Jenkins Security Advisory 2020-03-25

Vulnerabilities Identified

CSRF Protection Bypass
- CVE: CVE-2020-2160
- Severity: High
- Jenkins has an extension point that allows selectively disabling CSRF protection for specific URLs. Because the request URL path was not normalized consistently before that check, a crafted URL could bypass CSRF protection for its target URL.

Stored XSS in Label Expression Validation
- CVE: CVE-2020-2161
- Severity: Medium
- Node labels are not escaped in the form validation shown for label expressions on job configuration pages, giving users who can define labels a stored XSS.

Stored XSS in File Parameters
- CVE: CVE-2020-2162
- Severity: Medium
- Files uploaded as file parameters are served without the protective headers (Content-Security-Policy) Jenkins sets elsewhere, so a user who can trigger a build with a file parameter can store XSS.

Stored XSS in List View Column Headers
- CVE: CVE-2020-2163
- Severity: Medium
- HTML in list view column headers is not escaped, leading to stored XSS.

Plain Text Password Storage in Artifactory Plugin
- CVEs: CVE-2020-2164, CVE-2020-2165
- Severity: Low
- Artifactory server passwords are stored unencrypted and transmitted in plain text, so anyone with access to the configuration file or to the configuration form's traffic can read them.

RCE Vulnerabilities in Pipeline: AWS Steps and OpenShift Pipeline Plugins
- CVEs: CVE-2020-2166, CVE-2020-2167
- Severity: High
- The plugins do not configure their YAML parser to prevent instantiation of arbitrary types, so a user who can supply YAML input to the affected steps can achieve remote code execution.

RCE Vulnerability in Azure Container Service Plugin
- CVE: CVE-2020-2168
- Severity: High
- The same YAML parser misconfiguration results in RCE.

Reflected XSS in Queue Cleanup Plugin
- CVE: CVE-2020-2169
- Severity: Medium
- A query parameter is echoed unescaped in error messages.

Stored XSS in RapidDeploy Plugin
- CVE: CVE-2020-2170
- Severity: Medium
- Package names are not escaped, resulting in stored XSS.

XXE Vulnerability in RapidDeploy Plugin
- CVE: CVE-2020-2171
- Severity: High
- The plugin's XML parser is not configured to block external entities, allowing XXE attacks against the Jenkins controller.

Affected Versions
- Jenkins weekly up to and including 2.227
- Jenkins LTS up to and including 2.204.5
- The affected plugins up to the versions specified in the full advisory

Fixes
- Update Jenkins to weekly 2.228 or LTS 2.204.6, and update each affected plugin to the fixed version specified in the advisory.
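The YAML parser misconfiguration behind CVE-2020-2166, CVE-2020-2167 and CVE-2020-2168 is the SnakeYAML default constructor honouring global tags such as !!java.net.URL, which lets attacker-controlled input pick the class the parser instantiates. The following is an added example, not code from the affected plugins, showing the weak loading call beside the hardened one. It assumes SnakeYAML 1.33 on the classpath (2.x changed the default to reject global tags) and uses a constructed, deliberately benign tagged document.

```java
// Added example, not code from the Jenkins plugins: unsafe vs safe SnakeYAML loading.
// Assumes SnakeYAML 1.33; in 2.x the default Yaml() already rejects global tags.
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoading {
    // Constructed input: a global tag asking the parser to instantiate a JDK class.
    // A benign class is used here; the attack works with any class whose
    // constructor or setters do something useful for the attacker.
    static final String TAGGED = "target: !!java.net.URL [\"http://example.invalid/\"]\n";

    // Weak: the default Constructor resolves !!fully.qualified.ClassName tags
    // and calls that class's constructor with the YAML sequence as arguments.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened: SafeConstructor only builds standard YAML types (maps, lists,
    // scalars) and throws ConstructorException on any unknown global tag.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadUnsafe(TAGGED);
        // Prints java.net.URL: the input chose the type that was instantiated.
        System.out.println("unsafe: target is " + unsafe.get("target").getClass().getName());
        try {
            loadSafe(TAGGED);
            System.out.println("safe: unexpectedly accepted");
        } catch (ConstructorException e) {
            // Expected: the tag is rejected before any class is instantiated.
            System.out.println("safe: rejected: " + e.getMessage());
        }
    }
}
```

The fix in a plugin is the one-line change from `new Yaml()` to `new Yaml(new SafeConstructor(...))`; if a plugin genuinely needs to map YAML onto its own bean class, construct `new Yaml(new Constructor(ThatBean.class, new LoaderOptions()))` so only that class is instantiated, rather than letting the document name the class.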
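For the RapidDeploy XXE (CVE-2020-2171), the practical question is which parser features must be set on a JAXP DocumentBuilderFactory so that a document carrying an external entity cannot read files from the controller. The following is an added example, not the plugin's code, with a constructed malicious document; the file path in the entity is an assumption chosen so the demo is harmless.

```java
// Added example, not code from the RapidDeploy Plugin: XXE-prone vs hardened JAXP parsing.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XmlLoading {
    // Constructed input: an external entity that points at a local file on the
    // parsing host. /etc/hostname is assumed to exist and be harmless to read.
    static final String XXE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE pkg [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<package><name>&xxe;</name></package>\n";

    // Weak: a default factory resolves the DOCTYPE and expands &xxe; with the file's contents.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Hardened: refuse DOCTYPE outright (the simplest complete defence), and also
    // disable external entities and external DTD loading in case a later change
    // re-enables DOCTYPE for some reason.
    static Document parseSafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document d = parseUnsafe(XXE);
        // Prints the host's name: the "package name" now carries file contents.
        System.out.println("unsafe: name=" + d.getElementsByTagName("name").item(0).getTextContent());
        try {
            parseSafe(XXE);
            System.out.println("safe: unexpectedly accepted");
        } catch (SAXParseException e) {
            // Expected: "DOCTYPE is disallowed when the feature ... is set to true"
            System.out.println("safe: rejected: " + e.getMessage());
        }
    }
}
```

The same feature names apply to SAXParserFactory and XMLInputFactory (via their own property names), so check every parser the plugin creates, not only the one in the code path the advisory names.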