We just released security updates to Jenkins, versions 2.107 and 2.89.4, that fix multiple security vulnerabilities.

For an overview of what was fixed, see the security advisory. For an overview on the possible impact of these changes on upgrading Jenkins LTS, see our LTS upgrade guide.

While the severity score works out as medium for all the vulnerabilities, we strongly recommend that anyone operating publicly accessible Jenkins instances update as soon as possible, as their secrets on disk might be at risk by SECURITY-705.

Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security.

About the Author
Daniel Beck

Daniel is a Jenkins core maintainer and, as security officer, leads the Jenkins security team. He sometimes contributes to developer documentation and project infrastructure.