Jenkins Security Advisory 2021-06-16

This advisory announces vulnerabilities in the following Jenkins deliverables:

Descriptions

Stored XSS vulnerability in Scriptler Plugin

SECURITY-2224 / CVE-2021-21667

Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

Scriptler Plugin 3.3 escapes parameter names shown in job configuration forms.

Stored XSS vulnerability in Scriptler Plugin

SECURITY-2390 / CVE-2021-21668

Scriptler Plugin 3.1 and earlier does not escape script content.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

Scriptler Plugin 3.2 escapes script content.

Severity

Affected Versions

  • Scriptler Plugin up to and including 3.2
  • Scriptler Plugin up to and including 3.1

Fix

  • Scriptler Plugin should be updated to version 3.3
  • Scriptler Plugin should be updated to version 3.2

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  • Kevin Guerroudj for SECURITY-2224