Key vulnerability information

1. Jenkins allowed deserialization of URL objects with host components
   CVE: SECURITY-637 / CVE-2018-1999042
   Severity: Low
   Description: Jenkins allowed deserialization of URL objects via Remoting and XStream, which could be used to look up specified hosts' DNS records. Jenkins now injects a URLStreamHandler to prevent this; the protection can be disabled by setting to .

2. Ephemeral user record was created on some invalid authentication attempts
   CVE: SECURITY-672 / CVE-2018-1999043
   Severity: Medium
   Description: Trying to authenticate using API tokens could create many ephemeral user records in memory due to legacy behavior.

3. Cron expression form validation could enter infinite loop
   CVE: SECURITY-790 / CVE-2018-1999044
   Severity: Medium
   Description: Certain cron expressions could cause the form validation to enter an infinite loop, blocking request handling threads.

4. "Remember me" cookie was evaluated even if that feature is disabled
   CVE: SECURITY-996 / CVE-2018-1999045
   Severity: Low
   Description: Even if the "Remember me" feature is disabled, existing "Remember me" cookies could still allow users to log in.

5. Unauthorized users could access agent logs
   CVE: SECURITY-1071 / CVE-2018-1999046
   Severity: Medium
   Description: Due to a missing permission check, users with certain permissions could access agent logs.

6. Unauthorized users could cancel scheduled restarts from the update center
   CVE: SECURITY-1076 / CVE-2018-1999047
   Severity: Low
   Description: Due to a missing permission check, users with certain permissions could cancel scheduled restarts initiated from the update center.

Severity
  SECURITY-637: Low
  SECURITY-672: Medium
  SECURITY-790: Medium
  SECURITY-996: Low
  SECURITY-1071: Medium
  SECURITY-1076: Low

Affected Versions
  Jenkins weekly up to and including 2.137
  Jenkins LTS up to and including 2.121.2

Fix
  Jenkins weekly: Update to version 2.138
  Jenkins LTS: Update to version 2.121.3

Credit
  Reporters are credited for discovering and reporting these vulnerabilities.
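To check whether an instance falls inside the affected ranges above, here is an added example (not part of the advisory or of Jenkins itself) that classifies a Jenkins version string as weekly or LTS and compares it against the thresholds the advisory gives. It assumes the operator already has the version string, for instance from the X-Jenkins response header, and does not contact any server.

```python
from typing import Optional, Tuple

# Thresholds taken from the advisory: weekly up to and including 2.137 and
# LTS up to and including 2.121.2 are affected; 2.138 / 2.121.3 contain the fix.
AFFECTED_WEEKLY_MAX = (2, 137)
AFFECTED_LTS_MAX = (2, 121, 2)
FIXED_WEEKLY = "2.138"
FIXED_LTS = "2.121.3"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.121.2' into (2, 121, 2); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(parsed: Tuple[int, ...]) -> bool:
    # Jenkins LTS releases carry three components (2.121.2); weekly releases carry two (2.137).
    return len(parsed) == 3


def is_affected(version: str) -> bool:
    """True if the given Jenkins version is within the advisory's affected ranges."""
    parsed = parse_version(version)
    if is_lts(parsed):
        return parsed <= AFFECTED_LTS_MAX
    if len(parsed) == 2:
        return parsed <= AFFECTED_WEEKLY_MAX
    raise ValueError(f"neither a weekly nor an LTS version layout: {version!r}")


def recommended_fix(version: str) -> Optional[str]:
    """Return the fixed release on the same line (weekly or LTS), or None if already fixed."""
    if not is_affected(version):
        return None
    return FIXED_LTS if is_lts(parse_version(version)) else FIXED_WEEKLY


if __name__ == "__main__":
    # Constructed sample values, not readings from a real instance.
    for sample in ("2.137", "2.138", "2.121.2", "2.121.3", "2.121.10"):
        print(sample, "affected" if is_affected(sample) else "not affected", recommended_fix(sample))
```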