Oleg Nenashev

**Name of the Vulnerable Software and Affected Versions** Jenkins Sonar Gerrit Plugin versions 377.v8f3808963dc5 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to have Jenkins connect to Gerrit servers using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. This could be achieved by attackers obtaining credentials IDs through another method. **Recommendations** For Jenkins Sonar Gerrit Plugin versions 377.v8f3808963dc5 and earlier, as a temporary workaround, consider restricting access to the plugin until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a 86c and earlier **Description** The issue allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller. **Recommendations** For Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a 86c and earlier, consider restricting the Item/Configure permission to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a 86c and earlier **Description** A cross-site request forgery vulnerability allows attackers to connect to an attacker-specified URL. The issue arises because the plugin does not perform a permission check on form validation methods, allowing attackers with Overall/Read permission to exploit this. Furthermore, these form validation methods do not require POST requests, resulting in the vulnerability. **Recommendations** For versions 346.vd87693c5a 86c and earlier, consider disabling the form validation methods until a patch is available to prevent exploitation. Restrict access to the plugin to minimize the risk of exploitation, especially for users with Overall/Read permission. Avoid using the plugin for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a 86c and earlier **Description** A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL. The form validation methods do not perform a permission check and do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. **Recommendations** For Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a 86c and earlier, consider disabling the form validation methods until a patch is available to prevent attackers from connecting to an attacker-specified URL. Restrict access to the plugin's functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Checkmarx Plugin versions 2022.1.2 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified webserver using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The issue arises from the lack of permission checks in several HTTP endpoints, which can be exploited by attackers with Overall/Read permission. These endpoints also do not require POST requests, further facilitating the CSRF vulnerability. **Recommendations** For Jenkins Checkmarx Plugin versions 2022.1.2 and earlier, consider disabling the affected HTTP endpoints until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of capturing credentials stored in Jenkins. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Database Plugin versions 1.6 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to execute arbitrary SQL scripts because the database console does not require POST requests. This issue enables attackers to perform unauthorized actions. **Recommendations** For Jenkins Database Plugin versions 1.6 and earlier, update to version 1.7 or later, which removes the vulnerable database console.

**Name of the Vulnerable Software and Affected Versions** Jenkins database Plugin versions 1.6 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified database server using attacker-specified credentials. The vulnerability affects the form validation method, which in version 1.7 and later requires POST requests. **Recommendations** For Jenkins database Plugin versions 1.6 and earlier, update to version 1.7 or later, which requires POST requests for the affected form validation method, mitigating the CSRF risk.

**Name of the Vulnerable Software and Affected Versions** Jenkins Database Plugin versions 1.6 and earlier **Description** A missing permission check in the Jenkins Database Plugin allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified credentials. The issue is resolved in version 1.7, which requires Overall/Administer permission for the affected form validation method. **Recommendations** For Jenkins Database Plugin versions 1.6 and earlier, update to version 1.7 or later to resolve the issue. As a temporary workaround, consider restricting Overall/Read access to Jenkins to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.244 and earlier Jenkins LTS versions 2.235.1 and earlier **Description** The issue results from incorrect escaping of the `href` attribute of links to downstream jobs displayed in the build console page, leading to a stored cross-site scripting vulnerability. This vulnerability is exploitable by users with Job/Configure permission. **Recommendations** For Jenkins versions 2.244 and earlier, update to version 2.245 or later to resolve the issue. For Jenkins LTS versions 2.235.1 and earlier, update to version 2.235.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the build console page for users with Job/Configure permission until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Jenkins Self-Organizing Swarm Plug-in Modules Plugin versions 3.20 and earlier **Description** A cross-site request forgery issue allows attackers to add or remove agent labels. The Swarm Plugin adds API endpoints to manage agent labels, but in versions 3.20 and earlier, these endpoints only require a global Swarm secret and do not perform regular permission checks. This allows users with Agent/Create permission to modify labels of any agent. Furthermore, these API endpoints can be exploited without requiring POST requests, leading to a cross-site request forgery vulnerability. **Recommendations** For Jenkins Self-Organizing Swarm Plug-in Modules Plugin versions 3.20 and earlier, update to version 3.21 or later, which requires POST requests and Agent/Configure permission for the affected agent to access the API endpoints, and no longer uses the global Swarm secret for these operations.

**Name of the Vulnerable Software and Affected Versions** Jenkins Self-Organizing Swarm Plug-in Modules Plugin versions 3.20 and earlier **Description** The issue concerns the lack of permission checks on API endpoints that allow adding and removing agent labels. This allows users with Agent/Create permission to modify labels of any agent. The affected API endpoints require only a global Swarm secret to use, without performing a regular permission check. **Recommendations** For Jenkins Self-Organizing Swarm Plug-in Modules Plugin versions 3.20 and earlier, update to version 3.21 or later, which requires Agent/Configure permission for the affected agent to access the API endpoints and no longer uses the global Swarm secret for these endpoints.

**Name of the Vulnerable Software and Affected Versions** Jenkins CVS Plugin versions 2.15 and earlier **Description** A cross-site request forgery issue allows attackers to create and manipulate tags, and to connect to an attacker-specified URL, by exploiting HTTP endpoints that do not require POST requests. This enables attackers to perform unauthorized actions. **Recommendations** For Jenkins CVS Plugin versions 2.15 and earlier, update to version 2.16 or later, which requires POST requests for the affected HTTP endpoints, mitigating the cross-site request forgery risk.

**Name of the Vulnerable Software and Affected Versions** Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier **Description** A cross-site request forgery issue allows attackers to provision instances. The vulnerability is due to the plugin not requiring POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. This allows an attacker to provision instances with an attacker-specified template ID. **Recommendations** For Jenkins Amazon EC2 Plugin versions 1.50.1 and earlier, update to version 1.50.2 or later, which requires POST requests for the affected HTTP endpoints.

**Name of the Vulnerable Software and Affected Versions** Jenkins Amazon EC2 Plugin versions 1.47 and earlier **Description** A missing permission check in the Jenkins Amazon EC2 Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. This issue may also potentially allow attackers to capture credentials stored in Jenkins, although this has not been confirmed. Additionally, the form validation methods are vulnerable to CSRF attacks because they do not require POST requests. **Recommendations** For Jenkins Amazon EC2 Plugin versions 1.47 and earlier, update to version 1.48 or later, which requires POST requests and Overall/Administer permission for the affected form validation methods, thus mitigating the issue. As a temporary workaround, consider restricting access to the plugin's form validation methods to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Amazon EC2 Plugin versions 1.47 and earlier **Description** A cross-site request forgery issue allows attackers to connect to an attacker-specified URL within the AWS region using attacker-specified credentials IDs obtained through another method. The vulnerability is due to the lack of permission checks in methods performing form validation, which can be exploited by users with Overall/Read access to Jenkins. This might also potentially allow attackers to capture credentials stored in Jenkins, although this has not been confirmed. The form validation methods are also vulnerable to CSRF as they do not require POST requests. **Recommendations** For Jenkins Amazon EC2 Plugin versions 1.47 and earlier, update to version 1.48 or later, which requires POST requests and Overall/Administer permission for the affected form validation methods, mitigating the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Sonar Gerrit Plugin (affected versions not specified) **Description** The issue concerns the storage of credentials in an unencrypted manner in job config.xml files on the Jenkins master. These credentials can be accessed by users who have Extended Read permission or direct access to the master file system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin (affected versions not specified) **Description** A cross-site request forgery issue allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. Note that Jenkins has suspended distribution of this plugin. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Libvirt Slaves Plugin (affected versions not specified) **Description** A missing permission check in form-related methods of the Jenkins Libvirt Slaves Plugin allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin (affected versions not specified) **Description** A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Note that Jenkins has suspended distribution of this plugin. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin (affected versions not specified) **Description** A missing permission check in form-related methods of the Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. Note that Jenkins has suspended distribution of this plugin. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.