Jenkins Security Advisory 2021-01-13

Key Information about Vulnerabilities

XSS Vulnerability in Notification Bar
CVE: CVE-2021-21603
Severity: High
Description: Attackers able to influence the contents of the notification bar can exploit a cross-site scripting (XSS) vulnerability.

Stored XSS Vulnerability in Button Labels
CVE: CVE-2021-21608
Severity: High
Description: Attackers able to control button labels can exploit a stored cross-site scripting vulnerability.

Reflected XSS Vulnerability in Markup Formatter Preview
CVE: CVE-2021-21610
Severity: High
Description: The marked-up content returned by the markup formatter preview is not safely rendered, allowing a reflected cross-site scripting attack that injects malicious content.

Stored XSS Vulnerability on New Item Page
CVE: CVE-2021-21611
Severity: High
Description: Display names and IDs of item types are not escaped on the New Item page; attackers able to specify them can exploit a stored cross-site scripting vulnerability.

Improper Handling of REST API XML Deserialization Errors
CVE: CVE-2021-21604
Severity: High
Description: Invalid object references produced by REST API XML deserialization errors are stored in the Old Data Monitor, which can lead to the instantiation of unsafe objects once an administrator discards that old data.

Arbitrary File Read Vulnerability in Workspace Browsers
CVE: CVE-2021-21602
Severity: Medium
Description: Workspace browsers follow symbolic links, so a symlink placed in a workspace can be used to read files outside the workspace.

Path Traversal Vulnerability in Agent Names
CVE: CVE-2021-21605
Severity: High
Description: Agent names are not restricted, so an agent name can be chosen such that Jenkins overwrites unrelated files.

Arbitrary File Existence Check in File Fingerprints
CVE: CVE-2021-21606
Severity: Medium
Description: The check applied to the XML metadata of file fingerprints is incomplete, allowing attackers to determine whether arbitrary files exist on the controller.

Excessive Memory Allocation in Graph URLs
CVE: CVE-2021-21607
Severity: Medium
Description: Crafted graph URLs cause excessive memory allocation, leading to out-of-memory errors (denial of service).

Missing Permission Check for Specific Path Prefixes
CVE: CVE-2021-21609
Severity: Low
Description: URLs with specific path prefixes are not subject to the expected permission check, allowing attackers to access them without the required permission.

Credentials Stored in Plain Text in tracetronic ecu.test Plugin
CVE: CVE-2021-21612
Severity: Low
Description: Credentials are stored unencrypted in the plugin's global configuration file on the Jenkins controller, where users with access to the controller file system can view them.

XSS Vulnerability in TICS Plugin
CVE: CVE-2021-21613
Severity: High
Description: Responses from the TICS service are not escaped, resulting in a cross-site scripting vulnerability exploitable by attackers able to control TICS service response content.

Credentials Stored in Plain Text in Bumblebee HP ALM Plugin
CVE: CVE-2021-21614
Severity: Low
Description: Credentials are stored unencrypted in the plugin's global configuration file on the Jenkins controller, where users with access to the controller file system can view them.

Affected Versions
Jenkins weekly up to and including 2.274
Jenkins LTS up to and including 2.263.1
Bumblebee HP ALM Plugin up to and including 4.1.5
TICS Plugin up to and including 2020.3.0.6
tracetronic ecu.test Plugin up to and including 2.23.1

Fix
Jenkins weekly: update to version 2.275
Jenkins LTS: update to version 2.263.2
Bumblebee HP ALM Plugin: update to version 4.1.6
TICS Plugin: update to version 2020.3.0.7
tracetronic ecu.test Plugin: update to version 2.24
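Two of the core issues above, the workspace browser following symbolic links out of the workspace (CVE-2021-21602) and agent names that turn into paths to unrelated files (CVE-2021-21605), are both failures to confine a user-influenced path to its intended root. The following is an added illustration written for this page, not Jenkins source code: it contrasts a lexical-only check, which stops `..` but is defeated by a symlink, with a check on the fully resolved path, and applies the same helper to agent names. The directory layout, the function names and the sample files are assumptions constructed for the demo.

```python
"""Path containment: the vulnerable lexical check beside the resolved-path check.
Added example code, not from Jenkins. Directory layout, names and sample
files below are constructed for the demo."""
import os
import re
import tempfile
from typing import Optional


def resolve_within(root: str, relative: str) -> Optional[str]:
    """Return the real path of root/relative if, after every symlink and '..'
    is resolved, it still lies inside root; otherwise return None."""
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, relative))
    if candidate == real_root or candidate.startswith(real_root + os.sep):
        return candidate
    return None


def browse_unsafe(workspace: str, relative: str) -> bytes:
    """Vulnerable pattern: only the lexical path is checked, so '..' is caught
    but a symlink inside the workspace is followed to wherever it points."""
    lexical = os.path.normpath(os.path.join(workspace, relative))
    if not lexical.startswith(os.path.normpath(workspace) + os.sep):
        raise PermissionError(relative)
    with open(lexical, "rb") as f:  # open() follows the symlink
        return f.read()


def browse_safe(workspace: str, relative: str) -> bytes:
    """Hardened pattern: the resolved target must stay inside the workspace."""
    target = resolve_within(workspace, relative)
    if target is None:
        raise PermissionError(relative)
    with open(target, "rb") as f:
        return f.read()


# Assumed allow-list for agent names: no separators, no '..' (hypothetical policy).
AGENT_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def agent_config_path(nodes_dir: str, agent_name: str) -> str:
    """Reject names that would escape nodes_dir before they become a path,
    then confirm the resolved config.xml location is still inside it."""
    if agent_name in (".", "..") or not AGENT_NAME_RE.match(agent_name):
        raise ValueError("invalid agent name: %r" % agent_name)
    target = resolve_within(nodes_dir, os.path.join(agent_name, "config.xml"))
    if target is None:
        raise ValueError("agent name escapes nodes directory: %r" % agent_name)
    return target


def demo() -> dict:
    """Build a constructed JENKINS_HOME-like tree with a planted symlink and
    exercise both browsers and the agent-name check."""
    home = tempfile.mkdtemp()
    workspace = os.path.join(home, "workspace", "job1")
    secrets = os.path.join(home, "secrets")
    os.makedirs(workspace)
    os.makedirs(secrets)
    with open(os.path.join(secrets, "master.key"), "w") as f:
        f.write("constructed-secret")
    with open(os.path.join(workspace, "build.log"), "w") as f:
        f.write("ok")
    # A build step under attacker control drops a symlink into the workspace.
    os.symlink(secrets, os.path.join(workspace, "escape"))

    results = {}
    results["unsafe_leaks"] = browse_unsafe(workspace, "escape/master.key") == b"constructed-secret"
    try:
        browse_safe(workspace, "escape/master.key")
        results["safe_blocks"] = False
    except PermissionError:
        results["safe_blocks"] = True
    results["safe_normal"] = browse_safe(workspace, "build.log") == b"ok"

    nodes_dir = os.path.join(home, "nodes")
    results["agent_ok"] = agent_config_path(nodes_dir, "linux-agent-01").startswith(
        os.path.realpath(nodes_dir) + os.sep)
    try:
        agent_config_path(nodes_dir, "../config.xml")
        results["agent_traversal_blocked"] = False
    except ValueError:
        results["agent_traversal_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The lexical check in `browse_unsafe` is the shape of the bug: `os.path.normpath` removes `..` segments, so the string looks contained, but the filesystem resolves `escape/master.key` through the symlink at open time. Checking `os.path.realpath` of the target against the real root closes that gap; for agent names the allow-list rejects the path before any filesystem call, and the resolved-path check is kept as a second line of defence.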
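To act on the Affected Versions and Fix lists above, a practitioner needs to compare installed versions against those ranges, remembering that the Jenkins LTS line (three-component versions such as 2.263.1) and the weekly line (two-component versions such as 2.274) have separate cut-offs. The script below is an added example for this page, not a Jenkins tool: it encodes the advisory's ranges and audits a constructed inventory. The inventory shape (plugin display name mapped to installed version) and the function names are assumptions.

```python
"""Audit core and plugin versions against Jenkins Security Advisory 2021-01-13.
Added example code; the sample inventory is constructed for the demo."""
import re
from typing import Dict, List, Tuple

# (last affected version, fixed version) per the advisory's lists.
ADVISORY: Dict[str, Tuple[str, str]] = {
    "jenkins-weekly": ("2.274", "2.275"),
    "jenkins-lts": ("2.263.1", "2.263.2"),
    "Bumblebee HP ALM Plugin": ("4.1.5", "4.1.6"),
    "TICS Plugin": ("2020.3.0.6", "2020.3.0.7"),
    "tracetronic ecu.test Plugin": ("2.23.1", "2.24"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.263.1' -> (2, 263, 1). A non-numeric suffix such as '-SNAPSHOT'
    is dropped from its component, and parsing stops at the first
    component with no leading digits."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def core_line(version: str) -> str:
    """LTS releases carry three components (2.263.1); weekly releases two (2.274).
    The two lines have separate affected/fixed cut-offs."""
    return "jenkins-lts" if len(parse_version(version)) >= 3 else "jenkins-weekly"


def is_affected(installed: str, last_affected: str) -> bool:
    """Affected means installed <= last affected version (tuples compare
    component-wise, so 2.249.3 < 2.263.1 and 2.263.2 > 2.263.1)."""
    return parse_version(installed) <= parse_version(last_affected)


def audit(core_version: str, plugins: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (component, installed, fix) for every affected component."""
    findings: List[Tuple[str, str, str]] = []
    line = core_line(core_version)
    last, fix = ADVISORY[line]
    if is_affected(core_version, last):
        findings.append((line, core_version, fix))
    for name, (last, fix) in ADVISORY.items():
        if name.startswith("jenkins-"):
            continue
        installed = plugins.get(name)
        if installed is not None and is_affected(installed, last):
            findings.append((name, installed, fix))
    return findings


# Constructed sample inventory: an LTS controller with a mix of plugin versions.
SAMPLE_CORE = "2.263.1"
SAMPLE_PLUGINS = {
    "TICS Plugin": "2020.3.0.6",
    "Bumblebee HP ALM Plugin": "4.1.6",
    "tracetronic ecu.test Plugin": "2.20",
    "git": "4.5.2",  # not covered by this advisory; ignored
}

if __name__ == "__main__":
    for component, installed, fix in audit(SAMPLE_CORE, SAMPLE_PLUGINS):
        print("%s %s is affected; update to %s" % (component, installed, fix))
```

Only the three plugins named in the advisory are checked; anything else in the inventory is ignored rather than reported as safe. An LTS controller older than the 2.263 line (for example 2.249.3) is correctly reported as affected with 2.263.2 as the fix, since every LTS release up to and including 2.263.1 is in the affected range.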