Wasin Saengow

**Name of the Vulnerable Software and Affected Versions** Jenkins Metrics Plugin versions 4.0.2.8 and earlier **Description** The issue allows an access key to be stored unencrypted in the global configuration file on the Jenkins controller. This access key can be viewed by users with access to the Jenkins controller file system. The file `jenkins.metrics.api.MetricsAccessKey.xml` is specifically mentioned as part of the configuration where this access key is stored. **Recommendations** For Jenkins Metrics Plugin versions 4.0.2.8 and earlier, consider updating to version 4.0.2.8.1 or later, as it stores the access key encrypted once its configuration is saved again. As a temporary workaround, restrict access to the Jenkins controller file system to minimize the risk of the access key being viewed by unauthorized users.

**Name of the Vulnerable Software and Affected Versions** Jenkins Parameterized Remote Trigger Plugin versions 3.1.3 and earlier **Description** The issue concerns the storage of a secret in an unencrypted form within the global configuration file on the Jenkins controller. Specifically, the secret is stored in the `org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml` file. This allows attackers with access to the Jenkins controller file system to view the secret. **Recommendations** For Jenkins Parameterized Remote Trigger Plugin versions 3.1.3 and earlier, update to version 3.1.4 or later to ensure the secret is stored encrypted after re-saving the configuration. As a temporary workaround, consider restricting access to the Jenkins controller file system to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins SoapUI Pro Functional Testing Plugin versions 1.5 and earlier ReadyAPI Functional Testing Plugin versions 1.5 and earlier Jenkins versions prior to 2.236, including 2.235.x LTS **Description** The issue concerns the transmission of project passwords in plain text as part of job configuration forms, potentially exposing them. This is due to the storage of project passwords in job `config.xml` files on the Jenkins controller as part of the plugin's configuration. Although passwords are stored encrypted on disk since version 1.4, they are transmitted in plain text by versions 1.5 and earlier. Attackers with Extended Read permission can view these passwords. **Recommendations** For Jenkins SoapUI Pro Functional Testing Plugin versions 1.5 and earlier: Update to a version later than 1.5 to ensure passwords are not transmitted in plain text. For ReadyAPI Functional Testing Plugin versions 1.5 and earlier: Update to a version later than 1.5 to prevent plain text transmission of passwords. For Jenkins versions prior to 2.236, including 2.235.x LTS: Update to Jenkins version 2.236 or later to utilize the security hardening that encrypts and decrypts data used for Jenkins password form fields.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitHub Coverage Reporter Plugin versions 1.8 and earlier Jenkins GitHub Coverage Reporter Plugin versions 1.10 and earlier **Description** The issue concerns the storage of secrets in plain text in the global configuration file on the Jenkins master. This allows users with access to the master file system or read permissions on the system configuration to view these secrets. Specifically, the GitHub access token is stored unencrypted in the `io.jenkins.plugins.gcr.PluginConfiguration.xml` file, making it accessible to users with access to the Jenkins controller file system. **Recommendations** For Jenkins GitHub Coverage Reporter Plugin versions 1.8 and earlier, update to a version later than 1.8 to ensure secrets are stored securely. For Jenkins GitHub Coverage Reporter Plugin versions 1.10 and earlier, consider restricting access to the `io.jenkins.plugins.gcr.PluginConfiguration.xml` file until a secure version is available. As a temporary workaround, consider limiting user access to the Jenkins master file system and system configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Slack Upload Plugin versions 1.7 and earlier **Description** The issue allows users with Extended Read permission, or access to the master file system, to view a secret stored unencrypted in job config.xml files on the Jenkins master. **Recommendations** For Jenkins Slack Upload Plugin versions 1.7 and earlier, consider restricting access to the master file system and limiting Extended Read permissions to minimize the risk of exploitation. As a temporary workaround, consider encrypting sensitive data stored in job config.xml files until a more permanent solution is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins White Source Plugin versions 19.1.1 and earlier Jenkins White Source Plugin versions prior to 20.8.1 **Description** The issue allows credentials to be stored unencrypted in the global configuration file and in job config.xml files on the Jenkins master. These credentials can be viewed by users with Extended Read permission or access to the master file system. The credentials are stored in plain text as part of the global configuration file `org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml` and job config.xml files on the Jenkins controller. **Recommendations** For versions 19.1.1 and earlier, update to version 20.8.1 or later to resolve the issue. For versions prior to 20.8.1, update to version 20.8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Jenkins controller file system and limiting Extended Read permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins CryptoMove Plugin versions 0.1.33 and earlier **Description** The issue allows attackers with Job/Configure access to execute arbitrary OS commands on the Jenkins master as the OS user account running Jenkins. This is possible because the CryptoMove Plugin allows the configuration of an OS command to execute as part of its build step configuration, which will be executed on the Jenkins controller. Users with Job/Configure permission can exploit this to execute arbitrary OS commands on the Jenkins controller. **Recommendations** For Jenkins CryptoMove Plugin versions 0.1.33 and earlier, consider restricting access to the Job/Configure permission to minimize the risk of exploitation. As a temporary workaround, consider disabling the build step configuration that allows the execution of OS commands until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins Mattermost Notification Plugin versions 2.7.0 and earlier **Description** The issue allows stored webhook URLs containing a secret token to be viewed unencrypted in the global configuration file and job config.xml files on the Jenkins master. This can be accessed by users with Extended Read permission or those who have access to the master file system. **Recommendations** For Jenkins Mattermost Notification Plugin versions 2.7.0 and earlier, update the plugin to a version that properly encrypts or secures the webhook URLs and secret tokens. As a temporary workaround, consider restricting access to the Jenkins master file system and limiting Extended Read permissions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Zulip Plugin versions 1.1.0 and earlier Jenkins Zulip Plugin versions prior to 1.1.1 **Description** The issue allows stored credentials to be viewed unencrypted in the global configuration file on the Jenkins master. This could be accessed by users with access to the master file system. **Recommendations** For Jenkins Zulip Plugin versions 1.1.0 and earlier, update to version 1.1.1 or later to resolve the issue. For Jenkins Zulip Plugin versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue.