Latest News

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 stores Verisium Manager vAPI keys encrypted once affected job configurations are saved again.

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Computer/Create permission but without Computer/Configure permission to copy an agent, gaining access to encrypted secrets in its configuration. This is due to an incomplete fix of [SECURITY-3495](https://www.jenkins.io/security/advisory/2025-03-05/#SECURITY-3495)/CVE-2025-27622. Jenkins 2.504, LTS 2.492.3 requires Computer/Configure permission to copy an agent containing secrets.

Jenkins Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints. Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.

Jenkins Stack Hammer Plugin 1.0.6 and earlier stores Stack Hammer API keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix.

Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix.

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration. Jenkins 2.504, LTS 2.492.3 requires Computer/Extended Read permission to copy an agent.

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.set_language are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters.

China-linked APT group FamousSparrow hits targets in the Americas using upgraded SparrowDoor malware in new cyberespionage campaign, ESET reports.

### Summary `image-size` is vulnerable to a Denial of Service vulnerability when processing specially crafted images. The issue occurs because of an infine loop in `findBox` when processing certain images with a box with size `0`. ### Details If the first bytes of the input does not match any bytes in `firstBytes`, then the package tries to validate the image using other handlers: ```js // https://github.com/image-size/image-size/blob/v1.2.0/lib/detector.ts#L20-L31 export function detector(input: Uint8Array): imageType | undefined { const byte = input[0] if (byte in firstBytes) { const type = firstBytes[byte] if (type && typeHandlers[type].validate(input)) { return type } } const finder = (key: imageType) => typeHandlers[key].validate(input) //<-- return keys.find(finder) } ``` Some handlers that call `findBox` to validate or calculate the image size are `jxl`, `heif` and `jp2`. `JXL` handler calls `findBox` inside `validate`. To reach the `findBox` ...