Jenkins Security Advisory 2020-08-12

Vulnerabilities Announced
Jenkins: Jenkins Core, Email Extension Plugin, Flaky Test Handler Plugin, Pipeline Maven Integration Plugin, Yet Another Build Visualizer Plugin

Key Vulnerabilities

Stored XSS Vulnerability in Help Icons
CVE: CVE-2020-2229
Severity: High
Affected Versions: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier

Stored XSS Vulnerability in Project Naming Strategy
CVE: CVE-2020-2230
Severity: High
Affected Versions: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier

Stored XSS Vulnerability in 'Trigger Builds Remotely'
CVE: CVE-2020-2231
Severity: High
Affected Versions: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier

SMTP Password Transmission in Plain Text by Email Extension Plugin
CVE: CVE-2020-2232
Severity: Low
Affected Versions: Email Extension Plugin 2.72 and 2.73

Missing Permission Check in Pipeline Maven Integration Plugin
CVE: CVE-2020-2233
Severity: Medium
Affected Versions: Pipeline Maven Integration Plugin 3.8.2 and earlier

CSRF Vulnerability and Missing Permission Check in Pipeline Maven Integration Plugin
CVEs: CVE-2020-2234 (Permission Check), CVE-2020-2235 (CSRF)
Severity: High
Affected Versions: Pipeline Maven Integration Plugin 3.8.2 and earlier

Stored XSS Vulnerability in Yet Another Build Visualizer Plugin
CVE: CVE-2020-2236
Severity: High
Affected Versions: Yet Another Build Visualizer Plugin 1.11 and earlier

CSRF Vulnerability in Flaky Test Handler Plugin
CVE: CVE-2020-2237
Severity: Medium
Affected Versions: Flaky Test Handler Plugin 1.0.4 and earlier
Severity Summary
SECURITY-1763: Medium
SECURITY-1794 (1): Medium
SECURITY-1794 (2): High
SECURITY-1940: High
SECURITY-1955: High
SECURITY-1957: High
SECURITY-1960: High
SECURITY-1975: Low

Affected Versions
Jenkins weekly up to and including 2.251
Jenkins LTS up to and including 2.235.3
Email Extension Plugin up to and including 2.73
Flaky Test Handler Plugin up to and including 1.0.4
Pipeline Maven Integration Plugin up to and including 3.8.2
Yet Another Build Visualizer Plugin up to and including 1.11

Fix
Jenkins weekly should be updated to version 2.252
Jenkins LTS should be updated to version 2.235.4
Email Extension Plugin should be updated to version 2.74
Pipeline Maven Integration Plugin should be updated to version 3.8.3
Yet Another Build Visualizer Plugin should be updated to version 1.12

Credit
Bjoern Kasteleiner for SECURITY-1975
Pierre Beitz, CloudBees, Inc. for SECURITY-1957
Tim Jacomb for SECURITY-1794 (1), SECURITY-1794 (2)
Wadeck Follonier, CloudBees, Inc. for SECURITY-1763, SECURITY-1940, SECURITY-1955, SECURITY-1960
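The Affected Versions and Fix sections above give a highest-affected and first-fixed version per component, which is exactly what an inventory check needs. The script below is an added example, not code from the Jenkins project or this advisory: it compares installed versions numerically (so that 2.9 sorts before 2.235, as a lexical string comparison would not), tells weekly from LTS core releases, and reports the fix version to move to. The thresholds are copied from the advisory; the rule that a three-component core version (2.235.3) is an LTS release and a two-component one (2.251) is a weekly release, the component keys, and the sample inventory are this example's own assumptions. Flaky Test Handler Plugin has no fix version in the advisory, so it is reported as affected with no fix listed.

```python
"""Check Jenkins core and plugin versions against the advisory ranges.

Added example, not Jenkins project code. Version thresholds are taken from
the advisory; the LTS-vs-weekly rule and component keys are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# (highest affected version, first fixed version) per component, from the
# advisory's Affected Versions and Fix sections. Flaky Test Handler Plugin
# lists no fix version, so its fixed version is None.
ADVISORY: Dict[str, Tuple[str, Optional[str]]] = {
    "jenkins-weekly": ("2.251", "2.252"),
    "jenkins-lts": ("2.235.3", "2.235.4"),
    "email-ext": ("2.73", "2.74"),
    "flaky-test-handler": ("1.0.4", None),
    "pipeline-maven": ("3.8.2", "3.8.3"),
    "yet-another-build-visualizer": ("1.11", "1.12"),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.235.3' into (2, 235, 3) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def jenkins_line(version: str) -> str:
    """Assumption: LTS core releases have three components, weekly ones two."""
    return "jenkins-lts" if len(parse_version(version)) == 3 else "jenkins-weekly"


def is_affected(component: str, installed: str) -> bool:
    """True when the installed version is at or below the advisory's ceiling."""
    last_affected, _ = ADVISORY[component]
    return parse_version(installed) <= parse_version(last_affected)


def remediation(component: str, installed: str) -> Optional[str]:
    """Fix version to update to; None when not affected or no fix is listed."""
    if not is_affected(component, installed):
        return None
    return ADVISORY[component][1]


def check_instance(jenkins_version: str, plugins: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Report every affected component of one instance.

    `plugins` maps advisory component keys to installed plugin versions.
    Returns (component, installed version, fix version or None) tuples.
    """
    findings = []
    core = jenkins_line(jenkins_version)
    if is_affected(core, jenkins_version):
        findings.append((core, jenkins_version, remediation(core, jenkins_version)))
    for name, ver in plugins.items():
        if is_affected(name, ver):
            findings.append((name, ver, remediation(name, ver)))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not a real instance.
    inventory = {"email-ext": "2.72", "pipeline-maven": "3.8.3", "flaky-test-handler": "1.0.4"}
    for component, installed, fix in check_instance("2.235.3", inventory):
        action = f"update to {fix}" if fix else "no fix version listed in advisory"
        print(f"{component} {installed}: affected; {action}")
```

Run it against the version strings from the Jenkins "About" page and the plugin manager; a component absent from the advisory raises a KeyError rather than silently passing, which is the safer failure for an inventory check.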