Key Information About Vulnerabilities in Jenkins Security Advisory 2020-01-15

Vulnerabilities:

CSRF vulnerability and missing permission checks in Amazon EC2 Plugin
- Identifier: SECURITY-1004 / CVE-2020-2090 (CSRF), CVE-2020-2091 (missing permission check)
- Severity: Low
- Affected Plugin: ec2

XXE vulnerability in Robot Framework Plugin
- Identifier: SECURITY-1698 / CVE-2020-2092
- Severity: High
- Affected Plugin: robot

CSRF vulnerability and missing permission checks in Health Advisor by CloudBees Plugin
- Identifier: SECURITY-1708 / CVE-2020-2093 (CSRF), CVE-2020-2094 (missing permission check)
- Severity: Medium
- Affected Plugin: cloudbees-jenkins-advisor

Redgate SQL Change Automation Plugin stored credentials in plain text
- Identifier: SECURITY-1696 / CVE-2020-2095
- Severity: Medium
- Affected Plugin: redgate-sql-ci

Reflected XSS vulnerability in gitlab-hook Plugin
- Identifier: SECURITY-1683 / CVE-2020-2096
- Severity: Medium
- Affected Plugin: gitlab-hook

CSRF vulnerability and missing permission checks in Sounds Plugin allow OS command execution
- Identifier: SECURITY-814 / CVE-2020-2097 (missing permission check), CVE-2020-2098 (CSRF)
- Severity: High
- Affected Plugin: sounds

Affected Versions:
- Amazon EC2 Plugin up to and including 1.47
- gitlab-hook Plugin up to and including 1.4.2
- Health Advisor by CloudBees Plugin up to and including 3.0
- Redgate SQL Change Automation Plugin up to and including 2.0.4
- Robot Framework Plugin up to and including 2.0.0
- Sounds Plugin up to and including 0.5

Fixes:
- Amazon EC2 Plugin should be updated to version 1.48
- Health Advisor by CloudBees Plugin should be updated to version 3.0.1
- Redgate SQL Change Automation Plugin should be updated to version 2.0.5
- Robot Framework Plugin should be updated to version 2.0.1

As of the publication of this advisory, no fixes are available for the following plugins:
- gitlab-hook Plugin
- Sounds Plugin

Until a fix is published, the usual mitigation for an unfixed plugin is to uninstall it. This matters most for the Sounds Plugin, whose CSRF and missing permission check issues are rated High because together they allow OS command execution on the Jenkins controller.
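The practical question for an operator is which installed plugins fall inside the affected ranges above. The following script is an added example, not part of the advisory or of any Jenkins project code: it encodes the advisory's affected-version and fix table, reads a plugin list in the shape returned by the Jenkins pluginManager JSON API (/pluginManager/api/json?depth=1, which lists each plugin's shortName and version), and reports the action for each affected plugin. The plugin list used here is a constructed sample, and the version parser assumes plain dotted numeric versions as used by every plugin in this advisory.

```python
import json
import re

# Affected ranges and fixes as stated in the Jenkins Security Advisory 2020-01-15:
# shortName -> (highest affected version, first fixed version, or None when no fix exists)
ADVISORY_2020_01_15 = {
    "ec2": ("1.47", "1.48"),
    "gitlab-hook": ("1.4.2", None),
    "cloudbees-jenkins-advisor": ("3.0", "3.0.1"),
    "redgate-sql-ci": ("2.0.4", "2.0.5"),
    "robot": ("2.0.0", "2.0.1"),
    "sounds": ("0.5", None),
}


def parse_version(v):
    """Turn '2.0.4' into (2, 0, 4) so versions compare as tuples.

    Assumption: plain dotted numeric versions, as used by all plugins in this
    advisory. A non-numeric suffix (e.g. '-SNAPSHOT') ends the parse, so
    '1.48-SNAPSHOT' compares as (1, 48). An unparseable version yields (),
    which sorts below everything and is therefore flagged (conservative).
    """
    parts = []
    for comp in v.split("."):
        m = re.match(r"\d+", comp)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def check_plugins(plugin_manager_json):
    """Compare installed plugins against the advisory table.

    plugin_manager_json: JSON text in the shape of /pluginManager/api/json?depth=1,
    i.e. {"plugins": [{"shortName": ..., "version": ...}, ...]}.
    Returns a list of (shortName, installed version, recommended action) for
    every plugin whose installed version is at or below the highest affected one.
    """
    findings = []
    for p in json.loads(plugin_manager_json)["plugins"]:
        name, version = p["shortName"], p["version"]
        if name not in ADVISORY_2020_01_15:
            continue
        max_affected, fixed = ADVISORY_2020_01_15[name]
        if parse_version(version) <= parse_version(max_affected):
            action = f"update to {fixed}" if fixed else "no fix available; uninstall or disable"
            findings.append((name, version, action))
    return findings


# Constructed sample plugin list (not taken from a real instance) in the
# shape of the Jenkins pluginManager JSON API.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "ec2", "version": "1.47", "active": True},
    {"shortName": "robot", "version": "2.0.1", "active": True},
    {"shortName": "cloudbees-jenkins-advisor", "version": "3.0", "active": True},
    {"shortName": "sounds", "version": "0.5", "active": True},
    {"shortName": "git", "version": "4.0.0", "active": True},
]})

if __name__ == "__main__":
    for name, version, action in check_plugins(SAMPLE):
        print(f"{name} {version}: {action}")
```

Against a real controller, fetch the plugin list with an authenticated request (for example `curl -u user:apitoken "$JENKINS_URL/pluginManager/api/json?depth=1"`) and pass the response body to check_plugins. The robot plugin at 2.0.1 is correctly not reported, since 2.0.1 is the fixed version, while the two plugins without a fix are reported with an uninstall recommendation rather than an update target.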