Marc Heyries

**Name of the Vulnerable Software and Affected Versions** Jenkins MSTest Plugin version 1.0.0 and earlier **Description** The issue is related to the configuration of the XML parser, which does not prevent XML external entity (XXE) attacks. **Recommendations** For Jenkins MSTest Plugin version 1.0.0 and earlier, update to a version that configures its XML parser to prevent XXE attacks.

**Name of the Vulnerable Software and Affected Versions** Jenkins BigPanda Notifier Plugin versions 1.4.0 and earlier **Description** The issue concerns the storage and display of the BigPanda API key in the plugin's configuration. The BigPanda API key is stored unencrypted in the `BigpandaGlobalNotifier.xml` file on the Jenkins controller. This key can be accessed by users with file system access to the Jenkins controller. Furthermore, the global configuration form does not mask the API key, making it possible for attackers to observe and capture it. **Recommendations** For Jenkins BigPanda Notifier Plugin versions 1.4.0 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the API key being viewed. As a temporary workaround, manually encrypt and securely store the BigPanda API key until a patch is available. Avoid using the plugin's global configuration form to input the API key until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins BigPanda Notifier Plugin versions 1.4.0 and earlier **Description** The issue concerns the storage of the BigPanda API key in an unencrypted form within the global configuration file on the Jenkins controller. This file can be accessed by users with permission to the Jenkins controller file system. The global configuration form also fails to mask the API key, potentially allowing attackers to observe and capture it. The key is stored in the `BigpandaGlobalNotifier.xml` file as part of the plugin's configuration. **Recommendations** For Jenkins BigPanda Notifier Plugin versions 1.4.0 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the API key being viewed by unauthorized users. As a temporary workaround, limit the access to the `BigpandaGlobalNotifier.xml` file until a patch is available. Additionally, avoid displaying the API key in the global configuration form to prevent potential observation and capture by attackers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Autocomplete Parameter Plugin versions 1.1 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to execute arbitrary code without sandbox protection if the victim is an administrator. **Recommendations** For Jenkins Autocomplete Parameter Plugin versions 1.1 and earlier, update to a version that fixes this issue to prevent arbitrary code execution. As a temporary workaround, consider restricting access to administrative functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Publish Over FTP Plugin versions 1.16 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to connect to an FTP server using attacker-specified credentials. **Recommendations** For Jenkins Publish Over FTP Plugin versions 1.16 and earlier, update to a version later than 1.16 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Publish Over FTP Plugin versions 1.16 and earlier **Description** The issue is related to missing permission checks in the Jenkins Publish Over FTP Plugin, which allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. **Recommendations** For Jenkins Publish Over FTP Plugin versions 1.16 and earlier, update to version 1.17 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin for users with Overall/Read permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins RocketChat Notifier Plugin versions 1.4.10 and earlier **Description** A missing permission check in the Jenkins RocketChat Notifier Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. This issue also results in a cross-site request forgery (CSRF) vulnerability due to the lack of requirement for POST requests in the form validation method. **Recommendations** For Jenkins RocketChat Notifier Plugin versions 1.4.10 and earlier, update to version 1.5.0 or later, which requires POST requests and Overall/Administer permission for the affected form validation method, thus mitigating the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Proxmox Plugin versions 0.5.0 and earlier **Description** The issue concerns the storage of the Proxmox Datacenter password in an unencrypted manner within the global config.xml file on the Jenkins controller. This allows users with access to the Jenkins controller file system to view the password. **Recommendations** For Jenkins Proxmox Plugin versions 0.5.0 and earlier, consider restricting access to the global config.xml file on the Jenkins controller to minimize the risk of password exposure until a fix is available. As a temporary workaround, limit user access to the Jenkins controller file system to prevent unauthorized viewing of the Proxmox Datacenter password.

**Name of the Vulnerable Software and Affected Versions** Jenkins RocketChat Notifier Plugin versions 1.4.10 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials. This issue arises because the plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to exploit the vulnerability. Furthermore, the form validation method does not require POST requests, contributing to the CSRF vulnerability. **Recommendations** For Jenkins RocketChat Notifier Plugin versions 1.4.10 and earlier, update to version 1.5.0, which requires POST requests and Overall/Administer permission for the affected form validation method, thus mitigating the issue. As a temporary workaround, consider restricting access to the form validation method to users with Overall/Administer permission until the update to version 1.5.0 is applied.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitLab Authentication Plugin versions 1.13 and earlier **Description** The issue concerns the storage of the GitLab client secret in an unencrypted form within the global config.xml file on the Jenkins controller. This allows users with access to the Jenkins controller file system to view the client secret. **Recommendations** For Jenkins GitLab Authentication Plugin versions 1.13 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the client secret being viewed by unauthorized users. As a temporary workaround, consider encrypting the GitLab client secret manually until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Publish Over SSH Plugin versions 1.22 and earlier **Description** The issue allows passwords to be stored unencrypted in the global configuration file on the Jenkins controller. This can be viewed by users with access to the Jenkins controller file system. **Recommendations** For Jenkins Publish Over SSH Plugin versions 1.22 and earlier, consider updating to a version that properly encrypts passwords in the global configuration file to prevent unauthorized access. As a temporary workaround, restrict access to the Jenkins controller file system to minimize the risk of password exposure.

**Name of the Vulnerable Software and Affected Versions** Jenkins Publish Over SSH Plugin versions 1.22 and earlier **Description** The issue allows attackers with Item/Configure permission to discover the name of the Jenkins controller files due to a path traversal vulnerability. This occurs because the plugin performs a validation of the file name, specifying whether it is present or not. **Recommendations** For Jenkins Publish Over SSH Plugin versions 1.22 and earlier, update to a version later than 1.22 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's file validation functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Publish Over SSH Plugin versions 1.22 and earlier **Description** A missing permission check in the plugin allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials. **Recommendations** For Jenkins Publish Over SSH Plugin versions 1.22 and earlier, update to a version later than 1.22 to resolve the issue. As a temporary workaround, consider restricting Overall/Read access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Publish Over SSH Plugin versions 1.22 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to connect to an attacker-specified SSH server using attacker-specified credentials. **Recommendations** For Jenkins Publish Over SSH Plugin versions 1.22 and earlier, consider disabling the plugin until a patch is available to prevent exploitation. Restrict access to the SSH server configuration to minimize the risk of unauthorized connections.

**Name of the Vulnerable Software and Affected Versions** Jenkins Selenium HTML report Plugin versions 1.0 and earlier **Description** The issue arises from the plugin not configuring its XML parser to prevent XML external entity (XXE) attacks, allowing attackers who can control the report files parsed by this plugin to craft a report file that uses external entities. This can lead to the extraction of secrets from the Jenkins controller or server-side request forgery. **Recommendations** For Jenkins Selenium HTML report Plugin versions 1.0 and earlier, update to version 1.1 or later, which disables external entity resolution for its XML parser.

**Name of the Vulnerable Software and Affected Versions** Jenkins Generic Webhook Trigger Plugin versions 1.72 and earlier **Description** The issue allows attackers to have Jenkins parse a crafted XML request body that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. This is due to the XML parser not being configured to prevent XML external entity (XXE) attacks. Attackers with the ability to call webhooks configured to extract parameters using XPath can exploit this. **Recommendations** For Jenkins Generic Webhook Trigger Plugin versions 1.72 and earlier, update to version 1.74 or later, which disables external entity resolution for its XML parser.

**Name of the Vulnerable Software and Affected Versions** Jenkins P4 Plugin versions 1.11.4 and earlier **Description** The issue allows attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified `username` and `password`. This is due to a lack of permission checks in multiple HTTP endpoints. **Recommendations** For Jenkins P4 Plugin versions 1.11.4 and earlier, update to version 1.11.5 or later, which requires Overall/Administer permission for the affected HTTP endpoints.

**Name of the Vulnerable Software and Affected Versions** Jenkins P4 Plugin versions 1.11.4 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified Perforce server using attacker-specified `username` and `password`. The issue is mitigated in version 1.11.5, which requires POST requests for the affected HTTP endpoints. **Recommendations** For Jenkins P4 Plugin versions 1.11.4 and earlier, update to version 1.11.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected HTTP endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Extra Columns Plugin versions 1.22 and earlier **Description** The issue results in a stored cross-site scripting (XSS) vulnerability due to the plugin not escaping parameter values in the build parameters column. This vulnerability is exploitable by attackers with Job/Configure permission. Additionally, for a view containing such a job, the attacker needs either the build parameters column to be configured or View/Configure permission. **Recommendations** For Jenkins Extra Columns Plugin versions 1.22 and earlier, update to version 1.23 or later, which escapes parameter values in the build parameters column, to resolve the issue.