Jenkins Security Advisory 2020-07-02

Key Vulnerability Information

Affected Plugins:
- Compatibility Action Storage Plugin
- Fortify on Demand Plugin (multiple issues)
- GitHub Coverage Reporter Plugin
- HP ALM Quality Center Plugin
- ElasticBox Jenkins Kubernetes CI/CD Plugin
- Slack Upload Plugin
- Sonargraph Integration Plugin
- Stash Branch Parameter Plugin
- TestComplete support Plugin
- VncRecorder Plugin
- VncViewer Plugin
- Whitesource Plugin
- ZAP Pipeline Plugin
- Zephyr for JIRA Test Management Plugin

Severity Ratings (CVSS)
- Medium: multiple vulnerabilities across various plugins.
- High: RCE vulnerability in ElasticBox Jenkins Kubernetes CI/CD Plugin.
- Low: credentials stored in plain text by some plugins.

Descriptions and Impacts
- Stored XSS vulnerability in Sonargraph Integration Plugin: the plugin does not escape file paths, resulting in a stored XSS vulnerability exploitable by users with Job/Configure permission.
- Credentials ID enumeration in Fortify on Demand Plugin: the plugin lets users with Overall/Read access enumerate valid credentials IDs, which can be used as part of an attack to capture credentials.
- CSRF vulnerability and missing permission checks in Fortify on Demand Plugin: missing permission checks and the absence of a POST request requirement allow CSRF.
- RCE vulnerability in ElasticBox Jenkins Kubernetes CI/CD Plugin: a YAML parser misconfiguration allows users who can provide YAML input files to execute arbitrary code.
- Secret stored in plain text by Slack Upload Plugin: secrets are stored unencrypted in job config.xml files.
- Password stored in plain text by TestComplete support Plugin: passwords are stored unencrypted in job config.xml files.
- Credentials stored in plain text by Whitesource Plugin: credentials are stored in plain text in the global configuration.

Other Issues:
- XSS vulnerabilities in various plugins.
- CSRF vulnerabilities in Zephyr for JIRA Test Management Plugin.

Affected Versions
The specific vulnerable versions of each plugin are listed with each issue.
Fix
Updated versions of the affected plugins include fixes for the vulnerabilities.

Credit
Acknowledgment of the individuals and organizations that reported the vulnerabilities.
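Three of the issues above (Slack Upload, TestComplete support, Whitesource) are plugins writing a secret to config.xml unencrypted instead of through Jenkins' encrypted secret handling. The following script is an added example, not part of the advisory or of any of these plugins: it scans a job config.xml for credential-looking elements whose value is not in the encrypted form that Jenkins' `hudson.util.Secret` produces, so an administrator can audit an instance after upgrading. The element-name heuristic (`password`, `secret`, `token`, `apikey`, ...) and the encrypted-value pattern (base64 wrapped in braces) are assumptions made for this example, and the config.xml it parses is constructed inline, not taken from any real plugin.

```python
import re
import xml.etree.ElementTree as ET

# Element names that commonly hold credentials in plugin job configuration.
# This name list is an assumption for the example, not taken from the advisory.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|token|apikey|api_key)", re.IGNORECASE)

# Values written through Jenkins' hudson.util.Secret are serialized as base64
# wrapped in braces, e.g. {AQAAABAAAAAw...}. Treated here as the marker of an
# encrypted value (assumption for this example).
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def iter_with_paths(elem, prefix=""):
    """Yield (xpath-like path, element) for elem and all of its descendants."""
    path = f"{prefix}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from iter_with_paths(child, path)


def find_plaintext_secrets(config_xml: str):
    """Return (path, value) pairs for secret-looking elements whose text is
    not in the braced-base64 form that an encrypted Secret would have."""
    root = ET.fromstring(config_xml)
    findings = []
    for path, elem in iter_with_paths(root):
        value = (elem.text or "").strip()
        if not value:
            continue
        if SECRET_NAME_RE.search(elem.tag) and not ENCRYPTED_RE.match(value):
            findings.append((path, value))
    return findings


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be recognised without re-exposing the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


# Constructed sample job config.xml (not a real plugin's file): one plaintext
# API token alongside one value stored in Secret's encrypted form.
SAMPLE_CONFIG_XML = """<project>
  <builders>
    <com.example.UploadBuilder>
      <channel>#builds</channel>
      <apiToken>xoxb-not-a-real-token</apiToken>
    </com.example.UploadBuilder>
    <com.example.TestRunner>
      <username>ci-user</username>
      <password>{AQAAABAAAAAwAAAAEXAMPLEONLY=}</password>
    </com.example.TestRunner>
  </builders>
</project>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG_XML):
        print(f"plaintext secret at {path}: {redact(value)}")
```

Run against a real instance by reading each `jobs/*/config.xml` (and the global `config.xml` for plugins that store credentials there) into `find_plaintext_secrets`; a non-empty result means the plugin writing that element is still serialising the value unencrypted and needs the fixed version, after which the affected secrets should be rotated.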