Jenkins Security Advisory: Multiple Plugins Vulnerabilities (CSRF, XSS, Info Leak, CVE-2023-40336, etc.)

Vulnerability Key Information Summary Vulnerability Overview Advisory ID: Jenkins Security Advisory 2023-08-16 Affected Plugins: - Blue Ocean Plugin - Config File Provider Plugin - Delphix Plugin - Docker Swarm Plugin - Favorite View Plugin - Flaky Test Handler Plugin - Folders Plugin - Fortify Plugin - Gogs Plugin - Maven ArtifactChoiceListProvider (Nexus) Plugin - NodeJS Plugin - Shortcut Job Plugin - Tuleap Authentication Plugin Key Vulnerability Descriptions CSRF Vulnerabilities Folders Plugin: - SEVERITY-3106 / CVE-2023-40336: Allows attackers to copy projects, potentially enabling automatic approval of non-sandboxed scripts and execution of unsafe scripts. - SEVERITY-3105 / CVE-2023-40337: Allows attackers to copy views within folders. Config File Provider Plugin: - SEVERITY-3090 / CVE-2023-40339: Credentials specified in configuration files are not masked in logs. Information Disclosure Vulnerabilities Folders Plugin: - SEVERITY-3109 / CVE-2023-40338: Absolute path of log files is exposed in error messages. Gogs Plugin: - SEVERITY-2894 / CVE-2023-40348: Unauthenticated attackers can trigger job builds. Proxy Misconfiguration Vulnerability NodeJS Plugin: - SEVERITY-3196 / CVE-2023-40340: Credentials specified in Npm configuration files are not masked in pipeline build logs. XSS Vulnerabilities Flaky Test Handler Plugin: - SEVERITY-3223 / CVE-2023-40342: JUnit test content is not escaped, leading to a stored XSS vulnerability. Favorite View Plugin: - SEVERITY-3201 / CVE-2023-40351: Allows attackers to add or remove views from other users' favorite views. Missing Permission Checks Vulnerability Fortify Plugin: - SEVERITY-3115 / CVE-2023-4301: Lacks permission checks, allowing attackers to connect to specified URLs and capture credentials. Affected Versions and Remediation Recommendations Affected Versions: Specific version ranges for each affected plugin. Remediation Recommendations: Upgrade to the specified plugin versions to address the vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Multiple Plugins Vulnerabilities (CSRF, XSS, Info Leak, CVE-2023-40336, etc.)