Jenkins Security Advisory: Multiple Plugins Vulnerabilities (RCE/XSS/CSRF)

Jenkins Security Advisory 2023-05-16 Affected Plugins Ansible Plugin AppSpider Plugin Azure VM Agents Plugin CAS Plugin Code Dx Plugin Email Extension Plugin File Parameter Plugin HashiCorp Vault Plugin LDAP Plugin LoadComplete support Plugin LoadRunner and Neoload Performance Publisher Plugin Pipeline Utility Steps Plugin Pipeline: Job Plugin Reverse Proxy Auth Plugin SAML Single Sign On(SSO) Plugin Sidebar Link Plugin Tag Profiler Plugin TestNG Results Plugin wso2 Id-oauth Plugin Vulnerabilities Summary Stored XSS vulnerability in Pipeline: Job Plugin - Severity: High CSRF vulnerability in LDAP Plugin - Severity: Medium Missing permission check in Email Extension Plugin - Severity: Medium Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin - Severity: Medium Secrets stored and displayed in plain text by Ansible Plugin - Severity: Medium Stored XSS vulnerability in TestNG Results Plugin - Severity: High Path traversal vulnerability in Sidebar Link Plugin - Severity: Medium Arbitrary file write vulnerability in File Parameter Plugin - Severity: High CSRF vulnerability in Reverse Proxy Auth Plugin - Severity: Medium Missing permission check in Azure VM Agents Plugin - Severity: Medium CSRF vulnerability and missing permission checks in Azure VM Agents Plugin - Severity: Medium CSRF vulnerability and missing permission checks in SAML Single Sign On(SSO) Plugin - Severity: High Missing hostname validation in SAML Single Sign On(SSO) Plugin - Severity: Medium SSL/TLS certificate validation unconditionally disabled by SAML Single Sign On(SSO) Plugin - Severity: Medium Severity Breakdown High: 2 Medium: 13 Affected Versions and Fixes For the affected plugins listed above, updates to the specified versions are necessary to address the vulnerabilities. Some plugins have fixes that are not available yet.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Multiple Plugins Vulnerabilities (RCE/XSS/CSRF)