Jenkins Security Advisory 2016-04-11

This advisory announces multiple vulnerabilities in these Jenkins plugins:

Description

Stored XSS vulnerability in Extra Columns Plugin

SECURITY-136 / CVE-2016-3101

The Extra Columns plugin rendered user-supplied HTML in tool tips without filtering them through the configured markup formatter.

Groovy sandbox protection incomplete in Script Security Plugin

SECURITY-258 / CVE-2016-3102

The Script Security plugin provides a Groovy sandbox implementation to other plugins that only allows whitelisted commands to be executed. This sandbox did not cover direct field access (foo.@bar) or get/set array operations (foo[bar]).

Severity

  • SECURITY-136 is considered medium.

  • SECURITY-258 is considered medium.

Affected versions

  • Extra Columns Plugin up to and including version 1.16.

  • Script Security Plugin up to and including version 1.18.

Fix

  • Users of Extra Columns Plugin should update it to version 1.17.

  • Users of Script Security Plugin should update it to version 1.18.1.

These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities.

Credit

The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:

  • Daniel Beck, CloudBees, Inc. for SECURITY-136

  • Jesse Glick, CloudBees, Inc. for SECURITY-258