Daniel Beck

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.540 and earlier Jenkins LTS versions 2.528.2 and earlier **Description** A missing permission check allows attackers with View/Read permission to view encrypted password values in views. **Recommendations** Update Jenkins to a version later than 2.540. Update Jenkins LTS to a version later than 2.528.2.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.527 and earlier Jenkins LTS versions 2.516.2 and earlier **Description** Jenkins does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu, such as whether the Credentials Plugin is installed. **Recommendations** Update Jenkins to a version later than 2.527. Update Jenkins LTS to a version later than 2.516.2.

**Name of the Vulnerable Software and Affected Versions** Jenkins global-build-stats Plugin versions 322.v22f4db 18e2dd and earlier **Description** The Jenkins global-build-stats Plugin does not perform permission checks in its REST API endpoints. Attackers with Overall/Read permission can enumerate graph IDs. **Recommendations** Update to a version later than 322.v22f4db 18e2dd.

**Name of the Vulnerable Software and Affected Versions** Jenkins Git client Plugin versions 6.3.2 and earlier **Description** The Git URL field form validation responses differ based on whether the specified file path exists on the Jenkins controller when using the `amazon-s3` protocol with JGit. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. **Recommendations** Upgrade Jenkins Git client Plugin to a version later than 6.3.2.

**Name of the Vulnerable Software and Affected Versions** Jenkins Gatling Plugin version 136.vb 9009b 3d33a e **Description** The issue allows users who can change report content to exploit a cross-site scripting (XSS) vulnerability due to the manner in which Gatling reports are served, bypassing the Content-Security-Policy protection introduced in certain Jenkins versions. **Recommendations** For Jenkins Gatling Plugin version 136.vb 9009b 3d33a e, consider disabling the serving of Gatling reports until a patch is available to prevent exploitation of the XSS vulnerability.

Name of the Vulnerable Software and Affected Versions: Jenkins Health Advisor by CloudBees Plugin versions 374.v194b d4f0c8c8 and earlier Description: The issue results in a stored cross-site scripting (XSS) vulnerability. This occurs because the plugin does not escape responses from the Jenkins Health Advisor server, making it exploitable by attackers who can control these responses. Recommendations: For versions 374.v194b d4f0c8c8 and earlier, update to a version that properly escapes responses from the Jenkins Health Advisor server to prevent stored XSS attacks.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.503 and earlier Jenkins LTS versions 2.492.2 and earlier **Description** A missing permission check in Jenkins allows attackers with `Computer/Create` permission but without `Computer/Extended Read` permission to copy an agent, gaining access to its configuration. **Recommendations** For Jenkins versions 2.503 and earlier, update to a version that includes the fix for the missing permission check. For Jenkins LTS versions 2.492.2 and earlier, update to a version that includes the fix for the missing permission check. As a temporary workaround, consider restricting the `Computer/Create` permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.503 and earlier Jenkins LTS versions 2.492.2 and earlier **Description** A missing permission check in Jenkins allows attackers with `Computer/Create` permission but without `Computer/Configure` permission to copy an agent, gaining access to encrypted secrets in its configuration. **Recommendations** For Jenkins versions 2.503 and earlier, update to a version that includes the fix for the missing permission check. For Jenkins LTS versions 2.492.2 and earlier, update to a version that includes the fix for the missing permission check. As a temporary workaround, consider restricting access to the agent copying feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.499 and earlier, LTS versions 2.492.1 and earlier **Description** The issue allows attackers with View/Read permission to view encrypted values of secrets when accessing `config.xml` of views via REST API or CLI. This occurs because Jenkins does not redact encrypted values of secrets in the specified versions. **Recommendations** For Jenkins versions 2.499 and earlier, update to version 2.500 or later to redact encrypted values of secrets stored in view `config.xml` accessed via REST API or CLI for users lacking View/Configure permission. For LTS versions 2.492.1 and earlier, update to version 2.492.2 or later to redact encrypted values of secrets stored in view `config.xml` accessed via REST API or CLI for users lacking View/Configure permission.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.499 and earlier Jenkins LTS versions 2.492.1 and earlier **Description** The issue allows attackers with Agent/Extended Read permission to view encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI. This is because Jenkins does not redact encrypted values of secrets in these scenarios. Attackers may potentially store attacker-controlled content in other users' profiles. **Recommendations** For Jenkins versions 2.499 and earlier, update to version 2.500 or later to ensure encrypted values of secrets are redacted when accessing `config.xml` of agents via REST API or CLI. For Jenkins LTS versions 2.492.1 and earlier, update to version 2.492.2 or later to ensure encrypted values of secrets are redacted when accessing `config.xml` of agents via REST API or CLI. As a temporary workaround, consider restricting access to the REST API and CLI for users with Agent/Extended Read permission to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Jenkins Filesystem List Parameter Plugin versions 0.0.14 and earlier Description: The issue allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system due to a lack of restriction on the path used for the File system objects list Parameter. Recommendations: For Jenkins Filesystem List Parameter Plugin versions 0.0.14 and earlier, update to version 0.0.15 or later, which restricts paths used by the File system objects list Parameter to an allow list, with the default base directory set to $JENKINS HOME/userContent/. Additionally, consider configuring the allow list to include custom base directories as needed.

**Name of the Vulnerable Software and Affected Versions** Jenkins Shared Library Version Override Plugin versions 17.v786074c9fce7 and earlier **Description** The issue allows attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection, as these overrides are declared as trusted and not executed in the Script Security sandbox. This could potentially be exploited by attackers to run malicious code without the protection of the sandbox. **Recommendations** For versions 17.v786074c9fce7 and earlier, update to a version that declares folder-scoped library overrides as untrusted, such as version 19.v3a c975738d4a , to ensure that these overrides are executed in the Script Security sandbox. As a temporary workaround, consider restricting the Item/Configure permission on folders to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.470 and earlier Jenkins LTS versions 2.452.3 and earlier **Description** The issue arises from a lack of permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views". Additionally, attackers with global View/Configure and View/Delete permissions can modify other users' "My Views". **Recommendations** For Jenkins versions 2.470 and earlier, update to version 2.471 or later to restrict access to a user’s "My Views" to the owning user and administrators. For Jenkins LTS versions 2.452.3 and earlier, update to version 2.452.4 or later, or version 2.462.1 or later, to restrict access to a user’s "My Views" to the owning user and administrators.

**Name of the Vulnerable Software and Affected Versions** Jenkins Report Info Plugin versions 1.2 and earlier **Description** The issue arises from the lack of path validation of the workspace directory while serving report files, leading to a path traversal vulnerability. This allows attackers with Item/Configure permission to retrieve sensitive information, including Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors, from the controller file system by manipulating the workspace path. Additionally, the Report Info Plugin does not support distributed builds. **Recommendations** For Jenkins Report Info Plugin versions 1.2 and earlier, as a temporary workaround, consider restricting access to the workspace directory to minimize the risk of exploitation. Avoid using the plugin until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Git server Plugin versions 114.v068a c7cc2574 and earlier **Description** The issue is related to a lack of permission check for read access to a Git repository over SSH. Attackers with a previously configured SSH public key but lacking Overall/Read permission can access these repositories. This allows unauthorized access to Git repositories. **Recommendations** For Jenkins Git server Plugin versions 114.v068a c7cc2574 and earlier, update to a version that requires Overall/Read permission to access Git repositories over SSH, such as version 117.veb 68868fa 027. As a temporary workaround, consider restricting SSH access to Git repositories or ensuring that all users with configured SSH public keys have Overall/Read permission.

**Name of the Vulnerable Software and Affected Versions** Jenkins Subversion Partial Release Manager Plugin versions 1.0.1 and earlier **Description** The issue arises when a build is triggered from a release tag, causing the plugin to programmatically set the Java system property `hudson.model.ParametersAction.keepUndefinedParameters`. This action disables a previously implemented fix. There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For Jenkins Subversion Partial Release Manager Plugin versions 1.0.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins docker-build-step Plugin versions 2.11 and earlier **Description** A missing permission check in an HTTP endpoint allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions. **Recommendations** For Jenkins docker-build-step Plugin versions 2.11 and earlier, update to a version later than 2.11 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's HTTP endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins docker-build-step Plugin versions 2.11 and earlier **Description** A cross-site request forgery issue allows attackers to connect to a specified TCP or Unix socket URL and reconfigure the plugin, affecting future build step executions. **Recommendations** For Jenkins docker-build-step Plugin versions 2.11 and earlier, update to a version later than 2.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins MQ Notifier Plugin versions 1.4.0 and earlier **Description** The issue concerns the logging of potentially sensitive build parameters as part of debug information in build logs by default. **Recommendations** For Jenkins MQ Notifier Plugin versions 1.4.0 and earlier, consider disabling the debug logging feature to prevent sensitive build parameters from being logged until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins Delphix Plugin version 3.0.1 **Description** The issue concerns a global option in the Jenkins Delphix Plugin that allows administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections. This option is disabled by default. **Recommendations** For Jenkins Delphix Plugin version 3.0.1, consider enabling the global option for SSL/TLS certificate validation to enhance the security of Data Control Tower connections. As a temporary workaround, restrict the use of DCT connections until a more permanent solution is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.