Adith Sudhakar

**Name of the Vulnerable Software and Affected Versions** Jenkins pom2config Plugin versions 1.2 and earlier **Description** The issue allows attackers with Overall/Read and Item/Read permissions to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins pom2config Plugin versions 1.2 and earlier: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the plugin or disabling the XML parser to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Performance Plugin versions 3.20 and earlier **Description** The issue is related to the XML parser not being configured to prevent XML external entity (XXE) attacks. This allows attackers who can control workspace contents to have Jenkins parse a crafted XML report file, potentially leading to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins Performance Plugin versions 3.20 and earlier, as a temporary workaround, consider disabling the XML parser until a patch is available. Restrict access to the workspace contents to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Brakeman Plugin versions 0.12 and earlier **Description** The issue is related to a stored cross-site scripting vulnerability. It occurs because the plugin does not escape values received from parsed JSON files when rendering them. This vulnerability can be exploited by users who can control the Brakeman post-build step input data. **Recommendations** For Jenkins Brakeman Plugin versions 0.12 and earlier, update to version 0.13 or later to resolve the issue. Note that the fix in version 0.13 only applies to newly recorded data after the updated plugin is installed, and historical data may still contain unsafe values. As a temporary workaround, consider restricting access to the Brakeman post-build step input data to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Jenkins CCM Plugin versions 3.1 and earlier Description: The issue allows attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks by processing XML external entities in files it parses as part of the build process. Recommendations: For Jenkins CCM Plugin versions 3.1 and earlier, update to a version later than 3.1 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Jenkins Android Lint Plugin versions 2.5 and earlier Description: The issue allows attackers with user permissions to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks by processing XML external entities in files it parses as part of the build process. Recommendations: For versions 2.5 and earlier, update to a version later than 2.5 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Jenkins Warnings Plugin versions 4.64 and earlier Description: The issue allows attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks by processing XML external entities in files it parses as part of the build process. Recommendations: For Jenkins Warnings Plugin versions 4.64 and earlier, update to a version later than 4.64 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Jenkins PMD Plugin versions 3.49 and earlier Description: The issue allows attackers with user permissions to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks by processing XML external entities in files it parses as part of the build process. Recommendations: For Jenkins PMD Plugin versions 3.49 and earlier, update to a version later than 3.49 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Jenkins Checkstyle Plugin versions 3.49 and earlier Description: The issue allows attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks by processing XML external entities in files it parses as part of the build process. Recommendations: For Jenkins Checkstyle Plugin versions 3.49 and earlier, update to a version later than 3.49 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Jenkins DRY Plugin versions 2.49 and earlier Description: The issue allows attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks by processing XML external entities in files it parses as part of the build process. Recommendations: For Jenkins DRY Plugin versions 2.49 and earlier, update to a version later than 2.49 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Jenkins FindBugs Plugin versions 4.71 and earlier Description: The issue allows attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks by processing XML external entities in files it parses as part of the build process. Recommendations: For Jenkins FindBugs Plugin versions 4.71 and earlier, update to a version later than 4.71 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Monit versions prior to 5.20.0 **Description** The issue allows for a cross-site request forgery attack. Successful exploitation enables an attacker to disable or enable all monitoring for a particular host or disable or enable monitoring for a specific service. **Recommendations** For versions prior to 5.20.0, update to version 5.20.0 or later to resolve the issue.