This advisory announces vulnerabilities in these Jenkins plugins:
Active Directory
DistFork
Email Extension (Email-ext)
Mailer
Pipeline: Classpath Step
SSH Slaves
SSH Slaves Plugin did not verify host keys
SECURITY-161 / CVE-2017-2648
The SSH Slaves Plugin did not perform host key verification, thereby enabling Man-in-the-Middle attacks.
Active Directory Plugin did not verify certificate of AD server
SECURITY-251 / CVE-2017-2649
The Active Directory Plugin did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
Pipeline: Classpath Step plugin allowed Script Security sandbox bypass
SECURITY-336 / CVE-2017-2650
Use of this plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins.
Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin and Email Extension Plugin
SECURITY-372 / CVE-2017-2651 (Mailer) and CVE-2017-2654 (Email Extension)
The Mailer and Email Extension Plugins are able to send emails to a dynamically created list of users based on the changelogs, like authors of SCM changes since the last successful build .
This could in some cases result in emails being sent to people who have no user account in Jenkins, and in rare cases even people who were not involved in whatever project was being built, due to some mapping based on the local-part of email addresses.
Missing permission checks in Distributed Fork Plugin
SECURITY-386 / CVE-2017-2652
There were no permission checks performed in the Distributed Fork plugin that provides the dist-fork CLI command beyond the basic check for Overall/Read permission, allowing anyone with that permission to run arbitrary shell commands on all connected nodes.