This advisory announces vulnerabilities in these Jenkins plugins:
SECURITY-85 / CVE-2016-4986
The plugin did not correctly filter a parameter and allowed reading arbitrary files on the file system.
SECURITY-278 / CVE-2016-4987
The plugin did not correctly validate form fields and allowed listing arbitrary directories and reading arbitrary files on the file system.
SECURITY-290 / CVE-2016-4988
The plugin did not escape a parameter echoed on an HTML page, resulting in a reflected XSS vulnerability.
SECURITY-305 / CVE-2013-7397 and CVE-2013-7398
Async HTTP Client Plugin provides the Async HTTP Client Java library to other plugins. It is based on the 1.7.x line of AHC, which by default is vulnerable to CVE-2013-7397 and CVE-2013-7398, allowing man-in-the-middle attacks. The fixes for these vulnerabilities were backported. The system property jenkins.plugins.asynchttpclient.AHC.acceptAnyCertificate can temporarily be set to true to disable these new validity checks. Learn more about system properties in Jenkins.
Async Http Client Plugin up to and including version 1.7.24.
Build Failure Analyzer Plugin up to and including version 1.15.0.
Image Gallery Plugin up to and including version 1.3.
TAP Plugin up to and including version 1.24.
Users of Async Http Client Plugin should update it to version 1.7.24.1.
Users of Build Failure Analyzer Plugin should update it to version 1.16.0.
Users of Image Gallery Plugin should update it to version 1.4.
Users of TAP Plugin should update it to version 1.25.
These versions include fixes to the vulnerabilities described above. All prior versions are affected by these vulnerabilities.
The Jenkins project would like to thank the following people for discovering and reporting these vulnerabilities:
Ben Walding, CloudBees, Inc. for SECURITY-278
Jason Marzan for SECURITY-290
Kishore Bhatia, CloudBees, Inc. for SECURITY-305