Stephen Connolly

**Name of the Vulnerable Software and Affected Versions** Jenkins versions prior to 2.3 Jenkins LTS versions prior to 1.651.2 **Description** The issue allows remote authenticated users to inject arbitrary build parameters into the build environment via environment variables. This can be achieved by manipulating environment variables. **Recommendations** For Jenkins versions prior to 2.3, update to version 2.3 or later to resolve the issue. For Jenkins LTS versions prior to 1.651.2, update to version 1.651.2 or later to resolve the issue. As a temporary workaround, consider restricting access to environment variables in the build environment until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions prior to 1.583 Jenkins LTS versions prior to 1.565.3 **Description** The issue allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel. **Recommendations** For Jenkins versions prior to 1.583, update to version 1.583 or later. For Jenkins LTS versions prior to 1.565.3, update to version 1.565.3 or later.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions prior to 1.583 Jenkins LTS versions prior to 1.565.3 **Description** The issue allows remote authenticated users with the Job/READ permission to obtain the default value for the `password` field of a parameterized job by reading the DOM. **Recommendations** For Jenkins versions prior to 1.583, update to version 1.583 or later. For Jenkins LTS versions prior to 1.565.3, update to version 1.565.3 or later.