Created August 31, 2021 11:19
Subject: Jenkins plugins security advisory

The following Jenkins plugin updates contain fixes for security vulnerabilities:

* Azure AD Plugin 180.v8b1e80e6f242
* Code Coverage API Plugin 1.4.1
* Nested View Plugin 1.21
* Nomad Plugin 0.7.5
* SAML Plugin 2.0.8

Please see the advisory for more information:
https://www.jenkins.io/security/advisory/2021-08-31/
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Azure AD Plugin 180.v8b1e80e6f242
* Code Coverage API Plugin 1.4.1
* Nested View Plugin 1.21
* Nomad Plugin 0.7.5
* SAML Plugin 2.0.8

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2021-08-31/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---
SECURITY-2376 / CVE-2021-21677

Code Coverage API Plugin 1.4.0 and earlier does not apply JEP-200 deserialization protection to Java objects it deserializes from disk.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to control agent processes.
SECURITY-2469 / CVE-2021-21678

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. SAML Plugin implements this extension point for the URL that users are redirected to after login.

In SAML Plugin 2.0.7 and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in SAML Plugin 1.1.3.
SECURITY-2470 / CVE-2021-21679

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Azure AD Plugin implements this extension point for URLs used by a JavaScript component.

In Azure AD Plugin 179.vf6841393099e and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.

This vulnerability was originally introduced in Azure AD Plugin 164.v5b48baa961d2.
SECURITY-2411 / CVE-2021-21680

Nested View Plugin 1.20 and earlier does not configure its XML transformer to prevent XML external entity (XXE) attacks.

This allows attackers able to configure views to have Jenkins parse a crafted view XML definition that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
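For the XXE class described above, here is an added example (not the Nested View Plugin's own code) that puts a javax.xml.transform factory with default settings beside one hardened with secure processing and external-access restrictions. The class name, the temporary file standing in for a controller secret, and the view XML are constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
public class XxeHardeningDemo {
    // Default factory: external DTDs and entity references are resolved as written.
    static TransformerFactory permissiveFactory() {
        return TransformerFactory.newInstance();
    }
    // Hardened factory: secure processing on, all external DTD and stylesheet
    // access denied, so a DOCTYPE pointing outside the document is rejected.
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }
    // Identity transform of the XML text, returning the serialized result.
    static String transform(TransformerFactory f, String xml) throws TransformerException {
        StringWriter out = new StringWriter();
        f.newTransformer().transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file standing in for a secret on the controller,
        // and a view XML definition whose DOCTYPE declares an entity that reads it.
        Path secret = Files.createTempFile("constructed-secret", ".txt");
        Files.writeString(secret, "constructed-secret-value");
        String viewXml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE view [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<view><name>&ext;</name></view>";
        // Permissive: the entity is expanded and the file content lands in the output.
        System.out.println("permissive: " + transform(permissiveFactory(), viewXml));
        // Hardened: the external reference is refused before anything is read.
        try {
            transform(hardenedFactory(), viewXml);
        } catch (TransformerException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
        Files.delete(secret);
    }
}
```

The same two attributes are what to look for when reviewing any plugin that builds a TransformerFactory from user-supplied XML; setting FEATURE_SECURE_PROCESSING alone is weaker than also emptying the external-access properties explicitly.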
SECURITY-2396 / CVE-2021-21681

Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global `config.xml` file on the Jenkins controller as part of its worker templates configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.