Jenkins Security Advisory 2020-01-29: CVE-2020-2099 Auth Bypass, XXE, and More

Jenkins Security Advisory 2020-01-29 Vulnerabilities Mentioned Inbound TCP Agent Protocol/3 authentication bypass CVE: CVE-2020-2099 Severity: High Jenkins vulnerable to UDP amplification reflection attack CVE: CVE-2020-2100 Severity: Medium Non-constant time comparison of inbound TCP agent connection secret CVE: CVE-2020-2101 Severity: Medium Non-constant time HMAC comparison CVE: CVE-2020-2102 Severity: Medium Diagnostic page exposed session cookies CVE: CVE-2020-2103 Severity: Medium Memory usage graphs accessible to anyone with Overall/Read CVE: CVE-2020-2104 Severity: Medium Jenkins REST APIs vulnerable to clickjacking CVE: CVE-2020-2105 Severity: Low Stored XSS vulnerability in Code Coverage Plugin CVE: CVE-2020-2106 Severity: Medium Fortify Plugin stored credentials in plain text CVE: CVE-2020-2107 Severity: Medium XXE vulnerability in WebSphere Deployer Plugin CVE: CVE-2020-2108 Severity: High Affected Versions Jenkins weekly up to 2.218 Jenkins LTS up to 2.204.1 Code Coverage Plugin up to 1.1.2 Fortify Plugin up to 19.1.29 WebSphere Deployer Plugin up to 1.6.1 Fixes Update Jenkins weekly to version 2.219 Update Jenkins LTS to version 2.204.2 Update Code Coverage Plugin to version 1.1.3 Update Fortify Plugin to version 19.2.30 Note There is no fix yet for WebSphere Deployer Plugin.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory 2020-01-29: CVE-2020-2099 Auth Bypass, XXE, and More