Jenkins Security Advisory: Multiple High-Severity Vulnerabilities (XSS, Deserialization, Path Traversal)

### Jenkins Security Advisory 2021-01-13 #### Vulnerabilities Announced - **Jenkins (core)** - **Bumblebee HP ALM Plugin** - **TICS Plugin** - **tracetronic ecu.test Plugin** #### Descriptions 1. **XSS Vulnerability in Notification Bar** - **CVE:** SECURITY-1889 / CVE-2021-21603 - **Severity:** High - **Description:** Attackers can exploit this vulnerability to execute XSS by influencing notification bar contents. 2. **Stored XSS Vulnerability in Button Labels** - **CVE:** SECURITY-2035 / CVE-2021-21608 - **Severity:** High - **Description:** Attackers can control button labels to exploit stored XSS vulnerabilities in Jenkins UI. 3. **Reflected XSS Vulnerability in Markup Formatter Preview** - **CVE:** SECURITY-2153 / CVE-2021-21610 - **Severity:** High - **Description:** Malicious users can exploit reflected XSS vulnerabilities by crafting preview URLs without proper restrictions. 4. **Stored XSS Vulnerability on New Item Page** - **CVE:** SECURITY-2171 / CVE-2021-21611 - **Severity:** High - **Description:** Attackers can specify display names or IDs of item types to cause stored XSS on the new item page. 5. **Improper Handling of REST API XML Deserialization Errors** - **CVE:** SECURITY-1923 / CVE-2021-21604 - **Severity:** High - **Description:** Invalid data submissions can lead to the creation of invalid object references in Old Data Monitor, allowing injection of unsafe objects. 6. **Arbitrary File Read Vulnerability in Workspace Browsers** - **CVE:** SECURITY-1452 / CVE-2021-21602 - **Severity:** Medium - **Description:** Symbolic links in workspace browsers can be exploited to access files outside the workspace. 7. **Path Traversal Vulnerability in Agent Names** - **CVE:** SECURITY-2021 / CVE-2021-21605 - **Severity:** High - **Description:** Users can choose agent names that override unrelated config.xml files, causing unsafe legacy defaults. 8. **Arbitrary File Existence Check in File Fingerprints** - **CVE:** SECURITY-2023 / CVE-2021-21606 - **Severity:** Medium - **Description:** Attackers can check for the existence of XML files on the controller file system by constructing relative paths. 9. **Excessive Memory Allocation in Graph URLs Leads to Denial of Service** - **CVE:** SECURITY-2025 / CVE-2021-21607 - **Severity:** Medium - **Description:** Crafting URLs with large graph sizes can lead to memory exhaustion and out-of-memory errors. 10. **Missing Permission Check for Paths with Specific Prefix** - **CVE:** SECURITY-2047 / CVE-2021-21609 - **Severity:** Low - **Description:** Attackers can access plugin-provided URLs without proper permission checks if they match specific path prefixes. 11. **Credentials Stored in Plain Text by tracetronic ecu.test Plugin** - **CVE:** SECURITY-2057 / CVE-2021-21612 - **Severity:** Low - **Description:** Credentials in the global configuration file are unencrypted, allowing access to these sensitive options. 12. **XSS Vulnerability in TICS Plugin** - **CVE:** SECURITY-2098 / CVE-2021-21613 - **Severity:** High - **Description:** Attackers can control TICS service responses to exploit XSS vulnerabilities. 13. **Credentials Stored in Plain Text by Bumblebee HP ALM Plugin** - **CVE:** SECURITY-2156 / CVE-2021-21614 - **Severity:** Low - **Description:** Unencrypted credentials in the global configuration file can be accessed by users with the necessary permissions. #### Severity - SECURITY-1452: Medium - SECURITY-1889: High - SECURITY-1923: High - SECURITY-2021: High - SECURITY-2023: Medium - SECURITY-2025: Medium - SECURITY-2035: High - SECURITY-2047: Low - SECURITY-2057: Low - SECURITY-2098: High - SECURITY-2153: High - SECURITY-2156: Low - SECURITY-2171: High #### Affected Versions - Jenkins weekly up to and including 2.274 - Jenkins LTS up to and including 2.263.1 - Bumblebee HP ALM Plugin up to and including 4.1.5 - TICS Plugin up to and including 2020.3.0.6 - tracetronic ecu.test Plugin up to and including 2.23.1 #### Fix - Update to the latest versions: Jenkins 2.275, Jenkins LTS 2.263.2, Bumblebee HP ALM Plugin 4.1.6, TICS Plugin 2020.3.0.7, and tracetronic ecu.test Plugin 2.24.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory: Multiple High-Severity Vulnerabilities (XSS, Deserialization, Path Traversal)