This advisory announces vulnerabilities in the following Jenkins deliverables:
The fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based CLI authentication caches.
This means that users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated.
Support for the remoting-based CLI was dropped in Jenkins 2.165, so newer weekly releases are not affected. Jenkins 2.164.2 no longer supports legacy CLI authentication caches from before 2.150.2/2.160, and these users will be considered logged out.
f:validateButton form control for the Jenkins UI did not properly escape job URLs.
This resulted in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
The affected form control has been rewritten to no longer need to escape job URLs.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: