Jenkins Plugin Security Advisories: RCE, XSS, XXE (CVE-2020-2279-2285)

Vulnerability Key Information 1. Script Security Plugin: Sandbox Bypass Vulnerability CVE ID: SECURITY-2020 / CVE-2020-2279 Severity: High Affected Plugin: script-security Description: Attackers can bypass sandbox protection and execute arbitrary code. Fix: Upgrade to the specified version. 2. warnings Plugin: CSRF Vulnerability Allowing Remote Code Execution CVE ID: SECURITY-2042 / CVE-2020-2280 Severity: High Affected Plugin: warnings Description: Attackers can execute arbitrary code. Fix: Upgrade to the specified version. 3. Lockable Resources Plugin: CSRF Vulnerability CVE ID: SECURITY-1958 / CVE-2020-2281 Severity: Medium Affected Plugin: lockable-resources Description: Attackers can perform protected operations. Fix: Upgrade to the specified version. 4. Implied Labels Plugin: Missing Permission Check CVE ID: SECURITY-2004 / CVE-2020-2282 Severity: Medium Affected Plugin: implied-labels Description: Attackers can reconfigure the plugin. Fix: Upgrade to the specified version. 5. Liquibase Runner Plugin: Stored XSS Vulnerability CVE ID: SECURITY-1885 / CVE-2020-2283 Severity: High Affected Plugin: liquibase-runner Description: Attackers can perform cross-site scripting attacks. Fix: Upgrade to the specified version. 6. Liquibase Runner Plugin: XXE Vulnerability CVE ID: SECURITY-1887 / CVE-2020-2284 Severity: High Affected Plugin: liquibase-runner Description: Attackers can perform XML External Entity attacks. Fix: Upgrade to the specified version. 7. Liquibase Runner Plugin: Missing Permission Check CVE ID: SECURITY-2030 / CVE-2020-2285 Severity: Medium Affected Plugin: liquibase-runner Description: Attackers can enumerate credential IDs. Fix: Upgrade to the specified version. Vulnerability Severity High: SECURITY-1885, SECURITY-1887, SECURITY-2020, SECURITY-2042 Medium: SECURITY-1958, SECURITY-2004, SECURITY-2030 Affected Versions Implied Labels Plugin: Version 0.6 and earlier Liquibase Runner Plugin: Version 1.4.5 and earlier Lockable Resources Plugin: Version 2.8 and earlier Script Security Plugin: Version 1.74 and earlier warnings Plugin: Version 5.0.1 and earlier Mitigation Measures Upgrade affected plugins to the specified versions

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Plugin Security Advisories: RCE, XSS, XXE (CVE-2020-2279-2285)