This advisory announces multiple security vulnerabilities found in several Jenkins plugins.
The Subversion plugin was not storing credentials using the security mechanism Jenkins core provides to plugins (SECURITY-58). As a result, people with local system access on the Jenkins master can recover the passwords and SSH private key passphrases Jenkins uses to access Subversion repositories. The Jenkins project would like to thank Lennart Starr for finding this issue.
The Exclusion plugin was not protecting itself from unauthorized access (SECURITY-53): anyone could list and release the resource locks held by ongoing builds. The Jenkins project would like to thank mwebber for finding this issue.
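As an added illustration (not code from the Subversion plugin or from this advisory), a hypothetical Jenkins plugin class in Java that stores a password as `hudson.util.Secret`, the core mechanism the advisory refers to, alongside the plain `String` field pattern that SECURITY-58 describes; the class and field names are assumptions.

```java
// Added example, not the Subversion plugin's own code. Jenkins core encrypts a
// hudson.util.Secret with the key under $JENKINS_HOME/secrets/ before the value
// is serialized to config.xml, so reading the file alone does not reveal it.
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class SvnCredential extends AbstractDescribableImpl<SvnCredential> {

    private final String username;

    // The SECURITY-58 pattern: a plain String is persisted as plaintext, so
    // anyone who can read $JENKINS_HOME can recover the password.
    // private final String password;

    // Fixed pattern: persisted as an encrypted, base64-encoded string.
    private final Secret password;

    @DataBoundConstructor
    public SvnCredential(String username, String password) {
        this.username = username;
        // Secret.fromString() accepts either plaintext submitted from the form
        // or an already-encrypted value, so existing configurations load unchanged.
        this.password = Secret.fromString(password);
    }

    public String getUsername() {
        return username;
    }

    // Hand the Secret itself to the configuration form; do not decrypt here.
    public Secret getPassword() {
        return password;
    }

    // Decrypt only at the point of use, when authenticating to the repository.
    public String plainPasswordForSvnClient() {
        return password.getPlainText();
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<SvnCredential> {
        @Override
        public String getDisplayName() {
            return "Subversion credential (example)";
        }
    }
}
```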
SECURITY-58 is rated low because it requires an attacker to have local access to the Jenkins master, and Subversion itself does not store passwords securely either.
SECURITY-53 is rated medium, as it allows anyone with access to Jenkins to mount an attack. However, the impact is limited: it can only cause builds to fail and leads to neither privilege escalation nor data loss.
SECURITY-96 is rated low. To exploit this vulnerability, an attacker must have been explicitly granted a specific permission.
- Subversion plugin 1.54 contains the fix for SECURITY-58.
- Exclusion plugin 0.9 contains the fix for SECURITY-53.
- Build failure analyzer plugin 1.5.1 contains the fix for SECURITY-96.
Please update your plugins to receive the fixes. All prior versions are affected by these vulnerabilities.