Jenkins Security Advisory 2022-03-29

Vulnerabilities

Bitbucket Server Integration Plugin
- CVE-2022-28133: Stored XSS vulnerability (High severity)
- CVE-2022-28134: Missing permission checks (Medium severity)

Instant-messaging Plugin
- CVE-2022-28135: Passwords stored in plain text (Low severity)

JiraTestResultReporter Plugin
- CVE-2022-28136: CSRF vulnerability and missing permission check (Medium severity)

RocketChat Notifier Plugin
- CVE-2022-28138: CSRF vulnerability and missing permission check (Medium severity)

Flaky Test Handler Plugin
- CVE-2022-28140: XXE vulnerability (High severity)

Proxmox Plugin
- CVE-2022-28141: Password stored in plain text (Low severity)
- CVE-2022-28142: SSL/TLS certificate validation globally disabled (Medium severity)
- CVE-2022-28143: CSRF vulnerability and missing permission checks (Medium severity)
- CVE-2022-28145: XSS vulnerability (High severity)
- CVE-2022-28146: Path traversal vulnerability and missing permission checks (Medium severity)
- CVE-2022-28147: Partial list vulnerability (Medium severity)

Severity

High: SECURITY-1892, SECURITY-1896, SECURITY-1897, SECURITY-1899, SECURITY-1932, SECURITY-2241, SECURITY-2262
Medium: SECURITY-2636, SECURITY-2285, SECURITY-2383, SECURITY-2654, SECURITY-2683, SECURITY-2685
Low: SECURITY-2079, SECURITY-2161

Affected Versions

- Bitbucket Server Integration Plugin: up to and including 3.1.0
- Continuous Integration with Toad Edge Plugin: up to and including 2.3
- Coverage/Complexity Scatter Plot Plugin: up to and including 1.1.1
- Flaky Test Handler Plugin: up to and including 1.2.1
- Instant-messaging Plugin: up to and including 1.41
- JiraTestResultReporter Plugin: up to and including 165.v817928553942
- Job and Node ownership Plugin: up to and including 0.13.0
- Pipeline: Phoenix AutoTest Plugin: up to and including 1.3
- Proxmox Plugin: up to and including 0.5.0, 0.6.0, 0.7.0
- RocketChat Notifier Plugin: up to and including 1.4.10
- SiteMonitor Plugin: up to and including 0.6
- Tests Selector Plugin: up to and including 1.3.3

Fix

Update the affected plugins to the specified versions:

- Bitbucket Server Integration Plugin: 3.2.0
- Continuous Integration with Toad Edge Plugin: 2.4
- Flaky Test Handler Plugin: 1.2.2
- Instant-messaging Plugin: 1.4.2
- JiraTestResultReporter Plugin: 166.v0cc6208295b5
- Proxmox Plugin: 0.6.0, 0.7.0, 0.7.1
- RocketChat Notifier Plugin: 1.5.0

Note: For Coverage/Complexity Scatter Plot Plugin, Job and Node ownership Plugin, Pipeline: Phoenix AutoTest Plugin, SiteMonitor Plugin, and Tests Selector Plugin, no fixes are available as of the advisory publication.