Yaroslav Afenkin

**Name of the Vulnerable Software and Affected Versions** Jenkins Redpen - Pipeline Reporter for Jira Plugin versions 1.054.v7b 9517b 6b 202 and earlier **Description** The Jenkins Redpen - Pipeline Reporter for Jira Plugin does not properly validate file paths within the workspace directory during artifact uploads to Jira. This allows individuals with Item/Configure permissions to access files located on the Jenkins controller's workspace directory. The issue arises from insufficient path validation, potentially enabling unauthorized file retrieval. **Recommendations** Update Jenkins Redpen - Pipeline Reporter for Jira Plugin to a version later than 1.054.v7b 9517b 6b 202.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitLab Plugin versions 1.9.6 and earlier **Description** The issue is related to an incorrect permission check in the Jenkins GitLab Plugin. This allows attackers with global Item/Configure permission, but lacking Item/Configure permission on any particular job, to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins. These credential IDs can be used as part of an attack to capture the credentials using another vulnerability. **Recommendations** For Jenkins GitLab Plugin versions 1.9.6 and earlier, upgrade to version 1.9.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the global Item/Configure permission to minimize the risk of exploitation. Additionally, restrict access to the HTTP endpoint related to the GitLab Plugin to prevent enumeration of credential IDs.

**Name of the Vulnerable Software and Affected Versions** Jenkins Folder-based Authorization Strategy Plugin versions 217.vd5b 18537403e and earlier **Description** The issue potentially allows users who were formerly granted certain permissions to access functionality they are no longer entitled to, because the plugin does not verify that the configured permissions are enabled. This typically involves optional permissions. **Recommendations** For Jenkins Folder-based Authorization Strategy Plugin versions 217.vd5b 18537403e and earlier, as a temporary workaround, consider reviewing and manually validating the permissions configured for each user to ensure they align with the intended access levels, until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Jenkins Delphix Plugin versions 3.0.1 through 3.1.0 **Description** The global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower (DCT) connections does not take effect until Jenkins is restarted when switching from disabled validation to enabled validation. **Recommendations** For Jenkins Delphix Plugin versions 3.0.1 through 3.1.0, restart Jenkins after switching from disabled to enabled SSL/TLS certificate validation to ensure the change takes effect.

**Name of the Vulnerable Software and Affected Versions** Jenkins iceScrum Plugin versions 1.1.6 and earlier **Description** The issue results in a stored cross-site scripting (XSS) vulnerability. This occurs because the plugin does not sanitize iceScrum project URLs on build views. Attackers who can configure jobs may exploit this. **Recommendations** For versions 1.1.6 and earlier, update to a version that fixes the sanitization of iceScrum project URLs to prevent stored XSS attacks.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitLab Branch Source Plugin versions 684.vea fa 7c1e2fe3 and earlier **Description** The issue is related to the use of a non-constant time comparison function when checking whether the provided and expected webhook token are equal. This potentially allows attackers to use statistical methods to obtain a valid webhook token, which could lead to unauthorized access to confidential information. **Recommendations** For Jenkins GitLab Branch Source Plugin versions 684.vea fa 7c1e2fe3 and earlier, update to a version that uses a constant-time comparison function, such as version 688.v5fa 356ee8520, to prevent attackers from obtaining a valid webhook token using statistical methods.

**Name of the Vulnerable Software and Affected Versions** Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier **Description** A cross-site request forgery (CSRF) vulnerability exists due to the lack of permission checks in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified `username` and `password`. This endpoint also does not require POST requests, further contributing to the vulnerability. **Recommendations** For Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier, consider updating to version 2.2 or later, which requires POST requests and Overall/Administer permission for the affected HTTP endpoint, thus mitigating the issue. As a temporary workaround, restrict access to the connection test HTTP endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier **Description** A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified `username` and `password`. The connection test HTTP endpoint is vulnerable, and it does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. **Recommendations** For Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier, consider upgrading to version 2.2 or later, which requires POST requests and Overall/Administer permission for the affected HTTP endpoint. As a temporary workaround, restrict access to the connection test HTTP endpoint to minimize the risk of exploitation. Avoid using the `username` and `password` variables in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jenkins Edgewall Trac Plugin versions 1.13 and earlier **Description** The issue results in a stored cross-site scripting (XSS) vulnerability because the Trac website URL on the build page is not escaped. This vulnerability is exploitable by attackers with Item/Configure permission. **Recommendations** For versions 1.13 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Zanata Plugin versions 0.6 and earlier **Description** The issue is related to the use of a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal. This potentially allows attackers to use statistical methods to obtain a valid webhook token. **Recommendations** For Jenkins Zanata Plugin versions 0.6 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Multibranch Scan Webhook Trigger Plugin versions 1.0.9 and earlier **Description** The issue is related to information disclosure. It potentially allows a remote attacker to gain unauthorized access to protected information. The problem lies in the non-constant time comparison function used when checking the provided and expected webhook token for equality. This could allow attackers to use statistical methods to obtain a valid webhook token. **Recommendations** For Jenkins Multibranch Scan Webhook Trigger Plugin versions 1.0.9 and earlier, as a temporary workaround, consider disabling the webhook token comparison function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins MSTeams Webhook Trigger Plugin versions 0.1.1 and earlier **Description** The issue is related to information disclosure. It may allow a remote attacker to gain unauthorized access to protected information. The problem lies in the non-constant time comparison function used when checking the provided and expected webhook token for equality. This potentially allows attackers to use statistical methods to obtain a valid webhook token. **Recommendations** For Jenkins MSTeams Webhook Trigger Plugin versions 0.1.1 and earlier, as a temporary workaround, consider disabling the webhook token comparison function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins GitHub Plugin versions 1.37.3 and earlier **Description** The issue results in a stored cross-site scripting (XSS) vulnerability. This occurs because the GitHub project URL on the build page is not properly escaped when showing changes. Attackers with Item/Configure permission can exploit this vulnerability. **Recommendations** For Jenkins GitHub Plugin versions 1.37.3 and earlier, update to version 1.37.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the build page for users with Item/Configure permission until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.423 and earlier, LTS versions 2.414.1 and earlier **Description** The issue is related to the lack of escaping of the `caption` constructor parameter value of `ExpandableDetailsNote`, resulting in a stored cross-site scripting (XSS) vulnerability. This vulnerability can be exploited by attackers who can control this parameter, potentially allowing them to manage files in workspaces. The `ExpandableDetailsNote` feature allows annotating build log content with additional information that can be revealed when interacted with. **Recommendations** For Jenkins versions 2.423 and earlier, update to version 2.424 or later. For LTS versions 2.414.1 and earlier, update to version 2.414.2 or later. As a temporary workaround, consider restricting access to the `ExpandableDetailsNote` feature until a patch is available. Avoid using the `caption` parameter in the affected `ExpandableDetailsNote` constructor until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. It occurs because the Jenkins Build Failure Analyzer Plugin does not escape Failure Cause names in build logs. This makes it exploitable by attackers who can create or update Failure Causes. **Recommendations** For Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier, update to version 2.4.2 or later, which escapes Failure Cause names in build logs, to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Jenkins Azure AD Plugin versions 396.v86ce29279947 and earlier, except 378.380.v545b 1154b 3fb **Description** The issue is related to a non-constant time comparison function used when checking whether the provided and expected CSRF protection nonce are equal. This potentially allows attackers to use statistical methods to obtain a valid nonce. **Recommendations** For Jenkins Azure AD Plugin versions 396.v86ce29279947 and earlier, except 378.380.v545b 1154b 3fb , consider updating to a version that uses a constant time comparison function to prevent potential exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins SSH2 Easy Plugin versions 1.4 and earlier **Description** The issue is related to the verification of permissions configured to be granted. It potentially allows users who were formerly granted certain permissions, such as Overall/Manage, to access functionality they are no longer entitled to. This is because the plugin does not verify that these permissions are enabled. **Recommendations** For Jenkins SSH2 Easy Plugin versions 1.4 and earlier, consider updating to a version that includes the fix for this issue, as the current version does not properly verify permissions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Pipeline Maven Integration Plugin versions 1330.v18e473854496 and earlier **Description** The issue concerns the Jenkins Pipeline Maven Integration Plugin, which does not properly mask usernames of credentials specified in custom Maven settings in Pipeline build logs when "Treat username as secret" is checked. This affects the security of credentials by potentially exposing them in the build logs. **Recommendations** For Jenkins Pipeline Maven Integration Plugin versions 1330.v18e473854496 and earlier, consider disabling the "Treat username as secret" option until a patch is available, or restrict access to the Pipeline build logs to minimize the risk of credential exposure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins Assembla Auth Plugin versions 1.14 and earlier **Description** The issue results in users with EDIT permissions being granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted. This occurs because the plugin does not verify that the permissions it grants are enabled. **Recommendations** For Jenkins Assembla Auth Plugin versions 1.14 and earlier, update to a version that includes the fix for this issue to prevent users with EDIT permissions from being granted unnecessary permissions.

**Name of the Vulnerable Software and Affected Versions** Jenkins Frugal Testing Plugin versions 1.1 and earlier **Description** A cross-site request forgery (CSRF) vulnerability allows attackers to connect to Frugal Testing using attacker-specified credentials, and to retrieve test IDs and names from Frugal Testing, if a valid credential corresponds to the attacker-specified username. **Recommendations** For Jenkins Frugal Testing Plugin versions 1.1 and earlier, update to a version that fixes this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.