Kitri Bob

**Name of the Vulnerable Software and Affected Versions** Apache Ivy versions prior to 2.5.2 **Description** The issue is related to improper restriction of XML external entity references, which can lead to XML injection, also known as blind XPath injection. When Apache Ivy parses XML files, it allows downloading external document type definitions and expands any entity references contained therein. This can be used to exfiltrate data, access resources, or disturb the execution of Ivy. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Apache Ivy versions prior to 2.5.2, users can use Java system properties to restrict processing of external DTDs, as described in Oracle's "Java API for XML Processing (JAXP) Security Guide". As a temporary workaround, consider disabling DTD processing when parsing XML files to minimize the risk of exploitation. Update to Apache Ivy version 2.5.2 or later, where DTD processing is disabled by default, except when parsing Maven POMs.

**Name of the Vulnerable Software and Affected Versions** Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier **Description** The issue concerns the storage and display of the HashiCorp Consul ACL Token in the Jenkins Consul KV Builder Plugin. Specifically, the token is stored unencrypted in the global configuration file `org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml` on the Jenkins controller. This file can be accessed by users with access to the Jenkins controller file system, potentially allowing them to view the token. Furthermore, the global configuration form does not mask the token, increasing the risk of it being observed and captured by attackers. **Recommendations** For Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the HashiCorp Consul ACL Token being viewed by unauthorized users. As a temporary workaround, limit access to the global configuration form to prevent attackers from observing and capturing the token. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Report Portal Plugin versions 0.5 and earlier **Description** The Jenkins Report Portal Plugin stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. The configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them. **Recommendations** For Jenkins Report Portal Plugin versions 0.5 and earlier, consider restricting access to the Jenkins controller file system and limiting Item/Extended Read permission to minimize the risk of exploitation. As a temporary workaround, consider masking ReportPortal access tokens in the configuration form until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier **Description** The issue concerns the storage of the HashiCorp Consul ACL Token in the global configuration file on the Jenkins controller. This token is stored unencrypted and can be viewed by users with access to the Jenkins controller file system. The global configuration form does not mask the token, increasing the potential for attackers to observe and capture it. The file in question is `org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml`. **Recommendations** For Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the HashiCorp Consul ACL Token being viewed by unauthorized users. As a temporary workaround, limit access to the global configuration form to prevent the token from being observed and captured. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Performance Publisher Plugin versions 8.09 and earlier **Description** The issue is related to the XML parser not being configured to prevent XML external entity (XXE) attacks. This allows attackers who can control PerfPublisher report files to have Jenkins parse a crafted XML document, potentially leading to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins Performance Publisher Plugin versions 8.09 and earlier, update to a version that configures its XML parser to prevent XXE attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Crap4J Plugin versions 0.9 and earlier **Description** The issue is related to the configuration of the XML parser, which does not prevent XML external entity (XXE) attacks. This allows attackers who can control Crap Report file contents to have Jenkins parse a crafted XML document, potentially leading to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins Crap4J Plugin versions 0.9 and earlier, update to a version that configures its XML parser to prevent XXE attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Visual Studio Code Metrics Plugin versions 1.7 and earlier **Description** The issue is related to the XML parser not being configured to prevent XML external entity (XXE) attacks. This allows attackers who can control VS Code Metrics File contents to have Jenkins parse a crafted XML document, potentially leading to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins Visual Studio Code Metrics Plugin versions 1.7 and earlier, consider disabling the XML parser or restricting its use until a patch is available to prevent XXE attacks. As a temporary workaround, restrict access to the VS Code Metrics File to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Phabricator Differential Plugin versions 2.1.5 and earlier **Description** The issue is related to the configuration of the XML parser, which does not prevent XML external entity (XXE) attacks. This allows attackers who can control coverage report file contents for the `Post to Phabricator` post-build action to have Jenkins parse a crafted XML document, potentially leading to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins Phabricator Differential Plugin versions 2.1.5 and earlier, consider disabling the XML parser or restricting its use until a patch is available. As a temporary workaround, restrict access to the `Post to Phabricator` post-build action to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins AbsInt a³ Plugin versions 1.1.0 and earlier **Description** The issue arises from the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks. This allows attackers who can control the `Project File (APX)` contents to have Jenkins parse a crafted XML document, potentially leading to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins AbsInt a³ Plugin versions 1.1.0 and earlier, consider disabling the XML parser functionality until a patch is available to prevent XXE attacks. Restrict access to the `Project File (APX)` to minimize the risk of exploitation. Avoid using external entities in XML documents until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins MSTest Plugin version 1.0.0 and earlier **Description** The issue is related to the configuration of the XML parser, which does not prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins MSTest Plugin version 1.0.0 and earlier, update to a version that configures its XML parser to prevent XXE attacks.

**Name of the Vulnerable Software and Affected Versions** Jenkins JIRA Pipeline Steps Plugin versions 2.0.165.v8846cf59f3db and earlier **Description** A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified `credentials IDs` obtained through another method, capturing credentials stored in Jenkins. **Recommendations** For Jenkins JIRA Pipeline Steps Plugin versions 2.0.165.v8846cf59f3db and earlier, update to a version that includes the fix for the missing permission check. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** Plugin Jenkins Plot, versões 2.1.11 e anteriores **Descrição** A vulnerabilidade permite que invasores capazes de controlar arquivos de entrada XML para a etapa de compilação “Plot build data” façam com que o Jenkins analise um arquivo malicioso que utiliza entidades externas para extrair segredos do controlador do Jenkins ou para falsificação de solicitações no lado do servidor. Isso ocorre porque o analisador XML não está configurado para impedir ataques de entidade externa XML (XXE). **Recomendações** Para as versões 2.1.11 e anteriores do Jenkins Plot Plugin, atualize para a versão 2.1.12 ou posterior, que desativa a resolução de entidades externas para seu analisador XML.

**Nome do software vulnerável e versões afetadas** Plugin Jenkins Associated Files, versões 0.2.1 e anteriores **Descrição** O problema está relacionado a uma vulnerabilidade de script entre sites (XSS) armazenada. Isso ocorre porque o plugin não escapa adequadamente os nomes dos arquivos associados. Invasores com permissão de Item/Configurar podem explorar essa vulnerabilidade. **Recomendações** Para as versões 0.2.1 e anteriores do plugin Jenkins Associated Files, no momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.