This advisory announces vulnerabilities in the following Jenkins deliverables:
eddsa-api
EDDSA API Plugin makes the EdDSA-Java library (ed25519-java) available to other plugins.
EDDSA API Plugin 0.3.0-13.v7cb_69ed68f00 and earlier bundles version 0.3.0 of EdDSA-Java, which exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message.
EDDSA API Plugin 0.3.0.1-16.vcb_4a_98a_3531c inlines the EdDSA-Java library (ed25519-java) directly into the plugin and adds validation to prevent signature malleability and ensure the SUF-CMA property.
AnchorChain
AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the javascript: scheme.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step.
As of publication of this advisory, there is no fix. Learn why we announce this.
zohoqengine
Zoho QEngine Plugin stores the QEngine API Key in job config.xml files on the Jenkins controller as part of its configuration.
While this key is stored encrypted on disk, in Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier, the job configuration form does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.
Zoho QEngine Plugin 1.0.31.v4a_b_1db_6d6a_f2 masks the QEngine API Key form field.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:
Learn why we announce these issues.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: