Steve Marlowe

**Name of the Vulnerable Software and Affected Versions** Jenkins OpenId Connect Authentication Plugin versions 2.6 and earlier **Description** The issue allows attackers with access to the Jenkins controller file system to recover the plain text password of a local user account used as an anti-lockout feature, likely gaining administrator access to Jenkins. This is due to the password being stored in a recoverable format. **Recommendations** For versions 2.6 and earlier, update to a version later than 2.6 to resolve the issue. As a temporary workaround, consider restricting access to the Jenkins controller file system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Artifactory Plugin versions 2.16.1 and earlier **Description** An issue exists where credentials are not sufficiently protected, allowing attackers with local file system access to obtain old credentials configured for the plugin before it integrated with Credentials Plugin. This issue is related to the `ArtifactoryBuilder.java` and `CredentialsConfig.java` files. **Recommendations** For Jenkins Artifactory Plugin versions 2.16.1 and earlier, consider restricting access to the `ArtifactoryBuilder.java` and `CredentialsConfig.java` files as a temporary workaround until a patch is available. Additionally, review and update credential configurations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Gitlab Hook Plugin versions 1.4.2 and older **Description** A sensitive information exposure issue exists, allowing attackers with local Jenkins master file system access or control of a Jenkins administrator's web browser to retrieve the configured Gitlab token. This is due to a vulnerability in the gitlab notifier.rb and views/gitlab notifier/global.erb files. **Recommendations** For Jenkins Gitlab Hook Plugin versions 1.4.2 and older, consider restricting access to the gitlab notifier.rb and views/gitlab notifier/global.erb files until a patch is available. As a temporary workaround, restrict the use of the Gitlab token in the Jenkins configuration to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older **Description** An exposure of sensitive information issue exists in the Jenkins GitHub Pull Request Builder Plugin that allows an attacker with local file system access to obtain GitHub credentials. The issue is related to the `GhprbCause.java` file. Builds started before the plugin was updated will retain the encoded credentials on disk. **Recommendations** For Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older, update to version 1.40.0 or newer, as it no longer stores serialized objects containing the credential on disk. Additionally, revoke old GitHub credentials used in Jenkins. Use the provided script in the Script Console to attempt to remove old stored credentials from `build.xml` files.

**Name of the Vulnerable Software and Affected Versions** Jenkins Perforce Plugin versions prior to 1.3.37 **Description** A sensitive information exposure issue exists, allowing attackers with local file system access to obtain and decrypt encrypted Perforce passwords. This is due to a vulnerability in the PerforcePasswordEncryptor.java file. **Recommendations** For Jenkins Perforce Plugin versions prior to 1.3.37, update to version 1.3.37 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older Jenkins GitHub Pull Request Builder Plugin versions prior to 1.32.1 **Description** A sensitive information exposure issue exists, allowing an attacker with local file system access to obtain GitHub credentials. The GitHub Pull Request Builder Plugin stored the webhook secret shared between Jenkins and GitHub in plain text, which could be retrieved by users with local file system access or Jenkins administrators. This could lead to exposure of passwords through various means, such as browser extensions or cross-site scripting vulnerabilities. **Recommendations** For Jenkins GitHub Pull Request Builder Plugin versions 1.39.0 and older, update to version 1.32.1 or newer, which stores the webhook secret encrypted on disk. For Jenkins GitHub Pull Request Builder Plugin versions prior to 1.32.1, update to version 1.32.1 or newer to ensure the webhook secret is stored encrypted.

Name of the Vulnerable Software and Affected Versions: Jenkins Subversion Plugin versions 2.10.2 and earlier Description: An improper authorization issue exists that allows an attacker with network access to obtain a list of nodes and users. This is due to a problem in SubversionStatus.java and SubversionRepositoryStatus.java. The issue is resolved in version 2.10.3, where the class handling requests to "/subversion/" no longer extends the class handling requests to the "/search/" sub-path, causing such requests to fail. Recommendations: For Jenkins Subversion Plugin versions 2.10.2 and earlier, update to version 2.10.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/subversion/` endpoint and the `SubversionStatus.java` and `SubversionRepositoryStatus.java` classes until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Jenkins Coverity Plugin versions 1.10.0 and earlier Description: A plaintext storage of a password issue exists in CIMInstance.java, allowing an attacker with local file system access or control of a Jenkins administrator's web browser to retrieve the configured keystore and private key passwords. Recommendations: For Jenkins Coverity Plugin versions 1.10.0 and earlier, update to version 1.11.0, which integrates with Credentials Plugin to securely store passwords and automatically migrates existing passwords.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.56 and earlier Jenkins version 2.46.1 LTS and earlier **Description** The issue exists in the Jenkins user database authentication realm. It allows creating an account if signup is enabled, or creating an account if the victim is an administrator. This could possibly delete the existing default admin user, allowing a wide variety of impacts. **Recommendations** For Jenkins versions 2.56 and earlier, update to a version later than 2.56 to resolve the issue. For Jenkins version 2.46.1 LTS and earlier, update to a version later than 2.46.1 LTS to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Build-Publisher plugin versions 1.21 and earlier **Description** The Jenkins Build-Publisher plugin stores credentials to other Jenkins instances in the file `hudson.plugins.build publisher.BuildPublisher.xml` in the Jenkins master home directory. These credentials are stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials are transmitted in plain text as part of the configuration form, which could result in exposure through browser extensions, cross-site scripting vulnerabilities, and similar situations. **Recommendations** For Jenkins Build-Publisher plugin versions 1.21 and earlier, update to version 1.22 or later, which encrypts the credentials on disk and only transmits their encrypted form to users viewing the configuration form.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions prior to 1.498 **Description** A security issue was found where the re-key admin monitor in Jenkins created a backup directory with old secrets and the key used to encrypt them. This directory was world-readable and not removed after the re-encryption process. The issue affects Jenkins instances where the re-key admin monitor was introduced, potentially exposing sensitive information. **Recommendations** For versions prior to 1.498, check for the directory $JENKINS HOME/jenkins.security.RekeySecretAdminMonitor/backups and delete it if present to prevent unauthorized access to sensitive information. Upgrading to version 1.498 or later will prevent the creation of the backup directory.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions prior to 2.3 Jenkins LTS versions prior to 1.651.2 **Description** The issue allows remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration. **Recommendations** For Jenkins versions prior to 2.3, update to version 2.3 or later. For Jenkins LTS versions prior to 1.651.2, update to version 1.651.2 or later.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions prior to 2.3 Jenkins LTS versions prior to 1.651.2 **Description** The issue allows remote authenticated users with multiple accounts to cause a denial of service, resulting in an inability to login, by editing the `full name`. **Recommendations** For Jenkins versions prior to 2.3, update to version 2.3 or later. For Jenkins LTS versions prior to 1.651.2, update to version 1.651.2 or later.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions prior to 1.650 Jenkins LTS versions prior to 1.642.2 **Description** The issue makes it easier for remote attackers to determine API tokens via a brute-force approach because a constant-time algorithm is not used to verify API tokens. **Recommendations** For Jenkins versions prior to 1.650, update to version 1.650 or later. For Jenkins LTS versions prior to 1.642.2, update to version 1.642.2 or later.