This advisory announces multiple vulnerabilities in these Jenkins plugins:
Extra Columns Plugin
Script Security Plugin (bundled since Jenkins 1.600 and Jenkins 1.596.1; dependency of Pipeline Plugin, Matrix Project Plugin, and others)
SECURITY-136 / CVE-2016-3101
The Extra Columns plugin rendered user-supplied HTML in tool tips without filtering them through the configured markup formatter.
SECURITY-258 / CVE-2016-3102
The Script Security plugin provides a Groovy sandbox implementation to other plugins that only allows approved signatures to be executed. This sandbox did not cover direct field access (foo.@bar) or get/set array operations (foo[bar]).
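The coverage gap described for SECURITY-258 can be shown with a simplified model, added here as an illustration and not taken from the Script Security plugin's code. The operation kinds, the `Sandbox` class, the signature strings and the sample script are all assumptions made for the example.

```python
from dataclasses import dataclass

# Operation kinds a script can perform (simplified model; names are assumptions).
ALL_KINDS = {"method", "property_get", "property_set",
             "field_get", "field_set", "array_get", "array_set"}

@dataclass(frozen=True)
class Op:
    kind: str      # one of ALL_KINDS
    receiver: str  # type of the receiver object
    member: str    # method or field name, "[]" for array access

    @property
    def signature(self) -> str:
        return f"{self.kind} {self.receiver} {self.member}"

class Sandbox:
    """Allowlist sandbox: only intercepted operation kinds are ever checked."""
    def __init__(self, intercepted, approved, default_deny):
        self.intercepted = set(intercepted)
        self.approved = set(approved)
        self.default_deny = default_deny

    def decide(self, op: Op) -> str:
        if op.kind in self.intercepted:
            return "allowed" if op.signature in self.approved else "rejected"
        # No interceptor for this kind: the allowlist is never consulted.
        return "rejected" if self.default_deny else "unchecked"

def unchecked_ops(sandbox, ops):
    """Operations that would run without any allowlist decision."""
    return [op for op in ops if sandbox.decide(op) == "unchecked"]

# Constructed sample script, expressed as the operations it performs.
SCRIPT = [
    Op("method", "Job", "getName"),      # job.getName()
    Op("field_get", "Job", "secret"),    # job.@secret  (direct field access)
    Op("array_get", "Object[]", "[]"),   # arr[i]       (array get)
]
APPROVED = {"method Job getName"}
UNCOVERED = {"field_get", "field_set", "array_get", "array_set"}

# Incomplete coverage: field and array operations bypass the allowlist.
incomplete = Sandbox(ALL_KINDS - UNCOVERED, APPROVED, default_deny=False)
# Complete coverage: every kind is checked, unknown kinds are rejected.
complete = Sandbox(ALL_KINDS, APPROVED, default_deny=True)

if __name__ == "__main__":
    print([op.signature for op in unchecked_ops(incomplete, SCRIPT)])
    print([complete.decide(op) for op in SCRIPT])
```

The same audit is useful as a regression test for any allowlist sandbox: enumerate every operation kind the language offers and assert that none of them can reach the "unchecked" state.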
Extra Columns Plugin up to and including version 1.16.
Script Security Plugin up to and including version 1.18.
Users of Extra Columns Plugin should update it to version 1.17.
Users of Script Security Plugin should update it to version 1.18.1.
These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities.
The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:
Daniel Beck, CloudBees, Inc. for SECURITY-136
Jesse Glick, CloudBees, Inc. for SECURITY-258