The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element.

CVE-2019-20204: Postie

An authentication issue was addressed with improved state management. This issue is fixed in macOS Mojave 10.14.5. A user may be unexpectedly logged in to another user’s account.

Released May 13, 2019

**Accessibility Framework**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.4

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8603: Phoenhex and qwerty (@\_niklasb, @qwertyoruiopz, @bkth\_) working with Trend Micro's Zero Day Initiative

**AMD**

Available for: macOS Mojave 10.14.4

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8635: Lilang Wu and Moony Li of TrendMicro Mobile Security Research Team working with Trend Micro's Zero Day Initiative

**Application Firewall**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.4

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A logic issue was addressed with improved restrictions.

CVE-2019-8590: The UK’s National Cyber Security Centre (NCSC)

**Archive Utility**

Available for: macOS Mojave 10.14.4

Impact: A sandboxed process may be able to circumvent sandbox restrictions

Description: A logic issue was addressed with improved validation.

CVE-2019-8640: Ash Fox of Fitbit Product Security

Entry added August 1, 2019

**Bluetooth**

Available for: macOS Mojave 10.14.4

Impact: Due to a misconfiguration in the Bluetooth pairing protocols of a Bluetooth Low Energy (BLE) version of FIDO Security Keys it may be possible for an attacker with physical proximity to be able to intercept Bluetooth traffic during pairing

Description: This issue was addressed by disabling accessories with insecure Bluetooth connections. Customers using the Bluetooth Low Energy (BLE) version of the Titan Security Key by Google should review Android’s June Bulletins and Google’s advisory and take appropriate action.

CVE-2019-2102: Matt Beaver and Erik Peterson of Microsoft Corp.

Entry added September 17, 2019

**CoreAudio**

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4, macOS High Sierra 10.13.6

Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved error handling.

CVE-2019-8592: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry updated October 8, 2019

**CoreAudio**

Available for: macOS Mojave 10.14.4

Impact: Processing a maliciously crafted movie file may lead to arbitrary code execution

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8585: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

**CoreText**

Available for: macOS Mojave 10.14.4

Impact: Processing a maliciously crafted font may result in the disclosure of process memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8582: riusksk of VulWar Corp working with Trend Micro's Zero Day Initiative

Entry added July 25, 2019

**DesktopServices**

Available for: macOS Mojave 10.14.4

Impact: A malicious application may bypass Gatekeeper checks

Description: This issue was addressed with improved checks.

CVE-2019-8589: Andreas Clementi, Stefan Haselwanter, and Peter Stelzhammer of AV-Comparatives

**Disk Images**

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4, macOS High Sierra 10.13.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8560: Nikita Pupyshev of Bauman Moscow State Technological University

Entry updated May 14, 2019

**EFI**

Available for: macOS Mojave 10.14.4

Impact: A user may be unexpectedly logged in to another user’s account

Description: An authentication issue was addressed with improved state management.

CVE-2019-8634: Jenny Sprenger and Maik Hoepfel

**Intel Graphics Driver**

Available for: macOS Mojave 10.14.4

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8616: Lilang Wu and Moony Li of Trend Micro Mobile Security Research Team working with Trend Micro's Zero Day Initiative

**Intel Graphics Driver**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.4

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory initialization issue was addressed with improved memory handling.

CVE-2019-8629: Arash Tohidi of Solita Oy

**IOAcceleratorFamily**

Available for: macOS High Sierra 10.13.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2018-4456: Tyler Bohan of Cisco Talos

**IOKit**

Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.4

Impact: A local user may be able to load unsigned kernel extensions

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2019-8606: Phoenhex and qwerty (@\_niklasb, @qwertyoruiopz, @bkth\_) working with Trend Micro's Zero Day Initiative

**Kernel**

Available for: macOS Mojave 10.14.4, macOS High Sierra 10.13.6

Impact: An application may be able to read restricted memory

Description: A validation issue was addressed with improved input sanitization.

CVE-2019-8633: Zhuo Liang of Qihoo 360 Vulcan Team

Entry added July 25, 2019, updated September 17, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: An application may be able to execute arbitrary code with kernel privileges

Description: A memory corruption issue was addressed with improved state management.

CVE-2019-8525: Zhuo Liang and shrek\_wzw of Qihoo 360 Nirvan Team

Entry added May 14, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: A remote attacker may be able to leak memory

Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation.

CVE-2019-8547: derrek (@derrekr6)

Entry added May 14, 2019

**Kernel**

Available for: macOS Mojave 10.14.4

Impact: A local user may be able to cause unexpected system termination or read kernel memory

Description: An out-of-bounds read was addressed with improved bounds checking.

CVE-2019-8576: Brandon Azad of Google Project Zero, Junho Jang and Hanul Choi of LINE Security Team

Entry updated May 30, 2019

**Kernel**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.4

Impact: An application may be able to cause unexpected system termination or write kernel memory

Description: A type confusion issue was addressed with improved memory handling.

CVE-2019-8591: Ned Williamson working with Google Project Zero

**Messages**

Available for: macOS Mojave 10.14.4

Impact: A remote attacker may be able to cause a system denial of service

Description: An input validation issue was addressed with improved input validation.

CVE-2019-8573: natashenka of Google Project Zero

Entry added July 3, 2019

**Messages**

Available for: macOS Mojave 10.14.4

Impact: Users removed from an iMessage conversation may still be able to alter state

Description: A logic issue was addressed with improved state management.

CVE-2019-8631: Jamie Bishop of Dynastic

Entry added August 1, 2019

**Microcode**

Available for: macOS Mojave 10.14.4

Impact: Load ports, fill buffers, and store buffers in systems with microprocessors utilizing speculative execution may allow an attacker with local user access to potentially enable information disclosure via a side channel

Description: Multiple information disclosure issues were addressed partially by updating the microcode and changing the OS scheduler to isolate the system from web content running in the browser. To completely address these issues, there are additional opt-in mitigations to disable hyper threading and enable microcode-based mitigations for all processes by default. Details of the mitigations can be found at https://support.apple.com/kb/HT210107.

CVE-2018-12126: Ke Sun, Henrique Kawakami, Kekai Hu, and Rodrigo Branco from Intel; Lei Shi - Qihoo 360 CERT; Marina Minkin; Daniel Genkin from University of Michigan; and Yuval Yarom from University of Adelaide

CVE-2018-12127: Brandon Falk from Microsoft Windows Platform Security Team; and Ke Sun, Henrique Kawakami, Kekai Hu, and Rodrigo Branco from Intel

CVE-2018-12130: Giorgi Maisuradze from Microsoft Research; Ke Sun, Henrique Kawakami, Kekai Hu, and Rodrigo Branco from Intel; Moritz Lipp, Michael Schwarz, and Daniel Gruss from Graz University of Technology; Stephan van Schaik, Alyssa Milburn, Sebastian Osterlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida from VUSec group at VU Amsterdam; Volodymyr Pikhur; and Dan Horea Lutas from BitDefender

CVE-2019-11091: Ke Sun, Henrique Kawakami, Kekai Hu, and Rodrigo Branco from Intel; and Moritz Lipp, Michael Schwarz, and Daniel Gruss from Graz University of Technology

Entry added May 14, 2019

**Security**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.4

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8604: Fluoroacetate working with Trend Micro's Zero Day Initiative

**SQLite**

Available for: macOS Mojave 10.14.4

Impact: An application may be able to gain elevated privileges

Description: An input validation issue was addressed with improved memory handling.

CVE-2019-8577: Omer Gull of Checkpoint Research

**SQLite**

Available for: macOS Mojave 10.14.4

Impact: A maliciously crafted SQL query may lead to arbitrary code execution

Description: A memory corruption issue was addressed with improved input validation.

CVE-2019-8600: Omer Gull of Checkpoint Research

**SQLite**

Available for: macOS Mojave 10.14.4

Impact: A malicious application may be able to read restricted memory

Description: An input validation issue was addressed with improved input validation.

CVE-2019-8598: Omer Gull of Checkpoint Research

**SQLite**

Available for: macOS Mojave 10.14.4

Impact: A malicious application may be able to elevate privileges

Description: A memory corruption issue was addressed by removing the vulnerable code.

CVE-2019-8602: Omer Gull of Checkpoint Research

**StreamingZip**

Available for: macOS Mojave 10.14.4

Impact: A local user may be able to modify protected parts of the file system

Description: A validation issue existed in the handling of symlinks. This issue was addressed with improved validation of symlinks.

CVE-2019-8568: Dany Lisiansky (@DanyL931)

**sysdiagnose**

Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.4, macOS High Sierra 10.13.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: The issue was addressed with improved permissions logic.

CVE-2019-8574: Dayton Pidhirney (@\_watbulb) of Seekintoo (@seekintoo)

Entry updated March 26, 2021

**Touch Bar Support**

Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6

Impact: An application may be able to execute arbitrary code with system privileges

Description: A memory corruption issue was addressed with improved memory handling.

CVE-2019-8569: Viktor Oreshkin (@stek29)

**WebKit**

Available for: macOS Mojave 10.14.4

Impact: Processing maliciously crafted web content may lead to arbitrary code execution

Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-6237: G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team

CVE-2019-8571: 01 working with Trend Micro's Zero Day Initiative

CVE-2019-8583: sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca\_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech

CVE-2019-8584: G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative

CVE-2019-8586: an anonymous researcher

CVE-2019-8587: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8594: Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab

CVE-2019-8595: G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative

CVE-2019-8596: Wen Xu of SSLab at Georgia Tech

CVE-2019-8597: 01 working with Trend Micro Zero Day Initiative

CVE-2019-8601: Fluoroacetate working with Trend Micro's Zero Day Initiative

CVE-2019-8608: G. Geshev working with Trend Micro Zero Day Initiative

CVE-2019-8609: Wen Xu of SSLab, Georgia Tech

CVE-2019-8610: Anonymous working with Trend Micro Zero Day Initiative

CVE-2019-8611: Samuel Groß of Google Project Zero

CVE-2019-8615: G. Geshev from MWR Labs working with Trend Micro's Zero Day Initiative

CVE-2019-8619: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab

CVE-2019-8622: Samuel Groß of Google Project Zero

CVE-2019-8623: Samuel Groß of Google Project Zero

CVE-2019-8628: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of Chaitin Security Research Lab

**WebKit**

Available for: macOS Mojave 10.14.4

Impact: Processing maliciously crafted web content may result in the disclosure of process memory

Description: An out-of-bounds read was addressed with improved input validation.

CVE-2019-8607: Junho Jang and Hanul Choi of LINE Security Team

**Wi-Fi**

Available for: macOS Mojave 10.14.4

Impact: An attacker in a privileged network position can modify driver state

Description: A logic issue was addressed with improved state management.

CVE-2019-8612: Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt

Entry added May 14, 2019

CVE-2019-8634: About the security content of macOS Mojave 10.14.5, Security Update 2019-003 High Sierra, Security Update 2019-003 Sierra

Jenkins Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to change these properties.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Alauda DevOps Pipeline Plugin
*   Alauda Kubernetes Suport Plugin
*   Build Failure Analyzer Plugin
*   buildgraph-view Plugin
*   Gerrit Trigger Plugin
*   Mantis Plugin
*   Maven Release Plug-in Plugin
*   Mission Control Plugin
*   Pipeline Aggregator View Plugin
*   RapidDeploy Plugin
*   Redgate SQL Change Automation Plugin
*   Rundeck Plugin
*   SCTMExecutor Plugin
*   Spira Importer Plugin
*   Team Concert Plugin
*   WebSphere Deployer Plugin
*   Weibo Plugin

**Descriptions****XXE vulnerability in Maven Release Plug-in Plugin**

**SECURITY-1681 / CVE-2019-16549 (XXE), CVE-2019-16550 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: m2release**  
**Description:**

Maven Release Plug-in Plugin retrieves XML from Nexus repository manager APIs. Maven Release Plug-in Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks. While Jenkins users without Overall/Administer permission are not allowed to configure a custom Nexus URL, this could still be exploited via man-in-the-middle attacks, especially if it’s not an HTTPS URL.

Additionally, a connection test form validation method does not require POST requests, resulting in a cross-site request forgery vulnerability. Combined, these two vulnerabilities allow attackers to have Jenkins parse crafted XML documents that use external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks.

Maven Release Plug-in Plugin 0.16.2 configures its XML parser to prevent XML external entity (XXE) attacks. It also now requires that requests to the connection test form validation method are done via POST, which protects from cross-site request forgery attacks.

**CSRF vulnerability and missing permission checks in Gerrit Trigger Plugin**

**SECURITY-1527 / CVE-2019-16551 (CSRF), CVE-2019-16552 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: gerrit-trigger**  
**Description:**

Gerrit Trigger Plugin 2.30.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, connecting to an HTTP URL or SSH server using attacker-specified credentials, or determine whether files with an attacker-specified path exist on the Jenkins controller file system.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

Gerrit Trigger Plugin 2.30.2 requires POST requests and Overall/Administer permission for the affected form validation methods.

**CSRF vulnerability and missing permission check in Build Failure Analyzer Plugin allow ReDoS**

**SECURITY-1651 / CVE-2019-16553 (CSRF), CVE-2019-16554 (missing permission check), CVE-2019-16555 (resource consumption)**  
**Severity (CVSS):** Medium  
**Affected plugin: build-failure-analyzer**  
**Description:**

Build Failure Analyzer Plugin 1.24.1 and earlier does not perform a permission check in a method performing form validation. This allows users with Overall/Read access to supply a computationally expensive regular expression that will hang the request handling thread.

Additionally, this form validation method does not require POST requests, resulting in a CSRF vulnerability.

Build Failure Analyzer Plugin 1.24.2 requires POST requests and implements a permission check for the affected form validation methods so that only authorized users are able to submit regular expressions.

Additionally, the regular expression is implemented in an interruptible way, so that unintentionally expensive regular expression processing can be interrupted.

**Stored XSS vulnerability in Pipeline Aggregator View Plugin**

**SECURITY-1593 / CVE-2019-16564**  
**Severity (CVSS):** Medium  
**Affected plugin: pipeline-aggregator-view**  
**Description:**

Pipeline Aggregator View Plugin 1.8 and earlier does not escape the information shown on the view it provides, such as stage names or job names.

This results in a stored cross-site scripting vulnerability exploitable by users able to configure jobs, define pipeline stages, or otherwise affect the information shown by Pipeline Aggregator View Plugin.

Pipeline Aggregator View Plugin 1.9 escapes user-controlled information on the view it provides.

**Rundeck Plugin stored credentials in plain text**

**SECURITY-1636 / CVE-2019-16556**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.5 and earlier stores credentials as part of its global configuration file org.jenkinsci.plugins.rundeck.RundeckNotifier.xml and job config.xml files on the Jenkins controller. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system.

Rundeck Plugin 3.6.6 stores credentials in its configuration encrypted once global and/or job configurations are saved again.

**Redgate SQL Change Automation Plugin stores credentials in plain text**

**SECURITY-1598 / CVE-2019-16557**  
**Severity (CVSS):** Medium  
**Affected plugin: redgate-sql-ci**  
**Description:**

Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins controller as part of its build step configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Redgate SQL Change Automation Plugin 2.0.4 stores its credentials encrypted once job configurations are saved again.

**SSL/TLS certificate validation globally and unconditionally disabled by Spira Importer Plugin**

**SECURITY-1580 / CVE-2019-16558**  
**Severity (CVSS):** Medium  
**Affected plugin: inflectra-spira-integration**  
**Description:**

Spira Importer Plugin 3.2.3 and earlier unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM.

Spira Importer Plugin 3.2.4 no longer disables SSL/TLS certificate validation.

**CSRF vulnerability and missing permission checks in WebSphere Deployer Plugin**

**SECURITY-1371 / CVE-2019-16559 (permission check), CVE-2019-16560 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: websphere-deployer**  
**Description:**

WebSphere Deployer Plugin 1.6.1 and earlier does not perform permission checks in methods performing form validation. This allows users with Overall/Read access to perform connection tests, determine whether files with an attacker-specified path exist on the Jenkins controller file system, and obtain limited information about the Jenkins and plugin configuration based on the responses. The latter include the ability to set plugin configuration options.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**SSL/TLS certificate validation globally and unconditionally disabled by WebSphere Deployer Plugin**

**SECURITY-1581 / CVE-2019-16561**  
**Severity (CVSS):** Medium  
**Affected plugin: websphere-deployer**  
**Description:**

WebSphere Deployer Plugin 1.6.1 and earlier allows users with Overall/Read access to disable SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM, or specify a new Java keystore from a file stored on the Jenkins controller filesystem.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in buildgraph-view Plugin**

**SECURITY-1591 / CVE-2019-16562**  
**Severity (CVSS):** Medium  
**Affected plugin: buildgraph-view**  
**Description:**

buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change the build description.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Mission Control Plugin**

**SECURITY-1592 / CVE-2019-16563**  
**Severity (CVSS):** Medium  
**Affected plugin: mission-control-view**  
**Description:**

Mission Control Plugin 0.9.16 and earlier does not escape job display names and build names in the view it provides.

This results in a stored cross-site scripting vulnerability that can be exploited by users able to change these properties.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Team Concert Plugin allows capturing credentials**

**SECURITY-1605 (1) / CVE-2019-16565 (CSRF), CVE-2019-16566 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 1.3.0 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Users with Overall/Read access can enumerate credential IDs in Team Concert Plugin**

**SECURITY-1605 (2) / CVE-2019-16567**  
**Severity (CVSS):** Medium  
**Affected plugin: teamconcert**  
**Description:**

Team Concert Plugin 1.3.0 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use.

This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an attack to capture the credentials using another vulnerability.

As of publication of this advisory, there is no fix.

**SCTMExecutor Plugin stores credentials in plain text**

**SECURITY-1521 / CVE-2019-16568**  
**Severity (CVSS):** Low  
**Affected plugin: SCTMExecutor**  
**Description:**

SCTMExecutor Plugin 2.2 and earlier stores Silk Central credentials in the global Jenkins configuration and in job config.xml files.

While these credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form. This can result in exposure of these credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Mantis Plugin**

**SECURITY-1603 / CVE-2019-16569**  
**Severity (CVSS):** Medium  
**Affected plugin: mantis**  
**Description:**

Mantis Plugin 0.26 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Mantis-related paths on an attacker-specified web server using attacker-specified credentials.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in RapidDeploy Plugin allow SSRF**

**SECURITY-1604 / CVE-2019-16570 (CSRF), CVE-2019-16571 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: rapiddeploy-jenkins**  
**Description:**

RapidDeploy Plugin 4.1 and earlier does not perform a permission check on form validation methods. This allows users with Overall/Read access to Jenkins to connect to RapidDeploy-related paths on an attacker-specified web server.

Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**Weibo Plugin stores credentials in plain text**

**SECURITY-1597 / CVE-2019-16572**  
**Severity (CVSS):** Low  
**Affected plugin: weibo**  
**Description:**

Weibo Plugin 1.0.1 and earlier stores a credential unencrypted in its global configuration file org.jenkinsci.plugins.weibo.WeiboNotifier.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in Alauda DevOps Pipeline Plugin allows capturing credentials**

**SECURITY-1600 / CVE-2019-16573 (CSRF), CVE-2019-16574 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: alauda-devops-pipeline**  
**Description:**

Alauda DevOps Pipeline Plugin 2.3.2 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing token credentials managed by Alauda DevOps Pipeline Plugin.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

**CSRF vulnerability in Alauda Kubernetes Suport Plugin**

**SECURITY-1602 / CVE-2019-16575 (CSRF), CVE-2019-16576 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: alauda-kubernetes-support**  
**Description:**

Alauda Kubernetes Suport Plugin 2.3.0 and earlier does not require POST requests on a connection test method, resulting in a CSRF vulnerability. This allows attackers to have Jenkins connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing 'Secret Text' credentials stored in Jenkins.

Additionally, if no credentials ID is specified, the connection uses the default Kubernetes token from /var/run/secrets/kubernetes.io/serviceaccount/token.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1371: Medium
*   SECURITY-1521: Low
*   SECURITY-1527: Medium
*   SECURITY-1580: Medium
*   SECURITY-1581: Medium
*   SECURITY-1591: Medium
*   SECURITY-1592: Medium
*   SECURITY-1593: Medium
*   SECURITY-1597: Low
*   SECURITY-1598: Medium
*   SECURITY-1600: Medium
*   SECURITY-1602: Medium
*   SECURITY-1603: Medium
*   SECURITY-1604: Medium
*   SECURITY-1605 (1): High
*   SECURITY-1605 (2): Medium
*   SECURITY-1636: Medium
*   SECURITY-1651: Medium
*   SECURITY-1681: High

**Affected Versions**

*   **Alauda DevOps Pipeline Plugin** up to and including 2.3.2
*   **Alauda Kubernetes Suport Plugin** up to and including 2.3.0
*   **Build Failure Analyzer Plugin** up to and including 1.24.1
*   **buildgraph-view Plugin** up to and including 1.8
*   **Gerrit Trigger Plugin** up to and including 2.30.1
*   **Mantis Plugin** up to and including 0.26
*   **Maven Release Plug-in Plugin** up to and including 0.16.1
*   **Mission Control Plugin** up to and including 0.9.16
*   **Pipeline Aggregator View Plugin** up to and including 1.8
*   **RapidDeploy Plugin** up to and including 4.1
*   **Redgate SQL Change Automation Plugin** up to and including 2.0.3
*   **Rundeck Plugin** up to and including 3.6.5
*   **SCTMExecutor Plugin** up to and including 2.2
*   **Spira Importer Plugin** up to and including 3.2.3
*   **Team Concert Plugin** up to and including 1.3.0
*   **WebSphere Deployer Plugin** up to and including 1.6.1
*   **Weibo Plugin** up to and including 1.0.1

**Fix**

*   **Build Failure Analyzer Plugin** should be updated to version 1.24.2
*   **Gerrit Trigger Plugin** should be updated to version 2.30.2
*   **Maven Release Plug-in Plugin** should be updated to version 0.16.2
*   **Pipeline Aggregator View Plugin** should be updated to version 1.9
*   **Redgate SQL Change Automation Plugin** should be updated to version 2.0.4
*   **Rundeck Plugin** should be updated to version 3.6.6
*   **Spira Importer Plugin** should be updated to version 3.2.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Alauda DevOps Pipeline Plugin
*   Alauda Kubernetes Suport Plugin
*   buildgraph-view Plugin
*   Mantis Plugin
*   Mission Control Plugin
*   RapidDeploy Plugin
*   SCTMExecutor Plugin
*   Team Concert Plugin
*   WebSphere Deployer Plugin
*   Weibo Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Alex Earl (@alexcearl), Marvell Semiconductor, Inc.** for SECURITY-1527
*   **Cheng Gao, Alibaba Cloud Intelligence Security Team, https://www.aliyun.com/** for SECURITY-1681
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1371, SECURITY-1580, SECURITY-1581, SECURITY-1651
*   **James Holderness, IB Boost** for SECURITY-1521
*   **Viktor Gazdag NCC Group** for SECURITY-1591, SECURITY-1592, SECURITY-1593, SECURITY-1597, SECURITY-1598, SECURITY-1600, SECURITY-1602, SECURITY-1603, SECURITY-1604, SECURITY-1605 (1), SECURITY-1605 (2)
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1636

CVE-2019-16563: Jenkins Security Advisory 2019-12-17

Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the description of builds shown in its view, resulting in a stored XSS vulnerability exploitable by users able to change build descriptions.

CVE-2019-16562: Jenkins Security Advisory 2019-12-17

Jenkins Pipeline Aggregator View Plugin 1.8 and earlier does not escape information shown on its view, resulting in a stored XSS vulnerability exploitable by attackers able to affects view content such as job display name or pipeline stage names.

CVE-2019-16564: Jenkins Security Advisory 2019-12-17

In Apache Incubator Superset before 0.32, a user can view database names that he has no access to on a dropdown list in SQLLab

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2019-12414

Octeth Oempro 4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.

**Latest Octeth News**

**3 Lorem ipsum dolor sit amet, consectetur adipiscing**

Heading 1 Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis vitae pulvinar velit. Vestibulum nisl metus, pretium sed suscipit quis, auctor viverra leo. Nam scelerisque ipsum sapien, at interdum

Read More

**2 Lorem ipsum dolor sit amet, consectetur adipiscing elit**

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis vitae pulvinar velit. Vestibulum nisl metus, pretium sed suscipit quis, auctor viverra leo. Nam scelerisque ipsum sapien, at interdum nisl tincidunt

Read More

**1 Lorem ipsum dolor sit amet, consectetur adipiscing elit**

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis vitae pulvinar velit. Vestibulum nisl metus, pretium sed suscipit quis, auctor viverra leo. Nam scelerisque ipsum sapien, at interdum nisl tincidunt

Read More

**Widget Title**

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

**Widget Title**

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

**Join our mail list to get future updates, latest news from the email marketing world.**

Email

CVE-2019-19740: Email Marketing Articles - Octeth

Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.

CVE-2019-19650: Release Notes - New features

Out of bounds write in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2019-13734: 1025466 - chromium - An open-source project to help move the web forward.

Insufficient data validation in SQLite in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass defense-in-depth measures via a crafted HTML page.

Tag

#sql