Jenkins Security Advisory: Stored XSS, XXE, CSRF, and Plaintext Password Storage in Multiple Plugins

Jenkins Security Advisory 2022-03-29 Affected Plugins: Bitbucket Server Integration Plugin Continuous Integration with Toad Edge Plugin Coverage/Complexity Scatter Plot Plugin Flaky Test Handler Plugin Instant Messaging Plugin JiraTestResultReporter Plugin Job and Node Ownership Plugin Pipeline: Phoenix AutoTest Plugin Proxmox Plugin RocketChat Notifier Plugin SiteMonitor Plugin Tests Selector Plugin Vulnerabilities 1. Stored XSS Vulnerability in Bitbucket Server Integration Plugin - CVE: SECURITY-2639 / CVE-2022-28133 - Severity: High - Description: Bitbucket Server Integration Plugin does not limit URL schemes for callback URLs. 2. Missing Permission Checks in Bitbucket Server Integration Plugin - CVE: SECURITY-2640 / CVE-2022-28134 - Severity: Medium - Description: Plugin does not perform permission checks in several HTTP endpoints. 3. Passwords Stored in Plain Text by Instant Messaging Plugin - CVE: SECURITY-2161 / CVE-2022-28135 - Severity: Low - Description: Passwords for groupchats stored unencrypted in the global configuration file. 4. CSRF Vulnerability and Missing Permission Check in JiraTestResultReporter Plugin - CVE: SECURITY-2236 / CVE-2022-28136 - Severity: Medium - Description: Plugin does not perform permission check in HTTP method. 5. CSRF Vulnerability and Missing Permission Check in RocketChat Notifier Plugin - CVE: SECURITY-2241 / CVE-2022-28138 - Severity: Medium - Description: Plugin does not perform permission check in HTTP method. 6. XXE Vulnerability in Flaky Test Handler Plugin - CVE: SECURITY-1896 / CVE-2022-28140 - Severity: High - Description: Plugin does not configure its XML parser to prevent XML external entity attacks. 7. Password Stored in Plain Text by Proxmox Plugin - CVE: SECURITY-2079 / CVE-2022-28141 - Severity: Low - Description: Proxmox Plugin stores password unencrypted in the global configuration file. 8. SSL TLS Certificate Validation Globally Disabled by Proxmox Plugin - CVE: SECURITY-2081 / CVE-2022-28142 - Severity: Medium - Description: SSL/TLS certificate validation is disabled. 9. CSRF Vulnerability and Missing Permission Checks in Proxmox Plugin - CVE: SECURITY-2082 / CVE-2022-28143 - Severity: Medium - Description: Plugin does not perform permission checks. Severity High: SECURITY-1892, SECURITY-1896, SECURITY-1899, SECURITY-2639, SECURITY-1932 Medium: SECURITY-2062 (2), SECURITY-2079, SECURITY-2161, SECURITY-2241, SECURITY-2654, SECURITY-2683, SECURITY-2685 Low: SECURITY-2161 Affected Versions Bitbucket Server Integration Plugin up to 3.1.0 Continuous Integration with Toad Edge Plugin up to 2.3 Coverage/Complexity Scatter Plot Plugin up to 1.1.1 Flaky Test Handler Plugin up to 1.2.1 Instant Messaging Plugin up to 1.4.1 JiraTestResultReporter Plugin up to 165.v817928553942 Job and Node Ownership Plugin up to 0.13.0 Pipeline: Phoenix AutoTest Plugin up to 1.3 Fix Update affected plugins to the latest versions.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Stored XSS, XXE, CSRF, and Plaintext Password Storage in Multiple Plugins