Jenkins Security Advisory 2020-11-04

Key Information on Vulnerabilities

- SECURITY-2117 / CVE-2020-2299 - Severity: Critical - Description: Login allowed with hardcoded password in Active Directory Plugin.
- SECURITY-2099 / CVE-2020-2300 - Severity: High - Description: Login allowed with empty password in Active Directory Plugin.
- SECURITY-2123 / CVE-2020-2301 - Severity: High - Description: Authentication cache in Active Directory Plugin allows logging in with any password.
- SECURITY-1999 / CVE-2020-2302 - Severity: Medium - Description: Missing permission check in Active Directory Plugin allows accessing the domain health check page.
- SECURITY-2126 / CVE-2020-2303 - Severity: Medium - Description: CSRF vulnerability in Active Directory Plugin.
- SECURITY-2145 / CVE-2020-2304 - Severity: High - Description: XXE vulnerability in Subversion Plugin.
- SECURITY-2115 / CVE-2020-2305 - Severity: High - Description: XXE vulnerability in Mercurial Plugin.
- SECURITY-2104 / CVE-2020-2306 - Severity: Medium - Description: Missing permission check in Mercurial Plugin.
- SECURITY-2168 / CVE-2020-2701 - Severity: Medium - Description: Environment variables accessible in Kubernetes Plugin.
- SECURITY-2102 / CVE-2020-2308 - Severity: Medium - Description: Missing permission check in Kubernetes Plugin allows listing pod templates.
- SECURITY-2103 / CVE-2020-2309 - Severity: Medium - Description: Missing permission check in Kubernetes Plugin allows enumerating credentials IDs.
- SECURITY-1943 / CVE-2020-2310 - Severity: Medium - Description: Missing permission checks in Ansible Plugin allow enumerating credentials IDs.
- SECURITY-2101 / CVE-2020-2311 - Severity: Medium - Description: Missing permission check in AWS Global Configuration Plugin allows replacing the plugin configuration.
- SECURITY-2129 / CVE-2020-2312 - Severity: Medium - Description: Password written to the build log by SQLPlus Script Runner Plugin.
- SECURITY-2110 / CVE-2020-2313 - Severity: Medium - Description: Missing permission checks in Azure Key Vault Plugin allow enumerating credentials IDs.
- SECURITY-2058 / CVE-2020-2314 - Severity: Low - Description: Password stored in plain text by AppSpider Plugin.
- SECURITY-1900 / CVE-2020-2315 - Severity: High - Description: XXE vulnerability in Visualworks Store Plugin.
- SECURITY-1907 / CVE-2020-2316 - Severity: High - Description: Stored XSS vulnerability in Static Analysis Utilities Plugin.
- SECURITY-1918 / CVE-2020-2317 - Severity: High - Description: Stored XSS vulnerability in FindBugs Plugin.
- SECURITY-2085 / CVE-2020-2318 - Severity: Medium - Description: Passwords stored in plain text by Mail Commander Plugin for Jenkins-ci Plugin.
- SECURITY-2084 / CVE-2020-2319 - Severity: Low - Description: Password stored in plain text by VMware Lab Manager Slaves Plugin.

Fix Information

- Active Directory Plugin: Update to version 2.20 or later.
- Ansible Plugin: Update to version 1.1 or later.
- AppSpider Plugin: Update to version 1.0.13 or later.
- AWS Global Configuration Plugin: Update to version 1.6 or later.
- Azure Key Vault Plugin: Update to version 2.1 or later.
- Kubernetes Plugin: Update to version 1.27.4 or later.
- Mercurial Plugin: Update to version 2.12 or later.
- SQLPlus Script Runner Plugin: Update to version 2.0.13 or later.
- Subversion Plugin: Update to version 2.13.2 or later.
- Visualworks Store Plugin: Update to version 1.1.4 or later.

Affected Plugins

- Active Directory Plugin
- Ansible Plugin
- AppSpider Plugin
- AWS Global Configuration Plugin
- Azure Key Vault Plugin
- FindBugs Plugin
- Kubernetes Plugin
- Mercurial Plugin
- SQLPlus Script Runner Plugin
- Subversion Plugin
- Visualworks Store Plugin

Fix

Update to the specified versions for each affected plugin.