Jenkins Security Advisory 2019-04-03

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

IRC Plugin stores credentials in plain text

SECURITY-829 / CVE-2019-1003051

IRC Plugin stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

AWS Elastic Beanstalk Publisher Plugin stores credentials in plain text

SECURITY-831 / CVE-2019-1003052

AWS Elastic Beanstalk Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

HockeyApp Plugin stores credentials in plain text

SECURITY-839 / CVE-2019-1003053

HockeyApp Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Jira Issue Updater Plugin stores credentials in plain text

SECURITY-837 / CVE-2019-1003054

Jira Issue Updater Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

FTP publisher Plugin stores credentials in plain text

SECURITY-954 / CVE-2019-1003055

FTP publisher Plugin stores credentials unencrypted in its global configuration file com.zanox.hudson.plugins.FTPPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

WebSphere Deployer Plugin stores credentials in plain text

SECURITY-956 / CVE-2019-1003056

WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Bitbucket Approve Plugin stores credentials in plain text

SECURITY-965 / CVE-2019-1003057

Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucket_approve.BitbucketApprover.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in FTP publisher Plugin allow connecting to arbitrary FTP servers

SECURITY-974 / CVE-2019-1003058 (CSRF) and CVE-2019-1003059 (permission check)

A missing permission check in a form validation method in FTP publisher Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified FTP server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Official OWASP ZAP Plugin stores credentials in plain text

SECURITY-1041 / CVE-2019-1003060

Official OWASP ZAP Plugin stores Jira credentials unencrypted in its global configuration file org.jenkinsci.plugins.zap.ZAPBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

jenkins-cloudformation-plugin Plugin stores credentials in plain text

SECURITY-1042 / CVE-2019-1003061

jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

AWS CloudWatch Logs Publisher Plugin stores credentials in plain text

SECURITY-830 / CVE-2019-1003062

AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Amazon SNS Build Notifier Plugin stores credentials in plain text

SECURITY-832 / CVE-2019-1003063

Amazon SNS Build Notifier Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

aws-device-farm Plugin stores credentials in plain text

SECURITY-835 / CVE-2019-1003064

aws-device-farm Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CloudShare Docker-Machine Plugin stores credentials in plain text

SECURITY-838 / CVE-2019-1003065

CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Bugzilla Plugin stores credentials in plain text

SECURITY-841 / CVE-2019-1003066

Bugzilla Plugin stores credentials unencrypted in its global configuration file hudson.plugins.bugzilla.BugzillaProjectProperty.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Trac Publisher Plugin stores credentials in plain text

SECURITY-842 / CVE-2019-1003067

Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

VMware vRealize Automation Plugin stores credentials in plain text

SECURITY-945 / CVE-2019-1003068

VMware vRealize Automation Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Aqua Security Scanner Plugin stores credentials in plain text

SECURITY-949 / CVE-2019-1003069

Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

veracode-scanner Plugin stores credentials in plain text

SECURITY-952 / CVE-2019-1003070

veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Octopus Deploy Plugin stores credentials in plain text

SECURITY-957 / CVE-2019-1003071

Octopus Deploy Plugin stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

WildFly Deployer Plugin stores credentials in plain text

SECURITY-961 / CVE-2019-1003072

WildFly Deployer Plugin stores deployment credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

VS Team Services Continuous Deployment Plugin stores credentials in plain text

SECURITY-962 / CVE-2019-1003073

VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Hyper.sh Commons Plugin stores credentials in plain text

SECURITY-964 / CVE-2019-1003074

Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Audit to Database Plugin stores credentials in plain text

SECURITY-966 / CVE-2019-1003075

Audit to Database Plugin stores database credentials unencrypted in its global configuration file audit2db.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in Audit to Database Plugin allow connecting to arbitrary databases

SECURITY-977 / CVE-2019-1003076 (CSRF) and CVE-2019-1003077 (permission check)

A missing permission check in a form validation method in Audit to Database Plugin allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in VMware Lab Manager Slaves Plugin

SECURITY-979 / CVE-2019-1003078 (CSRF) and CVE-2019-1003079 (permission check)

A missing permission check in a form validation method in VMware Lab Manager Slaves Plugin allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in OpenShift Deployer Plugin

SECURITY-981 / CVE-2019-1003080 (CSRF) and CVE-2019-1003081 (permission check)

A missing permission check in a form validation method in OpenShift Deployer Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Gearman Plugin

SECURITY-991 / CVE-2019-1003082 (CSRF) and CVE-2019-1003083 (permission check)

A missing permission check in a form validation method in Gearman Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Zephyr Enterprise Test Management Plugin allow SSRF

SECURITY-993 / CVE-2019-1003084 (CSRF) and CVE-2019-1003085 (permission check)

A missing permission check in a form validation method in Zephyr Enterprise Test Management Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in sinatra-chef-builder Plugin allow SSRF

SECURITY-1037 / CVE-2019-1003086 (CSRF) and CVE-2019-1003087 (permission check)

A missing permission check in a form validation method in sinatra-chef-builder Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Fabric Beta Publisher Plugin stores credentials in plain text

SECURITY-1043 / CVE-2019-1003088

Fabric Beta Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Upload to pgyer Plugin stores credentials in plain text

SECURITY-1044 / CVE-2019-1003089

Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in SOASTA CloudTest Plugin allow SSRF

SECURITY-1054 / CVE-2019-1003090 (CSRF) and CVE-2019-1003091 (permission check)

A missing permission check in a form validation method in SOASTA CloudTest Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials and SSH key store options.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

CSRF vulnerability and missing permission check in Nomad Plugin allow SSRF

SECURITY-1058 / CVE-2019-1003092 (CSRF) and CVE-2019-1003093 (permission check)

A missing permission check in a form validation method in Nomad Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Open STF Plugin stores credentials in plain text

SECURITY-1059 / CVE-2019-1003094

Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Perfecto Mobile Plugin stores credentials in plain text

SECURITY-1061 / CVE-2019-1003095

Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

TestFairy Plugin stores credentials in plain text

SECURITY-1062 / CVE-2019-1003096

TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Crowd Integration Plugin stores credentials in plain text

SECURITY-1069 / CVE-2019-1003097

Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in OpenID Plugin allow SSRF

SECURITY-1084 / CVE-2019-1003098 (CSRF) and CVE-2019-1003099 (permission check)

A missing permission check in a form validation method in OpenID Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

starteam Plugin stores credentials in plain text

SECURITY-1085 / CVE-2019-10277

starteam Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in jenkins-reviewbot Plugin allow SSRF

SECURITY-1091 / CVE-2019-10278 (CSRF) and CVE-2019-10279 (permission check)

A missing permission check in a form validation method in jenkins-reviewbot Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Assembla Auth Plugin stores credentials in plain text

SECURITY-1093 / CVE-2019-10280

Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Relution Enterprise Appstore Publisher Plugin stores credentials in plain text

SECURITY-828 / CVE-2019-10281

Relution Enterprise Appstore Publisher Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relution_publisher.configuration.global.StoreConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Klaros-Testmanagement Plugin stores credentials in plain text

SECURITY-843 / CVE-2019-10282

Klaros-Testmanagement Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

mabl Plugin stores credentials in plain text

SECURITY-946 / CVE-2019-10283

mabl Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Diawi Upload Plugin stores credentials in plain text

SECURITY-947 / CVE-2019-10284

Diawi Upload Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Minio Storage Plugin stores credentials in plain text

SECURITY-955 / CVE-2019-10285

Minio Storage Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

DeployHub Plugin stores credentials in plain text

SECURITY-959 / CVE-2019-10286

DeployHub Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

youtrack-plugin Plugin stored credentials in plain text

SECURITY-963 / CVE-2019-10287

youtrack-plugin Plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

youtrack-plugin Plugin now stores credentials encrypted.

Jabber Server Plugin stores credentials in plain text

SECURITY-1031 / CVE-2019-10288

Jabber Server Plugin stores credentials unencrypted in its global configuration file de.e_nexus.jabber.JabberBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CSRF vulnerability and missing permission check in Netsparker Enterprise Scan Plugin allowed SSRF

SECURITY-1032 / CVE-2019-10289 (CSRF) and CVE-2019-10290 (permission check)

A missing permission check in a form validation method in Netsparker Enterprise Scan Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with an attacker-specified API token.

Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.

The form validation method now performs a permission check for Overall/Administer and requires that requests be sent via POST.

Netsparker Enterprise Scan Plugin stored credentials in plain text

SECURITY-1040 / CVE-2019-10291

Netsparker Enterprise Scan Plugin stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins controller. These API tokens could be viewed by users with access to the Jenkins controller file system.

Netsparker Enterprise Scan Plugin now stores API tokens encrypted.
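The two fixes described above (storing the credential encrypted, and adding a permission check plus a POST requirement to the form validation method) are the standard Jenkins plugin remedies for every issue class in this advisory. The following build step is an added example and is not code from the advisory, from the Netsparker or youtrack plugins, or from any other plugin named here; the class, field and form names (ExampleDeployBuilder, serverUrl, password, doTestConnection) are hypothetical. It assumes only the public Jenkins plugin API: hudson.util.Secret, org.kohsuke.stapler.interceptor.RequirePOST and the AccessControlled permission checks.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.URI;

import hudson.Extension;
import hudson.FilePath;
import hudson.Launcher;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.model.Run;
import hudson.model.TaskListener;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.Jenkins;
import jenkins.tasks.SimpleBuildStep;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical build step (added example, not from any plugin in the advisory) showing
 * the two fixes the advisory describes: a credential held in hudson.util.Secret, and a
 * form validation method that requires POST and checks a permission before acting.
 */
public class ExampleDeployBuilder extends Builder implements SimpleBuildStep {

    private final String serverUrl;

    // Vulnerable pattern: "private final String password;" is serialized verbatim into the
    // job's config.xml, where Extended Read or controller file-system access exposes it.
    // Fixed pattern: Secret is serialized in encrypted form under the controller's key, and
    // Stapler converts the submitted form value into a Secret automatically.
    private final Secret password;

    @DataBoundConstructor
    public ExampleDeployBuilder(String serverUrl, Secret password) {
        this.serverUrl = serverUrl;
        this.password = password;
    }

    public String getServerUrl() { return serverUrl; }

    public Secret getPassword() { return password; }

    @Override
    public void perform(Run<?, ?> run, FilePath workspace, Launcher launcher, TaskListener listener)
            throws InterruptedException, IOException {
        // Decrypt only where the value is consumed, and keep the plain text out of the build log.
        String plainText = Secret.toString(password);
        listener.getLogger().println("Deploying to " + serverUrl + " using a "
                + plainText.length() + "-character credential");
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        /**
         * Vulnerable pattern: a public doTestConnection(...) with no annotation and no
         * permission check. Any user with Overall/Read could invoke it with a GET request
         * against a host of their choosing, and a CSRF page could do so on their behalf.
         */
        @RequirePOST  // GET requests are rejected, which removes the CSRF vector
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String serverUrl) {
            // Job-scoped form: require Item/Configure on the job being edited.
            // Global form (no ancestor item): require Overall/Administer, as in the advisory's fix.
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            try {
                URI uri = new URI(serverUrl);
                if (uri.getHost() == null) {
                    return FormValidation.error("Server URL must include a host");
                }
                int port = uri.getPort() != -1
                        ? uri.getPort()
                        : ("https".equalsIgnoreCase(uri.getScheme()) ? 443 : 80);
                // The connection test itself: a bounded TCP connect and nothing more.
                try (Socket socket = new Socket()) {
                    socket.connect(new InetSocketAddress(uri.getHost(), port), 3000);
                }
                return FormValidation.ok("Connected to " + uri.getHost() + ":" + port);
            } catch (Exception e) {
                return FormValidation.error(e, "Connection failed");
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example deploy step (hypothetical)";
        }
    }
}
```

The permission check runs before any network activity, so a non-privileged user receives an access-denied response rather than a connection attempt; the `@RequirePOST` annotation makes the browser's same-origin and CSRF-token handling apply, since Jenkins only accepts the crumb on POST requests. Existing jobs whose config.xml already holds a `String` password are migrated transparently: Jenkins deserializes a plain-text value into a `Secret` field and writes it back encrypted on the next save.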

CSRF vulnerability and missing permission check in Kmap Plugin allow SSRF

SECURITY-1055 / CVE-2019-10292 (CSRF) and CVE-2019-10293 (permission check)

A missing permission check in a form validation method in Kmap Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Kmap Plugin stores credentials in plain text

SECURITY-1056 / CVE-2019-10294

Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

crittercism-dsym Plugin stores API key in plain text

SECURITY-1063 / CVE-2019-10295

crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Serena SRA Deploy Plugin stores credentials in plain text

SECURITY-1066 / CVE-2019-10296

Serena SRA Deploy Plugin stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Sametime Plugin stores credentials in plain text

SECURITY-1090 / CVE-2019-10297

Sametime Plugin stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Koji Plugin stores credentials in plain text

SECURITY-1092 / CVE-2019-10298

Koji Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

CloudCoreo DeployTime Plugin stores credentials in plain text

SECURITY-960 / CVE-2019-10299

CloudCoreo DeployTime Plugin stores credentials unencrypted in its global configuration file com.cloudcoreo.plugins.jenkins.CloudCoreoBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Severity

Affected Versions

  • Amazon SNS Build Notifier Plugin up to and including 1.13
  • Aqua Security Scanner Plugin up to and including 3.0.15
  • Assembla Auth Plugin up to and including 1.11
  • Audit to Database Plugin up to and including 0.5
  • AWS CloudWatch Logs Publisher Plugin up to and including 1.2.0
  • AWS Elastic Beanstalk Publisher Plugin up to and including 1.7.4
  • aws-device-farm Plugin up to and including 1.25
  • Bitbucket Approve Plugin up to and including 1.0.3
  • Bugzilla Plugin up to and including 1.5
  • CloudCoreo DeployTime Plugin up to and including 0.2.3
  • CloudShare Docker-Machine Plugin up to and including 1.1.0
  • crittercism-dsym Plugin up to and including 1.1
  • Crowd Integration Plugin up to and including 1.2
  • DeployHub Plugin up to and including 8.0.13
  • Diawi Upload Plugin up to and including 1.4
  • Fabric Beta Publisher Plugin up to and including 2.1
  • FTP publisher Plugin up to and including 1.2
  • Gearman Plugin up to and including 0.2.0
  • HockeyApp Plugin up to and including 1.4.0
  • Hyper.sh Commons Plugin up to and including 0.1.5
  • IRC Plugin up to and including 2.3
  • Jabber Server Plugin up to and including 1.9
  • jenkins-cloudformation-plugin Plugin up to and including 1.2
  • jenkins-reviewbot Plugin up to and including 2.4.6
  • Jira Issue Updater Plugin up to and including 1.18
  • Klaros-Testmanagement Plugin up to and including 2.0.0
  • Kmap Plugin up to and including 1.6
  • Koji Plugin up to and including 0.3
  • mabl Plugin up to and including 0.0.12
  • Minio Storage Plugin up to and including 0.0.3
  • Netsparker Enterprise Scan Plugin up to and including 1.1.5
  • Nomad Plugin up to and including 0.4
  • Octopus Deploy Plugin up to and including 1.9.0
  • Official OWASP ZAP Plugin up to and including 1.1.0
  • Open STF Plugin up to and including 1.0.9
  • OpenID Plugin up to and including 2.3
  • OpenShift Deployer Plugin up to and including 1.2.0
  • perfectomobile Plugin up to and including 2.62.0.3
  • Relution Enterprise Appstore Publisher Plugin up to and including 1.24
  • Sametime Plugin up to and including 0.4
  • Serena SRA Deploy Plugin up to and including 1.4.2.4
  • sinatra-chef-builder Plugin up to and including 1.2
  • SOASTA CloudTest Plugin up to and including 2.25
  • starteam Plugin up to and including 0.6.13
  • TestFairy Plugin up to and including 4.16
  • Trac Publisher Plugin up to and including 1.3
  • Upload to pgyer Plugin up to and including 1.31
  • veracode-scanner Plugin up to and including 1.6
  • VMware Lab Manager Slaves Plugin up to and including 0.2.8
  • VMware vRealize Automation Plugin up to and including 1.2.3
  • VS Team Services Continuous Deployment Plugin up to and including 1.3
  • WebSphere Deployer Plugin up to and including 1.6.1
  • WildFly Deployer Plugin up to and including 1.0.2
  • youtrack-plugin Plugin up to and including 0.7.1
  • Zephyr Enterprise Test Management Plugin up to and including 1.6

Fix

  • Netsparker Enterprise Scan Plugin should be updated to version 1.1.6
  • youtrack-plugin Plugin should be updated to version 0.7.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

  • Amazon SNS Build Notifier Plugin
  • Aqua Security Scanner Plugin
  • Assembla Auth Plugin
  • Audit to Database Plugin
  • AWS CloudWatch Logs Publisher Plugin
  • AWS Elastic Beanstalk Publisher Plugin
  • aws-device-farm Plugin
  • Bitbucket Approve Plugin
  • Bugzilla Plugin
  • CloudCoreo DeployTime Plugin
  • CloudShare Docker-Machine Plugin
  • crittercism-dsym Plugin
  • Crowd Integration Plugin
  • DeployHub Plugin
  • Diawi Upload Plugin
  • Fabric Beta Publisher Plugin
  • FTP publisher Plugin
  • Gearman Plugin
  • HockeyApp Plugin
  • Hyper.sh Commons Plugin
  • IRC Plugin
  • Jabber Server Plugin
  • jenkins-cloudformation-plugin Plugin
  • jenkins-reviewbot Plugin
  • Jira Issue Updater Plugin
  • Klaros-Testmanagement Plugin
  • Kmap Plugin
  • Koji Plugin
  • mabl Plugin
  • Minio Storage Plugin
  • Nomad Plugin
  • Octopus Deploy Plugin
  • Official OWASP ZAP Plugin
  • Open STF Plugin
  • OpenID Plugin
  • OpenShift Deployer Plugin
  • perfectomobile Plugin
  • Relution Enterprise Appstore Publisher Plugin
  • Sametime Plugin
  • Serena SRA Deploy Plugin
  • sinatra-chef-builder Plugin
  • SOASTA CloudTest Plugin
  • starteam Plugin
  • TestFairy Plugin
  • Trac Publisher Plugin
  • Upload to pgyer Plugin
  • veracode-scanner Plugin
  • VMware Lab Manager Slaves Plugin
  • VMware vRealize Automation Plugin
  • VS Team Services Continuous Deployment Plugin
  • WebSphere Deployer Plugin
  • WildFly Deployer Plugin
  • Zephyr Enterprise Test Management Plugin
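Because most of the plugins above had no fix at publication, an administrator's practical mitigation is to find which controllers actually hold plain-text credentials and treat those credentials as exposed. The descriptions name the two places to look: the global configuration files directly in `JENKINS_HOME` (for example `hudson.plugins.ircbot.IrcPublisher.xml`) and the per-job `config.xml` files. The audit below is an added example, not part of the advisory or of the Jenkins project; the element-name pattern is a constructed heuristic, and the `{base64}` shape used to recognise an encrypted `hudson.util.Secret` value is an assumption about its serialization format. It reports file, element name and value length only, never the value itself.

```java
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Read-only audit of a Jenkins controller's configuration for unencrypted credentials. */
public class PlaintextCredentialAudit {

    // Constructed heuristic: element names plugins commonly use for credential fields.
    private static final Pattern SENSITIVE_NAME =
            Pattern.compile("(?i)(password|passwd|secret|token|apikey|api_key|privatekey)");

    // Assumed serialization of an encrypted hudson.util.Secret: a base64 body in braces.
    // Leaf values that do not match this shape are reported.
    private static final Pattern ENCRYPTED_SECRET = Pattern.compile("^\\{[A-Za-z0-9+/=]+\\}$");

    public static List<String> audit(Path jenkinsHome) throws Exception {
        List<String> findings = new ArrayList<>();
        DocumentBuilder parser = hardenedParser();

        // 1. Global plugin configuration lives directly in JENKINS_HOME/*.xml
        try (DirectoryStream<Path> globals = Files.newDirectoryStream(jenkinsHome, "*.xml")) {
            for (Path p : globals) inspect(parser, p, findings);
        }
        // 2. Per-job configuration lives in JENKINS_HOME/jobs/**/config.xml
        Path jobs = jenkinsHome.resolve("jobs");
        if (Files.isDirectory(jobs)) {
            try (Stream<Path> walk = Files.walk(jobs)) {
                List<Path> configs = walk
                        .filter(p -> p.getFileName().toString().equals("config.xml"))
                        .collect(Collectors.toList());
                for (Path p : configs) inspect(parser, p, findings);
            }
        }
        return findings;
    }

    private static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The files are local, but disable DTD handling anyway so a crafted config.xml
        // cannot turn the audit itself into an XXE file read.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    private static void inspect(DocumentBuilder parser, Path file, List<String> findings) {
        Document doc;
        try {
            doc = parser.parse(file.toFile());
        } catch (Exception e) {
            findings.add(file + ": unreadable (" + e.getMessage() + ")");
            return;
        }
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element el = (Element) all.item(i);
            String name = el.getTagName();
            if (!SENSITIVE_NAME.matcher(name).find() || !isLeaf(el)) continue;
            String value = el.getTextContent().trim();
            if (value.isEmpty() || ENCRYPTED_SECRET.matcher(value).matches()) continue;
            // Report location and length only; never echo the credential.
            findings.add(file + ": <" + name + "> holds a " + value.length()
                    + "-character value that is not an encrypted Secret");
        }
    }

    private static boolean isLeaf(Element el) {
        NodeList children = el.getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            if (children.item(i).getNodeType() == Node.ELEMENT_NODE) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        String home = args.length > 0 ? args[0] : System.getenv("JENKINS_HOME");
        if (home == null) {
            System.err.println("usage: java PlaintextCredentialAudit <JENKINS_HOME>");
            return;
        }
        for (String finding : audit(Paths.get(home))) System.out.println(finding);
    }
}
```

Run it on the controller as the Jenkins service user (it needs only read access), or against a copy of `JENKINS_HOME` taken for backup. A hit in one of the global files listed in the descriptions, or in a job `config.xml` for one of the job-level plugins, confirms that the credential is recoverable by anyone with the file-system or Extended Read access the advisory names, and it should be rotated; the same scan after re-saving the configuration shows whether a plugin update has moved the value into encrypted form.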

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Viktor Gazdag for SECURITY-828, SECURITY-829, SECURITY-830, SECURITY-831, SECURITY-832, SECURITY-835, SECURITY-837, SECURITY-838, SECURITY-839, SECURITY-841, SECURITY-842, SECURITY-843, SECURITY-945, SECURITY-946, SECURITY-947, SECURITY-949, SECURITY-952, SECURITY-954, SECURITY-955, SECURITY-956, SECURITY-957, SECURITY-959, SECURITY-960, SECURITY-961, SECURITY-962, SECURITY-963, SECURITY-964, SECURITY-965, SECURITY-966, SECURITY-974, SECURITY-977, SECURITY-979, SECURITY-981, SECURITY-991, SECURITY-993, SECURITY-1031, SECURITY-1032, SECURITY-1037, SECURITY-1040, SECURITY-1041, SECURITY-1042, SECURITY-1043, SECURITY-1044, SECURITY-1054, SECURITY-1055, SECURITY-1056, SECURITY-1058, SECURITY-1059, SECURITY-1061, SECURITY-1062, SECURITY-1063, SECURITY-1066, SECURITY-1069, SECURITY-1084, SECURITY-1085, SECURITY-1090, SECURITY-1091, SECURITY-1092, SECURITY-1093

Other Resources