Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.
The following releases contain fixes for security vulnerabilities:

* EDDSA API Plugin 0.3.0.1-16.vcb_4a_98a_3531c
* Zoho QEngine Plugin 1.0.31.v4a_b_1db_6d6a_f2

Additionally, we announce unresolved security issues in the following plugins:

* AnchorChain Plugin

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2025-03-19/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3404 / CVE-2020-36843
EDDSA API Plugin makes the EdDSA-Java library (`ed25519-java`) available to other plugins.

EDDSA API Plugin 0.3.0-13.v7cb_69ed68f00 and earlier bundles version 0.3.0 of EdDSA-Java, which exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property.

This allows attackers to create new valid signatures different from previous signatures for a known message.

SECURITY-3529 / CVE-2025-30196
AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step.

As of publication of this advisory, there is no fix.

SECURITY-3511 / CVE-2025-30197
Zoho QEngine Plugin stores the QEngine API Key in job `config.xml` files on the Jenkins controller as part of its configuration.

While this key is stored encrypted on disk, in Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier the job configuration form does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.
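The malleability described under SECURITY-3404 comes from a verifier that does not require the signature scalar S to be reduced modulo the group order L. The following check is an added illustration, not code from the advisory, EdDSA-Java or the EDDSA API Plugin; the function names and the constructed 32-byte R value are assumptions for the example.

```python
# Added example: the canonical-S check (RFC 8032, section 5.1.7) that a strict
# Ed25519 verifier applies before the curve arithmetic. Not from the advisory
# or from EdDSA-Java; function names are this example's own.

# Order L of the Ed25519 base point (RFC 8032, section 5.1).
ED25519_L = 2**252 + 27742317777372353535851937790883648493


def encode_signature(r: bytes, s: int) -> bytes:
    """Lay out an Ed25519 signature as R (32 bytes) || S (32 bytes, little-endian)."""
    if len(r) != 32:
        raise ValueError("R must be 32 bytes")
    return r + s.to_bytes(32, "little")


def s_high_bits_clear(sig: bytes) -> bool:
    """The weaker test some verifiers use: only the top three bits of S must be zero.

    That bounds S below 2**253, but L is slightly above 2**252, so scalars in
    [L, 2**253) slip through even though they are not reduced.
    """
    return len(sig) == 64 and (sig[63] & 0xE0) == 0


def ed25519_signature_is_canonical(sig: bytes) -> bool:
    """Return True only if the signature is 64 bytes and its scalar S is < L.

    The verification equation depends on S only modulo L, so S' = S + L is a
    second 32-byte encoding that passes the curve check for the same message
    and key. Rejecting S >= L up front removes that second encoding, which is
    the SUF-CMA property the advisory says EdDSA-Java 0.3.0 lacks. Note that
    this check does not decode R; a full verifier must still do that.
    """
    if len(sig) != 64:
        return False
    s = int.from_bytes(sig[32:], "little")
    return s < ED25519_L


if __name__ == "__main__":
    # Constructed R (all zero bytes) is enough here because only S is inspected.
    r_constructed = bytes(32)
    reduced = encode_signature(r_constructed, 12345)
    unreduced = encode_signature(r_constructed, ED25519_L + 12345)
    print("reduced S, strict check:", ed25519_signature_is_canonical(reduced))
    print("S + L, weak check:", s_high_bits_clear(unreduced))
    print("S + L, strict check:", ed25519_signature_is_canonical(unreduced))
```

The interesting case is the scalar between L and 2**253: the high-bit test accepts it, the strict test rejects it.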