Kevin Guerroudj

**Name of the Vulnerable Software and Affected Versions** Jenkins Coverage Plugin versions 2.3054.ve1ff7b a a 123b and earlier **Description** The Jenkins Coverage Plugin does not properly validate the configured coverage results ID when creating coverage results. Specifically, the validation occurs only during UI configuration, not through the REST API. This allows attackers possessing Item/Configure permission to utilize a `javascript:` scheme URL as an identifier when configuring a job via the REST API, leading to a stored cross-site scripting (XSS) issue. The vulnerable configuration occurs when setting the identifier through the ''/job/<jobname>/api/json' endpoint using the `coverageResultsId` parameter. **Recommendations** Update Jenkins Coverage Plugin to a version later than 2.3054.ve1ff7b a a 123b . As a temporary workaround, restrict access to the REST API endpoint ''/job/<jobname>/api/json'' for users with Item/Configure permission.

**Name of the Vulnerable Software and Affected Versions** Jenkins MCP Server Plugin versions 0.84.v50ca 24ef83f2 and earlier **Description** The Jenkins MCP Server Plugin does not properly enforce permission checks in several MCP tools. This allows attackers to initiate builds and access sensitive job and cloud configuration details that they are not authorized to view. **Recommendations** Update Jenkins MCP Server Plugin to a version later than 0.84.v50ca 24ef83f2.

**Name of the Vulnerable Software and Affected Versions** Jenkins OpenTelemetry Plugin versions 3.1543.v8446b 92b cd64 and earlier **Description** A missing permission check allows attackers with Overall/Read permission to connect to a URL specified by the attacker, using credentials IDs obtained through other means. This can result in the capture of credentials stored in Jenkins. **Recommendations** Update to a newer version of the Jenkins OpenTelemetry Plugin.

**Name of the Vulnerable Software and Affected Versions** Jenkins WSO2 Oauth Plugin versions 1.0 and earlier **Description** The issue allows unauthenticated attackers to log in to controllers using the "WSO2 Oauth" security realm with any username and any password, including usernames that do not exist, due to authentication claims being accepted without validation. It is estimated that over 720,000 Jenkins instances are exposed to the internet, potentially affected by this issue. **Recommendations** For Jenkins WSO2 Oauth Plugin versions 1.0 and earlier, consider disabling the "WSO2 Oauth" security realm until a patch is available to prevent unauthenticated access. Restrict access to controllers using this security realm to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitLab Plugin versions 1.9.6 and earlier **Description** The issue is related to an incorrect permission check in the Jenkins GitLab Plugin. This allows attackers with global Item/Configure permission, but lacking Item/Configure permission on any particular job, to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. These credential IDs can be used as part of an attack to capture the credentials using another vulnerability. **Recommendations** For Jenkins GitLab Plugin versions 1.9.6 and earlier, upgrade to version 1.9.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the global Item/Configure permission to minimize the risk of exploitation. Additionally, restrict access to the HTTP endpoint related to the GitLab Plugin to prevent enumeration of credential IDs.

**Name of the Vulnerable Software and Affected Versions** Jenkins Azure Service Fabric Plugin versions 1.6 and earlier **Description** A missing permission check in the Jenkins Azure Service Fabric Plugin allows attackers with Overall/Read permission to enumerate the IDs of Azure credentials stored in Jenkins. This issue can be exploited by attackers to potentially capture the credentials using another vulnerability. The affected plugin does not perform permission checks in several HTTP endpoints, making it possible for attackers to enumerate credentials IDs. **Recommendations** For Jenkins Azure Service Fabric Plugin versions 1.6 and earlier, consider disabling the plugin until a patch is available to prevent attackers from enumerating credentials IDs of Azure credentials stored in Jenkins. As a temporary workaround, restrict access to the plugin's HTTP endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Azure Service Fabric Plugin versions 1.6 and earlier **Description** A Cross-Site Request Forgery (CSRF) issue allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs obtained through another method. This enables attackers to potentially access sensitive information or perform unauthorized actions. **Recommendations** For Jenkins Azure Service Fabric Plugin versions 1.6 and earlier, consider disabling the plugin until a patch is available to prevent exploitation of the CSRF vulnerability. Restrict access to the Service Fabric URL to minimize the risk of unauthorized connections. Avoid using attacker-specified credentials IDs in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline: Groovy Plugin versions 3990.vd281dd77a 388 and earlier, except version 3975.3977.v478dd9e956c3 **Description** The issue allows attackers with Item/Build permission to rebuild a previous build whose `Jenkinsfile` script is no longer approved, because the main script for a rebuilt build is not checked for approval. This can be exploited by attackers with the necessary permissions to rebuild previous builds with unapproved scripts. **Recommendations** For versions 3990.vd281dd77a 388 and earlier, except version 3975.3977.v478dd9e956c3, update to a version that includes the fix, such as version 3993.v3e20a 37282f8, which refuses to rebuild a build whose main `Jenkinsfile` script is unapproved. At the moment, there is no other information about additional mitigation measures.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline: Declarative Plugin versions 2.2214.vb b 34b 2ea 9b 83 and earlier **Description** The issue allows attackers with Item/Build permission to restart a previous build whose `Jenkinsfile` script is no longer approved, as the plugin does not check whether the main script used to restart a build from a specific stage is approved. This can be exploited by attackers with the necessary permissions. **Recommendations** For Jenkins Pipeline: Declarative Plugin versions 2.2214.vb b 34b 2ea 9b 83 and earlier, update to version 2.2218.v56d0cda 37c72 or later, which refuses to restart a build whose main `Jenkinsfile` script is unapproved. As a temporary workaround, consider restricting the Item/Build permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Authorize Project Plugin versions 1.7.2 and earlier **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs when a string containing the job name is evaluated with JavaScript on the Authorization view. This vulnerability is exploitable by attackers with Item/Configure permission. **Recommendations** For Jenkins Authorize Project Plugin versions 1.7.2 and earlier, update to version 1.8.0 or later, which no longer evaluates a string containing the job name with JavaScript on the Authorization view.

**Name of the Vulnerable Software and Affected Versions** Jenkins OpenId Connect Authentication Plugin versions 4.418.vccc7061f5b 6d and earlier **Description** The issue arises because the plugin does not invalidate the previous session on login, allowing attackers to potentially use social engineering techniques to gain administrator access to Jenkins. **Recommendations** For Jenkins OpenId Connect Authentication Plugin versions 4.418.vccc7061f5b 6d and earlier, update to version 4.421.v5422614eb e0a or later to ensure the existing session is invalidated on login.

**Name of the Vulnerable Software and Affected Versions** Jenkins Credentials Plugin versions 1380.va 435002fa 924 and earlier, except version 1371.1373.v4eb fa b 7161e9 **Description** The issue concerns the Jenkins Credentials Plugin, which does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI. This allows attackers with Item/Extended Read permission to view encrypted `SecretBytes` values in credentials, including Certificate credentials and Secret file credentials from Plain Credentials Plugin. The issue is similar to a previous security advisory from 2016. **Recommendations** For Jenkins Credentials Plugin versions 1380.va 435002fa 924 and earlier, except version 1371.1373.v4eb fa b 7161e9, update to version 1381.v2c3a 12074da b or later, but ensure the Jenkins version is 2.479 or newer, or LTS 2.462.3 or newer, to effectively redact encrypted values of credentials using the `SecretBytes` type. As a temporary workaround, consider restricting access to the `config.xml` file via REST API or CLI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins HTML Publisher Plugin versions 1.32 and earlier **Description** The issue exists due to the lack of protection for the web page structure. This can be exploited by a remote attacker to conduct cross-site scripting attacks. The vulnerability is a stored cross-site scripting (XSS) issue, which can be exploited by attackers with Item/Configure permission. The `job names`, `report names`, and `index page titles` are not escaped, leading to this vulnerability. **Recommendations** For Jenkins HTML Publisher Plugin versions 1.32 and earlier, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the report frame and ensuring that only trusted users have Item/Configure permission.

**Name of the Vulnerable Software and Affected Versions** Jenkins HTML Publisher Plugin versions 1.16 through 1.32 **Description** The issue arises from the plugin's failure to properly sanitize input, allowing attackers with Item/Configure permission to implement cross-site scripting (XSS) attacks. This can also enable attackers to determine whether a specific path exists on the Jenkins controller file system. **Recommendations** For Jenkins HTML Publisher Plugin versions 1.16 through 1.32, update to a version outside of this range to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins HTML Publisher Plugin versions 1.32 and earlier **Description** The issue is related to the incorrect restriction of the directory path name with limited access. Exploitation may allow a remote attacker to read arbitrary files using a specially crafted HTTP request. Attackers with Item/Configure permission can determine whether a path on the Jenkins controller file system exists, without being able to access it. **Recommendations** For Jenkins HTML Publisher Plugin versions 1.32 and earlier, update to a version later than 1.32 to resolve the issue. At the moment, there is no information about other specific fixes for this issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins AppSpider Plugin versions 1.0.16 and earlier **Description** The issue allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names due to a lack of permission checks in several HTTP endpoints. **Recommendations** For Jenkins AppSpider Plugin versions 1.0.16 and earlier, as a temporary workaround, consider restricting access to the affected HTTP endpoints until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitLab Branch Source Plugin versions 684.vea fa 7c1e2fe3 and earlier **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL. The vulnerability is caused by the plugin not requiring POST requests for a form validation endpoint. **Recommendations** For Jenkins GitLab Branch Source Plugin versions 684.vea fa 7c1e2fe3 and earlier, update to a version that requires POST requests for the affected form validation endpoint, such as GitLab Branch Source Plugin 688.v5fa 356ee8520. As a temporary workaround, consider restricting access to the form validation endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Deployment Dashboard Plugin versions 1.0.10 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to copy jobs. **Recommendations** For Jenkins Deployment Dashboard Plugin versions 1.0.10 and earlier, update to a version later than 1.0.10 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins OpenId Connect Authentication Plugin versions 2.6 and earlier **Description** The issue allows attackers to perform phishing attacks by improperly determining that a redirect URL after login is legitimately pointing to Jenkins. **Recommendations** For Jenkins OpenId Connect Authentication Plugin versions 2.6 and earlier, update to a version later than 2.6 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins HTMLResource Plugin versions 1.02 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to delete arbitrary files on the Jenkins controller file system. This can be exploited by attackers to potentially disrupt or compromise the system. **Recommendations** For Jenkins HTMLResource Plugin versions 1.02 and earlier, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the plugin to minimize the risk of exploitation.