oss-sec mailing list archives
Multiple vulnerabilities in Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Wed, 16 Jun 2021 15:32:20 +0200
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Scriptler Plugin 3.2 and 3.3

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2021-06-16/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2224 / CVE-2021-21667
Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

SECURITY-2390 / CVE-2021-21668
Scriptler Plugin 3.1 and earlier does not escape script content. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.
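Both issues above are the same defect class: a value stored by a user with Scriptler/Configure (a parameter name, or the script body) is later written into an HTML view without escaping. The following Java snippet is an added illustration, not code from the Scriptler plugin or Jenkins core: it contrasts the unescaped rendering pattern with the hardened one, using a small escaper written for this example (escapeHtml, renderRowUnescaped and renderRowEscaped are all assumed names) and a constructed sample value.

```java
// Added example (not Scriptler plugin code): HTML-escaping of stored,
// user-controlled plugin data before it is rendered into a configuration form.
public final class ParameterNameEscaping {

    // Minimal HTML escaper covering text and quoted-attribute contexts.
    // Assumed helper written for this example; a real plugin would use the
    // escaping utilities its view technology already provides.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the stored value is concatenated straight into markup,
    // so any tags it contains are interpreted by the browser (stored XSS).
    static String renderRowUnescaped(String paramName) {
        return "<tr><td>" + paramName + "</td></tr>";
    }

    // Hardened pattern: every untrusted value is escaped at the point of output,
    // so the same stored value is displayed as literal text.
    static String renderRowEscaped(String paramName) {
        return "<tr><td>" + escapeHtml(paramName) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample value containing markup, standing in for a parameter
        // name (or script content) saved by a user holding Scriptler/Configure.
        String stored = "<b>name</b>";
        System.out.println("unescaped: " + renderRowUnescaped(stored));
        System.out.println("escaped:   " + renderRowEscaped(stored));
    }
}
```

The same output-escaping rule applies wherever the stored script content is shown in a page, which is the second advisory entry; a quick review check for a plugin is to look for any view that writes a persisted user-supplied string into HTML without passing it through an escaper.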