4294  
**DESCRIPTION:**   IBM QRadar SIEM is vulnerable to Server Side Request Forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.  
CVSS Base score: 6.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176404 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**Affected Products and Versions**

· IBM QRadar 7.3.0 to 7.3.3 Patch 2

  

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

The vulnerability was reported to IBM by Yorick Koster

**Change History**

06 Apr 2020: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"7.3, 7.4","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2020-4294: Security Bulletin: IBM QRadar SIEM is vulnerable to Server-Side Request Forgery (SSRF) (CVE-2020-4294)

GitLab EE/CE 8.5 to 12.9 is vulnerable to a an path traversal when moving an issue between projects.

Learn more about GitLab Security Release: 12.9.1, 12.8.8, and 12.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Today we are releasing versions 12.9.1, 12.8.8, and 12.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

**Arbitrary File Read when Moving an Issue**

An arbitrary local file read was possible when an moving issues between projects. This issue is now mitigated in the latest release and is assigned CVE-2020-10977.

Thanks @vakzz for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 8.5 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Path Traversal in NPM Package Registry**

The NPM package registry was vulnerable to a path traversal issue. This issue is now mitigated in the latest release and is assigned CVE-2020-10953.

Thanks to @saltyyolk of Chaitin Tech for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE 11.7 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**SSRF on Project Import**

An SSRF issue was discovered in the project import note feature. This issue is now mitigated in the latest release and is assigned CVE-2020-10956.

Thanks @vakzz for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab 8.10 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**External Users Can Create Personal Snippet**

Insufficient access verification lead to unauthorized creation of personal snippets through the API by an external user. This issue is now mitigated in the latest release and is assigned CVE-2020-12275.

Thanks the GitLab team for finding and reporting this issue.

**Versions Affected**

Affects GitLab EE/CE 12.6 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Triggers Decription Can be Updated by Other Maintainers in Project**

A maintainer can modify other maintainers' pipeline trigger descriptions within the same project. This issue is now mitigated in the latest release and is assigned CVE-2020-10981.

Thanks @ashish\_r\_padelkar for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 9.0 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Information Disclosure on Confidential Issues Moved to Private Programs**

Issues opened in a public project and then moved to a private project reveal the private project namespace through Web-UI and GraphQL API. This issue is now mitigated in the latest release and is assigned CVE-2020-10978.

Thanks @0xwintermute for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 8.11 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Potential DoS in Repository Archive Download**

Repository archives download could be abused to cause large resource consumption on an instance. This issue is now mitigated in the latest release and is assigned CVE-2020-10954.

Thanks the GitLab team for finding and reporting this issue.

**Versions Affected**

Affects all previous versions of GitLab CE/EE.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Blocked Users Can Still Pull/Push Docker Images**

Under certain circumstances a blocked user still had the ability to pull images from the internal container registry of any projects to which the user had access. This issue is now mitigated in the latest release and is assigned CVE-2020-10952.

Thanks @logan5 for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 8.11 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Repository Mirroring not Disabled when Feature not Activated**

A project repository could still be mirrored when the feature was not enabled. This issue is now mitigated in the latest release and is assigned CVE-2020-12277.

Thanks @adam\_\_b for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 10.8 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Vulnerability Feedback Page Was Leaking Information on Vulnerabilities**

The vulnerability feedback page was leaking metadata and comments on vulnerabilities to unauthorized users. This issue is now mitigated in the latest release and is assigned CVE-2020-10975 .

Thanks @rpadovani for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 10.8 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Stored XSS Vulnerability in Admin Feature**

A stored XSS vulnerability was discovered in an admin notification feature. This issue is now mitigated in the latest release and is assigned CVE-2020-12276.

Thanks the GitLab team for finding and reporting this issue.

**Versions Affected**

Affects GitLab EE/CE 9.5.9 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Upload Feature Allowed a User to Read Unauthorized Exported Files**

The upload feature was vulnerable to parameter tampering allowing and unauthorized user to read content available under specific folders. This issue is now mitigated in the latest release and is assigned CVE-2020-10955.

Thanks @manassehzhou for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 11.1 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Unauthorized Users Are Able to See CI Metrics**

Restricted CI pipelines metrics could be seen by members even if the pipeline was restricted. This issue is now mitigated in the latest release and is assigned CVE-2020-10979.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 11.10 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Last Pipeline Status of a Merge Request Leaked**

The last status of a restricted pipeline was returned through a query in the merge request widget. This issue is now mitigated in the latest release and is assigned CVE-2020-10976.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 8.17 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Blind SSRF on FogBugz**

A blind SSRF was discovered in the FogBugz integration. This issue is now mitigated in the latest release and is assigned CVE-2020-10980.

Thanks @ngalog for responsibly reporting this vulnerability to us.

**Versions Affected**

Affects GitLab EE/CE 8.0 and later.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Update Nokogiri dependency**

The Nokogiri dependency has been upgraded to 1.10.8. This upgrade include a security fix for CVE-2020-7595.

**Versions Affected**

Affects all previous versions of GitLab CE/EE.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**Update Pcre2 dependency**

The pcre2 dependency has been upgraded to 10.34. This upgrade include a security fix for CVE-2019-20454.

**Versions Affected**

Affects all previous versions of GitLab CE/EE.

**Remediation**

We **strongly recommend** that all installations running an affected version above are upgraded to the latest version as soon as possible.

**New SSH keys not being added to the authorized_keys file**

A bug in GitLab 12.9.0 prevented new SSH keys from being added to the Git user's authorized_keys file, effectively breaking Git-over-SSH operations for new users. See issue #212178 for full details.

**Versions Affected**

Affects GitLab 12.9.0 only.

**Remediation**

Upgrade to GitLab 12.9.1 or later.

**Updating**

To update GitLab, see the update page.

**Receive Security Release Notifications**

To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive security release blog notifications via RSS, subscribe to our RSS feed.

CVE-2020-10977: GitLab Security Release: 12.9.1, 12.8.8, and 12.7.8

Jenkins Gatling Plugin 1.2.7 and earlier prevents Content-Security-Policy headers from being set for Gatling reports served by the plugin, resulting in an XSS vulnerability exploitable by users able to change report content.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   AWSEB Deployment Plugin
*   Code Coverage Plugin
*   FitNesse Plugin
*   Gatling Plugin
*   useMango Runner Plugin

**Descriptions****XXE vulnerability in Code Coverage Plugin**

**SECURITY-1699 / CVE-2020-2172**  
**Severity (CVSS):** High  
**Affected plugin: code-coverage-api**  
**Description:**

Code Coverage Plugin 1.1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows a user able to control the input files for the "Publish Coverage Report" post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Code Coverage Plugin 1.1.5 disables external entity resolution for its XML parser.

**XSS vulnerability in Gatling Plugin**

**SECURITY-1633 / CVE-2020-2173**  
**Severity (CVSS):** Medium  
**Affected plugin: gatling**  
**Description:**

Gatling Plugin 1.2.7 and earlier serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625.3. This results in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.

Gatling Plugin 1.3.0 no longer allows viewing Gatling reports directly in Jenkins. Instead users need to download an archive containing the report.

**Reflected XSS vulnerability in AWSEB Deployment Plugin**

**SECURITY-1769 / CVE-2020-2174**  
**Severity (CVSS):** Medium  
**Affected plugin: awseb-deployment-plugin**  
**Description:**

AWSEB Deployment Plugin 0.3.19 and earlier does not escape various values printed as part of form validation output.

This results in a reflected cross-site scripting (XSS) vulnerability.

AWSEB Deployment Plugin 0.3.20 escapes the values printed as part of the affected form validation endpoints.

**Stored XSS vulnerability in FitNesse Plugin**

**SECURITY-1801 / CVE-2020-2175**  
**Severity (CVSS):** Medium  
**Affected plugin: fitnesse**  
**Description:**

FitNesse Plugin 1.31 and earlier does not correctly escape report contents before showing them on the Jenkins UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the XML input files processed by the plugin.

FitNesse Plugin 1.33 escapes content from XML input files before rendering it on the Jenkins UI.

**XSS vulnerability in useMango Runner Plugin**

**SECURITY-1780 / CVE-2020-2176**  
**Severity (CVSS):** Medium  
**Affected plugin: usemango-runner**  
**Description:**

Multiple form validation endpoints in useMango Runner Plugin 1.4 and earlier do not escape values received from the useMango service.

This results in a cross-site scripting (XSS) vulnerability exploitable by users able to control the values returned from the useMango service.

useMango Runner Plugin 1.5 escapes all values received from the useMango service in form validation messages.

**Severity**

*   SECURITY-1633: Medium
*   SECURITY-1699: High
*   SECURITY-1769: Medium
*   SECURITY-1780: Medium
*   SECURITY-1801: Medium

**Affected Versions**

*   **AWSEB Deployment Plugin** up to and including 0.3.19
*   **Code Coverage Plugin** up to and including 1.1.4
*   **FitNesse Plugin** up to and including 1.31
*   **Gatling Plugin** up to and including 1.2.7
*   **useMango Runner Plugin** up to and including 1.4

**Fix**

*   **AWSEB Deployment Plugin** should be updated to version 0.3.20
*   **Code Coverage Plugin** should be updated to version 1.1.5
*   **FitNesse Plugin** should be updated to version 1.33
*   **Gatling Plugin** should be updated to version 1.3.0
*   **useMango Runner Plugin** should be updated to version 1.5

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1633
*   **Federico Pellegrin** for SECURITY-1699, SECURITY-1801
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1769, SECURITY-1780

CVE-2020-2173: Jenkins Security Advisory 2020-04-07

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier improperly processes HTML content of list view column headers, resulting in a stored XSS vulnerability exploitable by users able to control column headers.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Artifactory Plugin
*   Azure Container Service Plugin
*   OpenShift Pipeline Plugin
*   Pipeline: AWS Steps Plugin
*   Queue cleanup Plugin
*   RapidDeploy Plugin

**Descriptions****CSRF protection for any URL could be bypassed**

**SECURITY-1774 / CVE-2020-2160**  
**Severity (CVSS):** High  
**Description:**

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL.

Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses.

In case of problems, administrators can disable this security fix by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true.

As an additional safeguard, semicolon (;) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath to true.

**Stored XSS vulnerability in label expression validation**

**SECURITY-1781 / CVE-2020-2161**  
**Severity (CVSS):** Medium  
**Description:**

Users with Agent/Configure permissions can define labels for nodes. These labels can be referenced in job configurations to restrict where a job can be run.

In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation for label expressions in job configuration forms did not properly escape label names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to define node labels.

Jenkins now correctly escapes node labels that are shown in form validation on job configuration pages.

**Stored XSS vulnerability in file parameters**

**SECURITY-1793 / CVE-2020-2162**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate Content-Security-Policy HTTP headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters.

Jenkins now sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL.

The system property hudson.model.DirectoryBrowserSupport.CSP can be set to override the value of Content-Security-Policy headers sent when serving these files. This is the same system property used for files in workspaces and archived artifacts unless those are served via the Resource Root URL and works the same way for file parameters. See Configuring Content Security Policy to learn more.

Even when Jenkins is configured to serve files in workspaces and archived artifacts using the Resource Root URL (introduced in Jenkins 2.200), file parameters are not, and therefore still subject to Content-Security-Policy restrictions.

**Stored XSS vulnerability in list view column headers**

**SECURITY-1796 / CVE-2020-2163**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded in list view column headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the content of column headers.

The following plugins are known to allow users to define column headers:

*   Warnings NG
    
*   Maven Info
    
*   Link Column
    

Further plugins may also allow users to define column headers.

Jenkins no longer processes HTML embedded in list view column headers.

**Passwords stored in plain text by Artifactory Plugin**

**SECURITY-1542 (1) / CVE-2020-2164**  
**Severity (CVSS):** Low  
**Description:**

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml. This password can be viewed by users with access to the Jenkins controller file system.

Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.

**Passwords transmitted in plain text by Artifactory Plugin**

**SECURITY-1542 (2) / CVE-2020-2165**  
**Severity (CVSS):** Low  
**Affected plugin: artifactory**  
**Description:**

Artifactory Plugin stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins controller as part of its configuration.

While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.

**RCE vulnerability in Pipeline: AWS Steps Plugin**

**SECURITY-1741 / CVE-2020-2166**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-aws**  
**Description:**

Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipeline: AWS Steps Plugin’s build steps.

Pipeline: AWS Steps Plugin 1.41 configures its YAML parser to only instantiate safe types.

**RCE vulnerability in OpenShift Pipeline Plugin**

**SECURITY-1739 / CVE-2020-2167**  
**Severity (CVSS):** High  
**Affected plugin: openshift-pipeline**  
**Description:**

OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to OpenShift Pipeline Plugin’s build step.

OpenShift Pipeline Plugin 1.0.57 configures its YAML parser to only instantiate safe types.

**RCE vulnerability in Azure Container Service Plugin**

**SECURITY-1732 / CVE-2020-2168**  
**Severity (CVSS):** High  
**Affected plugin: azure-acs**  
**Description:**

Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Azure Container Service Plugin’s build step.

Azure Container Service Plugin 1.0.2 configures its YAML parser to only instantiate safe types.

**Reflected XSS vulnerability in Queue cleanup Plugin**

**SECURITY-1724 / CVE-2020-2169**  
**Severity (CVSS):** Medium  
**Affected plugin: queue-cleanup**  
**Description:**

A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting vulnerability (XSS).

Queue cleanup Plugin 1.4 correctly escapes the query parameter.

**Stored XSS vulnerability in RapidDeploy Plugin**

**SECURITY-1676 / CVE-2020-2170**  
**Severity (CVSS):** Medium  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure jobs.

RapidDeploy Plugin 4.2.1 escapes package names.

**XXE vulnerability in RapidDeploy Plugin**

**SECURITY-1677 / CVE-2020-2171**  
**Severity (CVSS):** High  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'RapidDeploy deployment package build' build or post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

RapidDeploy Plugin 4.2.1 disables external entity resolution for its XML parser.

**Severity**

*   SECURITY-1542 (1): Low
*   SECURITY-1542 (2): Low
*   SECURITY-1676: Medium
*   SECURITY-1677: High
*   SECURITY-1724: Medium
*   SECURITY-1732: High
*   SECURITY-1739: High
*   SECURITY-1741: High
*   SECURITY-1774: High
*   SECURITY-1781: Medium
*   SECURITY-1793: Medium
*   SECURITY-1796: Medium

**Affected Versions**

*   **Jenkins weekly** up to and including 2.227
*   **Jenkins LTS** up to and including 2.204.5
*   **Artifactory Plugin** up to and including 3.6.0
*   **Azure Container Service Plugin** up to and including 1.0.1
*   **OpenShift Pipeline Plugin** up to and including 1.0.56
*   **Pipeline: AWS Steps Plugin** up to and including 1.40
*   **Queue cleanup Plugin** up to and including 1.3
*   **RapidDeploy Plugin** up to and including 4.2

**Fix**

*   **Jenkins weekly** should be updated to version 2.228
*   **Jenkins LTS** should be updated to version 2.204.6 or 2.222.1
*   **Artifactory Plugin** should be updated to version 3.6.1
*   **Azure Container Service Plugin** should be updated to version 1.0.2
*   **OpenShift Pipeline Plugin** should be updated to version 1.0.57
*   **Pipeline: AWS Steps Plugin** should be updated to version 1.41
*   **Queue cleanup Plugin** should be updated to version 1.4
*   **RapidDeploy Plugin** should be updated to version 4.2.1

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1676, SECURITY-1677
*   **Daniel Kalinowski of ISEC.pl Research Team** for SECURITY-1732
*   **James Holderness, IB Boost, and independently, ethorsa** for SECURITY-1542 (1)
*   **Nick Collisson from Gemini Trust Company, LLC.** for SECURITY-1774
*   **Phu X. Mai, University of Luxembourg** for SECURITY-1793
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1724, SECURITY-1781

CVE-2020-2163: Jenkins Security Advisory 2020-03-25

A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.

CVE-2020-2169: Jenkins Security Advisory 2020-03-25

Jenkins RapidDeploy Plugin 4.2 and earlier does not escape package names in the table of packages obtained from a remote server, resulting in a stored XSS vulnerability.

CVE-2020-2170: Jenkins Security Advisory 2020-03-25

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.

CVE-2019-19034: AssetExplorer ITAM Solution ServicePacks Readme

Jenkins Timestamper Plugin 1.11.1 and earlier does not sanitize HTML formatting of its output, resulting in a stored XSS vulnerability exploitable by attackers with Overall/Administer permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Audit Trail Plugin
*   Backlog Plugin
*   Cobertura Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Git Plugin
*   Literate Plugin
*   Logstash Plugin
*   Mac Plugin
*   OpenShift Deployer Plugin
*   P4 Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Rundeck Plugin
*   Script Security Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Timestamper Plugin
*   Zephyr Enterprise Test Management Plugin
*   Zephyr for JIRA Test Management Plugin

**Descriptions****Sandbox bypass vulnerability in Script Security Plugin**

**SECURITY-1754 / CVE-2020-2134 (constructors), CVE-2020-2135 (GroovyInterceptable)**  
**Severity (CVSS):** High  
**Affected plugin: script-security**  
**Description:**

Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:

*   Crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582)
    
*   Crafted method calls on objects that implement GroovyInterceptable
    

This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement GroovyInterceptable as calls to GroovyObject#invokeMethod(String, Object), which is on the list of dangerous signatures and should not be approved for use in the sandbox.

**Stored XSS vulnerability in Git Plugin**

**SECURITY-1723 / CVE-2020-2136**  
**Severity (CVSS):** Medium  
**Affected plugin: git**  
**Description:**

Git Plugin 4.2.0 and earlier does not escape the error message for the repository URL for Microsoft TFS field form validation.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Job/Configure permission.

Git Plugin 4.2.1 escapes the affected part of the error message.

**Stored XSS vulnerability in Timestamper Plugin**

**SECURITY-1784 / CVE-2020-2137**  
**Severity (CVSS):** Medium  
**Affected plugin: timestamper**  
**Description:**

Timestamper Plugin 1.11.1 and earlier does not escape or sanitize the HTML formatting used to display the timestamps in console output for builds.

This results in a stored cross-site scripting vulnerability that can be exploited by users with Overall/Administer permission.

Timestamper Plugin 1.11.2 sanitizes the HTML formatting for timestamps and only allows basic, safe HTML formatting.

**XXE vulnerability in Cobertura Plugin**

**SECURITY-1700 / CVE-2020-2138**  
**Severity (CVSS):** High  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user able to control the input files for the 'Publish Cobertura Coverage Report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Cobertura Plugin 1.16 disables external entity resolution for its XML parser.

**Arbitrary file write vulnerability in Cobertura Plugin**

**SECURITY-1668 / CVE-2020-2139**  
**Severity (CVSS):** Medium  
**Affected plugin: cobertura**  
**Description:**

Cobertura Plugin 1.15 and earlier does not validate file paths from the XML file it parses.

This allows attackers able to control the coverage report content to overwrite any file on the Jenkins controller file system.

Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory.

**XSS vulnerability in Audit Trail Plugin**

**SECURITY-1722 / CVE-2020-2140**  
**Severity (CVSS):** Medium  
**Affected plugin: audit-trail**  
**Description:**

Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Overall/Administer permission.

Audit Trail Plugin 3.3 escapes the affected part of the error message.

**CSRF vulnerability and missing permission checks in P4 Plugin**

**SECURITY-1765 / CVE-2020-2141 (CSRF), CVE-2020-2142 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: p4**  
**Description:**

P4 Plugin 1.10.10 and earlier does not perform permission checks in several HTTP endpoints. This allows users with Overall/Read access to trigger builds or add labels in the Perforce repository.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

P4 Plugin 1.10.11 requires POST requests and appropriate user permissions for the affected HTTP endpoints.

**Credentials transmitted in plain text by Logstash Plugin**

**SECURITY-1516 / CVE-2020-2143**  
**Severity (CVSS):** Low  
**Affected plugin: logstash**  
**Description:**

Logstash Plugin stores credentials in its global configuration file jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Logstash Plugin 2.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Logstash Plugin 2.3.2 transmits the credentials in its global configuration encrypted.

**XXE vulnerability in Rundeck Plugin**

**SECURITY-1702 / CVE-2020-2144**  
**Severity (CVSS):** High  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.6 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Rundeck Plugin 3.6.7 disables external entity resolution for its XML parser.

**Credentials stored in plain text by Zephyr Enterprise Test Management Plugin**

**SECURITY-1596 / CVE-2020-2145**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-enterprise-test-management**  
**Description:**

Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins controller file system.

Zephyr Enterprise Test Management Plugin 1.10 integrates with Credentials Plugin.

**Missing SSH host key validation in Mac Plugin**

**SECURITY-1692 / CVE-2020-2146**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not use SSH host key validation when connecting to Mac Cloud host launched by the plugin. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to build agents.

Mac Plugin 1.2.0 validates SSH host keys when connecting to agents.

**CSRF vulnerability and missing permission checks in Mac Plugin**

**SECURITY-1761 / CVE-2020-2147 (CSRF), CVE-2020-2148 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: mac**  
**Description:**

Mac Plugin 1.1.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified SSH host using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

This form validation method requires POST requests and Overall/Administer permission in Mac Plugin 1.2.0.

**Credentials transmitted in plain text by Repository Connector Plugin**

**SECURITY-1520 / CVE-2020-2149**  
**Severity (CVSS):** Low  
**Affected plugin: repository-connector**  
**Description:**

Repository Connector Plugin stores credentials in its global configuration file org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Repository Connector Plugin 1.2.6 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Sonar Quality Gates Plugin**

**SECURITY-1523 / CVE-2020-2150**  
**Severity (CVSS):** Low  
**Affected plugin: sonar-quality-gates**  
**Description:**

Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Sonar Quality Gates Plugin 1.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Quality Gates Plugin**

**SECURITY-1519 / CVE-2020-2151**  
**Severity (CVSS):** Low  
**Affected plugin: quality-gates**  
**Description:**

Quality Gates Plugin stores credentials in its global configuration file quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Quality Gates Plugin 2.5 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**XSS vulnerability in Subversion Release Manager Plugin**

**SECURITY-1727 / CVE-2020-2152**  
**Severity (CVSS):** Medium  
**Affected plugin: svn-release-mgr**  
**Description:**

Subversion Release Manager Plugin 1.2 and earlier does not escape the error message for the Repository URL field form validation.

This results in a reflected cross-site scripting vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Backlog Plugin**

**SECURITY-1510 / CVE-2020-2153**  
**Severity (CVSS):** Low  
**Affected plugin: backlog**  
**Description:**

Backlog Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Backlog Plugin 2.4 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials stored in plain text by Zephyr for JIRA Test Management Plugin**

**SECURITY-1550 / CVE-2020-2154**  
**Severity (CVSS):** Low  
**Affected plugin: zephyr-for-jira-test-management**  
**Description:**

Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by OpenShift Deployer Plugin**

**SECURITY-1518 / CVE-2020-2155**  
**Severity (CVSS):** Low  
**Affected plugin: openshift-deployer**  
**Description:**

OpenShift Deployer Plugin stores credentials in its global configuration file org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by OpenShift Deployer Plugin 1.2.0 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by DeployHub Plugin**

**SECURITY-1511 / CVE-2020-2156**  
**Severity (CVSS):** Low  
**Affected plugin: deployhub**  
**Description:**

DeployHub Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by DeployHub Plugin 8.0.14 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**Credentials transmitted in plain text by Skytap Cloud CI Plugin**

**SECURITY-1522 / CVE-2020-2157**  
**Severity (CVSS):** Low  
**Affected plugin: skytap**  
**Description:**

Skytap Cloud CI Plugin stores credentials in job config.xml files as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Skytap Cloud CI Plugin 2.07 and earlier. These credentials could be viewed by users with Extended Read permission.

As of publication of this advisory, there is no fix.

**RCE vulnerability in Literate Plugin**

**SECURITY-1750 / CVE-2020-2158**  
**Severity (CVSS):** High  
**Affected plugin: literate**  
**Description:**

Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Literate Plugin’s build step.

As of publication of this advisory, there is no fix.

**OS command injection in CryptoMove Plugin**

**SECURITY-1635 / CVE-2020-2159**  
**Severity (CVSS):** High  
**Affected plugin: cryptomove**  
**Description:**

CryptoMove Plugin 0.1.33 and earlier allows the configuration of an OS command to execute as part of its build step configuration.

This command will be executed on the Jenkins controller as the OS user account running Jenkins, allowing user with Job/Configure permission to execute an arbitrary OS command on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1510: Low
*   SECURITY-1511: Low
*   SECURITY-1516: Low
*   SECURITY-1518: Low
*   SECURITY-1519: Low
*   SECURITY-1520: Low
*   SECURITY-1522: Low
*   SECURITY-1523: Low
*   SECURITY-1550: Low
*   SECURITY-1596: Low
*   SECURITY-1635: High
*   SECURITY-1668: Medium
*   SECURITY-1692: Medium
*   SECURITY-1700: High
*   SECURITY-1702: High
*   SECURITY-1722: Medium
*   SECURITY-1723: Medium
*   SECURITY-1727: Medium
*   SECURITY-1750: High
*   SECURITY-1754: High
*   SECURITY-1761: Medium
*   SECURITY-1765: Medium
*   SECURITY-1784: Medium

**Affected Versions**

*   **Audit Trail Plugin** up to and including 3.2
*   **Backlog Plugin** up to and including 2.4
*   **Cobertura Plugin** up to and including 1.15
*   **CryptoMove Plugin** up to and including 0.1.33
*   **DeployHub Plugin** up to and including 8.0.14
*   **Git Plugin** up to and including 4.2.0
*   **Literate Plugin** up to and including 1.0
*   **Logstash Plugin** up to and including 2.3.1
*   **Mac Plugin** up to and including 1.1.0
*   **OpenShift Deployer Plugin** up to and including 1.2.0
*   **P4 Plugin** up to and including 1.10.10
*   **Quality Gates Plugin** up to and including 2.5
*   **Repository Connector Plugin** up to and including 1.2.6
*   **Rundeck Plugin** up to and including 3.6.6
*   **Script Security Plugin** up to and including 1.70
*   **Skytap Cloud CI Plugin** up to and including 2.07
*   **Sonar Quality Gates Plugin** up to and including 1.3.1
*   **Subversion Release Manager Plugin** up to and including 1.2
*   **Timestamper Plugin** up to and including 1.11.1
*   **Zephyr Enterprise Test Management Plugin** up to and including 1.9.1
*   **Zephyr for JIRA Test Management Plugin** up to and including 1.5

**Fix**

*   **Audit Trail Plugin** should be updated to version 3.3
*   **Cobertura Plugin** should be updated to version 1.16
*   **Git Plugin** should be updated to version 4.2.1
*   **Logstash Plugin** should be updated to version 2.3.2
*   **Mac Plugin** should be updated to version 1.2.0
*   **P4 Plugin** should be updated to version 1.10.11
*   **Rundeck Plugin** should be updated to version 3.6.7
*   **Script Security Plugin** should be updated to version 1.71
*   **Timestamper Plugin** should be updated to version 1.11.2
*   **Zephyr Enterprise Test Management Plugin** should be updated to version 1.10

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Backlog Plugin
*   CryptoMove Plugin
*   DeployHub Plugin
*   Literate Plugin
*   OpenShift Deployer Plugin
*   Quality Gates Plugin
*   Repository Connector Plugin
*   Skytap Cloud CI Plugin
*   Sonar Quality Gates Plugin
*   Subversion Release Manager Plugin
*   Zephyr for JIRA Test Management Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/** for SECURITY-1702
*   **Federico Pellegrin** for SECURITY-1668, SECURITY-1700
*   **Ian Williams** for SECURITY-1596
*   **James Holderness, IB Boost** for SECURITY-1510, SECURITY-1511, SECURITY-1516, SECURITY-1518, SECURITY-1519, SECURITY-1520, SECURITY-1522, SECURITY-1523, SECURITY-1550
*   **Nils Emmerich of ERNW Research GmbH** for SECURITY-1754
*   **Raihaan Shouhell, Autodesk, Inc** for SECURITY-1692
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1722, SECURITY-1723, SECURITY-1727, SECURITY-1761, SECURITY-1765, SECURITY-1784
*   **Wasin Saengow** for SECURITY-1635

Tag

#ssrf