Pierre Beitz

**Name of the Vulnerable Software and Affected Versions** Jenkins Eggplant Runner Plugin versions 0.0.1.301.v963cffe8ddb 8 and earlier **Description** The Jenkins Eggplant Runner Plugin versions 0.0.1.301.v963cffe8ddb 8 and earlier configures the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an empty value. This action disables a security feature within the Java runtime environment, potentially weakening protection mechanisms. **Recommendations** Update to a newer version of the Jenkins Eggplant Runner Plugin.

Name of the Vulnerable Software and Affected Versions: Jenkins DingTalk Plugin versions 2.7.3 and earlier Description: The issue concerns the unconditional disabling of SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. This affects the security of the connections, potentially exposing them to man-in-the-middle attacks or other security risks. Recommendations: For Jenkins DingTalk Plugin versions 2.7.3 and earlier, consider disabling the plugin until a patched version is available that properly handles SSL/TLS certificate and hostname validation. As a temporary workaround, restrict access to the DingTalk webhooks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Red Hat Dependency Analytics Plugin versions 0.7.1 and earlier **Description** The issue is related to the lack of Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. This allows a remote attacker to perform cross-site scripting (XSS) attacks with the possibility of managing files in workspaces. The Red Hat Dependency Analytics Plugin programmatically disables Content-Security-Policy protection for user-generated content when the 'Invoke Red Hat Dependency Analytics (RHDA)' build step is executed. **Recommendations** For Jenkins Red Hat Dependency Analytics Plugin versions 0.7.1 and earlier, consider disabling the 'Invoke Red Hat Dependency Analytics (RHDA)' build step until a patch is available to prevent the disabling of Content-Security-Policy protection. Restrict access to user-generated content in workspaces and archived artifacts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Lockable Resources Plugin versions 2.8 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to reserve, unreserve, unlock, and reset resources. This issue arises because the plugin does not require POST requests for several HTTP endpoints, making it vulnerable to CSRF attacks. The vulnerability enables attackers to perform unauthorized actions on resources. **Recommendations** For Jenkins Lockable Resources Plugin versions 2.8 and earlier, update to version 2.9 or later, which requires POST requests for the affected HTTP endpoints, thereby mitigating the CSRF vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.251 and earlier Jenkins LTS versions 2.235.3 and earlier **Description** The issue results in a stored cross-site scripting (XSS) vulnerability. This occurs because the project naming strategy description is not properly escaped, allowing users with Overall/Manage permission to exploit it. The vulnerability is exploitable when the description is displayed on item creation. **Recommendations** For Jenkins versions 2.251 and earlier, update to version 2.252 or later to resolve the issue. For Jenkins LTS versions 2.235.3 and earlier, update to version 2.235.4 or later to resolve the issue.