### Jenkins Security Advisory 2020-07-02

#### Key Vulnerability Information

- **Affected Plugins:**
  - Compatibility Action Storage Plugin
  - Fortify on Demand Plugin (multiple issues)
  - GitHub Coverage Reporter Plugin
  - HP ALM Quality Center Plugin
  - ElasticBox Jenkins Kubernetes CI/CD Plugin
  - Slack Upload Plugin
  - Sonargraph Integration Plugin
  - Stash Branch Parameter Plugin
  - TestComplete support Plugin
  - VncRecorder Plugin
  - VncViewer Plugin
  - Whitesource Plugin
  - ZAP Pipeline Plugin
  - Zephyr for JIRA Test Management Plugin

#### Severity Ratings (CVSS)

- **High:** Remote code execution in ElasticBox Jenkins Kubernetes CI/CD Plugin.
- **Medium:** The XSS, CSRF, missing permission check and credentials ID enumeration issues across the other plugins.
- **Low:** Credentials stored in plain text by several plugins.

#### Descriptions and Impacts

- **Stored XSS vulnerability in Sonargraph Integration Plugin**
  - The plugin does not escape a user-supplied file path, resulting in a stored XSS that is exploitable by users with Job/Configure permission.
- **Credentials ID enumeration by users with Overall/Read access in Fortify on Demand Plugin**
  - The plugin lets users with Overall/Read permission enumerate the IDs of credentials stored in Jenkins. The IDs by themselves do not disclose the secrets; they are the building block an attacker needs to capture the credentials through another vulnerability, such as the one below.
- **CSRF vulnerability and missing permission checks in Fortify on Demand Plugin**
  - Form validation methods perform no permission check and do not require POST requests. A user with Overall/Read permission, or a page that user visits, can therefore invoke them, and with an enumerated credentials ID can have the Jenkins controller connect to an attacker-specified URL using credentials stored in Jenkins, capturing them.
- **RCE vulnerability in ElasticBox Jenkins Kubernetes CI/CD Plugin**
  - The plugin configures its YAML parser so that it instantiates arbitrary types named in the document. A user who can supply the YAML the plugin parses can therefore execute arbitrary code on the Jenkins controller.
- **Secret stored in plain text by Slack Upload Plugin**
  - The secret is stored unencrypted in job config.xml files on the controller, where users with Item/Extended Read permission or access to the controller file system can view it.
- **Password stored in plain text by TestComplete support Plugin**
  - Same pattern: the password is stored unencrypted in job config.xml files.
- **Credentials stored in plain text by Whitesource Plugin**
  - Credentials are stored unencrypted in the plugin's global configuration file on the controller, where users with access to the controller file system can view them.
- **Other issues:**
  - XSS vulnerabilities in several of the other listed plugins.
  - CSRF vulnerabilities in Zephyr for JIRA Test Management Plugin.
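The ElasticBox item above describes the misconfiguration class, not the plugin's code. The following is an added example, not code from the plugin or from Jenkins, that shows what "the YAML parser instantiates arbitrary types" means in practice and the hardened form beside it. It assumes SnakeYAML 1.x on the classpath (the advisory summary does not name the library); the tagged input string is constructed for the demonstration and names a harmless JDK class only to make the class instantiation visible.

```java
// Added example (not the ElasticBox plugin's code). Assumes SnakeYAML 1.x.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoaderDemo {

    // Constructed input: a global tag naming an arbitrary JDK class. With the default
    // constructor, SnakeYAML 1.x instantiates whatever class the tag names, so whoever
    // controls the YAML document controls which classes are constructed during parsing.
    static final String TAGGED_INPUT = "!!java.net.URL [\"https://example.invalid/\"]";

    // Vulnerable pattern: new Yaml() uses org.yaml.snakeyaml.constructor.Constructor,
    // which honours !!fully.qualified.ClassName tags found in untrusted input.
    static Object loadUnsafe(String yaml) {
        return new Yaml().load(yaml);
    }

    // Hardened pattern: SafeConstructor builds only the standard YAML types (maps,
    // lists, scalars) and rejects every class-naming tag with a ConstructorException.
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        Object o = loadUnsafe(TAGGED_INPUT);
        System.out.println("default loader built: " + o.getClass().getName()); // java.net.URL

        try {
            loadSafe(TAGGED_INPUT);
            System.out.println("unexpected: safe loader accepted a class tag");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected the tag: " + e.getMessage());
        }

        // Ordinary data still parses with the safe loader (constructed sample document).
        System.out.println("safe loader parsed: " + loadSafe("image: nginx\nreplicas: 3"));
    }
}
```

The check to run against a plugin is the same as in the example: grep for `new Yaml(` and verify that every instance that reads user-controlled input passes a `SafeConstructor` (or otherwise restricts tags) rather than the default constructor.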
#### Affected Versions

- The advisory lists, per issue, the exact plugin versions that are vulnerable. Compare the installed version against the entry for each issue rather than the plugin as a whole, since a plugin with several issues (Fortify on Demand, for example) may have a different affected range for each.

#### Fix

- Updated versions of the affected plugins that include fixes for the vulnerabilities.

#### Credit

- Acknowledgment of the individuals and organizations that reported the vulnerabilities.