Markus Winter

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.393 and earlier Jenkins LTS versions 2.375.3 and earlier Jenkins versions prior to LTS 2.387.1 **Description** The issue allows attackers with Item/Workspace permission to access the contents of temporary directories related to job workspaces. These temporary directories are used by Jenkins to store temporary files related to the build and may contain credentials stored by Jenkins-controlled processes. **Recommendations** For Jenkins versions 2.393 and earlier, consider updating to version 2.394 or later. For Jenkins LTS versions 2.375.3 and earlier, consider updating to version 2.375.4 or later. For versions prior to LTS 2.387.1, consider updating to version LTS 2.387.1 or later. As a temporary workaround, do not grant Item/Workspace permission to users who lack Item/Configure permission.

**Name of the Vulnerable Software and Affected Versions** Jenkins Project Inheritance Plugin versions 21.04.03 and earlier Jenkins Project Inheritance Plugin version 19.08.02 and earlier **Description** The issue allows access to Inheritance Project job configurations in XML format without requiring the necessary Job/ExtendedRead permission. Typically, Jenkins limits access to job configuration XML data (`config.xml`) to users with Job/ExtendedRead permission, which is often implied by Job/Configure permission. The Project Inheritance Plugin has a job inspection feature using the API URL "/job/…/getConfigAsXML" for its Inheritance Project job type. This endpoint does not check permissions, granting access to job configuration XML data to every user with Job/Read permission. Furthermore, encrypted values of secrets stored in the job configuration are not redacted for users without Job/Configure permission. **Recommendations** For Jenkins Project Inheritance Plugin versions 21.04.03 and earlier, consider disabling the `/job/…/getConfigAsXML` API endpoint until a patch is available. For Jenkins Project Inheritance Plugin version 19.08.02 and earlier, restrict access to the Inheritance Project job configurations to minimize the risk of exploitation. Avoid using the `config.xml` API for users without Job/Configure permission until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jenkins Project Inheritance Plugin versions 21.04.03 and earlier **Description** The issue concerns the transmission of job config.xml data to users without proper Job/Configure permissions. Specifically, it does not redact encrypted secrets in the "getConfigAsXML" API endpoint when sending this data. This could potentially expose sensitive information. **Recommendations** For Jenkins Project Inheritance Plugin versions 21.04.03 and earlier, consider restricting access to the "getConfigAsXML" API endpoint until a fix is available. As a temporary workaround, limit the transmission of job config.xml data to only those users with the necessary Job/Configure permissions.