Jenkins Security Advisory 2023-05-16

Description

This advisory reports a series of vulnerabilities in the following Jenkins plugins:

- Stored XSS Vulnerability in Pipeline: Job Plugin - Severity: High
- CSRF Vulnerability in LDAP Plugin - Severity: Medium
- Missing Permission Check in Email Extension Plugin - Severity: Medium
- Arbitrary File Write Vulnerability in Pipeline Utility Steps Plugin - Severity: Medium
- Secrets Stored and Displayed in Plain Text by Ansible Plugin - Severity: Medium
- Stored XSS Vulnerability in TestNG Results Plugin - Severity: High
- Path Traversal Vulnerability in Sidebar Link Plugin - Severity: Medium
- Arbitrary File Write Vulnerability in File Parameter Plugin - Severity: High
- CSRF Vulnerability in Reverse Proxy Auth Plugin - Severity: Medium
- Missing Permission Check in Azure VM Agents Plugin - Severity: Medium
- CSRF Vulnerability and Missing Permission Checks in Azure VM Agents Plugin - Severity: Medium
- CSRF Vulnerability and Missing Permission Checks in SAML Single Sign On (SSO) Plugin - Severity: High
- Missing Hostname Validation in SAML Single Sign On (SSO) Plugin - Severity: Medium
- SSL/TLS Certificate Validation Unconditionally Disabled by SAML Single Sign On (SSO) Plugin - Severity: Medium
- Missing Hostname Validation in SAML Single Sign On (SSO) Plugin - Severity: Medium
- Session Fixation Vulnerability in CAS Plugin - Severity: High
- CSRF Vulnerability and Missing Permission Checks in Code Dx Plugin - Severity: Medium
- Missing Permission Checks in Code Dx Plugin - Severity: Medium
- API Keys Stored and Displayed in Plain Text by Code Dx Plugin - Severity: Medium
- CSRF Vulnerability and Missing Permission Check in AppSpider Plugin - Severity: Medium
- Credentials Displayed Without Masking by NS-ND Integration Performance Publisher Plugin - Severity: Low
- Improper Masking of Credentials in HashiCorp Vault Plugin - Severity: Medium

Remediation

Update all affected plugins to their latest versions. Except for the specific plugins noted, all affected versions have patches available.