Jenkins Security Advisory 2019-09-25: Multiple Stored XSS Vulnerabilities in Core and Plugins

Jenkins Security Advisory 2019-09-25 Vulnerabilities Announced: Jenkins (core) Aqua MicroScanner Plugin Aqua Security Scanner Plugin Assembla Plugin Azure Event Grid Build Notifier Plugin Call Remote Job Plugin CodeScan Plugin Data Theorem Mobile Security: CI/CD Plugin eIOyente Plugin Gem Publisher Plugin Git Changelog Plugin GitLab Logo Plugin Google Calendar Plugin Inedo BuildMaster Plugin Plugin Inedo ProGet Plugin Plugin Kubernetes Pipeline - Arquillian Steps Plugin Kubernetes Pipeline - Kubernetes Steps Plugin Log Parser Plugin NeuVector Vulnerability Scanner Plugin Project Inheritance Plugin vFabric Application Director Plugin Violation Comments to GitLab Plugin Descriptions: Stored XSS Vulnerability in Expandable Textbox Form Control CVE: SECURITY-1498 / CVE-2019-10401 Severity: Medium Description: Jenkins form controls include an expandable textbox that can be exploited for cross-site scripting. XSS Vulnerability in Combobox Form Control CVE: SECURITY-1525 / CVE-2019-10402 Severity: Medium Description: Jenkins interpreted items added to combobox form controls as HTML, leading to XSS. Stored XSS Vulnerability in SCM Tag Action Tooltip CVE: SECURITY-1537 (1) / CVE-2019-10403 Severity: Medium Description: Jenkins did not escape the tag name in the tooltip for SCM tag actions. Stored XSS Vulnerability in Queue Item Tooltip CVE: SECURITY-1537 (2) / CVE-2019-10404 Severity: Medium Description: Jenkins did not escape the reason a queue item is blocked in tooltips. Diagnostic Web Page Exposed Cookie HTTP Header CVE: SECURITY-1505 / CVE-2019-10405 Severity: Medium Description: Jenkins exposed the HTTP header that could be exploited to obtain information. XSS Vulnerability in Jenkins URL Setting CVE: SECURITY-1471 / CVE-2019-10406 Severity: Medium Description: Jenkins did not properly handle URL settings, leading to XSS. Project Inheritance Plugin Showed Secret Environment Variables CVE: SECURITY-351 / CVE-2019-10407 Severity: Medium Description: Project Inheritance Plugin showed secret environment variables in project metadata. CSRF Vulnerability and Missing Permission Check CVE: SECURITY-401 / CVE-2019-10408 (CSRF), CVE-2019-10409 (Permission Check) Severity: Medium Description: Project Inheritance Plugin had a CSRF vulnerability and missing permission checks. Stored XSS Vulnerability in Log Parser Plugin CVE: SECURITY-732 / CVE-2019-10410 Severity: Medium Description: Log Parser Plugin had an XSS vulnerability in error messages. NeuVector Vulnerability Scanner Plugin Stored Credentials in Plain Text CVE: SECURITY-1504 / CVE-2019-10430 Severity: Low Description: NeuVector Vulnerability Scanner Plugin stored credentials in plain text. Aqua MicroScanner Plugin Showed Plain Text Credential CVE: SECURITY-1507 / CVE-2019-10427 Severity: Low Description: Aqua MicroScanner Plugin showed a token credential in plain text. Aqua Security Scanner Plugin Showed Plain Text Password CVE: SECURITY-1508 / CVE-2019-10428 Severity: Low Description: Aqua Security Scanner Plugin showed a password in plain text. Inedo BuildMaster Plugin Plugin Showed Plain Text Password CVE: SECURITY-1513 / CVE-2019-10411 Severity: Low Description: Inedo BuildMaster Plugin Plugin showed a service password in plain text. Inedo ProGet Plugin Plugin Showed Plain Text Password CVE: SECURITY-1514 / CVE-2019-10412 Severity: Low Description: Inedo ProGet Plugin Plugin showed a service password in plain text. Data Theorem Mobile Security: CI/CD Plugin Stored Credentials in Plain Text CVE: SECURITY-1557 / CVE-2019-10413 Severity: Medium Description: Data Theorem Mobile Security: CI/CD Plugin stored credentials in plain text. Git Changelog Plugin Stored Credentials in Plain Text CVE: SECURITY-1574 / CVE-2019-10414 Severity: Medium Description: Git Changelog Plugin stored credentials in plain text. GitLab Logo Plugin Stored Credentials in Plain Text CVE: SECURITY-1575 / CVE-2019-10429 Severity: Low Description: GitLab Logo Plugin stored credentials in plain text. Violation Comments to GitLab Plugin Stored Credentials in Plain Text CVE: SECURITY-1577 / CVE-2019-10415 (Global Password), CVE-2019-10416 (Job Password) Severity: Medium Description: Violation Comments to GitLab Plugin stored credentials in plain text. Script Sandbox Bypass Vulnerability in Kubernetes Pipeline Plugins CVE: SECURITY-920 (1) / CVE-2019-10417 (High), SECURITY-920 (2) / CVE-2019-10418 (High) Severity: High Description: Kubernetes Pipeline Plugins had a script sandbox bypass vulnerability. vFabric Application Director Plugin Stored Credentials in Plain Text CVE: SECURITY-1541 / CVE-2019-10419 Severity: Low Description: vFabric Application Director Plugin stored credentials in plain text. Assembla Plugin Stored Credentials in Plain Text CVE: SECURITY-1543 / CVE-2019-10420 Severity: Low Description: Assembla Plugin stored credentials in plain text. Azure Event Grid Build Notifier Plugin Stored Credentials in Plain Text CVE: SECURITY-1544 / CVE-2019-10421 Severity: Medium Description: Az

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory 2019-09-25: Multiple Stored XSS Vulnerabilities in Core and Plugins