This advisory announces vulnerabilities in the following Jenkins deliverables:
Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user’s pre-login session ID to impersonate them.
Google Login Plugin now invalidates the previous session during login, and creates a new one.
Google Login Plugin redirected users to an arbitrary URL specified as a query parameter after successful login, enabling phishing attacks.
Google Login Plugin now only performs redirects to relative URLs.
Email Extension Plugin stores an SMTP password in the global Jenkins configuration.
While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.
Email Extension now encrypts the SMTP password transmitted to administrators viewing the global configuration form.
S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files.
S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly.
HTML Publisher Plugin allows specifying a name for the HTML reports it publishes. This report name was used in the URL of the report and as a directory name on the Jenkins master without further processing, resulting in a path traversal vulnerability that allowed overriding files outside the build directory.
Non-alphanumeric characters in report names are now escaped for use as part of a URL and as a directory name.
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities: