Jenkins Security Advisory: Multiple XSS, CSRF, and Info Disclosure Vulnerabilities

Jenkins Security Advisory 2019-09-25 Critical Vulnerability Information: Vulnerability Description and Severity Stored XSS Vulnerability in Expandable Textbox Form Control - CVE: SECURITY-1498/CVE-2019-10401 - Severity: Medium XSS Vulnerability in Combobox Form Control - CVE: SECURITY-1525/CVE-2019-10402 - Severity: Medium Stored XSS Vulnerability in SCM Tag Action Tooltip - CVE: SECURITY-1537(1)/CVE-2019-10403 - Severity: Medium Stored XSS Vulnerability in Queue Item Tooltip - CVE: SECURITY-1537(2)/CVE-2019-10404 - Severity: Medium Diagnostic Web Page Exposed Cookie HTTP Header - CVE: SECURITY-1505/CVE-2019-10405 - Severity: Medium XSS Vulnerability in Jenkins URL Setting - CVE: SECURITY-1471/CVE-2019-10406 - Severity: Medium Project Inheritance Plugin Showed Secret Environment Variables - CVE: SECURITY-351/CVE-2019-10407 - Severity: Medium CSRF Vulnerability and Missing Permission Check in Project Inheritance Plugin - CVE: SECURITY-401/CVE-2019-10408 (CSRF), CVE-2019-10409 (permission check) - Severity: Medium Affected Versions Jenkins weekly up to and including 2.196 Jenkins LTS up to and including 2.176.3 Various plugins up to and including specific versions Remediation Recommendations Update Jenkins and related plugins to the recommended versions Acknowledgments Multiple reporters contributed to the discovery and reporting of these vulnerabilities

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Multiple XSS, CSRF, and Info Disclosure Vulnerabilities