Jenkins Security Advisory 2021-01-13: Multiple High-Severity Vulnerabilities (XSS, File Read, Deserialization)

## Jenkins Security Advisory 2021-01-13 ### Key Information about Vulnerabilities #### XSS Vulnerability in Notification Bar - **CVE:** CVE-2021-21603 - **Severity:** High - **Description:** Attackers can exploit a cross-site scripting (XSS) vulnerability by influencing notification bar contents. #### Stored XSS Vulnerability in Button Labels - **CVE:** CVE-2021-21608 - **Severity:** High - **Description:** Attackers can control button labels to exploit a cross-site scripting vulnerability. #### Reflected XSS Vulnerability in Markup Formatter Preview - **CVE:** CVE-2021-21610 - **Severity:** High - **Description:** Marked-up responses can be exploited to inject malicious content. #### Stored XSS Vulnerability on New Item Page - **CVE:** CVE-2021-21611 - **Severity:** High - **Description:** Attackers can specify display names or IDs of item types to exploit a stored XSS vulnerability. #### Improper Handling of REST API XML Deserialization Errors - **CVE:** CVE-2021-21604 - **Severity:** High - **Description:** Invalid object references can be stored in Old Data Monitor, leading to unsafe object instantiation. #### Arbitrary File Read Vulnerability in Workspace Browsers - **CVE:** CVE-2021-21602 - **Severity:** Medium - **Description:** Symbolic links can be used to access files outside workspaces. #### Path Traversal Vulnerability in Agent Names - **CVE:** CVE-2021-21605 - **Severity:** High - **Description:** Agent names can be set to override unrelated files, causing unsafe legacy defaults. #### Arbitrary File Existence Check in File Fingerprints - **CVE:** CVE-2021-21606 - **Severity:** Medium - **Description:** The XML metadata check for fingerprints is incomplete. #### Excessive Memory Allocation in Graph URLs - **CVE:** CVE-2021-21607 - **Severity:** Medium - **Description:** Crafted URLs can lead to out-of-memory errors. #### Missing Permission Check for Specific Path Prefixes - **CVE:** CVE-2021-21609 - **Severity:** Low - **Description:** Attackers can access URLs without proper permission checks. #### Credentials Stored in Plain Text - **Plugin:** tracetronic ecu.test Plugin - **CVE:** CVE-2021-21612 - **Severity:** Low - **Description:** Credentials are stored unencrypted in the global configuration file. - **Plugin:** TICS Plugin - **CVE:** CVE-2021-21613 - **Severity:** High - **Description:** Credentials can be viewed through XSS in TICS service responses. - **Plugin:** Bumblebee HP ALM Plugin - **CVE:** CVE-2021-21614 - **Severity:** Low - **Description:** Credentials are stored unencrypted in the global configuration file. ### Affected Versions - Jenkins weekly up to and including 2.274 - Jenkins LTS up to and including 2.263.1 - Bumblebee HP ALM Plugin up to and including 4.1.5 - TICS Plugin up to and including 2020.3.0.6 - tracetronic ecu.test Plugin up to and including 2.23.1 ### Fix - Jenkins weekly: Update to version 2.275 - Jenkins LTS: Update to version 2.263.2 - Bumblebee HP ALM Plugin: Update to version 4.1.6 - TICS Plugin: Update to version 2020.3.0.7 - tracetronic ecu.test Plugin: Update to version 2.24

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory 2021-01-13: Multiple High-Severity Vulnerabilities (XSS, File Read, Deserialization)