James Nord

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.540 and earlier Jenkins LTS versions 2.528.2 and earlier **Description** Jenkins does not mask build authorization tokens displayed on the job configuration form, potentially allowing attackers to observe and capture them. **Recommendations** Update Jenkins to a version later than 2.540. Update Jenkins LTS to a version later than 2.528.2.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.540 and earlier Jenkins LTS versions 2.528.2 and earlier **Description** Jenkins stores build authorization tokens unencrypted in `config.xml` files on the Jenkins controller. This allows users with Item/Extended Read permission, or access to the Jenkins controller file system, to view these tokens. **Recommendations** Update Jenkins to a version later than 2.540. Update Jenkins LTS to a version later than 2.528.2.

**Name of the Vulnerable Software and Affected Versions** Jenkins OpenId Connect Authentication Plugin versions 4.452.v2849b d3945fa and earlier, except version 4.438.440.v3f5f201de5dc **Description** The issue allows attackers to log in as any user by providing a username that differs only in letter case on Jenkins instances configured with a case-sensitive OpenID Connect provider, potentially gaining administrator access to Jenkins. This is due to the plugin treating usernames as case-insensitive. **Recommendations** For Jenkins OpenId Connect Authentication Plugin versions 4.452.v2849b d3945fa and earlier, except version 4.438.440.v3f5f201de5dc, update to version 4.453.v4d7765c854f4 or later, which introduces an advanced configuration option to manage username case sensitivity with a default to case-sensitive. For versions that cannot be updated to 4.453.v4d7765c854f4 or later, consider configuring the OpenID Connect provider to be case-insensitive or restrict access to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a 1de8 and earlier **Description** The issue concerns the Jenkins OpenId Connect Authentication Plugin, which does not check the `aud` (Audience) claim of an ID Token during its authentication flow. This allows attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins. The `aud` claim is a value used to verify that the token is issued for the correct client. **Recommendations** For Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a 1de8 and earlier, update to version 4.355.v3a fb fca b 96d4 or later, which checks the `aud` (Audience) claim of an ID Token during its authentication flow. As a temporary workaround, consider reviewing configurations for unauthorized access and restricting access to sensitive areas of Jenkins until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a 1de8 and earlier **Description** The issue is related to a flaw in the authentication procedure of the Jenkins OpenId Connect plugin. This flaw allows a remote attacker to bypass the authentication process by exploiting the lack of verification of the `iss` (Issuer) claim in an ID Token. This could potentially grant the attacker administrator access to Jenkins. **Recommendations** For Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a 1de8 and earlier, update to version 4.355.v3a fb fca b 96d4 or later, which includes a fix for this issue by checking the `iss` (Issuer) claim of an ID Token during the authentication flow when the Issuer is known. As a temporary workaround, consider restricting access to the Jenkins authentication flow to minimize the risk of exploitation until the update can be applied.

**Name of the Vulnerable Software and Affected Versions** Jenkins Google Compute Engine Plugin versions 4.550.vb 327fca 3db 11 and earlier **Description** The issue is related to incorrect permission checks in the Jenkins Google Compute Engine Plugin. Attackers with global Item/Configure permission, but lacking Item/Configure permission on any particular job, can enumerate system-scoped credentials IDs of credentials stored in Jenkins. They can also connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method to obtain information about existing projects. **Recommendations** For Jenkins Google Compute Engine Plugin versions 4.550.vb 327fca 3db 11 and earlier, update to version 4.3.17.1 or later, which includes the backported fix. For version 4.551.v5a 4dc98f6962 and later, ensure that Overall/Administer permission is required for the affected HTTP endpoints.

**Name of the Vulnerable Software and Affected Versions** Jenkins Config File Provider Plugin versions 952.va 544a 6234b 46 and earlier **Description** The issue concerns the Jenkins Config File Provider Plugin, where credentials specified in configuration files are not masked when written to the build log. This means that sensitive information, such as passwords, is visible in plain text, potentially exposing it to unauthorized access. The problem affects versions of the plugin up to 952.va 544a 6234b 46. **Recommendations** For Jenkins Config File Provider Plugin versions 952.va 544a 6234b 46 and earlier, update to version 953.v0432a 802e4d2 or later, which masks credentials configured in configuration files if they appear in the build log.

**Name of the Vulnerable Software and Affected Versions** Jenkins NodeJS Plugin versions 1.6.0 and earlier **Description** The issue is related to the improper masking of credentials in the Npm config file in Pipeline build logs. This could allow a remote attacker to gain unauthorized access to protected information. The vulnerability is associated with errors in processing credentials in the Pipeline build log. **Recommendations** For Jenkins NodeJS Plugin versions 1.6.0 and earlier, update to version 1.6.1 or later, which properly masks credentials specified in the Npm config file in Pipeline build logs.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.393 and earlier Jenkins LTS versions 2.375.3 and earlier **Description** The issue arises when Jenkins creates a temporary file in the default temporary directory with default permissions for newly created files during plugin installation. This potentially allows attackers with access to the Jenkins controller file system to read and write the file before it is used, which could result in arbitrary code execution. The vulnerability is particularly relevant on operating systems that use a shared temporary directory for all users, such as Linux. Typically, the default permissions only allow attackers to read the temporary file. **Recommendations** For Jenkins versions 2.393 and earlier, update to version 2.394 or later to resolve the issue. For Jenkins LTS versions 2.375.3 and earlier, update to version 2.375.4 or later, or version 2.387.1 or later, to resolve the issue. As a temporary workaround for those unable to immediately update Jenkins, consider setting a different path as the default temporary directory using the Java system property `java.io.tmpdir`.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline Utility Steps Plugin versions 2.13.1 and earlier **Description** The issue allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system. This is due to the lack of restriction on the set of enabled prefix interpolators and the inclusion of Apache Commons Configuration library versions that enable the `file:` prefix interpolator by default. **Recommendations** For Jenkins Pipeline Utility Steps Plugin versions 2.13.1 and earlier, update to version 2.13.2 or later, which restricts the set of prefix interpolators enabled by default. As a temporary workaround, consider setting the Java system property `org.jenkinsci.plugins.pipeline.utility.steps.conf.ReadPropertiesStepExecution.CUSTOM PREFIX INTERPOLATOR LOOKUPS` to customize which prefix interpolators are enabled, excluding the `file:` prefix interpolator.

**Name of the Vulnerable Software and Affected Versions** Jenkins Git client Plugin versions 3.11.0 and earlier **Description** The issue is related to the lack of SSH host key verification when connecting to Git repositories via SSH, which enables man-in-the-middle attacks. This is due to shortcomings in the authentication procedure. The exploitation of this issue can allow a remote attacker to implement a man-in-the-middle attack. **Recommendations** For Jenkins Git client Plugin versions 3.11.0 and earlier, update to version 3.11.1 or later, which provides strategies for performing host key verification, allowing administrators to select the one that meets their security needs.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline: Shared Groovy Libraries Plugin versions 564.ve62a 4eb b e039 and earlier, except version 2.21.3 **Description** The issue allows attackers who can submit pull requests, but not commit directly to the configured SCM, to change the Pipeline behavior by modifying the definition of a dynamically retrieved library in their pull request. This is possible even if the Pipeline is configured to not trust them. The vulnerability exploits the `library` step with a `retriever` argument pointing to a library in the current build's repository and branch. **Recommendations** For Jenkins Pipeline: Shared Groovy Libraries Plugin versions 564.ve62a 4eb b e039 and earlier, except version 2.21.3, update to a version that includes the fix, such as Pipeline: Deprecated Groovy Libraries Plugin 566.vd0a a 3334a 555 or version 2.21.3, which aborts library retrieval if the library would be retrieved from the same repository and revision as the current build, and the revision being built is untrusted. For version 2.21.3, no additional action is required as it already includes the necessary protection. As a temporary workaround, consider restricting the use of the `library` step with a `retriever` argument to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Subversion Plugin versions 2.15.3 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL. This issue arises because the Subversion Plugin does not require POST requests for several form validation methods, resulting in CSRF vulnerabilities. **Recommendations** For Jenkins Subversion Plugin versions 2.15.3 and earlier, update the plugin to a version that addresses the CSRF vulnerability. As a temporary workaround, consider restricting access to the plugin's form validation methods to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitLab Authentication Plugin versions 1.13 and earlier **Description** The issue allows attackers with access to Jenkins to craft a URL that will redirect users to an attacker-specified URL after logging in. This is caused by the plugin recording the HTTP `Referer` header as part of the URL query parameters when the authentication process starts. **Recommendations** For Jenkins GitLab Authentication Plugin versions 1.13 and earlier, update to a version later than 1.13 to resolve the issue. As a temporary workaround, consider restricting access to the authentication process to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Support Core Plugin versions 2.79 and earlier **Description** The issue concerns the Jenkins Support Core Plugin, which does not properly redact some sensitive information in the support bundle. This could potentially expose sensitive data. Support Core Plugin 2.79.1 adds a list of keywords whose associated values are redacted, indicating an improvement in handling sensitive information. **Recommendations** For Jenkins Support Core Plugin versions 2.79 and earlier, update to version 2.79.1 or later to ensure that sensitive information is properly redacted in the support bundle.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline: Groovy Plugin versions 2648.va9433432b33c and earlier **Description** The issue allows attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline, as password parameters from the original build are included in replayed builds. **Recommendations** For versions 2648.va9433432b33c and earlier, update to a version that does not allow builds containing password parameters to be replayed, such as Pipeline: Groovy Plugin 2656.vf7a e7b 75a 457. As a temporary workaround, consider restricting the Run/Replay permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Configuration as Code Plugin versions 1.55 and earlier **Description** The issue arises from the use of a non-constant time comparison function when validating an authentication token, allowing attackers to potentially use statistical methods to obtain a valid authentication token. This could enable unauthorized access. **Recommendations** For Jenkins Configuration as Code Plugin versions 1.55 and earlier, update to version 1.55.1 or later to resolve the issue. For versions prior to 1.54.1, update to version 1.54.1 or later. For versions prior to 1.53.1, update to version 1.53.1 or later. For versions prior to 1.47.1, update to version 1.47.1 or later.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.314 and earlier Jenkins LTS versions 2.303.1 and earlier **Description** The issue arises from Jenkins accepting names of jobs and other entities with a trailing dot character on Windows, potentially allowing users with appropriate permissions to change or replace configurations of jobs and other entities. This is because on Windows, a file or folder with a trailing dot character is treated as if that character was not present. For example, `example.` is treated as `example`. This could lead to unintended replacement of configuration and data of other entities. **Recommendations** For Jenkins versions 2.314 and earlier, update to version 2.315 or later to resolve the issue. For Jenkins LTS versions 2.303.1 and earlier, update to version 2.303.2 or later to resolve the issue. As a temporary workaround, consider restricting the creation of jobs and other entities with names that could potentially conflict with existing ones, especially those with trailing dot characters.

Name of the Vulnerable Software and Affected Versions: Jenkins Distributed Fork plugin version 1.5.0 and earlier Description: A security issue was discovered in the Distributed Fork plugin for Jenkins, where permission checks were not properly performed before and including version 1.5.0. This allowed individuals with Overall/Read permission to execute arbitrary shell commands on all connected nodes using the dist-fork CLI command. Recommendations: For Jenkins Distributed Fork plugin version 1.5.0 and earlier, consider restricting access to the dist-fork CLI command until a patch is available. As a temporary workaround, review and limit the Overall/Read permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Black Duck Hub Plugin versions 3.1.0 and older **Description** A XML external entity processing issue exists that allows attackers with Overall/Read permission to make Jenkins process XML external entities in an XML document. This is due to a vulnerability in the PostBuildScanDescriptor.java file. **Recommendations** For Jenkins Black Duck Hub Plugin versions 3.1.0 and older, update to a version newer than 3.1.0 to resolve the issue.