Jenkins Plugin Security Advisory: CSRF, XXE, Credential Storage Issues (CVE-2019-10307-10318)

Critical Vulnerability Information Affected Plugins analysis-core Plugin Ansible Tower Plugin Aqua MicroScanner Plugin GitHub Authentication Plugin Koji Plugin Microsoft Entra ID (previously Azure AD) Plugin SiteMonitor Plugin Swarm Plugin Twitter Plugin Vulnerability Descriptions CSRF Vulnerability and Missing Permission Checks (analysis-core Plugin) CVE: SECURITY-1100, CVE-2019-10307 (CSRF), CVE-2019-10308 (permission check) Severity: Medium SiteMonitor Plugin Unconditionally Disables SSL/TLS Certificate Verification Globally CVE: SECURITY-930, CVE-2019-10317 Severity: Medium XXE Vulnerability via UDP Broadcast Response (Swarm Plugin) CVE: SECURITY-1252, CVE-2019-10309 Severity: Medium CSRF Vulnerability and Missing Permission Checks (Ansible Tower Plugin) CVE: SECURITY-1355 (1), CVE-2019-10310 (CSRF), CVE-2019-10311 (permission check) Severity: Medium Users with Overall/Read Access Can Enumerate Credential IDs in Ansible Tower Plugin CVE: SECURITY-1355 (2), CVE-2019-10312 Severity: Medium Microsoft Entra ID Plugin Stores Credentials in Plaintext CVE: SECURITY-1390, CVE-2019-10318 Severity: Low Twitter Plugin Stores Credentials in Plaintext CVE: SECURITY-1143, CVE-2019-10313 Severity: Low Koji Plugin Unconditionally Disables SSL/TLS Certificate Verification Globally CVE: SECURITY-936, CVE-2019-10314 Severity: Medium OAuth Callback CSRF Vulnerability in GitHub Authentication Plugin CVE: SECURITY-443, CVE-2019-10315 Severity: Medium Aqua MicroScanner Plugin Stores Credentials in Plaintext CVE: SECURITY-1380, CVE-2019-10316 Severity: Low Remediation Recommendations Upgrade affected plugins to the specified versions

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Plugin Security Advisory: CSRF, XXE, Credential Storage Issues (CVE-2019-10307-10318)