Critical Vulnerability Information

Vulnerability Overview

Announcement Date: 2018-09-25

Affected Plugins:
- Arachni Scanner Plugin
- Argus Notifier Plugin
- Artifactory Plugin
- Chatter Notifier Plugin
- Config File Provider Plugin
- Crowd2 Plugin
- Dimensions Plugin
- Email Extension Template Plugin
- Git Changelog Plugin
- HipChat Plugin
- Jira Plugin
- Job Configuration History Plugin
- JUnit Plugin
- Jenkins Plugin
- Monitoring Plugin
- MQ Notifier Plugin
- PAM Plugin

Specific Vulnerability Descriptions

CSRF Vulnerabilities

JUnit Plugin
- CVE: 2018-1000411
- Severity: Low
- Description: The URL used to set the description of test objects does not require a POST request, leading to a CSRF vulnerability.

Jira Plugin
- CVE: 2018-1000412
- Severity: Medium
- Description: Lack of permission checks allows users to capture credentials stored in Jenkins.

XSS Vulnerabilities

Config File Provider Plugin
- CVE: 2018-1000413
- Severity: Medium
- Description: Metadata of configuration files is not escaped, leading to a stored XSS vulnerability.

Config File Provider Plugin
- CVE: 2018-1000419
- Severity: Medium
- Description: Metadata of configuration files is not escaped, leading to a stored XSS vulnerability.

Remediation Recommendations
- Upgrade affected plugins to the latest versions.
- Review and update plugin configurations to ensure compliance with best security practices.

Affected and Fixed Versions
- Affected Versions: See the "Affected Versions" section in the announcement.
- Fixed Versions: See the "Fix" section in the announcement.

Reporters and Contributors
- Reporters: Daniel Beck, Oleg Nenashev, etc.
- Contributors: Jenkins Security Team and relevant plugin maintainers.
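The three defect classes above (a state-changing URL reachable by GET, a missing permission check, and unescaped user-supplied metadata rendered in a view) share the same defensive pattern in Jenkins plugin code. The following is an added illustration, not code from any of the listed plugins; the class, method and field names (TestResultDescriptionAction, doSetDescription, description) are assumed for the example, while the Stapler and Jenkins APIs it calls are real.

```java
// Hypothetical Jenkins plugin action (constructed for illustration) showing the
// hardened form of a "set description" endpoint of the kind the advisory describes.
import hudson.Util;
import hudson.model.Action;
import hudson.model.Item;
import hudson.model.Run;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

public class TestResultDescriptionAction implements Action {
    private final Run<?, ?> run;      // the build this description belongs to
    private String description;       // user-supplied, untrusted text

    public TestResultDescriptionAction(Run<?, ?> run) {
        this.run = run;
    }

    // CSRF: @RequirePOST makes Stapler reject anything but a POST, so a plain link
    // or image tag on another site cannot change state; Jenkins also validates its
    // crumb on the POST. Without the annotation a GET to .../description/setDescription
    // would be accepted, which is the JUnit Plugin finding above.
    @RequirePOST
    public void doSetDescription(StaplerRequest req, StaplerResponse rsp,
                                 @QueryParameter String description) throws IOException {
        // Authorization: fail unless the caller may configure the owning job.
        // Omitting this is the "lack of permission checks" class of finding.
        run.getParent().checkPermission(Item.CONFIGURE);
        this.description = description;
        run.save();
        rsp.sendRedirect2(".");
    }

    // XSS: views that render the value must treat it as text, not markup. Jelly's
    // ${...} output escapes by default; a view that emits it raw (e.g. <j:out>)
    // should go through this HTML-escaped getter instead.
    public String getEscapedDescription() {
        return description == null ? "" : Util.escape(description);
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Test Description"; }
    @Override public String getUrlName() { return "description"; }
}
```

When reviewing a plugin for the issues listed here, the quick check is: every `doXxx` method that changes state carries `@RequirePOST` (or `@POST`), calls `checkPermission` on the object it modifies, and never hands its stored strings to a view unescaped.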