Key vulnerability information

1. Sandbox Bypass Vulnerability in Script Security Plugin
   CVE: CVE-2023-24422
   Severity: High
   Affected plugin: script-security
   Description: Allows attackers who are permitted to define and run sandboxed scripts (including Pipelines) to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

2. CSRF Vulnerability in Gerrit Trigger Plugin
   CVE: CVE-2023-24423
   Severity: Medium
   Affected plugin: gerrit-trigger
   Description: A cross-site request forgery vulnerability allows attackers to rebuild previous builds triggered by Gerrit.

3. Session Fixation Vulnerability in OpenID Connect Authentication Plugin
   CVE: CVE-2023-24424
   Severity: High
   Affected plugin: oic-auth
   Description: The plugin does not invalidate the existing session on login, allowing attackers to gain administrator access to Jenkins.

4. Exposure of System-scoped Kubernetes Credentials in Kubernetes Credentials Provider Plugin
   CVE: CVE-2023-24425
   Severity: Medium
   Affected plugin: kubernetes-credentials-provider
   Description: The plugin does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

5. Session Fixation Vulnerability in Microsoft Entra ID (previously Azure AD) Plugin
   CVE: CVE-2023-24426
   Severity: High
   Affected plugin: azure-ad
   Description: The plugin does not invalidate the existing session on login, allowing attackers to gain administrator access to Jenkins.

Summary
This advisory covers multiple vulnerabilities in Jenkins plugins; the entries listed here are rated medium or high. Updating each affected plugin to the fixed version named in the advisory mitigates the sandbox bypass, CSRF, session fixation, and unauthorized credential access risks described above. Because the two session fixation issues and the sandbox bypass can lead to administrator or controller-level compromise, prioritize those updates and review existing sessions and sandboxed scripts after patching.
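The first thing an administrator wants after reading a list like this is to know whether any of the named plugins are installed on their controller and at what version. The following Python script is an added example, not code from the advisory or from the Jenkins project; it reads the JSON that Jenkins returns from GET /pluginManager/api/json?depth=1 (a standard endpoint whose "shortName" and "version" fields are assumed here), flags installed plugins whose IDs appear in the advisory, and, where the caller supplies the fixed version for a plugin, reports whether the installed version is older. The plugin list embedded in the block is a constructed sample, the fixed-version map in main() holds placeholder values that must be replaced with the versions stated in the advisory, and the version comparison is a deliberate simplification of Jenkins' own VersionNumber ordering (only the leading numeric components are compared).

```python
import json
from typing import Dict, List, Optional, Tuple

# Plugin IDs and CVEs from the advisory entries above.
ADVISORY_PLUGINS: Dict[str, str] = {
    "script-security": "CVE-2023-24422",
    "gerrit-trigger": "CVE-2023-24423",
    "oic-auth": "CVE-2023-24424",
    "kubernetes-credentials-provider": "CVE-2023-24425",
    "azure-ad": "CVE-2023-24426",
}

# Constructed sample in the shape of GET /pluginManager/api/json?depth=1.
# Versions are illustrative, not taken from any real controller.
SAMPLE_PLUGIN_JSON = json.dumps({
    "plugins": [
        {"shortName": "script-security", "version": "1228.vd93135a_2fb_25", "active": True},
        {"shortName": "gerrit-trigger", "version": "2.38.0", "active": True},
        {"shortName": "git", "version": "5.0.0", "active": True},
        {"shortName": "azure-ad", "version": "303.va_91ef20ee49f", "active": False},
    ]
})


def version_key(version: str) -> Tuple[int, ...]:
    """Ordering key for Jenkins plugin version strings (simplified).

    Only the leading dot-separated integer components are compared, so
    "1228.vd93135a_2fb_25" -> (1228,) and "2.38.0" -> (2, 38). Trailing
    zeros are dropped so that "2.38" and "2.38.0" compare equal. This is
    enough for "installed release number is older than fixed release
    number" checks; it does not reproduce every rule of Jenkins' VersionNumber.
    """
    parts: List[int] = []
    for piece in version.split("."):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break  # stop at the "vXXXX" commit-hash style suffix
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def find_affected(plugin_json: str,
                  fixed_versions: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return installed plugins whose ID appears in the advisory list.

    Each finding carries the CVE, the installed version, whether the plugin
    is active, and, when a fixed version is supplied for it, a "vulnerable"
    flag meaning installed < fixed. Disabled plugins are still reported:
    the vulnerable code is still on disk and may be re-enabled.
    """
    data = json.loads(plugin_json)
    findings: List[dict] = []
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        if name not in ADVISORY_PLUGINS:
            continue
        installed = plugin.get("version", "")
        entry = {
            "plugin": name,
            "cve": ADVISORY_PLUGINS[name],
            "installed": installed,
            "active": bool(plugin.get("active", False)),
            "fixed": None,
            "vulnerable": None,  # unknown until a fixed version is supplied
        }
        if fixed_versions and name in fixed_versions:
            entry["fixed"] = fixed_versions[name]
            entry["vulnerable"] = version_key(installed) < version_key(fixed_versions[name])
        findings.append(entry)
    return findings


def main() -> None:
    # PLACEHOLDER fixed versions: replace with the values from the advisory.
    fixed = {"script-security": "1229", "gerrit-trigger": "2.38.1"}
    for f in find_affected(SAMPLE_PLUGIN_JSON, fixed):
        status = {True: "VULNERABLE", False: "patched", None: "check advisory"}[f["vulnerable"]]
        print(f'{f["plugin"]:32} {f["installed"]:24} {f["cve"]}  {status}'
              f'{"" if f["active"] else "  (disabled)"}')


if __name__ == "__main__":
    main()
```

On a live controller, fetch the input with an API token, for example `curl -s -u user:token "$JENKINS_URL/pluginManager/api/json?depth=1"`, and pass the response body to find_affected. Treat a "check advisory" result as action required, not as a pass: it only means no fixed version was supplied for that plugin.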