Jenkins Security Advisory 2015-03-23

Description:

SECURITY-171/CVE-2015-1812, SECURITY-177/CVE-2015-1813 (Reflective XSS vulnerability)
- An attacker can navigate the user to a crafted URL and execute unintended actions.
- Can attack Jenkins behind firewalls if the location is known to the attacker.

SECURITY-180/CVE-2015-1814 (forced API token change)
- Inadequate protection against anonymous attackers, allowing privilege escalation.

Severity:

SECURITY-171/SECURITY-177: High (passive attack; can compromise the Jenkins controller or cause data loss)
SECURITY-180: Critical (can be mounted by any unauthenticated user; can compromise the Jenkins controller or cause data loss)

Affected Versions:

All Jenkins releases <= 1.605
All LTS releases <= 1.596.1

Credit:

Jesse Glick for SECURITY-171
Luca Carettoni for SECURITY-177
Missoum Said for SECURITY-180

Fix:

Main line users: Upgrade to Jenkins 1.606
LTS users: Upgrade to 1.596.2
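The affected-version ranges above span two release lines with different numbering schemes: main line releases carry two components (1.605) and LTS releases carry three (1.596.1), so a plain string or numeric comparison gets the boundary wrong (main line 1.597 is newer than LTS 1.596.1 in date terms but is still affected). The following added example, which is not part of the advisory and not Jenkins project code, classifies a version string against the ranges stated above for an internal inventory check. It assumes the version is read from the X-Jenkins response header that a Jenkins instance sends, and the header values below are constructed sample data.

```python
from typing import Dict, Tuple

# Fixed-in versions taken from the advisory text.
MAINLINE_FIXED = (1, 606)      # main line: affected if <= 1.605
LTS_FIXED = (1, 596, 2)        # LTS: affected if <= 1.596.1


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.605' into (1, 605) and '1.596.1' into (1, 596, 1)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: Tuple[int, ...]) -> bool:
    # Jenkins LTS releases of this era use three components (1.596.1);
    # main line releases use two (1.605).
    return len(version) == 3


def is_affected(text: str) -> bool:
    """True if the given Jenkins version falls in an affected range."""
    version = parse_version(text)
    if is_lts(version):
        return version < LTS_FIXED
    return version < MAINLINE_FIXED


def required_fix(text: str) -> str:
    """Name the release the advisory tells this line's users to upgrade to."""
    version = parse_version(text)
    return "1.596.2" if is_lts(version) else "1.606"


def classify_headers(headers: Dict[str, str]) -> Dict[str, bool]:
    """Map host name -> affected flag, reading the X-Jenkins header value."""
    return {host: is_affected(value) for host, value in headers.items()}


# Constructed sample: host -> X-Jenkins header value captured from our own servers.
SAMPLE_HEADERS = {
    "ci-main.example.test": "1.605",    # main line, last affected release
    "ci-new.example.test": "1.606",     # main line, fixed release
    "ci-lts.example.test": "1.596.1",   # LTS, last affected release
    "ci-old-lts.example.test": "1.580.3",  # older LTS line, still affected
    "ci-edge.example.test": "1.597",    # main line newer than 1.596.1 but still affected
}

if __name__ == "__main__":
    for host, affected in classify_headers(SAMPLE_HEADERS).items():
        status = "AFFECTED -> upgrade to " + required_fix(SAMPLE_HEADERS[host]) if affected else "ok"
        print(f"{host:28s} {SAMPLE_HEADERS[host]:10s} {status}")
```

The comparison is done on integer tuples so that 1.605 sorts above 1.97 and the LTS line is judged only against its own fixed release; a version with an unexpected shape raises rather than silently reporting "not affected".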