Jenkins Security Advisory 2021-01-13

Vulnerabilities Announced

- Jenkins (core)
- Bumblebee HP ALM Plugin
- TICS Plugin
- tracetronic ecu.test Plugin

Descriptions

1. XSS Vulnerability in Notification Bar
   - Identifiers: SECURITY-1889 / CVE-2021-21603
   - Severity: High
   - Description: Attackers able to influence the contents of the notification bar can exploit this to execute XSS.
2. Stored XSS Vulnerability in Button Labels
   - Identifiers: SECURITY-2035 / CVE-2021-21608
   - Severity: High
   - Description: Attackers who can control button labels can exploit a stored XSS vulnerability in the Jenkins UI.
3. Reflected XSS Vulnerability in Markup Formatter Preview
   - Identifiers: SECURITY-2153 / CVE-2021-21610
   - Severity: High
   - Description: The markup formatter preview is not properly restricted, so malicious users can craft preview URLs that exploit a reflected XSS vulnerability.
4. Stored XSS Vulnerability on New Item Page
   - Identifiers: SECURITY-2171 / CVE-2021-21611
   - Severity: High
   - Description: Attackers who can specify the display names or IDs of item types can cause stored XSS on the new item page.
5. Improper Handling of REST API XML Deserialization Errors
   - Identifiers: SECURITY-1923 / CVE-2021-21604
   - Severity: High
   - Description: Submitting invalid data can create invalid object references in the Old Data Monitor, allowing the injection of unsafe objects.
6. Arbitrary File Read Vulnerability in Workspace Browsers
   - Identifiers: SECURITY-1452 / CVE-2021-21602
   - Severity: Medium
   - Description: Symbolic links in workspace browsers can be used to access files outside the workspace.
7. Path Traversal Vulnerability in Agent Names
   - Identifiers: SECURITY-2021 / CVE-2021-21605
   - Severity: High
   - Description: Users can choose agent names that override unrelated config.xml files, causing unsafe legacy defaults to be applied.
8. Arbitrary File Existence Check in File Fingerprints
   - Identifiers: SECURITY-2023 / CVE-2021-21606
   - Severity: Medium
   - Description: By constructing relative paths, attackers can check whether XML files exist on the controller file system.
9. Excessive Memory Allocation in Graph URLs Leads to Denial of Service
   - Identifiers: SECURITY-2025 / CVE-2021-21607
   - Severity: Medium
   - Description: Crafted URLs requesting very large graph sizes can exhaust memory and cause out-of-memory errors.
10. Missing Permission Check for Paths with Specific Prefix
   - Identifiers: SECURITY-2047 / CVE-2021-21609
   - Severity: Low
   - Description: Plugin-provided URLs that match specific path prefixes can be accessed by attackers without the proper permission checks.
11. Credentials Stored in Plain Text by tracetronic ecu.test Plugin
   - Identifiers: SECURITY-2057 / CVE-2021-21612
   - Severity: Low
   - Description: Credentials in the global configuration file are stored unencrypted, allowing access to these sensitive values.
12. XSS Vulnerability in TICS Plugin
   - Identifiers: SECURITY-2098 / CVE-2021-21613
   - Severity: High
   - Description: Attackers who can control responses from the TICS service can exploit an XSS vulnerability.
13. Credentials Stored in Plain Text by Bumblebee HP ALM Plugin
   - Identifiers: SECURITY-2156 / CVE-2021-21614
   - Severity: Low
   - Description: Unencrypted credentials in the global configuration file can be accessed by users with the necessary permissions.

Severity

- SECURITY-1452: Medium
- SECURITY-1889: High
- SECURITY-1923: High
- SECURITY-2021: High
- SECURITY-2023: Medium
- SECURITY-2025: Medium
- SECURITY-2035: High
- SECURITY-2047: Low
- SECURITY-2057: Low
- SECURITY-2098: High
- SECURITY-2153: High
- SECURITY-2156: Low
- SECURITY-2171: High

Affected Versions

- Jenkins weekly up to and including 2.274
- Jenkins LTS up to and including 2.263.1
- Bumblebee HP ALM Plugin up to and including 4.1.5
- TICS Plugin up to and including 2020.3.0.6
- tracetronic ecu.test Plugin up to and including 2.23.1

Fix

Update to the latest versions: Jenkins 2.275, Jenkins LTS 2.263.2, Bumblebee HP ALM Plugin 4.1.6, TICS Plugin 2020.3.0.7, and tracetronic ecu.test Plugin 2.24.
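To triage an installation against the affected and fixed versions above, the following added script (not part of the advisory or of Jenkins itself) compares an inventory of core and plugin versions against the ranges listed here; the component keys and the sample inventory are constructed for this example, and LTS releases are told apart from weeklies by their third version component.

```python
"""Check Jenkins core and plugin versions against the 2021-01-13 advisory.

Added example, not Jenkins project code. The version ranges come from the
advisory text; the component keys and SAMPLE_INVENTORY are constructed.
"""
from typing import Dict, List, Tuple

# component -> (last affected version, first fixed version), per the advisory
ADVISORY = {
    "jenkins-weekly": ("2.274", "2.275"),
    "jenkins-lts": ("2.263.1", "2.263.2"),
    "bumblebee": ("4.1.5", "4.1.6"),          # Bumblebee HP ALM Plugin
    "tics": ("2020.3.0.6", "2020.3.0.7"),     # TICS Plugin
    "ecutest": ("2.23.1", "2.24"),            # tracetronic ecu.test Plugin
}

# Constructed inventory of one installation (component -> installed version).
SAMPLE_INVENTORY = {
    "jenkins": "2.263.1",
    "tics": "2020.3.0.6",
    "ecutest": "2.24",
    "bumblebee": "4.1.5",
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.263.1' into (2, 263, 1); a non-numeric component ends parsing."""
    parts: List[int] = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def core_line(version: str) -> str:
    """Jenkins LTS releases have three components (2.263.1); weeklies two (2.274)."""
    return "jenkins-lts" if len(parse_version(version)) >= 3 else "jenkins-weekly"

def is_affected(component: str, version: str) -> bool:
    """True when the installed version is at or below the last affected one."""
    last_affected, _ = ADVISORY[component]
    return parse_version(version) <= parse_version(last_affected)

def check_instance(inventory: Dict[str, str]) -> List[str]:
    """Return one 'component version: update to X' finding per affected entry."""
    findings = []
    for component, version in inventory.items():
        key = core_line(version) if component == "jenkins" else component
        if key in ADVISORY and is_affected(key, version):
            findings.append(f"{component} {version}: update to {ADVISORY[key][1]}")
    return findings

if __name__ == "__main__":
    for line in check_instance(SAMPLE_INVENTORY):
        print(line)
```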