Jenkins Security Advisory: XSS, CSRF, Credential Exposure, and Missing Permission Checks in Multiple Plugins (CVE-2017-1000386-390)

--- Jenkins Security Advisory 2017-10-23 Description Persistent Cross-Site Scripting vulnerability in Active Choices plugin CVE: CVE-2017-1000386 Description: The Active Choices plugin allows users with Job/Configure permissions to inject arbitrary HTML via the Active Choices Reactive Reference Parameter on the Build With Parameters page. The plugin now sanitizes HTML, allowing HTML injection only when the script is executed in a sandbox. --- Cross-Site Request Forgery (CSRF) and Reflected Cross-Site Scripting vulnerability in global-build-stats plugin CVE: CVE-2017-1000389 Description: The global-build-stats plugin returns JSON responses containing request parameters with a Content-Type of text/html, leading to a potential reflected cross-site scripting vulnerability. --- Missing permission checks in Dependency Graph Viewer plugin CVE: CVE-2017-1000388 Description: The plugin lacks permission checks for its simple API endpoint used to modify the dependency graph. --- Build-Publisher plugin stores Jenkins credentials unencrypted on disk, round-trips in unencrypted form CVE: CVE-2017-1000387 Description: The file stores Jenkins credentials in plaintext. --- Missing permission check in Multijob plugin Resume Build action CVE: CVE-2017-1000390 Description: The Multijob plugin does not perform permission checks during the Resume Build action. --- SCP publisher plugin stores credentials unencrypted on disk, round-trips in unencrypted form CVE: SECURITY-374 Description: The file stores SSH credentials in plaintext. --- Severity Browser-based vulnerabilities: Medium Other vulnerabilities: Medium --- Affected Versions Active Choices plugin ≤ 1.5.3 Build-Publisher plugin ≤ 1.21 Dependency Graph Viewer plugin ≤ 0.12 global-build-stats plugin ≤ 1.4 Multijob plugin ≤ 1.25 All versions of SCP plugin --- Fix Upgrade affected plugins to the latest versions. --- Acknowledgements Thanks to the individuals who reported these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: XSS, CSRF, Credential Exposure, and Missing Permission Checks in Multiple Plugins (CVE-2017-1000386-390)