Jenkins Security Advisory 2016-06-20

This advisory announces vulnerabilities in these Jenkins plugins:

  • Async Http Client Plugin
  • Build Failure Analyzer Plugin
  • Image Gallery Plugin
  • TAP Plugin

Path traversal vulnerability in TAP Plugin

SECURITY-85 / CVE-2016-4986

The plugin did not correctly filter a parameter and allowed reading arbitrary files on the file system.

Path traversal vulnerability in Image Gallery Plugin

SECURITY-278 / CVE-2016-4987

The plugin did not correctly validate form fields and allowed listing arbitrary directories and reading arbitrary files on the file system.

Cross-site scripting vulnerability in Build Failure Analyzer Plugin

SECURITY-290 / CVE-2016-4988

The plugin did not escape a parameter echoed on an HTML page, resulting in a reflected XSS vulnerability.

Async HTTP Client Plugin does not properly validate certificates

SECURITY-305 / CVE-2013-7397 and CVE-2013-7398

Async HTTP Client Plugin provides the Async HTTP Client Java library to other plugins. It is based on the 1.7.x line of AHC, which by default is vulnerable to CVE-2013-7397 and CVE-2013-7398, allowing man-in-the-middle attacks. The fixes for these vulnerabilities were backported.

  • SECURITY-85 is considered medium.
  • SECURITY-278 is considered medium.
  • SECURITY-290 is considered medium.
  • SECURITY-305 is considered:

The following versions incorporate fixes to the vulnerabilities:

  • Users of Async Http Client Plugin should update it to version
  • Users of Build Failure Analyzer Plugin should update it to version 1.16.0.
  • Users of Image Gallery Plugin should update it to version 1.4.
  • Users of TAP Plugin should update it to version 1.25.
  • DEV@cloud is already protected.

These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities.

An update of Jenkins itself is not necessary.