Jenkins Security Advisory 2022-08-23

Vulnerabilities

Improper Masking of Credentials in Git Plugin
- CVE: CVE-2022-38663
- Severity: Medium
- Description: Git Plugin 4.11.4 and earlier improperly masks credentials in the build log.
- Affected Plugin: Git Plugin

Stored XSS Vulnerability in Job Configuration History Plugin
- CVE: CVE-2022-38664
- Severity: High
- Description: Job Configuration History Plugin 1165 and earlier does not escape the job name on the System Configuration History page, leading to a stored XSS vulnerability.
- Affected Plugin: Job Configuration History Plugin

RabbitMQ Password Stored in Plain Text by CollabNet Plugins Plugin
- CVE: CVE-2022-38665
- Severity: Low
- Description: CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ password unencrypted in the global configuration file.
- Affected Plugin: CollabNet Plugins Plugin

RCE Vulnerability in Kubernetes Continuous Deploy Plugin
- CVE: CVE-2021-25738
- Severity: High
- Description: Kubernetes Continuous Deploy Plugin 2.3.1 and earlier includes a vulnerable version of the Kubernetes Java Client library, allowing RCE.
- Affected Plugin: Kubernetes Continuous Deploy Plugin

Severity
- SECURITY-2157: Low
- SECURITY-2448: High
- SECURITY-2765: High
- SECURITY-2796: Medium

Affected Versions
- CollabNet Plugins Plugin: Up to and including 2.0.8
- Git Plugin: Up to and including 4.11.4
- Job Configuration History Plugin: Up to and including 1165.v8cc9fd1f4597
- Kubernetes Continuous Deploy Plugin: Up to and including 2.3.1

Fix
- CollabNet Plugins Plugin: Update to version 2.0.9
- Git Plugin: Update to version 4.11.5
- Job Configuration History Plugin: Update to version 1166.vc9f255f45b_8a

Credit
Thank you to the reporters:
- Jordy Versmissen for SECURITY-2448
- Kevin Guerroudj, CloudBees, Inc. for SECURITY-2765
- Peter Darton, i2group.com, and independently, Stefano Mazzucco, Mindera for SECURITY-2796
- Son Nguyen (@s0nnnguy3n_) for SECURITY-2157
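As an added example (not part of the advisory or of Jenkins itself), the script below compares an installed-plugin inventory against the Affected Versions and Fix lists above, handling both classic dotted versions (4.11.4) and Jenkins changelist-style versions (1165.v8cc9fd1f4597), whose ".v<hash>" suffix is a commit id and must not be compared as a number. The plugin short names and the sample inventory are assumptions; the Fix list above gives no fixed version for Kubernetes Continuous Deploy Plugin, so the script reports that case separately.

```python
# Added example, not from the Jenkins advisory. Checks plugin versions
# against the affected/fixed versions this advisory lists.

# Affected ("up to and including") and fixed versions, copied from the
# advisory. Short names are assumed; None means no fix is listed.
ADVISORY = {
    "collabnet": {"affected_max": "2.0.8", "fixed": "2.0.9"},
    "git": {"affected_max": "4.11.4", "fixed": "4.11.5"},
    "jobConfigHistory": {"affected_max": "1165.v8cc9fd1f4597",
                         "fixed": "1166.vc9f255f45b_8a"},
    "kubernetes-cd": {"affected_max": "2.3.1", "fixed": None},
}


def version_key(version):
    """Numeric components of a Jenkins plugin version, for ordering.
    "4.11.4" -> (4, 11, 4); "1165.v8cc9fd1f4597" -> (1165,), because the
    ".v<hash>" suffix identifies a commit and carries no ordinal meaning."""
    head = version.split(".v", 1)[0]
    return tuple(int(part) for part in head.split(".") if part.isdigit())


def assess(installed):
    """Return {short_name: status} for each installed plugin this
    advisory covers. `installed` maps short name -> version string."""
    result = {}
    for name, entry in ADVISORY.items():
        if name not in installed:
            continue
        if version_key(installed[name]) > version_key(entry["affected_max"]):
            result[name] = "not affected"
        elif entry["fixed"] is None:
            result[name] = "affected, no fix listed in this advisory"
        else:
            result[name] = f"affected, update to {entry['fixed']}"
    return result


# Constructed sample inventory (e.g. exported from the plugin manager).
SAMPLE_INSTALLED = {
    "git": "4.11.4",
    "jobConfigHistory": "1166.vc9f255f45b_8a",
    "collabnet": "2.0.8",
    "kubernetes-cd": "2.3.1",
}

if __name__ == "__main__":
    for plugin, status in assess(SAMPLE_INSTALLED).items():
        print(f"{plugin}: {status}")
```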