Key information

Vulnerability descriptions

Stored XSS vulnerability (SECURITY-3188 / CVE-2023-39151)
- Severity: High
- Description: Jenkins applies formatting to the console output of build logs, so that when an administrator controls the contents of a build log, an attacker may be able to exploit a stored cross-site scripting (XSS) vulnerability.

Incorrect control flow in Gradle Plugin breaks credentials masking in the build log (SECURITY-3208 / CVE-2023-39152)
- Severity: Medium
- Description: Gradle Plugin 2.8 and earlier, when setting up build log annotations, incorrectly calls an API that is only available on the controller, so credentials may not be masked.

CSRF vulnerability in GitLab Authentication Plugin (SECURITY-2696 / CVE-2023-39153)
- Severity: Medium
- Description: GitLab Authentication Plugin 1.17.1 and earlier does not implement the state parameter in its OAuth flow, so an attacker can trick a user into logging in to the attacker's account.

CSRF vulnerability and missing permission check in ServiceNow DevOps Plugin allow capturing credentials (SECURITY-3129 / CVE-2023-3414 (CSRF), CVE-2023-3442 (missing permission check))
- Severity: Medium
- Description: The form validation method in ServiceNow DevOps Plugin 1.38.0 and earlier does not perform a permission check, and an attacker can capture credentials through another method.

Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials (SECURITY-3012 / CVE-2023-39154)
- Severity: Medium
- Description: Multiple HTTP endpoints in Qualys Web App Scanning Connector Plugin 2.0.10 and earlier do not correctly perform permission checks, allowing an attacker to capture credentials.

Secret displayed without masking by Chef Identity Plugin (SECURITY-3192 / CVE-2023-39155)
- Severity: Low
- Description: Chef Identity Plugin stores users' .pem keys in its global configuration file; versions 2.0.3 and earlier do not mask the user .pem key form field.

CSRF vulnerability in Bazaar Plugin (SECURITY-3095 / CVE-2023-39156)
- Severity: Medium
- Description: Bazaar Plugin 1.22 and earlier does not require POST requests for an HTTP endpoint, allowing an attacker to delete previously created Bazaar SCM tags.

Affected versions
- Jenkins weekly: up to and including 2.415
- Jenkins LTS: up to and including 2.401.2
- Bazaar Plugin: up to and including 1.22
- Chef Identity Plugin: up to and including 2.0.3
- GitLab Authentication Plugin: up to and including 1.17.1
- Gradle Plugin: up to and including 2.8
- Qualys Web App Scanning Connector Plugin: up to and including 2.0.10
- ServiceNow DevOps Plugin: up to and including 1.38.0

Fix recommendations
- Jenkins weekly: update to version 2.416
- Jenkins LTS: update to version 2.401.3 or 2.414.1
- GitLab Authentication Plugin: update to version 1.18
- Gradle Plugin: update to version 2.8.1
- Qualys Web App Scanning Connector Plugin: update to version 2.0.11
- ServiceNow DevOps Plugin: update to version 1.38.1
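The GitLab Authentication Plugin entry above (SECURITY-2696) is a login CSRF caused by a missing OAuth state parameter. The following is an added illustration, not the plugin's code, of a minimal OAuth client that binds a fresh state value to the browser session and rejects any callback whose state does not match; the authorization URL, client id and session dictionary are assumptions for the example.

```python
import hmac
import secrets
from typing import Optional

# Assumed authorization endpoint and client id (placeholders, not from the advisory).
AUTHORIZE_URL = "https://gitlab.example/oauth/authorize"
CLIENT_ID = "jenkins-example"


def begin_login(session: dict) -> str:
    """Start the OAuth flow: mint an unguessable state, bind it to this
    browser session, and return the redirect URL carrying that state."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return f"{AUTHORIZE_URL}?client_id={CLIENT_ID}&response_type=code&state={state}"


def finish_login_unchecked(session: dict, code: str) -> Optional[str]:
    """Vulnerable shape (state parameter not implemented): any callback
    carrying a code is accepted, so a code minted for the attacker's own
    account can be handed to the victim's browser and completes a login
    as the attacker."""
    return code


def finish_login(session: dict, callback_state: Optional[str], code: str) -> Optional[str]:
    """Hardened callback handler: the authorization code is returned for
    exchange only if the provider echoed the state bound to this session.
    The stored state is consumed on first use so a callback cannot be replayed."""
    expected = session.pop("oauth_state", None)
    if expected is None or callback_state is None:
        return None  # no pending login in this session, or no state echoed back
    if not hmac.compare_digest(expected, callback_state):
        return None  # state belongs to a different (possibly attacker-started) flow
    return code


if __name__ == "__main__":
    victim = {}
    begin_login(victim)
    # A callback crafted by someone else carries a state the victim never issued.
    print(finish_login(victim, "foreign-state", "foreign-code"))  # None
```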