Jenkins Security Advisory 2019-09-25 关键漏洞信息: 漏洞描述与严重性 Stored XSS Vulnerability in Expandable Textbox Form Control - CVE: SECURITY-1498/CVE-2019-10401 - 严重性: Medium XSS Vulnerability in Combobox Form Control - CVE: SECURITY-1525/CVE-2019-10402 - 严重性: Medium Stored XSS Vulnerability in SCM Tag Action Tooltip - CVE: SECURITY-1537(1)/CVE-2019-10403 - 严重性: Medium Stored XSS Vulnerability in Queue Item Tooltip - CVE: SECURITY-1537(2)/CVE-2019-10404 - 严重性: Medium Diagnostic Web Page Exposed Cookie HTTP Header - CVE: SECURITY-1505/CVE-2019-10405 - 严重性: Medium XSS Vulnerability in Jenkins URL Setting - CVE: SECURITY-1471/CVE-2019-10406 - 严重性: Medium Project Inheritance Plugin Showed Secret Environment Variables - CVE: SECURITY-351/CVE-2019-10407 - 严重性: Medium CSRF Vulnerability and Missing Permission Check in Project Inheritance Plugin - CVE: SECURITY-401/CVE-2019-10408 (CSRF), CVE-2019-10409 (permission check) - 严重性: Medium 影响的版本 Jenkins weekly up to and including 2.196 Jenkins LTS up to and including 2.176.3 Various plugins up to and including specific versions 修复建议 更新Jenkins和相关插件到建议的版本 致谢 多位报告者为发现和报告这些漏洞做出了贡献