Tim Jacomb

**Name of the Vulnerable Software and Affected Versions** Jenkins Kubernetes Plugin versions 3909.v1f2c633e8590 and earlier **Description** The issue arises from the Jenkins Kubernetes Plugin not properly masking credentials in the build log when push mode for durable task logging is enabled. This results in credentials being exposed in the build log, potentially leading to unauthorized access. **Recommendations** For Jenkins Kubernetes Plugin versions 3909.v1f2c633e8590 and earlier, consider disabling the push mode for durable task logging until a patch is available to properly mask credentials in the build log. Restrict access to the build logs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Azure Key Vault Plugin versions 187.va cd5fecd198a and earlier **Description** The issue arises when the push mode for durable task logging is enabled, causing the plugin to not properly mask credentials in the build log. This means that instead of being replaced with asterisks, credentials are visible, potentially exposing sensitive information. **Recommendations** For Jenkins Azure Key Vault Plugin versions 187.va cd5fecd198a and earlier, consider disabling the push mode for durable task logging until a fix is available to prevent credentials from being exposed in the build log.

**Name of the Vulnerable Software and Affected Versions** Jenkins Thycotic DevOps Secrets Vault Plugin versions 1.0.0 and earlier **Description** The issue arises from the improper masking of credentials in the build log when push mode for durable task logging is enabled. This means that credentials are not replaced with asterisks as they should be, potentially exposing sensitive information. **Recommendations** For Jenkins Thycotic DevOps Secrets Vault Plugin versions 1.0.0 and earlier, consider disabling the push mode for durable task logging until a proper fix is available to ensure credentials are masked correctly in the build log.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier **Description** A missing permission check in the Jenkins Pipeline Maven Integration Plugin allows users with Overall/Read access to enumerate credentials ID of credentials stored in Jenkins. This issue affects the plugin's HTTP endpoint, enabling attackers to obtain credentials IDs, which can be used in conjunction with another vulnerability to capture the credentials. **Recommendations** For Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier, update to version 3.8.3 or later, which requires appropriate permissions for enumerating credentials IDs.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier **Description** A missing permission check in the plugin allows users with Overall/Read access to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. The form validation method is also vulnerable to cross-site request forgery (CSRF) as it does not require POST requests. **Recommendations** For Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier, update to version 3.8.3 or later, which requires POST requests and Job/Configure permission for the affected form validation method, mitigating the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier **Description** A cross-site request forgery (CSRF) vulnerability exists, allowing attackers to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. This issue arises due to a lack of permission checks in a form validation method, which can be exploited by users with Overall/Read access to Jenkins. The form validation method is also vulnerable to CSRF attacks because it does not require POST requests. **Recommendations** For Jenkins Pipeline Maven Integration Plugin versions 3.8.2 and earlier, update to version 3.8.3 or later, which requires POST requests and Job/Configure permission for the affected form validation method, mitigating the CSRF vulnerability.