Jenkins Security Advisory 2019-07-31

This advisory addresses vulnerabilities in the following Jenkins deliverables:

- Amazon EC2 Plugin
- Configuration as Code Plugin
- Google Kubernetes Engine Plugin
- Maven Integration Plugin
- Maven Release Plug-in Plugin
- Pipeline: Deprecated Groovy Libraries Plugin
- Script Security Plugin
- Skytap Cloud CI Plugin

Key Vulnerability Information

Sandbox bypass through type casts in Script Security Plugin
- Severity (CVSS): High
- Affected plugin: script-security

Sandbox bypass through method pointer expressions in Script Security Plugin
- Severity (CVSS): High
- Affected plugin: script-security

Missing permission check in Pipeline: Deprecated Groovy Libraries Plugin
- Severity (CVSS): Medium
- Affected plugin: workflow-cps-global-lib

Maven Integration Plugin did not mask sensitive values in module build logs
- Severity (CVSS): Medium
- Affected plugin: maven-plugin

CSRF vulnerability in Maven Release Plug-in Plugin
- Severity (CVSS): Medium
- Affected plugin: m2release

Severity

- SECURITY-673: Medium
- SECURITY-713: Medium
- SECURITY-1098: Medium
- SECURITY-1184: Medium
- SECURITY-1279: Medium
- SECURITY-1290: Medium
- SECURITY-1303: Low
- SECURITY-1345: Medium
- SECURITY-1422: Medium
- SECURITY-1429: Medium
- SECURITY-1435: Low
- SECURITY-1446: Medium
- SECURITY-1458: Medium
- SECURITY-1465 (1): High
- SECURITY-1465 (2): High

Affected Versions

- Amazon EC2 Plugin: up to and including 1.43
- Configuration as Code Plugin: up to and including 1.24
- Google Kubernetes Engine Plugin: up to and including 0.6.2
- Maven Integration Plugin: up to and including 3.3
- Maven Release Plug-in Plugin: up to and including 0.14.0
- Pipeline: Deprecated Groovy Libraries Plugin: up to and including 2.14
- Script Security Plugin: up to and including 1.61
- Skytap Cloud CI Plugin: up to and including 2.06

Fix

- Amazon EC2 Plugin: update to version 1.44
- Configuration as Code Plugin: update to version 1.25
- Google Kubernetes Engine Plugin: update to version 0.6.3
- Maven Integration Plugin: update to version 3.4
- Maven Release Plug-in Plugin: update to version 0.15.0
- Pipeline: Deprecated Groovy Libraries Plugin: update to version 2.15
- Script Security Plugin: update to version 1.62
- Skytap Cloud CI Plugin: update to version 2.07

Credit

- Alex Earl (@alexearl), Marvell Semiconductor, Inc., and Daniel Beck, CloudBees, Inc. for SECURITY-1422
- Daniel Beck, CloudBees, Inc. for SECURITY-1184
- David Fiser of Trend Micro Nebula working with Trend Micro's Zero Day Initiative for SECURITY-1429, SECURITY-1435
- Jesse Glick, CloudBees, Inc. for SECURITY-713, SECURITY-1345
- Mikaël Barbero (Eclipse Foundation) for SECURITY-1290
- Oleg Nenashev, CloudBees, Inc. for SECURITY-1098
- Wadeck Follonier, CloudBees, Inc. for SECURITY-1446