Jenkins Security Advisory: Sandbox Bypass, CSRF, and Info Disclosure in Multiple Plugins (CVE-2019-10355)

Advisory Title: Jenkins Security Advisory 2019-07-31 Affected Plugins: - Amazon EC2 Plugin - Configuration as Code Plugin - Google Kubernetes Engine Plugin - Maven Integration Plugin - Maven Release Plug-in Plugin - Pipeline: Deprecated Groovy Libraries Plugin - Script Security Plugin - Skytap Cloud CI Plugin Key Vulnerabilities: - Sandbox bypass through type casts in Script Security Plugin (SECURITY-1465 / CVE-2019-10355) - High Severity - Sandbox bypass through method pointer expressions in Script Security Plugin (SECURITY-1465 / CVE-2019-10356) - High Severity - Missing permission check in Pipeline: Deprecated Groovy Libraries Plugin (SECURITY-1422 / CVE-2019-10357) - Medium Severity - Maven Integration Plugin did not mask sensitive values in module build logs (SECURITY-713 / CVE-2019-10358) - Medium Severity - CSRF vulnerability in Maven Release Plug-in Plugin (SECURITY-1098 / CVE-2019-10359) - Medium Severity - Stored XSS vulnerability in Maven Release Plug-in Plugin (SECURITY-1184 / CVE-2019-10360) - Medium Severity - Maven Release Plug-in Plugin stored credentials in plain text (SECURITY-1435 / CVE-2019-10361) - Low Severity - Configuration as Code Plugin failed to mask secrets in system log messages (SECURITY-1279 / CVE-2019-10343) - Medium Severity - Configuration as Code Plugin allowed users without Overall/Administer permission to access documentation (SECURITY-1290 / CVE-2019-10344) - Medium Severity - Configuration as Code Plugin did not mask proxy credentials (SECURITY-1303 / CVE-2019-10345) - Low Severity - Configuration as Code Plugin evaluated variable references when importing a previously exported configuration (SECURITY-1446 / CVE-2019-10362) - Medium Severity - Configuration as Code Plugin exported secret values in plain text (SECURITY-1458 / CVE-2019-10363) - Medium Severity - Amazon EC2 Plugin leaked beginning of private key in system log (SECURITY-673 / CVE-2019-10364) - Medium Severity - Google Kubernetes Engine Plugin stored temporary secret in a user accessible location (SECURITY-1345 / CVE-2019-10365) - Medium Severity - Skytap Cloud CI Plugin stored credentials in plain text (SECURITY-1429 / CVE-2019-10366) - Medium Severity Affected Versions: - Amazon EC2 Plugin up to and including 1.43 - Configuration as Code Plugin up to and including 1.24 - Google Kubernetes Engine Plugin up to and including 0.6.2 - Maven Integration Plugin up to and including 3.3 - Maven Release Plug-in Plugin up to and including 0.14.0 - Pipeline: Deprecated Groovy Libraries Plugin up to and including 2.14 - Script Security Plugin up to and including 1.61 - Skytap Cloud CI Plugin up to and including 2.06 Fix: - Update respective plugins to newer versions.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Sandbox Bypass, CSRF, and Info Disclosure in Multiple Plugins (CVE-2019-10355)