Valdes Che Zogou

**Name of the Vulnerable Software and Affected Versions** Jenkins Docker Swarm Plugin versions 1.11 and earlier **Description** The issue is related to the Jenkins Docker Swarm Plugin, which does not properly escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting (XSS) vulnerability that can be exploited by attackers who can control responses from Docker. The vulnerability allows remote attackers to conduct cross-site scripting attacks using a specially crafted link. **Recommendations** For Jenkins Docker Swarm Plugin versions 1.11 and earlier: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the Docker Swarm Dashboard view to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved or a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier **Description** A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method. The plugin does not perform permission checks in several HTTP endpoints, which also results in a cross-site request forgery (CSRF) vulnerability due to the lack of requirement for POST requests. **Recommendations** For Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier, update to version 853.v4a 1a dd947520 or later, which requires POST requests and the appropriate permissions for the affected HTTP endpoints.

**Name of the Vulnerable Software and Affected Versions** Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method. The issue arises because the plugin does not perform permission checks in several HTTP endpoints, such as `/api/v1/login` or other unspecified endpoints, and these endpoints do not require POST requests. This enables attackers with Overall/Read permission to exploit the vulnerability. **Recommendations** For Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier, update to version 853.v4a 1a dd947520 or later, which requires POST requests and the appropriate permissions for the affected HTTP endpoints. As a temporary workaround, consider restricting access to the vulnerable HTTP endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier **Description** A missing permission check in the Jenkins Azure VM Agents Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. The plugin does not perform permission checks in several HTTP endpoints, enabling attackers to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs. Additionally, the lack of requirement for POST requests in these endpoints results in a cross-site request forgery (CSRF) vulnerability. **Recommendations** For Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier, update to version 853.v4a 1a dd947520 or later, which requires POST requests and the appropriate permissions for the affected HTTP endpoints. As a temporary workaround, consider restricting access to the affected HTTP endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins TestNG Results Plugin versions 730.v4c5283037693 and earlier **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin does not escape several values parsed from TestNG report files and displayed on the plugin's test information pages. This makes it exploitable by attackers who can provide a crafted TestNG report file. **Recommendations** For Jenkins TestNG Results Plugin versions 730.v4c5283037693 and earlier, update to version 730.732.v959a 3a a eb a 72 or later, which escapes the affected values that are parsed from TestNG report files.

**Name of the Vulnerable Software and Affected Versions** Jenkins Email Extension Plugin versions 2.93 and earlier **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering. This makes it exploitable by attackers who can create or change custom email templates. **Recommendations** For Jenkins Email Extension Plugin versions 2.93 and earlier, update to a version later than 2.93 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Orka by MacStadium Plugin versions 1.31 and earlier **Description** A missing permission check in the plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. **Recommendations** For Jenkins Orka by MacStadium Plugin versions 1.31 and earlier, update to a version later than 1.31 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Orka by MacStadium Plugin versions 1.31 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. **Recommendations** For Jenkins Orka by MacStadium Plugin versions 1.31 and earlier, consider disabling the plugin until a patch is available to prevent exploitation. As a temporary workaround, restrict access to the plugin to minimize the risk of capturing stored credentials. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Cisco Spark Notifier Plugin versions 1.1.1 and earlier **Description** The issue is related to a missing permission check in the Jenkins Cisco Spark Notifier Plugin, which allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. This can lead to unauthorized access to protected information. The vulnerability is associated with inadequate access control when handling HTTP endpoints. **Recommendations** For Jenkins Cisco Spark Notifier Plugin versions 1.1.1 and earlier, consider disabling the plugin until a patch is available to prevent attackers from enumerating credentials IDs. Restrict access to the plugin's HTTP endpoints to minimize the risk of exploitation. Avoid using the plugin with Overall/Read permission until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins BearyChat Plugin versions 3.0.2 and earlier **Description** A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL. **Recommendations** For Jenkins BearyChat Plugin versions 3.0.2 and earlier, update to a version that includes the missing permission check to prevent attackers from connecting to unauthorized URLs.

**Name of the Vulnerable Software and Affected Versions** Jenkins BearyChat Plugin versions 3.0.2 and earlier **Description** A cross-site request forgery (CSRF) issue allows attackers to connect to an attacker-specified URL. **Recommendations** For Jenkins BearyChat Plugin versions 3.0.2 and earlier, update to a version later than 3.0.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitHub Pull Request Builder Plugin versions 1.42.2 and earlier **Description** A missing permission check in the Jenkins GitHub Pull Request Builder Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. This can be used as part of an attack to capture the credentials using another vulnerability. The issue is related to an HTTP endpoint that does not perform a permission check. **Recommendations** For Jenkins GitHub Pull Request Builder Plugin versions 1.42.2 and earlier, as a temporary workaround, consider restricting access to the affected HTTP endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitHub Pull Request Builder Plugin versions 1.42.2 and earlier **Description** A cross-site request forgery issue allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs, potentially capturing credentials stored in Jenkins. **Recommendations** For Jenkins GitHub Pull Request Builder Plugin versions 1.42.2 and earlier, update to a version later than 1.42.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Custom Build Properties Plugin versions 2.79.vc095ccc85094 and earlier **Description** The issue results in a stored cross-site scripting (XSS) vulnerability due to the plugin not escaping property values and build display names on the Custom Build Properties and Build Summary pages. This makes it exploitable by attackers who can set or change these values. **Recommendations** For versions 2.79.vc095ccc85094 and earlier, update to version 2.82.v16d5b d3590c7 or later, which escapes property values and build display names on the Custom Build Properties and Build Summary pages.

**Name of the Vulnerable Software and Affected Versions** Jenkins Checkmarx Plugin versions 2022.3.3 and earlier **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the plugin does not escape values returned from the Checkmarx service API before inserting them into HTML reports. This could be exploited via man-in-the-middle attacks, even by users without Overall/Administer permission, as they are not allowed to configure the URL to the Checkmarx service. **Recommendations** For Jenkins Checkmarx Plugin versions 2022.3.3 and earlier, update to version 2022.4.3 or later, which escapes values returned from the Checkmarx service API before inserting them into HTML reports. As a temporary workaround, consider restricting access to the HTML reports generated by the plugin to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Spring Config Plugin versions 2.0.0 and earlier **Description** The issue is a stored cross-site scripting (XSS) vulnerability. It occurs because build display names shown on the Spring Config view are not escaped, allowing attackers who can change build display names to exploit this vulnerability. **Recommendations** For Jenkins Spring Config Plugin versions 2.0.0 and earlier, update to version 2.0.1 or later, which escapes build display names shown on the Spring Config view, thus resolving the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins BART Plugin versions 1.0.3 and earlier **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the Jenkins BART Plugin does not escape the parsed content of build logs before rendering it on the Jenkins UI. This allows malicious content to be stored and executed when the build logs are viewed. **Recommendations** For versions 1.0.3 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins CONS3RT Plugin versions 1.0.0 and earlier **Description** The issue allows users with access to the Jenkins controller file system to view the Cons3rt API token, which is stored unencrypted in job `config.xml` files on the Jenkins controller. This token is part of the plugin's configuration. **Recommendations** For Jenkins CONS3RT Plugin versions 1.0.0 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the Cons3rt API token being viewed by unauthorized users. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins CONS3RT Plugin versions 1.0.0 and earlier **Description** The issue arises from missing permission checks in the Jenkins CONS3RT Plugin, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs. This can lead to the capture of credentials stored in Jenkins. Furthermore, the form validation methods in the plugin do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. **Recommendations** For Jenkins CONS3RT Plugin versions 1.0.0 and earlier, consider disabling the plugin until a patch is available to prevent attackers from exploiting the missing permission checks and CSRF vulnerability. Restrict access to the plugin's form validation methods to minimize the risk of exploitation. Avoid using the plugin to connect to HTTP servers using attacker-specified credentials IDs until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jenkins CONS3RT Plugin versions 1.0.0 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. The vulnerability is due to the lack of permission checks in methods implementing form validation, which can be exploited by attackers with Overall/Read permission. Additionally, the form validation methods do not require POST requests, contributing to the CSRF vulnerability. **Recommendations** For Jenkins CONS3RT Plugin versions 1.0.0 and earlier, consider disabling the form validation methods until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of capturing credentials stored in Jenkins. At the moment, there is no information about a newer version that contains a fix for this vulnerability.