This advisory announces multiple security vulnerabilities found in several Jenkins plugins.
The Subversion plugin was not storing credentials using the security mechanism that Jenkins core provides to plugins. As a result, people with local system access on the Jenkins controller could compromise the passwords and SSH private key passphrases Jenkins uses to access Subversion repositories. The Jenkins project would like to thank Lennart Starr for finding this issue.
The Exclusion plugin was not protecting itself from unauthorized access to list and release the resource locks held by ongoing builds. The Jenkins project would like to thank mwebber for finding this issue.
The Build Failure Analyzer plugin had a cross-site scripting vulnerability, where an attacker with certain pre-existing privileges on Jenkins could execute JavaScript in the browsers of other users. We thank Sharif Nassar for finding this problem.
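The storage mechanism referred to above is Jenkins core's `hudson.util.Secret` type. The following is an added illustration, not code from the Subversion plugin or the Jenkins project: a hypothetical plugin configuration class that holds a passphrase as a plain `String` beside the same class reworked to hold it as a `Secret`, so that the serialized `config.xml` contains the encrypted value instead of the plaintext.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// Weak form (hypothetical class): the passphrase is a plain String, so the
// XStream-serialized config.xml on the controller contains it in clear text.
class PlainSvnAuthentication {
    private final String username;
    private final String passphrase; // persisted exactly as typed

    @DataBoundConstructor
    public PlainSvnAuthentication(String username, String passphrase) {
        this.username = username;
        this.passphrase = passphrase;
    }
}

// Hardened form (hypothetical class): the same field typed as Secret.
// Jenkins core encrypts a Secret with the instance's key when it is
// serialized, so config.xml holds the encrypted token, not the plaintext.
class SecretSvnAuthentication {
    private final String username;
    private final Secret passphrase;

    // Stapler converts the submitted form value to a Secret for us.
    @DataBoundConstructor
    public SecretSvnAuthentication(String username, Secret passphrase) {
        this.username = username;
        this.passphrase = passphrase;
    }

    // Decrypt only at the moment the value is actually needed (null-safe).
    public String getPlainPassphrase() {
        return Secret.toString(passphrase);
    }

    // The form that reaches disk: the encrypted value, never the plaintext.
    public String getEncryptedPassphrase() {
        return passphrase.getEncryptedValue();
    }
}
```

Note that the key used for this encryption also lives on the controller's filesystem, so `Secret` protects against casual disclosure of configuration files rather than against a fully compromised controller.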
SECURITY-58 is rated low, as it requires an attacker to have local access to the Jenkins controller. Subversion itself does not store passwords securely anyway.
SECURITY-53 is rated medium, as it allows anyone with access to Jenkins to mount an attack. However, the impact of the attack is limited: it can only cause builds to fail and leads to neither privilege escalation nor data loss.
SECURITY-96 is rated low. To exploit this vulnerability, an attacker must have been explicitly granted a certain permission.