This advisory announces vulnerabilities in the following Jenkins deliverables:
uno-choice
Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.
Active Choices Plugin 2.5.7 escapes references to parameter names.
scriptler
Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create Scriptler scripts.
Scriptler Plugin 3.4 escapes the name of scripts on the UI when asking to confirm their deletion.
performance
Performance Plugin 3.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control workspace contents to have Jenkins parse a crafted XML report file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
pom2config
pom2config Plugin 1.2 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
dependency-check-jenkins-plugin
OWASP Dependency-Check Plugin 5.1.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.
This allows attackers able to control workspace contents to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
As of publication of this advisory, there is no fix.
squashtm-publisher
Squash TM Publisher (Squash4Jenkins) Plugin 1.0.0 and earlier implements an agent-to-controller message that does not implement any validation of its input.
This allows attackers able to control agent processes to replace arbitrary files on the Jenkins controller file system with an attacker-controlled JSON string.
As of publication of this advisory, there is no fix.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: