Jenkins Multiple Vulnerabilities Advisory (CVE-2020-2160 to 2171)

Critical Vulnerability Information CSRF Protection Bypass Vulnerability Vulnerability ID: SECURITY-1774 / CVE-2020-2160 Severity: High Description: Due to differences in URL path representation, CSRF protection can be bypassed. Stored XSS Vulnerability - Label Expression Validation Vulnerability ID: SECURITY-1781 / CVE-2020-2161 Severity: Medium Description: Node labels are not properly escaped, leading to a stored XSS vulnerability. Stored XSS Vulnerability - File Parameter Vulnerability ID: SECURITY-1793 / CVE-2020-2162 Severity: Medium Description: Lack of appropriate Content-Security-Policy HTTP header results in a stored XSS vulnerability. Stored XSS Vulnerability - Column View Column Header Vulnerability ID: SECURITY-1796 / CVE-2020-2163 Severity: Medium Description: Column view column headers process embedded HTML, leading to a stored XSS vulnerability. Artifactory Plugin Plaintext Password Storage Vulnerability ID: SECURITY-1542 (1) / CVE-2020-2164 Severity: Low Description: Artifactory server password is stored in plaintext. Artifactory Plugin Plaintext Password Transmission Vulnerability ID: SECURITY-1542 (2) / CVE-2020-2165 Severity: Low Description: Artifactory server password is transmitted in plaintext via configuration form. Pipeline: AWS Steps Plugin RCE Vulnerability Vulnerability ID: SECURITY-1741 / CVE-2020-2166 Severity: High Description: Improper YAML parser configuration leads to RCE vulnerability. OpenShift Pipeline Plugin RCE Vulnerability Vulnerability ID: SECURITY-1739 / CVE-2020-2167 Severity: High Description: Improper YAML parser configuration leads to RCE vulnerability. Azure Container Service Plugin RCE Vulnerability Vulnerability ID: SECURITY-1732 / CVE-2020-2168 Severity: High Description: Improper YAML parser configuration leads to RCE vulnerability. Queue Cleanup Plugin Reflected XSS Vulnerability Vulnerability ID: SECURITY-1724 / CVE-2020-2169 Severity: Medium Description: Query parameters are not escaped, leading to a reflected XSS vulnerability. RapidDeploy Plugin Stored XSS Vulnerability Vulnerability ID: SECURITY-1676 / CVE-2020-2170 Severity: Medium Description: Package names are not escaped, leading to a stored XSS vulnerability. RapidDeploy Plugin XXE Vulnerability Vulnerability ID: SECURITY-1677 / CVE-2020-2171 Severity: High Description: Improper XML parser configuration leads to XXE vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Multiple Vulnerabilities Advisory (CVE-2020-2160 to 2171)