Federico Pellegrin

**Name of the Vulnerable Software and Affected Versions** Jenkins Valgrind Plugin versions 0.28 and earlier **Description** The issue concerns the configuration of the XML parser in the Jenkins Valgrind Plugin, which does not prevent XML external entity (XXE) attacks. This allows a user who can control the input files for the Valgrind plugin parser to have Jenkins parse a crafted file that uses external entities. This can lead to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins Valgrind Plugin versions 0.28 and earlier, consider disabling the XML parser or restricting the input files for the Valgrind plugin parser until a patch is available. As a temporary workaround, restrict access to the plugin's configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Klocwork Analysis Plugin versions 2020.2.1 and earlier **Description** The issue concerns an XML external entity (XXE) attack. This occurs because the XML parser is not configured to prevent such attacks, allowing a user who can control the input files for the Klocwork plugin parser to have Jenkins parse a crafted file. This can lead to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins Klocwork Analysis Plugin versions 2020.2.1 and earlier, consider disabling the XML parser functionality until a patch is available to prevent XXE attacks. Restrict access to the plugin's input files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Valgrind Plugin versions 0.28 and earlier **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin does not properly escape content in Valgrind XML reports. This allows attackers who can control the contents of these reports to exploit the vulnerability. **Recommendations** For Jenkins Valgrind Plugin versions 0.28 and earlier, update to a version later than 0.28 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Parasoft Findings Plugin versions 10.4.3 and earlier **Description** The issue allows a user who can control the input files for the Parasoft Findings parser to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins Parasoft Findings Plugin versions 10.4.3 and earlier, update to version 10.4.4 or later, which disables external entity resolution for its XML parser.

**Name of the Vulnerable Software and Affected Versions** Jenkins Code Coverage API Plugin versions 1.1.4 and earlier **Description** The issue allows a user who can control the input files for the "Publish Coverage Report" post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins Code Coverage API Plugin versions 1.1.4 and earlier, update to version 1.1.5 or later, which disables external entity resolution for its XML parser. As a temporary workaround, consider restricting access to the "Publish Coverage Report" post-build step to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins FitNesse Plugin versions 1.31 and earlier **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin does not correctly escape report contents before showing them on the Jenkins UI. This vulnerability is exploitable by users who can control the XML input files processed by the plugin. **Recommendations** For Jenkins FitNesse Plugin versions 1.31 and earlier, update to version 1.32 or later, which escapes content from XML input files before rendering it on the Jenkins UI.

**Name of the Vulnerable Software and Affected Versions** Jenkins Rundeck Plugin versions 3.6.6 and earlier **Description** The issue allows a user with Overall/Read access to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the XML parser not being configured to prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins Rundeck Plugin versions 3.6.6 and earlier, update to version 3.6.7 or later, which disables external entity resolution for its XML parser.

**Name of the Vulnerable Software and Affected Versions** Jenkins Cobertura Plugin versions 1.15 and earlier **Description** The issue allows a user who can control the input files for the 'Publish Cobertura Coverage Report' post-build step to have Jenkins parse a crafted file that uses external entities. This can lead to extraction of secrets from the Jenkins controller or server-side request forgery due to the XML parser not being configured to prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins Cobertura Plugin versions 1.15 and earlier, update to version 1.16 or later, which disables external entity resolution for its XML parser.

**Name of the Vulnerable Software and Affected Versions** Jenkins Cobertura Plugin versions 1.15 and earlier **Description** The issue allows attackers who can control the coverage report file contents to overwrite any file on the Jenkins master file system. This is due to an arbitrary file write vulnerability. The Cobertura Plugin 1.16 sanitizes the file paths to prevent escape from the base directory, indicating that versions prior to 1.16 are affected. **Recommendations** For Jenkins Cobertura Plugin versions 1.15 and earlier, update to version 1.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the coverage report file contents to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins FitNesse Plugin versions 1.30 and earlier **Description** The issue allows a user who can control the input files for the post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks. This is due to the XML parser not being configured to prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins FitNesse Plugin versions 1.30 and earlier, update to version 1.31 or later, which disables external entity processing for its XML parser.

**Name of the Vulnerable Software and Affected Versions** Jenkins NUnit Plugin versions 0.25 and earlier **Description** The issue allows a user who can control the input files for the post-build step to have Jenkins parse a crafted file that uses external entities. This can lead to extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks. The problem arises because the XML parser is not configured to prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins NUnit Plugin versions 0.25 and earlier, update to version 0.26 or later, which disables external entity processing for its XML parser.

**Name of the Vulnerable Software and Affected Versions** Jenkins Code Coverage API Plugin versions 1.1.2 and earlier **Description** The issue is related to a stored XSS vulnerability. It occurs because the filename of the coverage report used in its view is not properly escaped, allowing users who can change job configurations to exploit this weakness. This results in a stored cross-site scripting vulnerability. **Recommendations** For Jenkins Code Coverage API Plugin versions 1.1.2 and earlier, update to version 1.1.3 or later, which properly escapes the filename of the coverage report used in its view.

**Name of the Vulnerable Software and Affected Versions** Jenkins Robot Framework Plugin versions 2.0.0 and earlier **Description** The issue allows users with specific permissions to have Jenkins parse crafted XML documents, potentially leading to extraction of secrets from the Jenkins controller, server-side request forgery, or denial-of-service attacks. This is due to the XML parser not being configured to prevent XML external entity (XXE) attacks. A user able to control the input files for the 'Publish Robot Framework' post-build step can exploit this. **Recommendations** For Jenkins Robot Framework Plugin versions 2.0.0 and earlier, update to version 2.0.1 or later, which disables external entity resolution for its XML parser.