Ben Walding

Name of the Vulnerable Software and Affected Versions: Jenkins versions prior to 2.44 Jenkins versions prior to 2.32.2 Description: The issue is related to the use of AES ECB block cipher mode without IV for encrypting secrets, which poses unnecessary risks to Jenkins and the stored secrets. Recommendations: For versions prior to 2.44, update to version 2.44 or later to resolve the issue. For versions prior to 2.32.2, update to version 2.32.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.73.1 and earlier, 2.83 and earlier **Description** The default form control for passwords and other secrets in Jenkins supports form validation, which could potentially log secrets to HTTP access logs in non-default configurations. This issue arises because form validation AJAX requests were sent via GET. Form validation is now sent via POST, which is typically not logged. **Recommendations** For Jenkins versions 2.73.1 and earlier, 2.83 and earlier, update the form validation to send requests via POST to prevent secrets from being logged to HTTP access logs.

**Name of the Vulnerable Software and Affected Versions** Jenkins Image Gallery plugin versions prior to 1.4 **Description** A directory traversal issue in the Image Gallery plugin allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields. **Recommendations** For Jenkins Image Gallery plugin versions prior to 1.4, update to version 1.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions prior to 1.638 Jenkins LTS versions prior to 1.625.2 **Description** The issue allows remote attackers to obtain sensitive information via a direct request to the CLI command overview and help pages. **Recommendations** For versions prior to 1.638, update to version 1.638 or later. For LTS versions prior to 1.625.2, update to version 1.625.2 or later.