Source
ghsa
Jenkins Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain"). Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted. This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials. This only affects the connection test. Connections established during the login process are encrypted if the corresponding TLS option is enabled. Active Directory Plugin 2.30.1 considers the "Require TLS" and "StartTls" options for connection tests.
Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers with Item/Build permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery. External Monitor Job Type Plugin 207.v98a_a_37a_85525 disables external entity resolution for its XML parser.
Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds. Oracle Cloud Infrastructure Compute Plugin 1.0.17 provides strategies for performing host key validation for administrators to select the one that meets their security needs.
Jenkins Datadog Plugin 5.4.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Datadog Plugin 5.4.2 requires Overall/Administer permission to access the affected HTTP endpoint.
Jenkins mabl Plugin 0.0.46 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An enumeration of credentials IDs in mabl Plugin 0.0.47 requires the appropriate permissions.
Jenkins SAML Single Sign On(SSO) Plugin 2.3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to download a string representation of the current security realm (Java `Object#toString()`), which potentially includes sensitive information. SAML Single Sign On(SSO) Plugin 2.3.1 requires Overall/Administer permission to access the affected HTTP endpoint, and only allows downloading a string representation if the current security realm is this plugin’s.
Jenkins Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to rebuild a previous build.
Jenkins Test Results Aggregator Plugin 1.2.13 and earlier does not perform a permission check in an HTTP endpoint implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Jenkins mabl Plugin 0.0.46 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. mabl Plugin 0.0.47 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
Parsing a range with a mask larger than 32 bits causes a panic.