
List:       oss-security
Subject:    [oss-security] Multiple vulnerabilities in Jenkins plugins
From:       Daniel Beck <ml () beckweb ! net>
Date:       2021-06-16 13:32:20
Message-ID: F09E188B-8CA8-4E1F-B7E3-714E5A04ACB2 () beckweb ! net

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Scriptler Plugin 3.2 and 3.3


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2021-06-16/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2224 / CVE-2021-21667
Scriptler Plugin 3.2 and earlier does not escape parameter names shown in
job configuration forms.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Scriptler/Configure permission.


SECURITY-2390 / CVE-2021-21668
Scriptler Plugin 3.1 and earlier does not escape script content.

This results in a stored cross-site scripting (XSS) vulnerability
exploitable by attackers with Scriptler/Configure permission.
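The check a Jenkins administrator wants from the two entries above is whether an installed Scriptler version falls inside the affected ranges (3.2 and earlier for SECURITY-2224, 3.1 and earlier for SECURITY-2390). The script below is an added example, not part of this advisory or of the Jenkins project; it assumes the JSON shape returned by Jenkins' /pluginManager/api/json?depth=1 (a "plugins" list whose entries carry "shortName" and "version"), and the sample document it runs on is constructed here rather than captured from a real instance.

```python
"""Match installed Jenkins plugin versions against the affected ranges
stated in the advisory above.

Added example, not code from the advisory or the Jenkins project.
Assumption: the input is the JSON produced by
/pluginManager/api/json?depth=1, i.e. {"plugins": [{"shortName": ...,
"version": ...}, ...]}. SAMPLE below is a constructed document of that shape.
"""
import json
import re

# (plugin shortName, highest affected version, advisory id), taken from the
# advisory text: 3.2 and earlier for SECURITY-2224, 3.1 and earlier for
# SECURITY-2390. The Scriptler plugin's shortName is "scriptler".
ADVISORIES = [
    ("scriptler", "3.2", "SECURITY-2224 / CVE-2021-21667"),
    ("scriptler", "3.1", "SECURITY-2390 / CVE-2021-21668"),
]


def parse_version(version):
    """Turn a plugin version string into a comparable tuple of integers.

    Jenkins plugin versions are dotted numbers, occasionally with a suffix
    such as "3.2-beta-1". The suffix is dropped, so a pre-release of 3.2
    compares as 3.2 (conservative: it is treated as affected). Trailing
    zeros are stripped so that "3.2.0" equals "3.2".
    """
    numbers = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    while len(numbers) > 1 and numbers[-1] == 0:
        numbers.pop()
    return tuple(numbers)


def is_affected(installed, highest_affected):
    """True when the installed version is at or below the affected ceiling."""
    return parse_version(installed) <= parse_version(highest_affected)


def affected_advisories(plugin_manager_json):
    """Return (advisory id, shortName, installed version) for each advisory
    whose affected range contains an installed plugin."""
    data = json.loads(plugin_manager_json)
    installed = {p["shortName"]: p["version"] for p in data.get("plugins", [])}
    hits = []
    for short_name, highest_affected, advisory_id in ADVISORIES:
        version = installed.get(short_name)
        if version is not None and is_affected(version, highest_affected):
            hits.append((advisory_id, short_name, version))
    return hits


# Constructed sample in the shape of /pluginManager/api/json?depth=1.
SAMPLE = json.dumps({
    "plugins": [
        {"shortName": "scriptler", "version": "3.2"},
        {"shortName": "git", "version": "4.7.2"},
    ]
})


if __name__ == "__main__":
    for advisory_id, short_name, version in affected_advisories(SAMPLE):
        print(f"{short_name} {version} is affected by {advisory_id}")
```

On the sample, only SECURITY-2224 is reported: the installed 3.2 already carries the fix for SECURITY-2390 (fixed in 3.2) but not for SECURITY-2224 (fixed in 3.3). Fetching the real document requires a Jenkins user with Overall/Read; run the check from a host that already has that access rather than exposing the endpoint further.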

