Jenkins Security Advisory: Stored XSS, CSRF, and Auth Bypass in Multiple Plugins (CVE-2023-32977, CVE-2023-32978)

From the screenshot of the Jenkins Security Advisory 2023-05-16, the following key vulnerability information can be extracted: Descriptions Cross-Site Scripting (Stored XSS) Vulnerabilities Pipeline Job Plugin: - Vulnerability ID: SECURITY-3042/CVE-2023-32977 - Severity: High - Affected Plugin: workflow-job - Description: If the display name of a build is not properly handled, it may cause the build to be terminated. Attackers can exploit this vulnerability to perform cross-site scripting attacks. Pipeline Utility Steps Plugin: - Vulnerability ID: SECURITY-2196/CVE-2023-32981 - Severity: Medium - Affected Plugin: pipeline-utility-steps - Description: Attackers can exploit certain parameters provided by the plugin to create files. Cross-Site Request Forgery (CSRF) Vulnerabilities LDAP Plugin: - Vulnerability ID: SECURITY-3046/CVE-2023-32978 - Severity: Medium - Affected Plugin: ldap - Description: Allows attackers to exploit this vulnerability. LDAP Plugin: - Vulnerability ID: SECURITY-3047/CVE-2023-32984 - Severity: High - Affected Plugin: testing-plugin - Description: Missing Permission Checks or Improper Permission Management Email Extension Plugin: - Vulnerability ID: SECURITY-3088 (1)/CVE-2023-32979 - Severity: Medium - Affected Plugin: email-ext - Description: Improper Configuration Encryption Ansible Plugin: - Vulnerability ID: SECURITY-3017/CVE-2023-32982 (storage) and SECURITY CVE-2023-32983 (masking) - Severity: Medium - Affected Plugin: ansible - Description: Others Revers - Vulnerability ID: SECURITY - Severity: Medium/Low - Affected Plugin: Affected Versions Each listed vulnerability includes records of affected plugin versions, helping system administrators identify specific versions that require upgrades. Fix For each vulnerability with a fix available, recommended version updates are provided, such as the versions to which Ansible, AppSpider, Azure VM, and other plugins should be upgraded. Credit Lists the security researchers and contributors who reported the vulnerabilities, thanking them for their reports and contributions to fixes.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Stored XSS, CSRF, and Auth Bypass in Multiple Plugins (CVE-2023-32977, CVE-2023-32978)