Matt Sicker

**Name of the Vulnerable Software and Affected Versions** Jenkins Build-Publisher Plugin versions 1.22 and earlier **Description** The issue is related to a missing permission check in an HTTP endpoint, which allows attackers with Overall/Read permission to obtain the names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers. **Recommendations** For Jenkins Build-Publisher Plugin versions 1.22 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the affected HTTP endpoint until a patch is available. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jenkins Recipe Plugin version 1.2 and earlier **Description** A cross-site request forgery issue allows attackers to send an HTTP request to a specified URL and parse the response as XML. **Recommendations** For Jenkins Recipe Plugin version 1.2 and earlier, update to a version later than 1.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Recipe Plugin versions 1.2 and earlier **Description** The issue is related to missing permission checks in the Jenkins Recipe Plugin, allowing attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. Additionally, the plugin allows users to export the full configuration of jobs as part of a recipe, granting access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission. **Recommendations** For Jenkins Recipe Plugin versions 1.2 and earlier, consider disabling the plugin until a patch is available to prevent attackers from sending HTTP requests to attacker-specified URLs. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with Overall/Read or Item/Read permissions. Avoid using the plugin to export job configurations until the issue is resolved to prevent unauthorized access to sensitive data.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitLab Authentication Plugin versions 1.13 and earlier **Description** The issue concerns the storage of the GitLab client secret in an unencrypted form within the global config.xml file on the Jenkins controller. This allows users with access to the Jenkins controller file system to view the client secret. **Recommendations** For Jenkins GitLab Authentication Plugin versions 1.13 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the client secret being viewed by unauthorized users. As a temporary workaround, consider encrypting the GitLab client secret manually until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Fortify Plugin versions 20.2.34 and earlier **Description** The issue allows attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system. This is due to the lack of sanitization of the `appName` and `appVersion` parameters in the Pipeline steps. The attackers cannot control the content of the files. **Recommendations** For versions 20.2.34 and earlier, update to version 20.2.35 or later, which sanitizes the `appName` and `appVersion` parameters of its Pipeline steps.

**Name of the Vulnerable Software and Affected Versions** Jenkins requests-plugin Plugin versions 2.2.7 and earlier **Description** The issue is related to a missing permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to send test emails to an attacker-specified email address. This affects versions of the Jenkins requests-plugin Plugin prior to version 2.2.8, which now requires Overall/Administer permission to send test emails. **Recommendations** For Jenkins requests-plugin Plugin versions 2.2.7 and earlier, update to version 2.2.8 or later, which requires Overall/Administer permission to send test emails, mitigating the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins requests-plugin Plugin versions 2.2.6 and earlier **Description** A missing permission check in the Jenkins requests-plugin Plugin allows attackers with Overall/Read permission to view the list of pending requests. This issue is related to an HTTP endpoint that does not perform a permission check, enabling attackers to access sensitive information. **Recommendations** For Jenkins requests-plugin Plugin versions 2.2.6 and earlier, update to version 2.2.7 or later, which requires Overall/Administer permission to view the list of pending requests, thus mitigating the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Configuration Slicing Plugin versions 1.51 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to apply different slice configurations to attacker-specified jobs. This issue arises because the form submission endpoint for reconfiguring slices does not require POST requests, making it vulnerable to CSRF attacks. **Recommendations** For Jenkins Configuration Slicing Plugin versions 1.51 and earlier, update to version 1.52 or later, which requires POST requests for the affected HTTP endpoint, thus mitigating the CSRF vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.274 and earlier Jenkins LTS versions 2.263.1 and earlier **Description** The issue results from the failure to escape button labels in the Jenkins UI, leading to a cross-site scripting (XSS) vulnerability. This vulnerability can be exploited by attackers who have the ability to control button labels. For example, buttons with user-controlled labels, such as those in the Pipeline `input` step, can be used to exploit this issue. **Recommendations** For Jenkins versions 2.274 and earlier, update to version 2.275 or later to resolve the issue. For Jenkins LTS versions 2.263.1 and earlier, update to version 2.263.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.274 and earlier Jenkins LTS versions 2.263.1 and earlier **Description** The issue results from the failure to escape notification bar response contents, leading to a cross-site scripting (XSS) vulnerability. This vulnerability can be exploited by attackers who can influence the contents of the notification bar, typically shown after form submissions via the Apply button. **Recommendations** For Jenkins versions 2.274 and earlier, update to version 2.275 or later. For Jenkins LTS versions 2.263.1 and earlier, update to version 2.263.2 or later.

**Name of the Vulnerable Software and Affected Versions** Jenkins Active Directory Plugin versions 2.19 and earlier **Description** A missing permission check in the Jenkins Active Directory Plugin allows attackers with Overall/Read permission to access the domain health check diagnostic page. This issue is resolved in version 2.20, which requires Overall/Administer permission to access the domain health check diagnostic page. **Recommendations** For Jenkins Active Directory Plugin versions 2.19 and earlier, update to version 2.20 or later to require Overall/Administer permission for accessing the domain health check diagnostic page. As a temporary workaround, consider restricting access to the domain health check diagnostic page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Health Advisor by CloudBees Plugin versions 3.2.0 and earlier **Description** The issue arises from an incorrect permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to view the endpoint, which includes an administrative configuration page. **Recommendations** For Jenkins Health Advisor by CloudBees Plugin versions 3.2.0 and earlier, update to version 3.2.1 or later, which requires Overall/Administer permission to view the administrative configuration page, thus mitigating the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier **Description** A cross-site request forgery issue exists in the ComputeEngineCloud#doProvision function, which could be used to provision new agents. The Google Compute Engine Plugin version 4.2.0 mitigates this by requiring POST requests for the affected API endpoint. **Recommendations** For Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier, consider updating to version 4.2.0 or later, which requires POST requests for the affected API endpoint, to prevent cross-site request forgery attacks. As a temporary workaround, consider restricting access to the ComputeEngineCloud#doProvision function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier **Description** The issue is related to missing permission checks in various API endpoints, allowing attackers with Overall/Read permission to obtain limited information about the plugin configuration and environment. This could potentially be exploited by attackers to gain insights into the system's setup. **Recommendations** For Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier, update to version 4.2.0 or later, which requires the appropriate Job/Configure permission to view metadata, thereby addressing the missing permission checks issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier **Description** The issue allows man-in-the-middle attacks due to the lack of SSH host key verification when connecting agents created by the plugin. This enables potential attackers to intercept and manipulate communications. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For Jenkins Google Compute Engine Plugin versions 4.1.1 and earlier, update to version 4.2.0 or later, which verifies SSH host keys before executing any commands on agents.

**Name of the Vulnerable Software and Affected Versions** Jenkins Google Kubernetes Engine Plugin versions prior to 0.7.1 **Description** A missing permission check in the Jenkins Google Kubernetes Engine Plugin allowed attackers with Overall/Read permission to obtain limited information about the scope of a credential with an attacker-specified `credentials ID`. **Recommendations** For versions prior to 0.7.1, update to version 0.7.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.196 and earlier Jenkins LTS versions 2.176.3 and earlier **Description** The issue allows for a stored XSS vulnerability due to the f:combobox form control interpreting its item labels as HTML. This can be exploited by users who have permission to define the contents of the form control. **Recommendations** For Jenkins versions 2.196 and earlier, update to a version later than 2.196 to resolve the issue. For Jenkins LTS versions 2.176.3 and earlier, update to a version later than 2.176.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.196 and earlier, LTS versions 2.176.3 and earlier **Description** The issue concerns a stored XSS vulnerability. It occurs because the f:expandableTextBox form control interprets its content as HTML when expanded. This can be exploited by users who have permission to define its contents, typically those with access to Job/Configure. **Recommendations** For Jenkins versions 2.196 and earlier, update to a version later than 2.196 to resolve the issue. For Jenkins LTS versions 2.176.3 and earlier, update to a version later than 2.176.3 to resolve the issue.