Aris Issad

**Name of the Vulnerable Software and Affected Versions:** Jenkins Aqua Security Scanner Plugin versions 3.2.8 and earlier **Description:** The Jenkins Aqua Security Scanner Plugin stores Scanner Tokens for the Aqua API unencrypted in `job config.xml` files on the Jenkins controller. These tokens are accessible to users with Item/Extended Read permission or those with access to the Jenkins controller file system. **Recommendations:** Versions prior to 3.2.8: Ensure access to `job config.xml` files on the Jenkins controller is restricted to authorized personnel only. Limit Item/Extended Read permissions to only those users who require them. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

### Name of the Vulnerable Software and Affected Versions: Jenkins IFTTT Build Notifier Plugin versions 1.2 and earlier ### Description: The Jenkins IFTTT Build Notifier Plugin stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller. These keys can be viewed by users with Item/Extended Read permission or those with access to the Jenkins controller file system. ### Recommendations: Update to a version of the Jenkins IFTTT Build Notifier Plugin later than 1.2.

**Name of the Vulnerable Software and Affected Versions:** Jenkins Apica Loadtest Plugin versions 1.10 and earlier **Description:** The Jenkins Apica Loadtest Plugin stores Apica Loadtest LTP authentication tokens unencrypted in `job config.xml` files on the Jenkins controller. These tokens are accessible to users with Item/Extended Read permission or those with access to the Jenkins controller file system. **Recommendations:** Versions prior to 1.10 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Jenkins Apica Loadtest Plugin versions 1.10 and earlier **Description:** The Jenkins Apica Loadtest Plugin does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, potentially allowing attackers to observe and capture them. The plugin also stores these tokens unencrypted in `config.xml` files on the Jenkins controller, making them accessible to users with Item/Extended Read permission or file system access. **Recommendations:** Versions prior to 1.10: At the moment, there is no information about a newer version that contains a fix for this vulnerability.