Jenkins Security Advisory 2022-03-29

Overview

This advisory announces vulnerabilities in several Jenkins plugins.

Vulnerabilities

1. Stored XSS Vulnerability in Bitbucket Server Integration Plugin
Severity: High
Affected Versions: atlassian-bitbucket-server-integration up to and including 3.1.0
Description: Does not limit URL schemes for callback URLs on OAuth consumers.
Impact: Allows stored XSS attacks.

2. Missing Permission Checks in Bitbucket Server Integration Plugin
Severity: Medium
Affected Versions: atlassian-bitbucket-server-integration up to and including 3.1.0
Description: Several HTTP endpoints are missing permission checks.
Impact: Allows attackers with Overall/Read permission to perform unauthorized actions.

3. Passwords Stored in Plain Text by Instant-Messaging Plugin
Severity: Low
Affected Versions: instant-messaging up to and including 1.4.1
Description: Passwords are stored unencrypted in the global configuration file.
Impact: Users with access to the Jenkins controller can view the passwords.

4. CSRF Vulnerability and Missing Permission Check in JiraTestResultReporter Plugin
Severity: Medium
Affected Versions: JiraTestResultReporter up to and including 165.v817928553942
Description: Missing permission check in a method implementing form validation.
Impact: Allows CSRF attacks and permission bypass.

5. XXE Vulnerability in Flaky Test Handler Plugin
Severity: High
Affected Versions: flaky-test-handler up to and including 1.2.1
Description: XML parser does not prevent XML external entity (XXE) attacks.
Impact: Allows attackers with Item/Configure permission to perform XXE attacks.

6. Password Stored in Plain Text by Proxmox Plugin
Severity: Low
Affected Versions: proxmox up to and including 0.5.0
Description: Proxmox Datacenter password is stored unencrypted.
Impact: The password can be viewed by users with access to the Jenkins controller.

7. SSL/TLS Certificate Validation Globally Disabled by Proxmox Plugin
Severity: Medium
Affected Versions: proxmox up to and including 0.6.0
Description: Disables SSL/TLS certificate validation globally.
Impact: Insecure SSL/TLS connections.

8. CSRF Vulnerability and Missing Permission Checks in Proxmox Plugin
Severity: Medium
Affected Versions: proxmox up to and including 0.7.0
Description: Missing permission checks in several HTTP endpoints.
Impact: Allows CSRF attacks and permission bypass.

9. XSS Vulnerability in Continuous Integration with Toad Edge Plugin
Severity: High
Affected Versions: ci-with-toad-edge up to and including 2.3
Description: Uses a patched fork of the file browser with the Content-Security-Policy header removed.
Impact: Allows stored XSS attacks.

10. Arbitrary File Read Vulnerability in Continuous Integration with Toad Edge Plugin
Severity: Medium
Affected Versions: ci-with-toad-edge up to and including 2.3
Description: Allows attackers with Item/Configure permission to read arbitrary files.
Impact: File contents can be read by attackers.

11. Missing Permission Check in Continuous Integration with Toad Edge Plugin
Severity: Medium
Affected Versions: ci-with-toad-edge up to and including 2.3
Description: Missing permission check in a method implementing form validation.
Impact: Permission bypass.

12. Path Traversal Vulnerability on Windows in Continuous Integration with Toad Edge Plugin
Severity: High
Affected Versions: ci-with-toad-edge up to and including 2.3
Description: Path traversal in a Windows environment.
Impact: Attackers can obtain arbitrary file contents.

13. Stored XSS Vulnerability in Job and Node Ownership Plugin
Severity: High
Affected Versions: ownership up to and including 0.13.0
Description: Does not escape the names of secondary owners.
Impact: Allows stored XSS attacks.

14. CSRF Vulnerability and Missing Permission Check in Job and Node Ownership Plugin
Severity: Medium
Affected Versions: ownership up to and including 0.13.0
Description: Missing permission check and no POST requirement.
Impact: Allows CSRF attacks.

Fix

Update all affected plugins to the fixed versions specified in the advisory. Review and patch plugins with no available fix.
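Entries 2, 4, 8, 11 and 14 are all the same defect: a Stapler web method (typically a form-validation `doCheckXxx` or `doTestConnection`) that anyone with Overall/Read can call, with no permission check and, for methods with side effects, no POST requirement. Entry 1 is the related input-side gap of accepting any URL scheme. The following is an added example, not code from any of the affected plugins, of a hypothetical Jenkins build step whose descriptor applies the checks those entries lack; the class, package and field names are assumptions, and the connection test itself is left as a stub.

```java
package example; // hypothetical package for this added example

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical build step; only the descriptor's web methods matter here. */
public class ExampleServerBuilder extends Builder {

    private final String serverUrl;

    @DataBoundConstructor
    public ExampleServerBuilder(String serverUrl) {
        this.serverUrl = serverUrl;
    }

    public String getServerUrl() {
        return serverUrl;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // A callback or server URL is only ever a web URL; everything else is rejected.
        private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

        // Scheme allowlist: the check entry 1 describes as missing for OAuth callback URLs.
        static FormValidation validateUrl(String value) {
            if (value == null || value.trim().isEmpty()) {
                return FormValidation.error("URL is required");
            }
            try {
                URI uri = new URI(value.trim());
                String scheme = uri.getScheme();
                if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
                    return FormValidation.error("Only http and https URLs are allowed");
                }
                if (uri.getHost() == null) {
                    return FormValidation.error("URL must include a host");
                }
                return FormValidation.ok();
            } catch (URISyntaxException e) {
                return FormValidation.error("Not a valid URL: " + e.getMessage());
            }
        }

        // Demand the permission the surrounding form needs: Item/Configure inside a job,
        // Overall/Administer on the global configuration page. Without this, the method is
        // callable by anyone with Overall/Read (entries 2, 4, 8, 11, 14).
        private static void checkCaller(Item item) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
        }

        // Pure validation: reads the submitted value only, so a permission check suffices.
        public FormValidation doCheckServerUrl(@AncestorInPath Item item, @QueryParameter String value) {
            checkCaller(item);
            return validateUrl(value);
        }

        // Validation with a side effect (an outbound connection) must also refuse GET, or a
        // cross-site request can trigger it; @RequirePOST makes Stapler reject non-POST calls,
        // and POST requests are covered by Jenkins' CSRF crumb.
        @RequirePOST
        public FormValidation doTestConnection(@AncestorInPath Item item, @QueryParameter String serverUrl) {
            checkCaller(item);
            FormValidation syntax = validateUrl(serverUrl);
            if (syntax.kind != FormValidation.Kind.OK) {
                return syntax;
            }
            // Hypothetical stub: the real connection attempt would go here.
            return FormValidation.ok("URL accepted; connection test not implemented in this example");
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example server step";
        }
    }
}
```

The permission check goes first in every web method, before any work is done with the submitted value, so that an unauthorized caller learns nothing from the response. Stapler's `@RequirePOST` is the documented way to add the POST requirement entry 14 says was absent; the check itself is the same whether the method is reached from a job's configuration page (`item` set) or from the global configuration (`item` null).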