-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3246
                   Jenkins Security Advisory 2022-06-30
                                4 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Jenkins Plugins
Publisher:         Jenkins
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-34818 CVE-2022-34817 CVE-2022-34816
                   CVE-2022-34815 CVE-2022-34814 CVE-2022-34813
                   CVE-2022-34812 CVE-2022-34811 CVE-2022-34810
                   CVE-2022-34809 CVE-2022-34808 CVE-2022-34807
                   CVE-2022-34806 CVE-2022-34805 CVE-2022-34804
                   CVE-2022-34803 CVE-2022-34802 CVE-2022-34801
                   CVE-2022-34800 CVE-2022-34799 CVE-2022-34798
                   CVE-2022-34797 CVE-2022-34796 CVE-2022-34795
                   CVE-2022-34794 CVE-2022-34793 CVE-2022-34792
                   CVE-2022-34791 CVE-2022-34790 CVE-2022-34789
                   CVE-2022-34788 CVE-2022-34787 CVE-2022-34786
                   CVE-2022-34785 CVE-2022-34784 CVE-2022-34783
                   CVE-2022-34782 CVE-2022-34781 CVE-2022-34780
                   CVE-2022-34779 CVE-2022-34778 CVE-2022-34777
                   CVE-2017-2601  

Original Bulletin: 
   https://www.jenkins.io/security/advisory/2022-06-30/

Comment: CVSS (Max):  5.4* CVE-2017-2601 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
         * Not all CVSS available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2022-06-30  

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Build Notifications Plugin
  o build-metrics Plugin
  o Cisco Spark Plugin
  o Deployment Dashboard Plugin
  o Elasticsearch Query Plugin
  o eXtreme Feedback Panel Plugin
  o Failed Job Deactivator Plugin
  o GitLab Plugin
  o HPE Network Virtualization Plugin
  o Jigomerge Plugin
  o Matrix Reloaded Plugin
  o OpsGenie Plugin
  o Plot Plugin
  o Project Inheritance Plugin
  o Recipe Plugin
  o Request Rename Or Delete Plugin
  o requests-plugin Plugin
  o Rich Text Publisher Plugin
  o RocketChat Notifier Plugin
  o RQM Plugin
  o Skype notifier Plugin
  o TestNG Results Plugin
  o Validating Email Parameter Plugin
  o XebiaLabs XL Release Plugin
  o XPath Configuration Viewer Plugin

Descriptions  

Stored XSS vulnerability in GitLab Plugin  

SECURITY-2316 / CVE-2022-34777

GitLab Plugin 1.5.34 and earlier does not escape multiple user-provided values
shown as part of the build cause of webhook-triggered builds.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

GitLab Plugin 1.5.35 does not show user-provided fields in the build cause of
webhook-triggered builds.

XSS vulnerability in TestNG Results Plugin  

SECURITY-2788 / CVE-2022-34778

TestNG Results Plugin has options in its post-build step configuration to not
escape test descriptions and exception messages.

If those options are unchecked, TestNG Results Plugin 554.va4a552116332 and
earlier renders the unescaped text provided in test results.

This results in a cross-site scripting (XSS) vulnerability exploitable by
attackers able to configure jobs or control test results.

TestNG Results Plugin 555.va0d5f66521e3 by default ignores the user-level
options to not escape content.

Administrators who want to restore this functionality must set the Java system
property hudson.plugins.testng.Publisher.allowUnescapedHTML to true.

Missing permission checks in XebiaLabs XL Release Plugin allow enumerating
credentials IDs  

SECURITY-2773 (1) / CVE-2022-34779

XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

An enumeration of credentials IDs in XebiaLabs XL Release Plugin 22.0.1
requires Overall/Administer permission.

CSRF vulnerability and missing permission checks in XebiaLabs XL Release Plugin
allow capturing credentials  

SECURITY-2773 (2) / CVE-2022-34780 (CSRF), CVE-2022-34781 (missing
authorization)

XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission
checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an
attacker-specified HTTP server using attacker-specified credentials IDs
obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

XebiaLabs XL Release Plugin 22.0.1 requires POST requests and Overall/
Administer permission for the affected form validation methods.

Incorrect permission check in requests-plugin Plugin allows viewing pending
requests  

SECURITY-2650 / CVE-2022-34782

requests-plugin Plugin 2.2.16 and earlier does not correctly perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view the list of pending
requests.

 This is basically the same vulnerability as SECURITY-1995, whose fix was
 ineffective.

requests-plugin Plugin 2.2.17 requires Overall/Administer permission to view
the list of pending requests.

Stored XSS vulnerability in Plot Plugin  

SECURITY-2220 / CVE-2022-34783

Plot Plugin 2.1.10 and earlier does not escape plot descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in build-metrics Plugin  

SECURITY-1118 / CVE-2022-34784

build-metrics Plugin 1.3 does not escape the build description on one of its
views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Build/Update permission.

As of publication of this advisory, there is no fix.

Missing permission checks in build-metrics Plugin  

SECURITY-2643 / CVE-2022-34785

build-metrics Plugin 1.3 and earlier does not perform a permission check in
multiple HTTP endpoints.

This allows attackers with Overall/Read permission to obtain information about
jobs otherwise inaccessible to them.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Rich Text Publisher Plugin  

SECURITY-2332 / CVE-2022-34786

Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set
by its post-build step.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers able to configure jobs.

As of publication of this advisory, there is no fix.

XSS vulnerability in Project Inheritance Plugin  

SECURITY-1919 / CVE-2022-34787

Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a
build is blocked in tooltips.

This results in a cross-site scripting (XSS) vulnerability exploitable by
attackers able to control the reason a queue item is blocked.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Matrix Reloaded Plugin  

SECURITY-1926 / CVE-2022-34788

Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in
tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Agent/Configure permission.

As of publication of this advisory, there is no fix.

CSRF vulnerability in Matrix Reloaded Plugin  

SECURITY-2016 / CVE-2022-34789

Matrix Reloaded Plugin 1.1.3 and earlier does not require POST requests for an
HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to rebuild previous matrix builds.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in eXtreme Feedback Panel Plugin  

SECURITY-1939 / CVE-2022-34790

eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names
used in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Validating Email Parameter Plugin  

SECURITY-2165 / CVE-2022-34791

Validating Email Parameter Plugin 1.10 and earlier does not escape the name and
description of its parameter type.

Additionally, it disables the security hardening added in Jenkins 2.44 and LTS
2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects the "Build
With Parameters" and "Parameters" pages from vulnerabilities like this by
default.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with Item/Configure permission.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Recipe Plugin allow XXE  

SECURITY-2000 / CVE-2022-34792 (CSRF), CVE-2022-34793 (XXE), CVE-2022-34794
(missing permission check)

Recipe Plugin 1.2 and earlier does not perform a permission check in multiple
HTTP endpoints.

This allows attackers with Overall/Read permission to send an HTTP request to
an attacker-specified URL and parse the response as XML.

As the plugin does not configure its XML parser to prevent XML external entity
(XXE) attacks, attackers can have Jenkins parse a crafted XML response that
uses external entities for extraction of secrets from the Jenkins controller or
server-side request forgery.

Additionally, this form validation method does not require POST requests,
resulting in a cross-site request forgery (CSRF) vulnerability.

Additionally, the plugin allows users to export the full configuration of jobs
as part of a recipe, granting access to job configuration XML data to every
user with Item/Read permission. The encrypted values of secrets stored in the
job configuration are not redacted, as they would be by the config.xml API for
users without Item/Configure permission.

As of publication of this advisory, there is no fix.

Stored XSS vulnerability in Deployment Dashboard Plugin  

SECURITY-2799 / CVE-2022-34795

Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment
names on its Deployment Dashboard view.

This results in a stored cross-site scripting (XSS) vulnerability exploitable
by attackers with View/Configure permission.

As of publication of this advisory, there is no fix.

Missing permission checks in Deployment Dashboard Plugin allow enumerating
credentials IDs  

SECURITY-2798 (1) / CVE-2022-34796

Deployment Dashboard Plugin 1.0.10 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Deployment Dashboard Plugin
 

SECURITY-2798 (2) / CVE-2022-34797 (CSRF), CVE-2022-34798 (missing
authorization)

Deployment Dashboard Plugin 1.0.10 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an
attacker-specified HTTP URL using attacker-specified username and password.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Password stored in plain text by Deployment Dashboard Plugin  

SECURITY-2070 / CVE-2022-34799

Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in
its global configuration file
de.codecentric.jenkins.dashboard.DashboardView.xml on the Jenkins controller as
part of its configuration.

This password can be viewed by users with access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix.

Tokens stored in plain text by Build Notifications Plugin  

SECURITY-2056 / CVE-2022-34800 (storage), CVE-2022-34801 (transmission)

Build Notifications Plugin 1.5.0 and earlier stores multiple tokens unencrypted
in its global configuration files on the Jenkins controller as part of its
configuration:

  o Pushover Application Token in
    tools.devnull.jenkins.plugins.buildnotifications.PushoverNotifier.xml

  o Slack Bot Token in
    tools.devnull.jenkins.plugins.buildnotifications.SlackNotifier.xml

  o Telegram Bot Token in
    tools.devnull.jenkins.plugins.buildnotifications.TelegramNotifier.xml

Additionally, they are transmitted in plain text as part of the global
configuration form.

These tokens can be viewed by users with access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix.

Secrets stored in plain text by RocketChat Notifier Plugin  

SECURITY-2088 / CVE-2022-34802

RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and
webhook token unencrypted in its global configuration file
RocketChatNotifier.xml on the Jenkins controller as part of its configuration.

These secrets can be viewed by users with access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix.

API Key stored in plain text by OpsGenie Plugin  

SECURITY-1877 / CVE-2022-34803 (storage), CVE-2022-34804 (transmission)

OpsGenie Plugin 1.9 and earlier stores API keys unencrypted in its global
configuration file com.opsgenie.integration.jenkins.OpsGenieNotifier.xml and in
job config.xml files on the Jenkins controller as part of its configuration.

Additionally, they are transmitted in plain text as part of the respective
configuration forms.

These API keys can be viewed by users with Item/Extended Read permission (job
config.xml only) or access to the Jenkins controller file system (both).

As of publication of this advisory, there is no fix.

Password stored in plain text by Skype notifier Plugin  

SECURITY-2160 / CVE-2022-34805

Skype notifier Plugin 1.1.0 and earlier stores a password unencrypted in its
global configuration file hudson.plugins.skype.im.transport.SkypePublisher.xml
on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix.

Password stored in plain text by Jigomerge Plugin  

SECURITY-2083 / CVE-2022-34806

Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml
files on the Jenkins controller as part of its configuration.

These passwords can be viewed by users with Item/Extended Read permission or
access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by Elasticsearch Query Plugin  

SECURITY-2073 / CVE-2022-34807

Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its
global configuration file
org.jenkinsci.plugins.elasticsearchquery.ElasticsearchQueryBuilder.xml on the
Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix.

Token stored in plain text by Cisco Spark Plugin  

SECURITY-2055 / CVE-2022-34808

Cisco Spark Plugin 1.1.1 and earlier stores bearer tokens unencrypted in its
global configuration file org.jenkinsci.plugins.spark.SparkNotifier.xml on the
Jenkins controller as part of its configuration.

These bearer tokens can be viewed by users with access to the Jenkins
controller file system.

As of publication of this advisory, there is no fix.

Password stored in plain text by RQM Plugin  

SECURITY-2155 / CVE-2022-34809

RQM Plugin 2.8 and earlier stores a password unencrypted in its global
configuration file net.praqma.jenkins.rqm.RqmBuilder.xml on the Jenkins
controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file
system.

As of publication of this advisory, there is no fix.

Missing permission check in RQM Plugin allows enumerating credentials IDs  

SECURITY-2806 / CVE-2022-34810

RQM Plugin 2.8 and earlier does not perform a permission check in an HTTP
endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs
of credentials stored in Jenkins. Those can be used as part of an attack to
capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

Missing permission check in XPath Configuration Viewer Plugin allows accessing
XPath Configuration Viewer page  

SECURITY-2002 / CVE-2022-34811

XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the XPath
Configuration Viewer page. Given appropriate XPath expressions, this page
grants access to job configuration XML data to every user with Item/Read
permission. The encrypted values of secrets stored in the job configuration are
not redacted, as they would be by the config.xml API for users without Item/
Configure permission.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in XPath Configuration Viewer
Plugin  

SECURITY-2658 / CVE-2022-34812 (CSRF), CVE-2022-34813 (missing permission
check)

XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform permission
checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to create and delete XPath
expressions.

Additionally, these HTTP endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Incorrect permission check in Request Rename Or Delete Plugin  

SECURITY-1996 / CVE-2022-34814

Request Rename Or Delete Plugin 1.1.0 and earlier does not correctly perform a
permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view an administrative
configuration page listing pending requests.

As of publication of this advisory, there is no fix.

CSRF vulnerability in Request Rename Or Delete Plugin  

SECURITY-2657 / CVE-2022-34815

Request Rename Or Delete Plugin 1.1.0 and earlier does not require POST
requests for HTTP endpoint, resulting in a cross-site request forgery (CSRF)
vulnerability.

This vulnerability allows attackers to accept pending requests, thereby
renaming or deleting jobs.

As of publication of this advisory, there is no fix.

Passwords stored in plain text by HPE Network Virtualization Plugin  

SECURITY-2080 / CVE-2022-34816

HPE Network Virtualization Plugin 1.0 stores passwords unencrypted in its
global configuration file
org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml on the Jenkins
controller as part of its configuration.

These passwords can be viewed by users with access to the Jenkins controller
file system.

As of publication of this advisory, there is no fix.

CSRF vulnerability and missing permission checks in Failed Job Deactivator
Plugin allow disabling jobs  

SECURITY-2061 / CVE-2022-34817 (CSRF), CVE-2022-34818 (missing authorization)

Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission
checks in several views and HTTP endpoints.

This allows attackers with Overall/Read permission to disable jobs.

Additionally, these endpoints do not require POST requests, resulting in a
cross-site request forgery (CSRF) vulnerability.

 This CSRF vulnerability is only exploitable in Jenkins 2.286 and earlier, LTS
 2.277.1 and earlier. See the LTS upgrade guide.

As of publication of this advisory, there is no fix.

Severity  

  o SECURITY-1118: High
  o SECURITY-1877: Medium
  o SECURITY-1919: High
  o SECURITY-1926: High
  o SECURITY-1939: High
  o SECURITY-1996: Medium
  o SECURITY-2000: High
  o SECURITY-2002: Medium
  o SECURITY-2016: Medium
  o SECURITY-2055: Low
  o SECURITY-2056: Low
  o SECURITY-2061: Medium
  o SECURITY-2070: Low
  o SECURITY-2073: Low
  o SECURITY-2080: Low
  o SECURITY-2083: Low
  o SECURITY-2088: Low
  o SECURITY-2155: Low
  o SECURITY-2160: Low
  o SECURITY-2165: High
  o SECURITY-2220: High
  o SECURITY-2316: High
  o SECURITY-2332: High
  o SECURITY-2643: Medium
  o SECURITY-2650: Medium
  o SECURITY-2657: Medium
  o SECURITY-2658: Medium
  o SECURITY-2773 (1): Medium
  o SECURITY-2773 (2): Medium
  o SECURITY-2788: High
  o SECURITY-2798 (1): Medium
  o SECURITY-2798 (2): Medium
  o SECURITY-2799: High
  o SECURITY-2806: Medium

Affected Versions  

  o Build Notifications Plugin up to and including 1.5.0
  o build-metrics Plugin up to and including 1.3
  o Cisco Spark Plugin up to and including 1.1.1
  o Deployment Dashboard Plugin up to and including 1.0.10
  o Elasticsearch Query Plugin up to and including 1.2
  o eXtreme Feedback Panel Plugin up to and including 2.0.1
  o Failed Job Deactivator Plugin up to and including 1.2.1
  o GitLab Plugin up to and including 1.5.34
  o HPE Network Virtualization Plugin up to and including 1.0
  o Jigomerge Plugin up to and including 0.9
  o Matrix Reloaded Plugin up to and including 1.1.3
  o OpsGenie Plugin up to and including 1.9
  o Plot Plugin up to and including 2.1.10
  o Project Inheritance Plugin up to and including 21.04.03
  o Recipe Plugin up to and including 1.2
  o Request Rename Or Delete Plugin up to and including 1.1.0
  o requests-plugin Plugin up to and including 2.2.16
  o Rich Text Publisher Plugin up to and including 1.4
  o RocketChat Notifier Plugin up to and including 1.5.2
  o RQM Plugin up to and including 2.8
  o Skype notifier Plugin up to and including 1.1.0
  o TestNG Results Plugin up to and including 554.va4a552116332
  o Validating Email Parameter Plugin up to and including 1.10
  o XebiaLabs XL Release Plugin up to and including 22.0.0
  o XPath Configuration Viewer Plugin up to and including 1.1.1

Fix  

  o GitLab Plugin should be updated to version 1.5.35
  o requests-plugin Plugin should be updated to version 2.2.17
  o TestNG Results Plugin should be updated to version 555.va0d5f66521e3
  o XebiaLabs XL Release Plugin should be updated to version 22.0.1

These versions include fixes to the vulnerabilities described above. All prior
versions are considered to be affected by these vulnerabilities unless
otherwise indicated.

As of publication of this advisory, no fixes are available for the following
plugins:

  o Build Notifications Plugin
  o build-metrics Plugin
  o Cisco Spark Plugin
  o Deployment Dashboard Plugin
  o Elasticsearch Query Plugin
  o eXtreme Feedback Panel Plugin
  o Failed Job Deactivator Plugin
  o HPE Network Virtualization Plugin
  o Jigomerge Plugin
  o Matrix Reloaded Plugin
  o OpsGenie Plugin
  o Plot Plugin
  o Project Inheritance Plugin
  o Recipe Plugin
  o Request Rename Or Delete Plugin
  o Rich Text Publisher Plugin
  o RocketChat Notifier Plugin
  o RQM Plugin
  o Skype notifier Plugin
  o Validating Email Parameter Plugin
  o XPath Configuration Viewer Plugin

Credit  

The Jenkins project would like to thank the reporters for discovering and
reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-1118, SECURITY-2061
  o Justin Philip, Kevin Guerroudj, Marc Heyries for SECURITY-2332
  o Kevin Guerroudj for SECURITY-2220
  o Kevin Guerroudj, CloudBees, Inc. for SECURITY-2643, SECURITY-2650,
    SECURITY-2657, SECURITY-2658, SECURITY-2798 (1), SECURITY-2798 (2),
    SECURITY-2799, SECURITY-2806
  o Kevin Guerroudj, Marc Heyries, Justin Philip, Wadeck Follonier, CloudBees,
    Inc. for SECURITY-2316
  o Long Nguyen, Viettel Cyber Security for SECURITY-2055, SECURITY-2056,
    SECURITY-2070, SECURITY-2073, SECURITY-2080, SECURITY-2083
  o Long Nguyen, Viettel Cyber Security and, independently, Son Nguyen
    (@s0nnguy3n_), and Marc Heyries for SECURITY-2088
  o Matt Sicker, ClouBees, Inc., Daniel Beck, CloudBees, Inc. and Kevin
    Guerroudj, CloudBees, Inc. for SECURITY-2000
  o Matt Sicker, CloudBees, Inc. for SECURITY-1996, SECURITY-2002
  o Son Nguyen (@s0nnguy3n_) for SECURITY-2155, SECURITY-2160
  o Son Nguyen (@s0nnguy3n_), and independently, Kevin Guerroudj for
    SECURITY-2165
  o Valdes Che Zogou, CloudBees, Inc. for SECURITY-2773 (1), SECURITY-2773 (2),
    SECURITY-2788
  o Wadeck Follonier, CloudBees, Inc. for SECURITY-1919, SECURITY-1926,
    SECURITY-1939, SECURITY-2016
  o github.com/jetersen for SECURITY-1877

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYsJ2jckNZI30y1K9AQgu7g/+P1ttcel0Iu1tegUdd3dKeJ6wxkyAiwFg
UPO8RViC62ocPHUO/GhBQedMnDR++gb6Vyl4oHW0nghqAHJlQ6CXAeWg9ZK2SKxp
pGVkcisnOUSVV38yQg+gZ+bzGYc62x0/S7zFmdK9PsdOnoLFlErYTslzsqIsTQKh
rloUDNGBIDG8EP/df0T5Qpf0x9+owY1USsp0C2PXeoaVHH2dnRFozmF3GvyybWM6
WIpiOWh1LNuZ0I+c88MywxIrjiw8kbL/+hjx7hiN1SGfEAbOh4eZ3KcdzSd+VeNY
+NjrOhTqvZ0SXDSUz7AYoiom15vzBKu5UcDf1TcoyzaUSzGsx/+1LFZHJHknUzkC
lpMAn4kIezvfxCGZvTugCNLHXpX+fkvhc/glZJ5jAFk8e+rQOkgHYQFVdYZ18ZiB
U2LtRf2b2PADITnzSI+cHbvstMSpAS3NfdtDr5ubNvwHYc9dAu+OkSsLh+MKYdtl
Q1K7ZqF73dDo8PYqbYjEi5HgSB25tFXIPofHH2+14+KODlPKL3ksqYuQrDQWhqJ7
Xd3So3CDThGUkruVaSeuPtIyIevJ0HODhT7gi9wFeJdfSbMe7nQew6/xwdJVUlxJ
JaEAWqrBkuWqD2Pd3BMV5F3eOai20lz3JmyhaxoK7GmwP8GQrs7OyyfZhj5UF/Zs
MD1WRkwedPA=
=eAda
-----END PGP SIGNATURE-----