Jenkins Security Advisory 2022-03-29

Affected Plugins and Vulnerabilities

Bitbucket Server Integration Plugin:
- Stored XSS vulnerability (SECURITY-2639 / CVE-2022-28133, High Severity)
- Missing permission checks (SECURITY-2640 / CVE-2022-28134, Medium Severity)

Instant-messaging Plugin:
- Passwords stored in plain text (SECURITY-2161 / CVE-2022-28135, Low Severity)

JiraTestResultReporter Plugin:
- CSRF vulnerability and missing permission check (SECURITY-2236 / CVE-2022-28136, CVE-2022-28137, Medium Severity)

RocketChat Notifier Plugin:
- CSRF vulnerability and missing permission check (SECURITY-2241 / CVE-2022-28138, CVE-2022-28139, Medium Severity)

Flaky Test Handler Plugin:
- XXE vulnerability (SECURITY-1896 / CVE-2022-28140, High Severity)

Proxmox Plugin:
- Password stored in plain text (SECURITY-2079 / CVE-2022-28141, Low Severity)
- SSL/TLS certificate validation globally disabled (SECURITY-2081 / CVE-2022-28142, Medium Severity)
- CSRF vulnerability and missing permission checks (SECURITY-2082 / CVE-2022-28143, CVE-2022-28144, Medium Severity)

Continuous Integration with Toad Edge Plugin:
- XSS vulnerability (SECURITY-1892 / CVE-2022-28145, High Severity)
- Arbitrary file read vulnerability (SECURITY-2633 / CVE-2022-28146, Medium Severity)
- Missing permission check (SECURITY-2635 / CVE-2022-28147, Medium Severity)
- Path traversal vulnerability on Windows (SECURITY-2654 / CVE-2022-28148, Medium Severity)

Job and Node Ownership Plugin:
- Stored XSS vulnerability (SECURITY-2285 / CVE-2022-28149, High Severity)
- CSRF vulnerability and missing permission check (SECURITY-2062 (1) / CVE-2022-28150, CVE-2022-28151, Medium Severity)

SiteMonitor Plugin:
- Stored XSS vulnerability (SECURITY-1932 / CVE-2022-28153, High Severity)

Coverage/Complexity Scatter Plot Plugin:
- XXE vulnerability (SECURITY-1899 / CVE-2022-28154, High Severity)

Pipeline: Phoenix AutoTest Plugin:
- XXE vulnerability (SECURITY-1897 / CVE-2022-28155, High Severity)
- Path traversal vulnerability (SECURITY-2683 / CVE-2022-28156, High Severity)
- Arbitrary file read vulnerability (SECURITY-2684 / CVE-2022-28157, Medium Severity)
- Missing permission checks (SECURITY-2685 / CVE-2022-28158, Medium Severity)

Tests Selector Plugin:
- Stored XSS vulnerability (SECURITY-2262 / CVE-2022-28159, High Severity)
- Arbitrary file read vulnerability (SECURITY-2338 / CVE-2022-28160, Medium Severity)

Severity

High: SECURITY-1892, SECURITY-1896, SECURITY-1897, SECURITY-1899, SECURITY-1932, SECURITY-2236, SECURITY-2241, SECURITY-2262, SECURITY-2285, SECURITY-2338, SECURITY-2633, SECURITY-2639, SECURITY-2640, SECURITY-2654, SECURITY-2683

Medium: SECURITY-1932, SECURITY-2062, SECURITY-2081, SECURITY-2082, SECURITY-2161, SECURITY-2236, SECURITY-2262, SECURITY-2338, SECURITY-2579, SECURITY-2633, SECURITY-2635, SECURITY-2654, SECURITY-2684, SECURITY-2685

Affected Versions

- Bitbucket Server Integration Plugin up to and including 3.1.0
- Continuous Integration with Toad Edge Plugin up to and including 2.3
- Coverage/Complexity Scatter Plot Plugin up to and including 1.1.1
- Flaky Test Handler Plugin up to and including 1.2.2
- Instant-messaging Plugin up to and including 1.4.1
- JiraTestResultReporter Plugin up to and including 165.v817928553942
- Job and Node Ownership Plugin up to and including 0.13.0
- Pipeline: Phoenix AutoTest Plugin up to and including 1.3
- Proxmox Plugin up to and including 0.5.0
- Proxmox Plugin up to and including 0.6.0
- Proxmox Plugin up to and including 0.7.0
- RocketChat Notifier Plugin up to and including 1.4.10
- SiteMonitor Plugin up to and including 0.6
- Tests Selector Plugin up to and including 1.3.3

Fix

- Bitbucket Server Integration Plugin should be updated to version 3.2.0
- Continuous Integration with Toad Edge Plugin should be updated to version 2.4
- Flaky Test Handler Plugin should be updated to version 1.2.2
- Instant-messaging Plugin should be updated to version 1.4.2
- JiraTestResultReporter Plugin should be updated to version 166.v0cc6208295b5
- Proxmox Plugin should be updated to version 0.6.0
- Proxmox Plugin should be updated to version 0.7.0
- Proxmox Plugin should be updated to version 0.7.1
- RocketChat Notifier Plugin should be updated to version 1.5.0