oss-sec mailing list archives

Multiple vulnerabilities in Jenkins plugins


From: Daniel Beck <ml () beckweb net>
Date: Wed, 16 Jun 2021 15:32:20 +0200

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Scriptler Plugin 3.2 and 3.3


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-06-16/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2224 / CVE-2021-21667
Scriptler Plugin 3.2 and earlier does not escape parameter names shown in
job configuration forms.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Scriptler/Configure permission.


SECURITY-2390 / CVE-2021-21668
Scriptler Plugin 3.1 and earlier does not escape script content.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Scriptler/Configure permission.
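Both entries above describe the same defect class: a string that a user with Scriptler/Configure permission controls (a parameter name, or the script text) is written into server-rendered HTML without output escaping, so browser markup in that string becomes part of the page for everyone who opens the form. The following is an added illustration, not code from the Scriptler plugin or from Jenkins (which render Jelly templates in Java); it uses Python so the vulnerable and hardened renderers can be compared side by side. The function names, the form markup and the sample inputs are constructed for the example.

```python
"""Added example: output escaping of user-controlled strings in an HTML form.

Not Scriptler plugin code. The render functions, form layout and sample
inputs below are constructed to show the flaw class named in the advisory.
"""
from html import escape

# Constructed inputs standing in for a Scriptler parameter name and script
# body. Harmless inline markup is enough to show that the browser would
# interpret it as part of the page rather than as data.
PARAM_NAME = "target<b>bold</b>"
SCRIPT_BODY = 'println "hello" // </textarea><i>not a script anymore</i>'


def render_param_row_unescaped(name: str) -> str:
    """Vulnerable pattern: the name is interpolated verbatim into HTML."""
    return f'<input name="{name}" value="{name}">'


def render_param_row(name: str) -> str:
    """Hardened pattern: escape &, <, >, " and ' before interpolation.

    quote=True is required because the value lands inside an attribute;
    escaping only angle brackets would still allow breaking out of the
    attribute with a double quote.
    """
    safe = escape(name, quote=True)
    return f'<input name="{safe}" value="{safe}">'


def render_script_editor_unescaped(script: str) -> str:
    """Vulnerable pattern: script text dropped into a <textarea> as-is."""
    return f'<textarea name="script">{script}</textarea>'


def render_script_editor(script: str) -> str:
    """Hardened pattern: a literal '</textarea>' in the script can no longer
    close the element early, because '<' is emitted as '&lt;'."""
    return f'<textarea name="script">{escape(script, quote=True)}</textarea>'


def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    """Regression check a plugin test could use: True if an untrusted string
    that carries HTML metacharacters appears unchanged in the rendered page."""
    has_metachars = any(c in untrusted for c in '<>"\'&')
    return has_metachars and untrusted in rendered


if __name__ == "__main__":
    for label, out in (
        ("unescaped row ", render_param_row_unescaped(PARAM_NAME)),
        ("escaped row   ", render_param_row(PARAM_NAME)),
        ("unescaped body", render_script_editor_unescaped(SCRIPT_BODY)),
        ("escaped body  ", render_script_editor(SCRIPT_BODY)),
    ):
        print(label, out)
```

The `contains_raw_markup` check is deliberately crude: it flags the case where the exact untrusted string survives into the output, which is what a missing `escape` call produces. It is a cheap unit test to attach to any view that renders a user-supplied name or body, and it would have failed on both vulnerable renderers above.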
