Jenkins Security Advisory: XXE/CSRF Vulnerabilities in Multiple Plugins

Critical Vulnerability Information Vulnerability Overview Advisory Name: Jenkins Security Advisory 2019-12-17 Affected Plugins: - Alauda DevOps Pipeline Plugin - Alauda Kubernetes Support Plugin - Build Failure Analyzer Plugin - buildgraph-view Plugin - Gerrit Trigger Plugin - Mantis Plugin - Maven Release Plug-in Plugin - Mission Control Plugin - Pipeline Aggregator View Plugin - RapidDeploy Plugin - Redgate SQL Change Automation Plugin - Rundeck Plugin - SCTMExecutor Plugin - Spira Importer Plugin - Team Concert Plugin - WebSphere Deployer Plugin - Weibo Plugin Detailed Vulnerability Description XXE Vulnerability in Maven Release Plug-in Plugin: - CVE ID: CVE-2019-16549, CVE-2019-16550 - Severity: High - Affected Versions: Maven Release Plug-in 0.16.1 and earlier - Remediation: Upgrade to the latest version CSRF Vulnerability and Missing Authorization Checks in Gerrit Trigger Plugin: - CVE ID: CVE-2019-16551, CVE-2019-16552 - Severity: Medium - Affected Versions: Gerrit Trigger Plugin 2.30.1 and earlier - Remediation: Upgrade to the latest version Remediation Information Build Failure Analyzer Plugin: Upgrade to version 1.24.2 Gerrit Trigger Plugin: Upgrade to version 2.30.2 Maven Release Plug-in Plugin: Upgrade to version 0.16.2 Pipeline Aggregator View Plugin: Upgrade to version 1.9 Rundeck Plugin: Upgrade to version 3.6.5 Spira Importer Plugin: Upgrade to version 3.2.4 Additional Important Information Advisory Date: 2019-12-17 Vulnerability Severity: - High: SECURITY-1681 - Medium: SECURITY-1527, SECURITY-1580, SECURITY-1591, SECURITY-1592, SECURITY-1593, SECURITY-1597, SECURITY-1602, SECURITY-1605

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: XXE/CSRF Vulnerabilities in Multiple Plugins