Jenkins Security Advisory: Multiple Plugin Vulnerabilities (CVE-2019-10331/10337)

Jenkins Security Advisory 2019-06-11 Security Advisories CloudBees CD Plugin jx-resources Plugin Token Macro Plugin Descriptions XML External Entity processing vulnerability in Token Macro Plugin CVE: CVE-2019-10337 Severity: Medium Affected plugin: token-macro Description: The Token Macro Plugin did not properly configure its XML parser, allowing attackers to control XML contents processed with the ${XML} macro. CSRF vulnerability and missing permission check in jx-resources Plugin CVE: CVE-2019-10338 (CSRF), CVE-2019-10339 (Improper Authorization) Severity: Medium Affected plugin: jx-resources Description: The jx-resources Plugin lacked permission checks and allowed CSRF attacks. CSRF vulnerability and missing permission checks in CloudBees CD Plugin allowed SSRF CVE: CVE-2019-10331 (CSRF), CVE-2019-10332 (Missing Permission Checks) Severity: Medium Affected plugin: electricflow Description: The CloudBees CD Plugin lacked permission checks and allowed SSRF. Missing permission checks in CloudBees CD Plugin CVE: CVE-2019-10333 Severity: Medium Affected plugin: electricflow Description: The CloudBees CD Plugin lacked permission checks in various form validation and autofill methods. CloudBees CD Plugin globally and unconditionally disabled SSL/TLS certificate validation CVE: CVE-2019-10334 Severity: Medium Affected plugin: electricflow Description: The CloudBees CD Plugin unconditionally disabled SSL/TLS certificate validation. XSS vulnerability in build metadata contributed by CloudBees CD Plugin CVE: CVE-2019-10335 Severity: Medium Affected plugin: electricflow Description: The CloudBees CD Plugin added metadata without escaping content, leading to XSS. XSS vulnerability in CloudBees CD Plugin affecting job configuration forms CVE: CVE-2019-10336 Severity: Medium Affected plugin: electricflow Description: The configuration forms were vulnerable to XSS. Severity All vulnerabilities listed above are of Medium severity. Affected Versions CloudBees CD Plugin: up to and including 1.1.6 jx-resources Plugin: up to and including 1.0.36 Token Macro Plugin: up to and including 2.7 Fix CloudBees CD Plugin: Update to version 1.1.7 jx-resources Plugin: Update to version 1.0.37 Token Macro Plugin: Update to version 2.8

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Multiple Plugin Vulnerabilities (CVE-2019-10331/10337)