Kyler Katz

Name of the Vulnerable Software and Affected Versions: Jenkins HTML Publisher Plugin versions prior to 426 Description: The Jenkins HTML Publisher Plugin versions prior to 426 displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, potentially exposing information about the Jenkins controller file system in the build log. Recommendations: Upgrade to Jenkins HTML Publisher Plugin version 426 or later.

Name of the Vulnerable Software and Affected Versions: iotdb-jdbc versions 0.10.0 through 1.3.3 iotdb-jdbc versions 2.0.1-beta through 2.0.2 Description: The issue is related to the exposure of sensitive information to an unauthorized actor and the insertion of sensitive information into log files in the Apache IoTDB JDBC driver. Users are advised to upgrade to resolve the issue. Recommendations: For iotdb-jdbc versions 0.10.0 through 1.3.3, upgrade to version 1.3.4. For iotdb-jdbc versions 2.0.1-beta through 2.0.2, upgrade to version 2.0.2.

Name of the Vulnerable Software and Affected Versions: Apache IoTDB versions 0.10.0 through 1.3.3 Apache IoTDB versions 2.0.1-beta through 2.0.2 Description: The issue is related to the exposure of sensitive information to an unauthorized actor and the insertion of sensitive information into log files in the OpenIdAuthorizer of Apache IoTDB. Recommendations: For Apache IoTDB versions 0.10.0 through 1.3.3, upgrade to version 1.3.4. For Apache IoTDB versions 2.0.1-beta through 2.0.2, upgrade to version 2.0.2.

Name of the Vulnerable Software and Affected Versions: Apache Pulsar IO versions prior to 3.0.11 Apache Pulsar IO versions prior to 3.3.6 Apache Pulsar IO versions prior to 4.0.4 Description: The issue affects Apache Pulsar IO's Apache Kafka connectors, where sensitive configuration properties are logged in plain text in application logs. This can lead to unintended exposure of credentials in log files, potentially allowing attackers with access to these logs to obtain Apache Kafka credentials. The impact is limited by the fact that an attacker would need access to the application logs to exploit this issue. Recommendations: For versions 3.0.x, upgrade to at least version 3.0.11. For versions 3.3.x, upgrade to at least version 3.3.6. For versions 4.0.x, upgrade to at least version 4.0.4. For versions prior to those listed above, upgrade to the aforementioned patched versions or newer versions.