Jenkins Security Advisory 2012-09-17

This advisory announces security vulnerabilities that were found in Jenkins core and several plugins.

Several of these vulnerabilities were discovered by Avram Marius Gabriel.

Severity

The first vulnerability in the core is rated as critical, as it allows malicious users to execute arbitrary code on the server. The other three XSS vulnerabilities are rated as high, as they allow malicious users to escalate privileges.

Fix

The following versions incorporate fixes to the vulnerabilities found in the Jenkins core.

  • Main line users should upgrade to Jenkins 1.482

  • LTS users should upgrade to 1.466.2

To patch vulnerabilities in the plugins, upgrade to the following versions. These plugins should be available in your Jenkins' plugin update center UI in up to a day.

  • Users of the Violations plugin should upgrade to 0.7.11 or later

  • Users of the CI game plugin should upgrade to 1.19 or later

Other resources