### Critical Vulnerability Summary

#### Vulnerability Details

- **CSRF Protection Bypass (SECURITY-1774 / CVE-2020-2160)**
  - **Severity**: High
  - **Description**: An extension point in Jenkins allows CSRF protection to be selectively disabled for specific URLs. In Jenkins 2.227 and earlier, the URL path representation passed to implementations of this extension point differs from the one used by the Stapler web framework, which lets attackers bypass CSRF protection for any target URL.
- **Stored XSS in Label Expression Validation (SECURITY-1781 / CVE-2020-2161)**
  - **Severity**: Medium
  - **Description**: In Jenkins 2.227 and earlier, label expression validation in job configuration forms does not properly escape label names. This results in a stored XSS vulnerability exploitable by users with Agent/Configure permission when defining node labels.
- **Stored XSS in File Parameters (SECURITY-1793 / CVE-2020-2162)**
  - **Severity**: Medium
  - **Description**: In Jenkins 2.227 and earlier, files uploaded as build file parameters are served without appropriate Content-Security-Policy HTTP headers. This results in a stored XSS vulnerability exploitable by users with permission to build jobs that define file parameters.
#### Other Significant Vulnerabilities

- **Artifactory Plugin Stores Passwords in Plaintext (SECURITY-1542 (1) / CVE-2020-2164)**
  - **Severity**: Low
- **Artifactory Plugin Transmits Passwords in Plaintext (SECURITY-1542 (2) / CVE-2020-2165)**
  - **Severity**: Low
- **RCE Vulnerability in Pipeline: AWS Steps Plugin (SECURITY-1741 / CVE-2020-2166)**
  - **Severity**: High
- **RCE Vulnerability in OpenShift Pipeline Plugin (SECURITY-1739 / CVE-2020-2167)**
  - **Severity**: High
- **RCE Vulnerability in Azure Container Service Plugin (SECURITY-1732 / CVE-2020-2168)**
  - **Severity**: High

#### Affected Versions

- Jenkins weekly: up to and including 2.227
- Jenkins LTS: up to and including 2.204.5
- Artifactory Plugin: up to and including 3.6.0
- Azure Container Service Plugin: up to and including 1.0.1
- OpenShift Pipeline Plugin: up to and including 1.0.56
- Pipeline: AWS Steps Plugin: up to and including 1.40
- Queue cleanup Plugin: up to and including 1.3
- RapidDeploy Plugin: up to and including 4.2

#### Remediation Recommendations

Upgrade to the following versions to address the vulnerabilities:

- Jenkins weekly: 2.228
- Jenkins LTS: 2.204.6 or 2.222.1
- Artifactory Plugin: 3.6.1
- Azure Container Service Plugin: 1.0.2
- OpenShift Pipeline Plugin: 1.0.57
- Pipeline: AWS Steps Plugin: 1.41
- Queue cleanup Plugin: 1.4
- RapidDeploy Plugin: 4.2.1
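As an added example (not part of the advisory or of Jenkins itself), the following Python check compares an installed Jenkins core and plugin inventory against the fixed versions listed above. It assumes the inventory uses the plugin display names from this summary as keys, and that a three-component core version denotes an LTS release while a two-component one denotes a weekly release.

```python
# Added example: flag Jenkins core/plugin versions below the advisory's fixes.
from typing import Dict, List, Tuple

# Minimum fixed versions taken from the advisory's remediation table.
FIXED_PLUGINS: Dict[str, str] = {
    "Artifactory Plugin": "3.6.1",
    "Azure Container Service Plugin": "1.0.2",
    "OpenShift Pipeline Plugin": "1.0.57",
    "Pipeline: AWS Steps Plugin": "1.41",
    "Queue cleanup Plugin": "1.4",
    "RapidDeploy Plugin": "4.2.1",
}
FIXED_CORE_WEEKLY = "2.228"
FIXED_CORE_LTS = "2.204.6"  # 2.222.1 is also fixed and sorts above this


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted Jenkins version string into a comparable tuple of ints."""
    return tuple(int(part) for part in v.strip().split("."))


def core_is_affected(version: str) -> bool:
    """LTS releases have three components (2.204.5); weekly have two (2.227)."""
    parsed = parse_version(version)
    fixed = FIXED_CORE_LTS if len(parsed) == 3 else FIXED_CORE_WEEKLY
    return parsed < parse_version(fixed)


def affected_components(core_version: str, plugins: Dict[str, str]) -> List[str]:
    """Return descriptions of installed components still on a vulnerable version."""
    found = []
    if core_is_affected(core_version):
        found.append(f"Jenkins core {core_version}")
    for name, installed in plugins.items():
        fixed = FIXED_PLUGINS.get(name)  # plugins not in the advisory are skipped
        if fixed and parse_version(installed) < parse_version(fixed):
            found.append(f"{name} {installed} (fixed in {fixed})")
    return found


# Constructed sample inventory (hypothetical values, not from a real instance).
SAMPLE_PLUGINS = {
    "Artifactory Plugin": "3.6.0",
    "Pipeline: AWS Steps Plugin": "1.41",
    "RapidDeploy Plugin": "4.2",
    "Unrelated Plugin": "1.0",
}

if __name__ == "__main__":
    for item in affected_components("2.204.5", SAMPLE_PLUGINS):
        print("AFFECTED:", item)
```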