Wednesday, December 5, 2018

Security Alert: Jenkins Code Execution through Crafted URLs

The Jenkins project has released a new version that fixes multiple security vulnerabilities. The most important one is “Code execution through crafted URLs”: this vulnerability allows invoking methods that were never intended to be invoked in this way.

We recommend that you update your Jenkins installations to the latest version. Please follow our documentation to learn how to upgrade your application. If you are using the Bitnami Jenkins Docker container image, please follow the documentation in our GitHub repository.

You can find more information about this Jenkins security issue in the Jenkins Security Advisory.

Bitnami has released Jenkins v2.150.1 in containers, Helm charts, multi-tier solutions, installers, virtual machines, and cloud images to fix these vulnerabilities.

The Bitnami Jenkins stack offered on bitnami.com and in our cloud-specific launchpads has been updated to that new version. New launches of Bitnami Jenkins via our launchpads are secure and do not need to be updated further.

Users who launch Bitnami Jenkins via cloud marketplaces are advised to select the version v2.150.1 of Bitnami Jenkins, once it is published. Installations based on previous versions must be upgraded using the process described above.

If you have further questions or concerns about Bitnami Jenkins or about this security issue, please post to our community forum and we will be happy to help you.