Hackers can compromise public charging hubs to steal data, install malware on phones, and more, threatening individuals and businesses alike.

US government agencies are warning that malware planted in public charging stations for phones and other electronics can sneak onto your device when you least expect it.

On April 6, the FBI Denver office published a morsel of advice. "Avoid using free charging stations in airports, hotels, or shopping centers," its tweet stated. "Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead."

The sentiment was echoed in an FCC notice about the phenomenon — known as "juice jacking." The commission added that, "in some cases, criminals may have intentionally left cables plugged in at charging stations." Also, "there have even been reports of infected cables being given away as promotional gifts."

Experts say that charging stations can carry risk, not just for individuals but also enterprises. Still, the risk is low and there are simple solutions for avoiding it altogether.

**How Hackers Can Poison Charging Stations**

"There are two different ways this happens," says Pete Nicoletti, field CISO at Check Point Software. "There are the people that actually own those stations. If they're looking for additional revenue, they might install malware on their charging stations."

This isn't the kind of scenario you'd run into at your local airport, though, he adds: "\[That's\] going to be the bad actors that compromise a legitimate station."

Ordinary outlets are immune, but USB ports in modern charging stations are different.

"There is some sort of computer or smart device behind these stations, connected to those USB charging outlets," explains Dmitry Bestuzhev, most distinguished threat researcher at BlackBerry. And because there's a computer involved, the opportunity exists for back-and-forth data transfer.

"Imagine using a phone for charging," Bestuzhev continues. "You use the same USB cable for synchronizing data on your phone with a computer, such as photos, videos, and other information. Technically, a threat actor could poison the data transmission between the malicious station and your device to steal information or install malicious code."

Were this to occur, the FCC says, hackers could "maliciously access electronic devices while they are being charged. Malware installed through a corrupted USB port can lock a device or export personal data and passwords directly to the perpetrator. Criminals can then use that information to access online accounts or sell it to other bad actors."

And any risk to travelers can have a knock-on effect for their employers.

"Most people use their phones for a mix of work and personal time," Allan Liska, threat intelligence analyst at Recorded Future, points out. For a work-from-home employee accessing corporate data from a coffee shop or airport lounge, "a successful attack not only means a phone owner's personal data is compromised, it also means that any work data stored on that phone would be accessible by the attackers." In theory, hackers could also plant malware on a BYOD phone or laptop, or hijack an employee's access to enterprise networks for further attacks.

Whether any of this is likely is another matter. "One of the challenges with the FBI tweet is that they don't provide any real-world examples," Liska says. "So while the kind of attack the FBI laid out is certainly possible, the risk is relatively low."

**Simple Solutions for Charging Safely**

For anyone concerned with charging devices in public, there is one simple solution: don't use dedicated charging stations. Ordinary electrical outlets — of the kind you'd use at home — provide a perfectly safe alternative.

Even when you're searching around the airport terminal and can't find any outlets, there are other options. "Your readers can't see it, but this is what people should be carrying," Nicoletti says over a Zoom call, while holding up his wireless phone charger. "These are 15 bucks!"

And "if a socket isn't available and you're charging a device through a USB cable, use a data blocker," Bestuzhev recommends. Data blockers — colloquially referred to as "data condoms" — are inexpensive and widespread online.

"They're essentially designed on a hardware level to block any data transmission to or from your device," he explains. "So even when you connect to a malicious charging station, if you're using a data blocker, you'll still get the electric charge for your device but data won't flow. That's because, on a hardware level, the data blocker is designed to block the circuit of those parts of the cable to transfer data. So, your data can't be transferred in any direction — just electricity."

Jacked charging stations may be rare, but because the alternatives are so cheap and simple, it's easy enough to avoid the hassle altogether. "These tools," Bestuzhev concludes, "should really be part of any 'frequent flier' or 'frequent traveler' kit."

FBI & FCC Warn on 'Juice Jacking' at Public Chargers, but What's the Risk?

Researchers at Microsoft have discovered links between a threat group tracked as DEV-0196 and an Israeli private-sector company, QuaDream, that sells a platform for exfiltrating data from mobile devices.

Microsoft has identified another Israel-based threat organization, similar to NSO Group, that is selling mobile spyware and other cyber espionage tools and services to international governments to monitor and spy on private individuals.

Microsoft Threat Intelligence researchers have discovered links between a threat group they've been tracking as DEV-0196, which offers iOS malware, and a private-sector company called QuaDream that sells a platform for exfiltrating data from mobile devices, researchers said in a blog post published April 11. Without explicitly stating so, the researchers suggested that DEV-0196 and QuaDream are actually one and the same.

"Microsoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream," the researchers wrote. "We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the \[company's 'Reign' offering\]."

The parallels between the activity of the separately linked entities is eerily similar to that of Israel-based NSO Group, which has been widely condemned, blacklisted, and even sued for its role in selling the iOS-based spyware known as Pegasus to hostile governments to target journalists, activists, politicians, businesspeople, and other private citizens with unethical cyber espionage activity. The spyware notably targets zero-day flaws with exploits, making it difficult to mitigate or detect its nefarious activity.

**Suspicious QuaDream Activity**

Similarly, QuaDream's REIGN is a suite of exploits, malware, and infrastructure designed to extract data from mobile devices for allegedly legal purposes, however, the company suspiciously doesn't have a website, and a 2022 Reuters report suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group's ForcedEntry exploit.

According to the Israeli Corporations Authority, QuaDream, under the Israeli name קוודרים בע”מ, was incorporated in August 2016. A report by news outlet Haaretz, citing a QuaDream brochure, claimed that the government of Saudi Arabia — known for targeting journalists and others who speak out against its policies — was among QuaDream's clients, as was the government of Ghana.

A separate December 2022 report from Meta, which reportedly took down 250 accounts associated with QuaDream, also shed light on the activity of the company. That report claimed that QuaDream was testing its ability to exploit iOS and Android mobile devices with the intent "to exfiltrate various types of data including messages, images, video and audio files, and geolocation," the researchers said.

Meanwhile, Microsoft Threat Intelligence believes that DEV-0196 is selling both exploitation services and its KingsPawn iOS malware to governments to spy on and track members of civil society — including journalists, political opposition figures, and a non-government organization (NGO) worker — in locations across Europe, North America, the Middle East, and Southeast Asia.

Microsoft worked with several partners on the investigation of the links between QuaDream and DEV-0196, including Citizen Lab of the University of Toronto's Munk School, which identified at least five targets of DEV-0196 across the aforementioned geographies. It also identified operator locations for QuaDream systems in Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Citizen Lab has released its own separate report about the findings.

The behavior of DEV-0196 is consistent with that of "private sector offensive actors (PSOAs)" or "cyber mercenaries," according to Microsoft Threat Intelligence, which sell hacking tools or services through a variety of business models — including access as a service — to the highest bidder. They don't directly target individuals or run cyber espionage operations themselves.

**KingsPawn: A Custom Spyware**

Microsoft and its partners analyzed samples of the multi-component KingsPawn, which specifically targets iOS 14. However, it's possible that some of the code also could be used on Android devices, the researchers said. It's also likely that the threat group has already updated the malware to target versions of iOS newer than 14, as the latest version of Apple's operating system software is already up to iOS 16, the researchers said.

KingsPawn is comprised of two agents — a monitor agent in the form of a native Mach-O file written in Objective-C, and the main malware agent, a native Mach-O file written in GoLang, a language favored by threat actors for its portability, among other features, the researchers said.

The monitor agent is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations, as well as manage the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes.

Within the main agent of KingsPawn is the real gravy of the spyware where all of the capabilities to track victims and steal data lies, the researchers said.

Capabilities of the main agent include: obtaining device, Wi-Fi, cellular info, searching for and retrieving files, using the camera in the background, locating where the device is, monitoring phone calls, accessing the iOS keychain for passwords, and generating an iCloud one-time password that's time sensitive to retrieve stored data.

"The agent also creates a secure channel for XPC messaging by creating a nested app extension called _fud.appex_," the researchers wrote. "XPC messaging allows the agent to query various system binaries for sensitive device information, such as location details."

**Detection & Protection From Mobile Spyware**

Microsoft has developed unique network detections that could be used to fingerprint DEV-019's infrastructure on the Internet based on the group's heavy use of domain registrars and inexpensive cloud hosting providers that accept cryptocurrency as payment, the researchers said.

"They tended to only use a single domain per IP address and domains were very rarely reused across multiple IP addresses," they wrote in the post. "Many of the observed domains were deployed using free Let's Encrypt SSL certificates, while others used self-signed certificates designed to blend in with normal Kubernetes deployments."

The blog post includes network-based indicators that the researchers gleaned from their investigation to help potential victims identify if they've been compromised, including domains strongly associated with some countries that Citizen Lab has identified as locations of victims, countries where QuaDream platforms were operating, or both.

While acknowledging that preventing exploitation of mobile devices by threat actors who are exploiting zero-click vulnerabilities is difficult, there are ways to minimize the risk of mobile devices being compromised, the researchers said.

Following basic cyber hygiene and best practices to keep device software updated through automatic updates, the use of anti-malware software, and maintaining vigilance not to click on malicious links or suspicious messages can also help potential victims avoid compromise.

Researchers also suggested that if someone using an iOS device believes they may be a target of spyware, they can enable Lockdown Mode to enact advanced iOS security, thus reducing the attack surface for threat actors.

Microsoft: NSO Group-Like 'QuaDream' Actor Selling Mobile Spyware to Governments

Jenkins Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries.

Job configurations using Image Tag Parameters that were created before 2.0 will have SSL/TLS certificate validation disabled by default.

**Jenkins Image Tag Parameter Plugin improperly introduces option to opt out of SSL/TLS certificate validation**

Moderate severity GitHub Reviewed Published Apr 12, 2023 to the GitHub Advisory Database • Updated Apr 12, 2023

GHSA-38jc-2rwx-qgxr: Jenkins Image Tag Parameter Plugin improperly introduces option to opt out of SSL/TLS certificate validation

Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.

**Jenkins NeuVector Vulnerability Scanner Plugin disables SSL/TLS certificate and hostname validation**

Moderate severity GitHub Reviewed Published Apr 12, 2023 to the GitHub Advisory Database • Updated Apr 12, 2023

GHSA-r3mm-v4x7-2phm: Jenkins NeuVector Vulnerability Scanner Plugin disables SSL/TLS certificate and hostname validation

A missing permission check in Jenkins Report Portal Plugin 0.5 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Assembla merge request builder Plugin
*   Azure Key Vault Plugin
*   Consul KV Builder Plugin
*   Fogbugz Plugin
*   Image Tag Parameter Plugin
*   Kubernetes Plugin
*   Lucene-Search Plugin
*   NeuVector Vulnerability Scanner Plugin
*   Quay.io trigger Plugin
*   Report Portal Plugin
*   Thycotic DevOps Secrets Vault Plugin
*   Thycotic Secret Server Plugin
*   TurboScript Plugin
*   WSO2 Oauth Plugin

**Descriptions****Improper masking of credentials in multiple plugins**

**SECURITY-3075 / CVE-2023-30513 (Kubernetes), CVE-2023-30514 (Azure Key Vault), CVE-2023-30515 (Thycotic DevOps Secrets Vault)**  
**Severity (CVSS):** Medium  
**Affected plugins: kubernetes , azure-keyvault , thycotic-devops-secrets-vault**  
**Description:**

Multiple plugins do not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:

*   The credentials are printed in build steps executing on an agent (typically inside a node block).
    
*   Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.
    

The following plugins are affected by this vulnerability:

*   Kubernetes 3909.v1f2c633e8590 and earlier (SECURITY-3079 / CVE-2023-30513)
    
*   Azure Key Vault 187.va\_cd5fecd198a\_ and earlier (SECURITY-3051 / CVE-2023-30514)
    
*   Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)
    

The following plugins have been updated to properly mask credentials in the build log when push mode for durable task logging is enabled:

*   Kubernetes 3910.ve59cec5e33ea\_ (SECURITY-3079 / CVE-2023-30513)
    
*   Azure Key Vault 188.vf46b\_7fa\_846a\_1 (SECURITY-3051 / CVE-2023-30514)
    

As of publication of this advisory, there is no fix available for the following plugin:

*   Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)
    

An improvement in Credentials Binding 523.525.vb\_72269281873 implements a workaround that applies build log masking even in affected plugins. This workaround is temporary and potentially incomplete, so it is still recommended that affected plugins be updated to resolve this issue.

**Disabled SSL/TLS certificate validation for existing configurations in Image Tag Parameter Plugin**

**SECURITY-2840 / CVE-2023-30516**  
**Severity (CVSS):** Medium  
**Affected plugin: image-tag-parameter**  
**Description:**

Image Tag Parameter Plugin 2.0 improperly introduces an option to opt out of SSL/TLS certificate validation when connecting to Docker registries.

Job configurations using Image Tag Parameters that were created before 2.0 will have SSL/TLS certificate validation disabled by default.

**SSL/TLS certificate validation unconditionally disabled by NeuVector Vulnerability Scanner Plugin**

**SECURITY-2841 / CVE-2023-30517**  
**Severity (CVSS):** Medium  
**Affected plugin: neuvector-vulnerability-scanner**  
**Description:**

NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.

**Missing permission check in Thycotic Secret Server Plugin allows enumerating credentials IDs**

**SECURITY-2837 / CVE-2023-30518**  
**Severity (CVSS):** Medium  
**Affected plugin: thycotic-secret-server**  
**Description:**

Thycotic Secret Server Plugin 1.0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**Lack of authentication mechanism in Quay.io trigger Plugin webhook**

**SECURITY-2849 / CVE-2023-30519**  
**Severity (CVSS):** Medium  
**Affected plugin: quayio-trigger**  
**Description:**

Quay.io trigger Plugin provides a webhook endpoint at /quayio-webhook/ that can be used to trigger builds of jobs configured to use a specified repository.

In Quay.io trigger Plugin 0.1 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

**Stored XSS vulnerability in Quay.io trigger Plugin**

**SECURITY-2850 / CVE-2023-30520**  
**Severity (CVSS):** High  
**Affected plugin: quayio-trigger**  
**Description:**

Quay.io trigger Plugin 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads.

**Lack of authentication mechanism in Assembla merge request builder Plugin webhook**

**SECURITY-2872 / CVE-2023-30521**  
**Severity (CVSS):** Medium  
**Affected plugin: assembla-merge-request-builder**  
**Description:**

Assembla merge request builder Plugin provides a webhook endpoint at /assembla-webhook/ that can be used to trigger builds of jobs configured to use a specified repository.

In Assembla merge request builder Plugin 1.1.13 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

**Lack of authentication mechanism in Fogbugz Plugin webhook**

**SECURITY-2873 / CVE-2023-30522**  
**Severity (CVSS):** Medium  
**Affected plugin: fogbugz**  
**Description:**

Fogbugz Plugin provides a webhook endpoint at /fbTrigger/ that can be used to trigger builds of any jobs.

In Fogbugz Plugin 2.2.17 and earlier, this endpoint can be accessed by attackers with Item/Read permission, allowing them to trigger builds of jobs specified in a jobname request parameter.

**Tokens stored and displayed in plain text by Report Portal Plugin**

**SECURITY-2945 / CVE-2023-30523 (storage), CVE-2023-30524 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: reportportal**  
**Description:**

Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability and missing permission check in Report Portal Plugin**

**SECURITY-2950 / CVE-2023-30525 (CSRF), CVE-2023-30526 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: reportportal**  
**Description:**

Report Portal Plugin 0.5 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Client secret stored and displayed in plain text by WSO2 Oauth Plugin**

**SECURITY-2992 / CVE-2023-30527 (storage), CVE-2023-30528 (masking)**  
**Severity (CVSS):** Low  
**Affected plugin: wso2id-oauth**  
**Description:**

WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This client secret can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the WSO2 Oauth client secret, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability in Lucene-Search Plugin**

**SECURITY-3013 / CVE-2023-30529**  
**Severity (CVSS):** Medium  
**Affected plugin: lucene-search**  
**Description:**

Lucene-Search Plugin 387.v938a\_ecb\_f7fe9 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to reindex the database.

**Token stored and displayed in plain text by Consul KV Builder Plugin**

**SECURITY-2944 / CVE-2023-30530 (storage), CVE-2023-30531 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: consul-kv-builder**  
**Description:**

Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

**Lack of authentication mechanism in TurboScript Plugin webhook**

**SECURITY-2851 / CVE-2023-30532**  
**Severity (CVSS):** Medium  
**Affected plugin: spoonscript**  
**Description:**

TurboScript Plugin provides a webhook endpoint at /turbo-webhook/ that can be used to trigger builds of jobs configured to use a specified repository.

In TurboScript Plugin 1.3 and earlier, this endpoint can be accessed by attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

**Severity**

*   SECURITY-2837: Medium
*   SECURITY-2840: Medium
*   SECURITY-2841: Medium
*   SECURITY-2849: Medium
*   SECURITY-2850: High
*   SECURITY-2851: Medium
*   SECURITY-2872: Medium
*   SECURITY-2873: Medium
*   SECURITY-2944: Medium
*   SECURITY-2945: Medium
*   SECURITY-2950: Medium
*   SECURITY-2992: Low
*   SECURITY-3013: Medium
*   SECURITY-3075: Medium

**Affected Versions**

*   **Assembla merge request builder Plugin** up to and including 1.1.13
*   **Azure Key Vault Plugin** up to and including 187.va\_cd5fecd198a\_
*   **Consul KV Builder Plugin** up to and including 2.0.13
*   **Fogbugz Plugin** up to and including 2.2.17
*   **Image Tag Parameter Plugin** up to and including 2.0
*   **Kubernetes Plugin** up to and including 3909.v1f2c633e8590
*   **Lucene-Search Plugin** up to and including 387.v938a\_ecb\_f7fe9
*   **NeuVector Vulnerability Scanner Plugin** up to and including 1.22
*   **Quay.io trigger Plugin** up to and including 0.1
*   **Report Portal Plugin** up to and including 0.5
*   **Thycotic DevOps Secrets Vault Plugin** up to and including 1.0.0
*   **Thycotic Secret Server Plugin** up to and including 1.0.2
*   **TurboScript Plugin** up to and including 1.3
*   **WSO2 Oauth Plugin** up to and including 1.0

**Fix**

*   **Azure Key Vault Plugin** should be updated to version 188.vf46b\_7fa\_846a\_1
*   **Kubernetes Plugin** should be updated to version 3910.ve59cec5e33ea\_

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Assembla merge request builder Plugin
*   Consul KV Builder Plugin
*   Fogbugz Plugin
*   Image Tag Parameter Plugin
*   Lucene-Search Plugin
*   NeuVector Vulnerability Scanner Plugin
*   Quay.io trigger Plugin
*   Report Portal Plugin
*   Thycotic DevOps Secrets Vault Plugin
*   Thycotic Secret Server Plugin
*   TurboScript Plugin
*   WSO2 Oauth Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **CC Bomber, Kitri BoB** for SECURITY-2944, SECURITY-2945
*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2837, SECURITY-2840, SECURITY-3013
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2849, SECURITY-2850, SECURITY-2851, SECURITY-2992
*   **Kevin Guerroudj, CloudBees, Inc. and Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2873
*   **Pavel Nakonechnyi, Netcetera AG** for SECURITY-2841
*   **Tim Jacomb** for SECURITY-3075
*   **Yaroslav Afenkin, CloudBees, Inc.** for SECURITY-2950
*   **Yaroslav Afenkin, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2872

CVE-2023-30526: Jenkins Security Advisory 2023-04-12

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it.

CVE-2023-30531: Jenkins Security Advisory 2023-04-12

A missing permission check in Jenkins TurboScript Plugin 1.3 and earlier allows attackers with Item/Read permission to trigger builds of jobs corresponding to the attacker-specified repository.

CVE-2023-30532: Jenkins Security Advisory 2023-04-12

Jenkins Report Portal Plugin 0.5 and earlier does not mask ReportPortal access tokens displayed on the configuration form, increasing the potential for attackers to observe and capture them.

CVE-2023-30524: Jenkins Security Advisory 2023-04-12

Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, allowing attackers to reindex the database.

CVE-2023-30529: Jenkins Security Advisory 2023-04-12

A missing permission check in Jenkins Thycotic Secret Server Plugin 1.0.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Tag

#ssl