Jenkins Security Advisory 2022-03-15

Affected Plugins

- AWS Credentials Plugin
- Dashboard View Plugin
- dbCharts Plugin
- Environment Dashboard Plugin
- Extended Choice Parameter Plugin
- Favorite Plugin
- Folder-based Authorization Strategy Plugin
- GitLab Authentication Plugin
- global-build-stats Plugin
- incapptc connect uploader Plugin
- kubernetes-cd Plugin
- List Git Branches Parameter Plugin
- Parameterized Trigger Plugin
- Release Helper Plugin
- Semantic Versioning Plugin
- Vmware vRealize CodeStream Plugin

Key Vulnerabilities

Sensitive Parameter Values Captured in Build Metadata Files
CVE-2022-27195
Severity: Low
Affected Plugin: Parameterized Trigger Plugin
Description: The plugin captures the build's environment variables, including the values of password parameters, in the build.xml build metadata file. That file is written unencrypted to the build directory on the controller, so a secret passed as a password parameter outlives the build and is exposed to anyone who can read the build's files.

Stored XSS Vulnerability in Favorite Plugin
CVE-2022-27196
Severity: High
Affected Plugin: Favorite Plugin
Description: The plugin does not escape the names of jobs it displays, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers who can create or rename jobs with an attacker-controlled name.

Stored XSS Vulnerability in Dashboard View Plugin
CVE-2022-27197
Severity: High
Affected Plugin: Dashboard View Plugin
Description: The plugin does not validate the URL configured as an iframe source, so a user who can configure a dashboard view can store a non-http(s) URL such as a javascript: URL that executes in the Jenkins origin when the view is rendered, resulting in stored XSS.

CSRF Vulnerability and Missing Permission Check in AWS Credentials Plugin
CVE-2022-27198, CVE-2022-27199
Severity: Medium
Affected Plugin: AWS Credentials Plugin
Description: A form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability (CVE-2022-27198), and does not perform a permission check (CVE-2022-27199). Together these allow attackers to make the Jenkins controller connect to an AWS service using attacker-specified credentials.

Fixes

Update the plugins to the following versions:

- AWS Credentials Plugin: 191.vcb_f183ce58b_9
- Dashboard View Plugin: 2.18.1
- Favorite Plugin: 2.4.1
- Folder-based Authorization Strategy Plugin: 1.4
- Parameterized Trigger Plugin: 2.43.1
- Semantic Versioning Plugin: 1.14

Credit

- Daniel Beck, CloudBees, Inc.
- Gunther Rademacher
- Jesse Glick, CloudBees, Inc.
- Justin Philip
- Kevin Guerroudj
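The two fix patterns behind the Dashboard View and AWS Credentials entries above, as an added illustration written for this page and not code taken from either plugin: strict scheme validation for a user-supplied iframe URL, and a connection-test form validation method that requires POST and checks a permission before acting on caller-supplied credentials. The class and method names (HardenedFormValidationExample, doCheckSourceUrl, doTestConnection, accessKeyId, secretAccessKey) and the connect() placeholder are hypothetical; the Jenkins and Stapler APIs used (FormValidation, @RequirePOST, @QueryParameter, @AncestorInPath, checkPermission) are the real ones a plugin descriptor would use.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative form-validation methods for a hypothetical Jenkins plugin.
 * In a real plugin these live on a Descriptor subclass, where Stapler binds
 * doCheckSourceUrl to .../checkSourceUrl and doTestConnection to
 * .../testConnection. Names are hypothetical; this is not the Dashboard View
 * or AWS Credentials Plugin's code.
 */
public class HardenedFormValidationExample {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /**
     * Iframe source URL check. The unfixed behaviour is to accept any string,
     * which lets a javascript: (or data:) URL be stored and run in the Jenkins
     * origin when the portlet renders. Here only absolute http/https URLs
     * with a host are accepted. The same check must also be applied when the
     * configuration is saved, not only in this UI-side validation.
     */
    public FormValidation doCheckSourceUrl(@QueryParameter String value) {
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("A source URL is required");
        }
        URI uri;
        try {
            uri = new URI(value.trim());
        } catch (URISyntaxException e) {
            return FormValidation.error("Not a valid URL");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return FormValidation.error("Only http and https URLs are allowed");
        }
        if (uri.getHost() == null) {
            return FormValidation.error("URL must be absolute and include a host");
        }
        return FormValidation.ok();
    }

    /**
     * Connectivity test that uses caller-supplied credentials. The unfixed
     * pattern is a GET-reachable method with no permission check: any user
     * with Overall/Read can call it directly (missing permission check), and
     * a page on another origin can make a logged-in administrator's browser
     * call it (CSRF). @RequirePOST rejects GET and makes the CSRF crumb
     * mandatory; the explicit permission check closes the direct-call path.
     */
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String accessKeyId,
                                           @QueryParameter String secretAccessKey) {
        // Global configuration requires Administer; job-level use requires
        // Configure on that job. Either check throws AccessDeniedException.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        if (accessKeyId == null || accessKeyId.isEmpty()
                || secretAccessKey == null || secretAccessKey.isEmpty()) {
            return FormValidation.error("Access key ID and secret access key are required");
        }
        return connect(accessKeyId, secretAccessKey)
                ? FormValidation.ok("Connection succeeded")
                : FormValidation.error("Connection failed");
    }

    /**
     * Hypothetical placeholder for the outbound AWS call (for example an STS
     * GetCallerIdentity request). The SDK call itself is outside the scope of
     * this example; the guards above are what the advisory entries are about.
     */
    private boolean connect(String accessKeyId, String secretAccessKey) {
        return false; // placeholder: no network call is made in this example
    }
}
```

With @RequirePOST in place, a GET to the testConnection endpoint is rejected before the method body runs, and a POST without a valid CSRF crumb is rejected by Jenkins's crumb filter, so a cross-origin page cannot trigger the AWS call through an administrator's session. The permission check then covers the remaining case, a low-privileged user who obtains a crumb and issues the POST directly.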