
Elie Metahri

Researcher from Airbus Protect Offensive Security Team
#19763 of 53,633
13.3 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2026-26073
9.0
2026-03-18
Jenkins · Jenkins · CVE-2026-33001
**Name of the Vulnerable Software and Affected Versions**
Jenkins versions 2.554 and earlier
Jenkins LTS versions 2.541.2 and earlier

**Description**
The software does not safely handle symbolic links when extracting .tar and .tar.gz archives. This allows crafted archives to write files to arbitrary locations on the filesystem, limited by the file system access permissions of the user running Jenkins. An attacker with Item/Configure permission, or control over agent processes, can exploit this to deploy malicious scripts or plugins on the controller.

**Recommendations**
Update Jenkins to a version later than 2.554.
Update Jenkins LTS to a version later than 2.541.2.
PT-2026-26076
4.3
2026-03-18
Jenkins · Jenkins Loadninja Plugin · CVE-2026-33004
**Name of the Vulnerable Software and Affected Versions**
Jenkins LoadNinja Plugin versions 2.1 and earlier

**Description**
The Jenkins LoadNinja Plugin does not properly mask LoadNinja API keys as they are displayed on the job configuration form. This could allow attackers to observe and capture these keys.

**Recommendations**
Update to a newer version of the Jenkins LoadNinja Plugin that addresses this issue.