Jenkins Security Advisory: Stored XSS, CSRF, and Credential Exposure in Multiple Plugins (CVE-2023-39151 et al.)

Key Information Vulnerability Descriptions Stored XSS vulnerability (SECURITY-3188 / CVE-2023-39151) - Severity: High - Description: Jenkins applies formatting to console output in build logs, which may allow an attacker to exploit a stored cross-site scripting (XSS) vulnerability when administrators control the content of build logs. Incorrect control flow in Gradle Plugin breaks credentials masking in the build log (SECURITY-3208 / CVE-2023-39152) - Severity: Medium - Description: In Gradle Plugin versions 2.8 and earlier, the build log annotation setup incorrectly calls an API available only in controllers, potentially causing credentials to remain unmasked in logs. CSRF vulnerability in GitLab Authentication Plugin (SECURITY-2696 / CVE-2023-39153) - Severity: Medium - Description: GitLab Authentication Plugin versions 1.17.1 and earlier do not implement a state parameter in their OAuth flow, allowing attackers to trick users into logging in to the attacker’s account. CSRF vulnerability and missing permission check in ServiceNow DevOps Plugin allow capturing credentials (SECURITY-3129 / CVE-2023-3414 (CSRF), CVE-2023-3442 (missing permission check)) - Severity: Medium - Description: The form validation method in ServiceNow DevOps Plugin versions 1.38.0 and earlier lacks permission checks, enabling attackers to capture credentials via alternative methods. Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials (SECURITY-3012 / CVE-2023-39154) - Severity: Medium - Description: Multiple HTTP endpoints in Qualys Web App Scanning Connector Plugin versions 2.0.10 and earlier do not properly enforce permission checks, allowing attackers to capture credentials. Secret displayed without masking by Chef Identity Plugin (SECURITY-3192 / CVE-2023-39155) - Severity: Low - Description: Chef Identity Plugin stores user .pem keys in global configuration files, and versions 2.0.3 and earlier do not mask the .pem key form field. CSRF vulnerability in Bazaar Plugin (SECURITY-3095 / CVE-2023-39156) - Severity: Medium - Description: Bazaar Plugin versions 1.22 and earlier do not require POST requests for HTTP endpoints, allowing attackers to delete previously created Bazaar SCM tags. Affected Versions Jenkins weekly: up to and including 2.415 Jenkins LTS: up to and including 2.401.2 Bazaar Plugin: up to and including 1.22 Chef Identity Plugin: up to and including 2.0.3 GitLab Authentication Plugin: up to and including 1.17.1 Gradle Plugin: up to and including 2.8 Qualys Web App Scanning Connector Plugin: up to and including 2.0.10 ServiceNow DevOps Plugin: up to and including 1.38.0 Remediation Recommendations Jenkins weekly: update to version 2.416 Jenkins LTS: update to version 2.401.3 or 2.414.1 GitLab Authentication Plugin: update to version 1.18 Gradle Plugin: update to version 2.8.1 Qualys Web App Scanning Connector Plugin: update to version 2.0.11 ServiceNow DevOps Plugin: update to version 1.38.1

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Stored XSS, CSRF, and Credential Exposure in Multiple Plugins (CVE-2023-39151 et al.)