Jeff Thompson

**Name of the Vulnerable Software and Affected Versions** Jenkins Security Inspector Plugin versions 117.v6eecc36919c2 and earlier **Description** The issue is related to insufficient authentication of executed POST requests, allowing a remote attacker to perform a cross-site request forgery (CSRF) attack. This vulnerability enables attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the `/report` URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result. **Recommendations** For Jenkins Security Inspector Plugin versions 117.v6eecc36919c2 and earlier, as a temporary workaround, consider restricting access to the `/report` URL until a patch is available. Additionally, be cautious of reports generated by the plugin, as they may be based on attacker-specified options. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Lucene-Search Plugin versions 370.v62a5f618cd3a and earlier **Description** The issue is related to insufficient authorization procedures in the Jenkins Lucene-Search Plugin, allowing attackers with Overall/Read permission to access protected information. Specifically, the plugin does not perform permission checks in several HTTP endpoints, enabling attackers to reindex the database and obtain information about jobs that would otherwise be inaccessible to them. **Recommendations** For Jenkins Lucene-Search Plugin versions 370.v62a5f618cd3a and earlier, consider disabling access to the vulnerable HTTP endpoints until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with Overall/Read permission.

**Name of the Vulnerable Software and Affected Versions** Jenkins Coverage/Complexity Scatter Plot Plugin versions 1.1.1 and earlier **Description** The issue allows attackers to control input files for the 'Public Coverage / Complexity Scatter Plot' post-build step, enabling them to have Jenkins parse a crafted file that uses external entities. This can lead to extraction of secrets from the Jenkins controller or server-side request forgery due to the XML parser not being configured to prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins Coverage/Complexity Scatter Plot Plugin versions 1.1.1 and earlier, as a temporary workaround, consider disabling the 'Public Coverage / Complexity Scatter Plot' post-build step until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Flaky Test Handler Plugin versions 1.2.1 and earlier **Description** The issue is related to the configuration of the XML parser, which does not prevent XML external entity (XXE) attacks. This allows for potential exploitation. **Recommendations** For Jenkins Flaky Test Handler Plugin versions 1.2.1 and earlier, update to a version that configures its XML parser to prevent XXE attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline: Phoenix AutoTest Plugin versions 1.3 and earlier **Description** The issue is related to the Phoenix AutoTest Plugin not configuring its XML parser to prevent XML external entity (XXE) attacks. This allows attackers who can control the input files for the `readXml` or `writeXml` build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins Pipeline: Phoenix AutoTest Plugin versions 1.3 and earlier, consider disabling the `readXml` and `writeXml` build steps until a patch is available to prevent XML external entity attacks. Restrict access to these build steps to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.286 and earlier Jenkins LTS versions 2.277.1 and earlier **Description** The issue arises from the improper validation of newly created view names, allowing attackers with View/Create permission to create views with invalid or already-used names. This occurs because when a form to create a view is submitted, the name is included twice, with one instance being validated and the other instance being used for view creation. This discrepancy enables the creation of views with names that should be restricted. **Recommendations** For Jenkins versions 2.286 and earlier, update to version 2.287 or later to resolve the issue. For Jenkins LTS versions 2.277.1 and earlier, update to version 2.277.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.286 and earlier Jenkins LTS versions 2.277.1 and earlier **Description** The issue arises from the lack of validation of the type of object created after loading data submitted to the "config.xml" REST API endpoint of a node. This allows attackers with Computer/Configure permission to replace a node with one of a different type. **Recommendations** For Jenkins versions 2.286 and earlier, update to version 2.287 or later to resolve the issue. For Jenkins LTS versions 2.277.1 and earlier, update to version 2.277.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `config.xml` REST API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Visualworks Store Plugin versions 1.1.3 and earlier **Description** The issue allows attackers with the ability to control the output of a script that runs Visualworks with StoreCI, or able to control an agent process, to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins Visualworks Store Plugin versions 1.1.3 and earlier, update to version 1.1.4 or later, which disables external entity resolution for its XML parser.

**Name of the Vulnerable Software and Affected Versions** Jenkins Maven Cascade Release Plugin versions 1.3.2 and earlier **Description** The issue concerns a lack of permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to start cascade builds and layout builds, and reconfigure the plugin. **Recommendations** For Jenkins Maven Cascade Release Plugin versions 1.3.2 and earlier, consider restricting access to the plugin's configuration and build start functionality to minimize the risk of exploitation. As a temporary workaround, limit the permissions of users who do not need to start cascade builds or reconfigure the plugin. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Shared Objects Plugin versions 0.44 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to configure shared objects. This can be exploited by attackers to perform unauthorized actions. **Recommendations** For Jenkins Shared Objects Plugin versions 0.44 and earlier, update to a version later than 0.44 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's configuration options to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Maven Cascade Release Plugin versions 1.3.2 and earlier **Description** A cross-site request forgery issue allows attackers to start cascade builds and layout builds, and reconfigure the plugin. **Recommendations** For Jenkins Maven Cascade Release Plugin versions 1.3.2 and earlier, update to a version later than 1.3.2 to resolve the issue.