Jenkins Security Advisory 2019-12-17

Key Vulnerability Information

Vulnerability IDs: Multiple, including SECURITY-1681, SECURITY-1527, SECURITY-1651, etc.

Affected Plugins:
- Maven Release Plugin
- Gerrit Trigger Plugin
- Build Failure Analyzer Plugin
- Pipeline Aggregator View Plugin
- Rundeck Plugin
- Redgate SQL Change Automation Plugin
- Spira Importer Plugin
- WebSphere Deployer Plugin
- Weibo Plugin
- SCTM Executor Plugin
- Team Concert Plugin

Severity
- High: SECURITY-1681, SECURITY-1605
- Medium: SECURITY-1527, SECURITY-1651, etc.
- Low: SECURITY-1581, SECURITY-1592

Vulnerability Types
- XXE: Maven Release Plugin
- CSRF: Multiple plugins
- XSS: Pipeline Aggregator View Plugin, Mission Control Plugin
- Stored Credentials in Plain Text: Rundeck Plugin, Redgate SQL Change Automation Plugin, Weibo Plugin, Spira Importer Plugin
- SSL/TLS Validation Issues: Spira Importer Plugin, WebSphere Deployer Plugin

Affected Versions
Each plugin has its own range of affected versions; see the Affected Versions section of the advisory.

Fixes
- Build Failure Analyzer Plugin: 1.24.2
- Gerrit Trigger Plugin: 2.30.2
- Maven Release Plugin: 0.16.2
- Pipeline Aggregator View Plugin: 1.9
- Redgate SQL Change Automation Plugin: 2.0.4
- Rundeck Plugin: 3.6.6
- Spira Importer Plugin: 3.2.4

Credits
Multiple individuals and teams are credited for discovering and reporting these vulnerabilities.