Description:

Jenkins has released security update to address multiple vulnerabilities in the following deliverables:

• Applatix Plugin
  • up to and including 1.1
• Azure AD Plugin
  • up to and including 1.1.2
• BMC Release Package and Deployment Plugin
  • up to and including 1.1
• Brakeman Plugin
  • up to and including 0.12
• Debian Package Builder Plugin
  • up to and including 1.6.11
• DigitalOcean Plugin
  • up to and including 1.1
• Dynamic Extended Choice Parameter Plugin
  • up to and including 1.0.1
• Eagle Tester Plugin
  • up to and including 1.0.9
• ECX Copy Data Management Plugin
  • up to and including 1.9
• FitNesse Plugin
  • up to and including 1.30
• Git Parameter Plugin
  • up to and including 0.9.11
• Google Kubernetes Engine Plugin
  • up to and including 0.8.0
• Harvest SCM Plugin
  • up to and including 0.5.1
• NUnit Plugin
  • up to and including 0.25
• Parasoft Environment Manager Plugin
  • up to and including 2.14
• Pipeline GitHub Notify Step Plugin
  • up to and including 1.0.4
• Pipeline: Groovy Plugin
  • up to and including 2.78
• RadarGun Plugin
  • up to and including 1.7
• S3 publisher Plugin
  • up to and including 0.11.4
• Script Security Plugin
  • up to and including 1.69
• Subversion Plugin
  • up to and including 2.13.0

Threats:

Attacker could exploit these vulnerabilities by doing the following:

• Sandbox bypass to execute arbitrary code.
• Cross-site scripting (XSS) attack.
• Cross-site request forgery (CSRF).
• Credentials stored in plain text.

Best practice and Recommendations:

The CERT team encourages users to review Jenkins security advisory and apply the necessary updates:

• https://jenkins.io/security/advisory/2020-02-12/