James Holderness

**Name of the Vulnerable Software and Affected Versions** Jenkins Team Foundation Server Plugin versions 5.157.1 and earlier **Description** The issue concerns the storage of a webhook secret in an unencrypted form within the global configuration file on the Jenkins controller. Specifically, the secret is stored in the `hudson.plugins.tfs.TeamPluginGlobalConfig.xml` file. This allows attackers with access to the Jenkins controller file system to view the secret. **Recommendations** For Jenkins Team Foundation Server Plugin versions 5.157.1 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of exploitation. As a temporary workaround, restrict access to the `hudson.plugins.tfs.TeamPluginGlobalConfig.xml` file until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins HP ALM Quality Center Plugin versions 1.6 and earlier **Description** The issue concerns the storage of a password in plain text in the global configuration file, specifically in `org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml`, on the Jenkins master. This allows users with access to the master file system to view the password. **Recommendations** For Jenkins HP ALM Quality Center Plugin versions 1.6 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Copr Plugin versions 0.3 and earlier **Description** The issue concerns the storage of credentials in an unencrypted manner in job config.xml files on the Jenkins master. These credentials can be accessed by users with Extended Read permission or those who have access to the master file system. The credentials are stored as part of the plugin's configuration. **Recommendations** For Jenkins Copr Plugin versions 0.3 and earlier, update to version 0.6.1 or later to ensure credentials are stored encrypted. As a temporary workaround, consider restricting access to the Jenkins master file system and limiting Extended Read permissions to minimize the risk of credential exposure.

**Name of the Vulnerable Software and Affected Versions** Jenkins Artifactory Plugin versions 3.5.0 and earlier **Description** The issue is related to the storage of the Artifactory server password in plain text in the global configuration file. This allows users with access to the Jenkins master file system to view the password. The vulnerability can be exploited by a remote attacker to obtain credentials. The password is stored unencrypted in the `org.jfrog.hudson.ArtifactoryBuilder.xml` file. **Recommendations** For Jenkins Artifactory Plugin versions 3.5.0 and earlier, update to version 3.6.0 or later, which stores the Artifactory server password encrypted. As a temporary workaround, consider restricting access to the Jenkins controller file system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Artifactory Plugin versions 3.6.0 and earlier **Description** The issue is related to the transmission of configured passwords in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. This can lead to the exposure of passwords through browser extensions, cross-site scripting vulnerabilities, and similar situations. The password is stored encrypted on disk since Artifactory Plugin 3.6.0, but it is transmitted in plain text by versions 3.6.0 and earlier. **Recommendations** For Jenkins Artifactory Plugin versions 3.6.0 and earlier, update to version 3.6.1 or later, which transmits the password in its global configuration encrypted. As a temporary workaround, consider restricting access to the global configuration form to minimize the risk of exploitation. Avoid using the `org.jfrog.hudson.ArtifactoryBuilder.xml` configuration file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jenkins Logstash Plugin versions 2.3.1 and earlier **Description** The issue concerns the transmission of configured credentials in plain text as part of the global Jenkins configuration form. This potentially results in their exposure through various means, such as browser extensions or cross-site scripting vulnerabilities. The credentials are stored encrypted on disk but are transmitted in plain text by versions 2.3.1 and earlier of the Logstash Plugin. **Recommendations** For Jenkins Logstash Plugin versions 2.3.1 and earlier, update to version 2.3.2 or later, which transmits the credentials in its global configuration encrypted. As a temporary workaround, consider restricting access to the global configuration form to minimize the risk of credential exposure.

**Name of the Vulnerable Software and Affected Versions** Jenkins Zephyr Enterprise Test Management Plugin versions 1.9.1 and earlier **Description** The issue concerns the storage of the Zephyr password in plain text on the Jenkins master file system, specifically in the global configuration file `com.thed.zephyr.jenkins.reporter.ZeeReporter.xml`. This allows users with access to the Jenkins controller file system to view the password. **Recommendations** For Jenkins Zephyr Enterprise Test Management Plugin versions 1.9.1 and earlier, update to version 1.10, which integrates with the Credentials Plugin to securely store the Zephyr password.

**Name of the Vulnerable Software and Affected Versions** Jenkins Quality Gates Plugin versions 2.5 and earlier **Description** The issue concerns the transmission of configured credentials in plain text as part of the global Jenkins configuration form. This potentially results in their exposure. The credentials are stored encrypted on disk in the `quality.gates.jenkins.plugin.GlobalConfig.xml` file on the Jenkins controller but are transmitted in plain text as part of the configuration form. This can lead to exposure through browser extensions, cross-site scripting vulnerabilities, and similar situations. **Recommendations** For Jenkins Quality Gates Plugin versions 2.5 and earlier, consider updating to a version that addresses this issue, as the current version transmits credentials in plain text. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier **Description** The issue is related to the transmission of configured credentials in plain text as part of the global Jenkins configuration form. This potentially results in their exposure. The credentials are stored encrypted on disk in the `org.jenkinsci.plugins.openshift.DeployApplication.xml` file on the Jenkins controller but are transmitted in plain text as part of the configuration form. This can lead to exposure through browser extensions, cross-site scripting vulnerabilities, and similar situations. **Recommendations** For Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier, consider disabling the transmission of credentials in plain text as a temporary workaround until a patch is available. Restrict access to the global Jenkins configuration form to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins DeployHub Plugin versions 8.0.14 and earlier **Description** The issue concerns the transmission of configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. The credentials are stored encrypted on disk in `config.xml` files but are transmitted in plain text by the DeployHub Plugin. This could allow users with Extended Read permission to view these credentials. **Recommendations** For Jenkins DeployHub Plugin versions 8.0.14 and earlier, consider restricting access to the job configuration forms to minimize the risk of credential exposure. As a temporary workaround, limit the permissions of users to prevent those with Extended Read permission from accessing sensitive information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Repository Connector Plugin versions 1.2.6 and earlier **Description** The issue concerns the transmission of configured credentials in plain text as part of the global Jenkins configuration form. Although credentials are stored encrypted on disk in the `org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml` file on the Jenkins controller, they are sent in plain text when the configuration form is transmitted. This could lead to credential exposure through various means, including browser extensions and cross-site scripting vulnerabilities. **Recommendations** For Jenkins Repository Connector Plugin versions 1.2.6 and earlier, consider updating to a version that addresses this issue, as the current version transmits credentials in plain text. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Sonar Quality Gates Plugin versions 1.3.1 and earlier **Description** The issue concerns the transmission of configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. The credentials are stored encrypted on disk in the `org.quality.gates.jenkins.plugin.GlobalConfig.xml` file on the Jenkins controller but are sent in plain text as part of the configuration form. This could lead to credential exposure through browser extensions, cross-site scripting vulnerabilities, or similar situations. **Recommendations** For Jenkins Sonar Quality Gates Plugin versions 1.3.1 and earlier, consider updating to a version where this issue is resolved, as the current version transmits credentials in plain text. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Skytap Cloud CI Plugin versions 2.07 and earlier **Description** The issue concerns the transmission of configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. The credentials are stored encrypted on disk in `config.xml` files but are transmitted in plain text by the plugin. This could allow users with Extended Read permission to view these credentials. **Recommendations** For Jenkins Skytap Cloud CI Plugin versions 2.07 and earlier, consider updating to a version that addresses this issue, as the current version transmits credentials in plain text. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Backlog Plugin versions 2.4 and earlier **Description** The issue concerns the transmission of configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. Credentials are stored encrypted on disk but are transmitted in plain text as part of the configuration form. These credentials could be viewed by users with Extended Read permission. **Recommendations** For Jenkins Backlog Plugin versions 2.4 and earlier, consider updating to a version that addresses this issue, as the current version transmits credentials in plain text. As a temporary workaround, consider restricting access to job configuration forms to minimize the risk of credential exposure. Restrict users with Extended Read permission from accessing sensitive job configurations to prevent potential credential viewing. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Applatix Plugin versions 1.1 and earlier **Description** The issue allows unauthorized access to unencrypted passwords stored in job config.xml files on the Jenkins master. Users with Extended Read permission or access to the master file system can view these passwords. **Recommendations** For Jenkins Applatix Plugin versions 1.1 and earlier, update to a version that properly encrypts passwords to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Jenkins Parasoft Environment Manager Plugin versions 2.14 and earlier **Description** The issue allows unauthorized access to unencrypted passwords stored in job config.xml files on the Jenkins master. Users with Extended Read permission or access to the master file system can view these passwords. **Recommendations** For Jenkins Parasoft Environment Manager Plugin versions 2.14 and earlier, update to a version later than 2.14 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Harvest SCM Plugin versions 0.5.1 and earlier **Description** The issue concerns the storage of passwords in an unencrypted manner within the global configuration file on the Jenkins master. This allows users with access to the master file system to view these passwords. Specifically, the passwords are stored in the `hudson.plugins.harvest.HarvestSCM.xml` and in job `config.xml` files on the Jenkins controller. Users with Extended Read permission can view the credentials in the job `config.xml` files, while those with access to the Jenkins controller file system can view the credentials in both files. **Recommendations** For Jenkins Harvest SCM Plugin versions 0.5.1 and earlier, consider restricting access to the Jenkins controller file system and the job `config.xml` files to minimize the risk of exploitation. As a temporary workaround, limit the use of the `hudson.plugins.harvest.HarvestSCM.xml` and job `config.xml` files until a secure method of storing passwords is implemented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Harvest SCM Plugin versions 0.5.1 and earlier **Description** The issue allows passwords to be stored unencrypted in job config.xml files on the Jenkins master. These passwords can be viewed by users with Extended Read permission or those who have access to the master file system. **Recommendations** For Jenkins Harvest SCM Plugin versions 0.5.1 and earlier, update to a version later than 0.5.1 to ensure passwords are stored securely. As a temporary workaround, consider restricting access to the master file system and limiting Extended Read permissions to minimize the risk of password exposure.

**Name of the Vulnerable Software and Affected Versions** Jenkins BMC Release Package and Deployment Plugin versions 1.1 and earlier **Description** The issue allows credentials to be stored unencrypted in the global configuration file on the Jenkins master. This can be viewed by users with access to the master file system. There is no information about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Jenkins BMC Release Package and Deployment Plugin versions 1.1 and earlier, as a temporary workaround, consider restricting access to the global configuration file on the Jenkins master to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Debian Package Builder Plugin versions 1.6.11 and earlier **Description** The issue concerns the storage of a GPG passphrase in an unencrypted manner within the global configuration file on the Jenkins master or controller. This file can be accessed by users with privileges to the master or controller file system, potentially exposing the credential. The specific configuration file affected is `ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml`. **Recommendations** For Jenkins Debian Package Builder Plugin versions 1.6.11 and earlier, consider restricting access to the Jenkins master or controller file system to minimize the risk of the GPG passphrase being viewed by unauthorized users. As a temporary workaround, limit the privileges of users who have access to the master or controller file system. At the moment, there is no information about a newer version that contains a fix for this vulnerability.