Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page. The most notable ones: SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site SECURITY-414: Remove any update site from the Jenkins configuration SECURITY-415: Change a user’s API token SECURITY-416: Submit system configuration SECURITY-417: Submit global security configuration SECURITY-418, SECURITY-420: For Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method SECURITY-420: Update the node monitor data on all agents
Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page. The most notable ones: SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site SECURITY-414: Remove any update site from the Jenkins configuration SECURITY-415: Change a user’s API token SECURITY-416: Submit system configuration SECURITY-417: Submit global security configuration SECURITY-418, SECURITY-420: For Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method SECURITY-420: Update the node monitor data on all agents
https://jenkins.io/security/advisory/2017-04-26/