Thomas De Grenier De Latour

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline GitHub Notify Step Plugin versions 1.0.4 and earlier **Description** A missing permission check in form-related methods of the Jenkins Pipeline GitHub Notify Step Plugin allowed users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. This functionality provides a list of applicable credential IDs to users configuring the plugin, but it does not correctly check permissions. As a result, any user with Overall/Read permission can obtain a list of valid credentials IDs, which can be used as part of an attack to capture the credentials using another vulnerability. **Recommendations** For Jenkins Pipeline GitHub Notify Step Plugin versions 1.0.4 and earlier, update to version 1.0.5 or later, which requires the permission to configure a project for an enumeration of credentials IDs. As a temporary workaround, consider restricting access to the plugin's configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline GitHub Notify Step Plugin versions 1.0.4 and earlier **Description** A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. **Recommendations** For Jenkins Pipeline GitHub Notify Step Plugin versions 1.0.4 and earlier, consider restricting access to the plugin until a patch is available, and limit the use of Overall/Read permission to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline GitHub Notify Step Plugin versions 1.0.4 and earlier **Description** A cross-site request forgery issue allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. **Recommendations** For Jenkins Pipeline GitHub Notify Step Plugin versions 1.0.4 and earlier, update to a version later than 1.0.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Sounds Plugin version 0.5 and earlier **Description** A cross-site request forgery issue allows an attacker to execute arbitrary OS commands as the OS user account running Jenkins. **Recommendations** For Jenkins Sounds Plugin version 0.5 and earlier, update to a version later than 0.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Sounds Plugin version 0.5 and earlier **Description** The issue allows attackers with Overall/Read access to execute arbitrary OS commands as the OS user account running Jenkins, due to a lack of permission checks in URLs performing form validation. **Recommendations** For Jenkins Sounds Plugin version 0.5 and earlier, update to a version that includes the necessary permission checks to prevent arbitrary OS command execution.

**Name of the Vulnerable Software and Affected Versions** Jenkins 360 FireLine Plugin (affected versions not specified) **Description** The issue is related to an XML external entities (XXE) vulnerability, which allows attackers with Overall/Read access to have Jenkins resolve external entities. This can result in the extraction of secrets from the Jenkins agent, server-side request forgery, or denial-of-service attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Deploy WebLogic Plugin (affected versions not specified) **Description** A cross-site request forgery issue allows attackers to connect to an attacker-specified URL using attacker-specified credentials or determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system. The plugin does not perform permission checks on a method implementing form validation, allowing users with Overall/Read access to Jenkins to send an HTTP HEAD request to a user-specified URL or confirm the existence of any file or directory on the Jenkins controller. This also results in a CSRF vulnerability due to the form validation method not requiring POST requests. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Deploy WebLogic Plugin (affected versions not specified) **Description** The issue is related to a missing permission check in the Jenkins Deploy WebLogic Plugin. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. It also enables them to determine whether a file or directory with an attacker-specified path exists on the Jenkins master file system. Furthermore, the form validation method in the plugin does not perform permission checks, allowing users with Overall/Read access to send an HTTP HEAD request to a user-specified URL or confirm the existence of any file or directory on the Jenkins controller. This also results in a CSRF vulnerability due to the method not requiring POST requests. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Jenkins Cloud Foundry Plugin versions 2.3.1 and earlier Description: A sensitive information exposure issue exists, allowing attackers with Overall/Read access to connect to a specified URL using attacker-specified credentials IDs, potentially capturing stored credentials in Jenkins. The issue stems from a lack of permission checks on a form validation method, which also led to a cross-site request forgery vulnerability due to not requiring POST requests. Recommendations: For Jenkins Cloud Foundry Plugin versions 2.3.1 and earlier, update the plugin to enforce permission checks and require POST requests for the form validation method, ensuring Overall/Administer or Item/Configure permissions are in place. As a temporary workaround, consider restricting access to the AbstractCloudFoundryPushDescriptor.java component until a patch is available.

Name of the Vulnerable Software and Affected Versions: Jenkins OctopusDeploy Plugin versions 1.8.1 and earlier Description: A server-side request forgery issue exists that allows attackers with Overall/Read permission to have the server connect to an attacker-specified URL and obtain the HTTP response code if successful, or an exception error message otherwise. Recommendations: For Jenkins OctopusDeploy Plugin versions 1.8.1 and earlier, consider restricting access to the OctopusDeployPlugin.java file until a patch is available. As a temporary workaround, limit the Overall/Read permission to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Jenkins Kanboard Plugin versions 1.5.10 and earlier Description: A server-side request forgery issue exists that allows attackers with Overall/Read permission to submit a GET request to an attacker-specified URL, potentially leading to unauthorized access. Recommendations: For Jenkins Kanboard Plugin versions 1.5.10 and earlier, consider restricting access to the KanboardGlobalConfiguration.java configuration until a patch is available. As a temporary workaround, limit the Overall/Read permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.137 and earlier Jenkins versions 2.121.2 and earlier **Description** A denial of service issue exists due to a form validation problem in CronTab.java for cron expressions. This issue can cause a request handling thread to enter an infinite loop when certain rare dates are entered, potentially resulting in a denial of service. Attackers with Overall/Read permission can exploit this issue. **Recommendations** For Jenkins versions 2.137 and earlier, update to a version that fixes the Cron expression form validation issue to prevent infinite loops. For Jenkins versions 2.121.2 and earlier, update to a version that fixes the Cron expression form validation issue to prevent infinite loops. As a temporary workaround, consider restricting access to the cron expression form validation to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Openstack Cloud Plugin versions 2.35 and earlier **Description** A sensitive information exposure issue exists, allowing attackers with Overall/Read access to Jenkins to connect to a specified URL using attacker-specified credentials IDs. This enables the capture of credentials stored in Jenkins and submission of HTTP requests to attacker-specified URLs. The issue is related to several Java files, including BootSource.java, InstancesToRun.java, and others. **Recommendations** For Jenkins Openstack Cloud Plugin versions 2.35 and earlier, consider restricting access to sensitive information and credentials until a fix is available. As a temporary workaround, restrict the use of the affected Java files, such as BootSource.java and InstancesToRun.java, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins SAML Plugin versions 1.0.6 and earlier **Description** A session fixation issue exists in the Jenkins SAML Plugin that allows unauthorized attackers to impersonate another user if they can control the pre-authentication session. This is due to a flaw in SamlSecurityRealm.java. **Recommendations** For Jenkins SAML Plugin versions 1.0.6 and earlier, update to version 1.0.7 or later, which invalidates the previous session during login and creates a new one.

**Name of the Vulnerable Software and Affected Versions** Jenkins URLTrigger Plugin versions 0.41 and earlier **Description** A server-side request forgery issue exists that allows attackers with Overall/Read access to cause the server to send a GET request to a specified URL. This is due to a vulnerability in the URLTrigger.java file. The issue is resolved in version 0.43, where the form validation method no longer connects to a user-provided URL. **Recommendations** For Jenkins URLTrigger Plugin versions 0.41 and earlier, update to version 0.43 or later to resolve the issue. As a temporary workaround, consider restricting access to the URLTrigger.java file or limiting the Overall/Read access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Git Plugin version 3.9.0 and older **Description** A server-side request forgery issue exists that allows attackers with Overall/Read access to cause the system to send a GET request to a specified URL. This is due to vulnerabilities in certain Java files, including AssemblaWeb.java, GitBlitRepositoryBrowser.java, Gitiles.java, TFS2013GitRepositoryBrowser.java, and ViewGitWeb.java. **Recommendations** For Jenkins Git Plugin version 3.9.0 and older, consider restricting access to sensitive URLs and limiting the Overall/Read permissions to minimize the risk of exploitation. As a temporary workaround, consider disabling the affected Java files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins Black Duck Detect Plugin versions 1.4.0 and older **Description** A sensitive information exposure issue exists, allowing attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The vulnerability is due to a lack of permission checks on methods implementing form validation, which also results in a CSRF vulnerability because these methods do not require POST requests. **Recommendations** For Jenkins Black Duck Detect Plugin versions 1.4.0 and older, update the plugin to a version that requires Overall/Administer permissions for form validation methods and mandates POST requests to prevent CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Black Duck Hub Plugin versions 4.0.0 and older **Description** A sensitive information exposure issue exists, allowing attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs. This could potentially capture credentials stored in Jenkins. **Recommendations** For Jenkins Black Duck Hub Plugin versions 4.0.0 and older, consider restricting access to the PostBuildScanDescriptor.java component until a fix is available. As a temporary workaround, limit the Overall/Read access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Absint Astree Plugin versions 1.0.5 and older **Description** A command execution issue exists in the AstreeBuilder.java file, allowing attackers with Overall/Read access to execute commands on the Jenkins master. **Recommendations** For Jenkins Absint Astree Plugin versions 1.0.5 and older, consider restricting access to the AstreeBuilder.java file until a patch is available. As a temporary workaround, limit Overall/Read access to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins CAS Plugin versions 1.4.1 and older **Description** A server-side request forgery issue exists in the CasSecurityRealm.java component, allowing attackers with Overall/Read access to cause the server to send a GET request to a specified URL. This issue is also accompanied by a CSRF vulnerability due to inadequate form validation, which did not initially require POST requests. **Recommendations** For Jenkins CAS Plugin versions 1.4.1 and older, update to version 1.4.2 or later, which requires POST requests for form validation and the Overall/Administer permission, mitigating the issue.