### Key Information Summary

#### Vulnerability Details

- **Script Security Plugin Vulnerability**
  - **CVE**: SECURITY-1658 / CVE-2019-16538
  - **Severity**: High
  - **Description**: Bypasses sandbox protection via default parameter expressions, allowing arbitrary code execution in the Jenkins controller context.
- **Support Core Plugin Vulnerability**
  - **CVE**: SECURITY-1634 / CVE-2019-16539 (permission check), CVE-2019-16540 (path traversal)
  - **Severity**: High
  - **Description**: Unvalidated path for deleting support bundles leads to arbitrary file deletion; missing permission checks allow users with Overall/Read permission to delete support bundles and related files.
- **Jira Plugin Vulnerability**
  - **CVE**: SECURITY-1106 / CVE-2019-16541
  - **Severity**: Medium
  - **Description**: Jira Plugin allows folder-based Jira site access to system-wide credentials, even if the user does not have permission to use them.
- **Anchore Container Image Scanner Plugin Vulnerability**
  - **CVE**: SECURITY-1539 / CVE-2019-16542
  - **Severity**: Medium
  - **Description**: Stores the Anchore.io service password in plain text.
- **Spira Importer Plugin Vulnerability**
  - **CVE**: SECURITY-1554 / CVE-2019-16543
  - **Severity**: Low
  - **Description**: Stores credentials in plain text.
- **Google Compute Engine Plugin Vulnerability**
  - **CVE**: SECURITY-1584 / CVE-2019-16546
  - **Severity**: Medium
  - **Description**: Fails to validate SSH host keys.
  - **CVE**: SECURITY-1585 / CVE-2019-16547
  - **Severity**: Medium
  - **Description**: Leaks environment information to users with Overall/Read permission.
- **CSRF Vulnerability**
  - **CVE**: SECURITY-1586 / CVE-2019-16548
  - **Severity**: Medium
  - **Description**: Allows attackers to preconfigure proxies.
- **QMetric for JIRA Test Management Plugin Vulnerability**
  - **CVE**: SECURITY-727 (1) / CVE-2019-16544, SECURITY-727 (2) / CVE-2019-16545
  - **Severity**: Medium, Low
  - **Description**: Stored credentials displayed in plain text and passwords transmitted in plain text via configuration forms.

#### Vulnerability Severity

- High: SECURITY-1634, SECURITY-1658
- Medium: SECURITY-727 (1), SECURITY-1106, SECURITY-1539, SECURITY-1584, SECURITY-1585, SECURITY-1586
- Low: SECURITY-727 (2), SECURITY-1554

#### Affected Versions

- **Anchore Container Image Scanner Plugin**: Versions 1.0.19 and earlier
- **Google Compute Engine Plugin**: Versions 4.1.1 and earlier
- **Jira Plugin**: Versions 3.0.10 and earlier
- etc.

#### Remediation

- Upgrade to the latest available versions to address the vulnerabilities listed above.

#### Reporters

- Vulnerabilities discovered and reported by Daniel Beck and others.
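The Support Core Plugin entry (SECURITY-1634) combines two defects that a delete endpoint must guard against: an unvalidated file name that lets a caller reach outside the bundle directory, and a missing permission check. The following is an added example, written for this summary and not the plugin's own code, showing how a delete handler can close both gaps using only the JDK. The class name `SafeBundleDelete`, the temporary bundle directory, the file names and the `BooleanSupplier` used to stand in for Jenkins' permission check are all assumptions made for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.function.BooleanSupplier;

/**
 * Added example (not the Support Core Plugin's code): deletes a support bundle
 * only after a permission check and only if the resolved path really lies
 * inside the designated bundle directory. The directory and names are
 * assumptions for this demo.
 */
public final class SafeBundleDelete {

    private final Path bundleDir;

    public SafeBundleDelete(Path bundleDir) throws IOException {
        // Canonicalise once: symlinks and ".." segments are resolved, so every
        // later startsWith() comparison is against the real directory.
        this.bundleDir = bundleDir.toRealPath();
    }

    /** Returns the canonical path of a bundle inside bundleDir, or throws. */
    public Path resolveInside(String requestedName) throws IOException {
        if (requestedName == null || requestedName.isEmpty()) {
            throw new IllegalArgumentException("empty bundle name");
        }
        // A bundle is addressed by a bare file name. Any separator or absolute
        // path means the caller is pointing at something other than a direct child.
        Path name = Paths.get(requestedName);
        if (name.isAbsolute() || name.getNameCount() != 1) {
            throw new IllegalArgumentException("not a plain file name: " + requestedName);
        }
        // toRealPath() follows symlinks and fails for missing files, so a link
        // inside bundleDir that points elsewhere resolves to its target and is
        // rejected by the containment check below.
        Path real = bundleDir.resolve(name).toRealPath();
        if (!real.startsWith(bundleDir)) {
            throw new SecurityException("path escapes bundle directory: " + requestedName);
        }
        return real;
    }

    /** Permission is checked before any filesystem work, then the path is validated. */
    public boolean delete(String requestedName, BooleanSupplier hasDeletePermission) throws IOException {
        if (!hasDeletePermission.getAsBoolean()) {
            throw new SecurityException("caller lacks permission to delete support bundles");
        }
        Path target = resolveInside(requestedName);
        return Files.deleteIfExists(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a bundle directory and an unrelated file next to it.
        Path dir = Files.createTempDirectory("bundles");
        Path outside = Files.createTempFile("outside", ".txt");
        Files.createFile(dir.resolve("support_bundle.zip"));
        SafeBundleDelete handler = new SafeBundleDelete(dir);

        System.out.println("in-directory delete: " + handler.delete("support_bundle.zip", () -> true));

        // A traversal-style name is refused before anything is touched.
        String traversal = "../" + outside.getFileName();
        try {
            handler.delete(traversal, () -> true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("outside file still present: " + Files.exists(outside));

        // A caller without the required permission is refused as well.
        try {
            handler.delete("support_bundle.zip", () -> false);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        Files.deleteIfExists(outside);
        Files.deleteIfExists(dir);
    }
}
```

Two design points matter here. The permission check runs before path resolution so that an unauthorised caller learns nothing about which files exist, and containment is decided on the canonical path returned by `toRealPath()` rather than on the string the caller supplied, which is what defeats both `..` segments and symlinks planted inside the directory.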