Multiple Jenkins Plugins Multiple Security Vulnerabilities

Jenkins plugins are prone to the following vulnerabilities:

1. A cross-site request-forgery vulnerability
2. Multiple information disclosure vulnerabilities
3. Multiple cross-site scripting vulnerabilities
4. An HTML-injection vulnerability

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, obtain sensitive information, and perform certain actions with the privileges of the victim user, including administrative actions. Other attacks may also be possible.

The following Jenkins plugin versions are vulnerable:

Caliper CI plugin version 2.3 and prior are vulnerable.
Dependency Graph Viewer plugin version 0.13 and prior are vulnerable.
Docker plugin version 1.1.6 and prior are vulnerable.
Embeddable Build Status plugin version 2.0.1 and prior are vulnerable.
Gogs plugin version 1.0.14 and prior are vulnerable.
Mashup Portlets plugin version 1.0.9 and prior are vulnerable.
Port Allocator plugin version 1.8 and prior are vulnerable.
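The list above gives the last affected release of each plugin, so the practical check is to compare what a Jenkins instance actually has installed against those ceilings. The script below is an added example, not part of this advisory and not code from the Jenkins project: it reads the plugin inventory in the shape returned by the Jenkins plugin manager API (`/pluginManager/api/json?depth=1`), parses version strings numerically (a plain string comparison would rank 1.0.14 below 1.0.9), and reports every listed plugin whose installed version is at or below the advisory ceiling. The plugin short names used as keys are an assumption made for this example; confirm them against the `shortName` values your own instance reports before relying on the result. A constructed sample response is embedded so the script runs offline; `fetch_plugins` is provided for use against a live server.

```python
"""Flag installed Jenkins plugins that fall inside this advisory's affected ranges.

Added example, not from the advisory or the Jenkins project. The plugin short
names in AFFECTED are assumed to match the IDs Jenkins reports in its plugin
manager API; verify them against your own instance.
"""
import json
import re
import urllib.request
from base64 import b64encode

# Advisory data: plugin short name -> last affected version ("X and prior").
# The short-name spelling is an assumption made for this example.
AFFECTED = {
    "caliper-ci": "2.3",
    "depgraph-view": "0.13",
    "docker-plugin": "1.1.6",
    "embeddable-build-status": "2.0.1",
    "gogs-webhook": "1.0.14",
    "mashup-portlets-plugin": "1.0.9",
    "port-allocator": "1.8",
}


def parse_version(text):
    """Convert a plugin version string into a tuple of ints for comparison.

    Only the dotted numeric core is used; anything after a '-' or '+'
    (pre-release or build suffix) is dropped, so a pre-release of a version
    compares equal to the release itself, which errs on the side of flagging.
    Positional integer comparison gives 1.0.14 > 1.0.9, unlike string order.
    """
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", core))


def is_affected(short_name, installed):
    """True if the plugin is in the advisory and installed <= ceiling."""
    ceiling = AFFECTED.get(short_name)
    if ceiling is None:
        return False
    return parse_version(installed) <= parse_version(ceiling)


def find_affected(plugin_list):
    """Scan the "plugins" array from /pluginManager/api/json?depth=1.

    Returns a sorted list of (short_name, installed_version, ceiling).
    """
    hits = []
    for plugin in plugin_list:
        name = plugin.get("shortName")
        version = plugin.get("version", "")
        if name in AFFECTED and is_affected(name, version):
            hits.append((name, version, AFFECTED[name]))
    return sorted(hits)


def fetch_plugins(base_url, user, api_token):
    """Pull the live inventory from a Jenkins instance (needs a user API token).

    Not exercised offline; shown for use against a real server.
    """
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    req = urllib.request.Request(url)
    cred = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["plugins"]


# Constructed sample response in the API's shape, for offline use.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "docker-plugin", "version": "1.1.6", "active": True},
    {"shortName": "gogs-webhook", "version": "1.0.14", "active": True},
    {"shortName": "embeddable-build-status", "version": "2.0.2", "active": True},
    {"shortName": "port-allocator", "version": "1.8.1", "active": True},
    {"shortName": "depgraph-view", "version": "0.9", "active": True},
    {"shortName": "git", "version": "3.9.1", "active": True},
]})


def sample_plugins():
    """Parse the constructed sample into the list find_affected expects."""
    return json.loads(SAMPLE_RESPONSE)["plugins"]


if __name__ == "__main__":
    for name, version, ceiling in find_affected(sample_plugins()):
        print(f"{name} {version}: affected (advisory covers {ceiling} and prior)")
```

Against the constructed sample the script flags docker-plugin 1.1.6, gogs-webhook 1.0.14 and depgraph-view 0.9, and leaves embeddable-build-status 2.0.2 and port-allocator 1.8.1 alone because they sit above the listed ceilings. The advisory does not state fixed versions, so a plugin above the ceiling is only "not in the listed range", not necessarily patched; check the vendor's own advisory for the fixed release.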

Copyright 2010, SecurityFocus