Jenkins Plugin Security Advisory: XXE, CSRF, Unverified Downloads (CVE-2020-2320-2324)

Key Information Summary Vulnerability Details XXE Vulnerability in CVS Plugin - SEVERITY-2146 / CVE-2020-2324 - Severity (CVSS): High - Description: CVS plugin versions 2.16 and earlier do not configure the XML parser to prevent XML External Entity (XXE) attacks, potentially leading to sensitive information disclosure or server-side request forgery. Plugin Installation Manager Tool Fails to Validate Plugin Downloads - SEVERITY-1856 / CVE-2020-2320 - Severity (CVSS): High - Description: Plugin Installation Manager Tool versions 2.1.3 and earlier do not validate plugin downloads, potentially allowing third parties to provide malicious plugins for download. CSRF Vulnerability in Shelve Project Plugin - SEVERITY-2108 / CVE-2020-2321 - Severity (CVSS): High - Description: Shelve Project Plugin versions 3.0 and earlier do not enforce POST request validation on HTTP endpoints, potentially leading to Cross-Site Request Forgery (CSRF) vulnerabilities. Chaos Monkey Plugin Lacks Permission Checks - SEVERITY-2109 (1) / CVE-2020-2322 - Severity (CVSS): Medium - SEVERITY-2109 (2) / CVE-2020-2323 - Severity (CVSS): Medium - Description: Chaos Monkey Plugin versions 0.4 and earlier lack permission checks on certain HTTP endpoints, allowing attackers with overall/read permissions to generate payloads and cause memory leaks. Vulnerability Severity SEVERITY-1856: High SEVERITY-2108: High SEVERITY-2109 (1): Medium SEVERITY-2109 (2): Medium SEVERITY-2146: High Affected Versions Chaos Monkey Plugin <= 0.3 → Upgrade to 0.4 Chaos Monkey Plugin <= 0.4 → Upgrade to 0.4.1 CVS Plugin <= 2.16 → Upgrade to 2.17 Shelve Project Plugin <= 3.0 → Upgrade to 3.1 Plugin Installation Manager Tool <= 2.1.3 → Upgrade to 2.2.0 Remediation Affected plugins must be upgraded to the specified versions to remediate the vulnerabilities mentioned above. Acknowledgments Daniel Beck, CloudBees, Inc. reported vulnerabilities SEVERITY-1856 and SEVERITY-2146.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Plugin Security Advisory: XXE, CSRF, Unverified Downloads (CVE-2020-2320-2324)