Description:

Jenkins has released security update to address multiple vulnerabilities in the following deliverables:

• Android Lint Plugin
  • up to and including 2.6
• Blue Ocean Plugin
  • up to and including 1.23.2
• chosen-views-tabbar Plugin
  • up to and including 1.2
• ClearCase Release Plugin
  • up to and including 0.3
• computer-queue-plugin Plugin
  • up to and including 1.5
• Copy data to workspace Plugin up to and including 1.0
• Coverage/Complexity Scatter Plot Plugin
  • up to and including 1.1.1
• Custom Job Icon Plugin
  • up to and including 0.2
• Description Column Plugin
  • up to and including 1.3
• ElasTest Plugin
  • up to and including 1.2.1
• Email Extension Plugin
  • up to and including 2.75
• Health Advisor by CloudBees Plugin
  • up to and including 3.2.0
• Locked Files Report Plugin
  • up to and including 1.6
• Mailer Plugin
  • up to and including 1.32
• MongoDB Plugin
  • up to and including 1.3
• Perfecto Plugin
  • up to and including 1.17
• Pipeline Maven Integration Plugin
  • up to and including 3.9.2
• Radiator View Plugin
  • up to and including 1.29
• Selection tasks Plugin
  • up to and including 1.0
• Storable Configs Plugin
  • up to and including 1.0
• Validating String Parameter Plugin
  • up to and including 2.4

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Cross-site scripting (XSS) attack.
• Cross-site request forgery (CSRF).
• Missing permission check.
• Credentials stored in plain text.

Best practice and Recommendations:

The CERT team encourages users to review Jenkins security advisory and apply the necessary updates:

• https://www.jenkins.io/security/advisory/2020-09-16/