Jenkins Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Anchore Container Image Scanner Plugin
*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   build-publisher Plugin
*   Compuware Common Configuration Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

**Descriptions****XSS vulnerability**

**SECURITY-2886 / CVE-2022-41224**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

As of publication, the Jenkins security team is unaware of any exploitable help icon/tooltip in Jenkins core or plugins published by the Jenkins project. The vast majority of help icons use the l:help component instead of l:helpIcon. The few known instances of l:helpIcon do not have user-controllable contents.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

**Stored XSS vulnerability in Anchore Container Image Scanner Plugin**

**SECURITY-2821 / CVE-2022-41225**  
**Severity (CVSS):** High  
**Affected plugin: anchore-container-scanner**  
**Description:**

Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

Anchore Container Image Scanner Plugin 1.0.25 escapes content provided by the Anchore engine API.

**XXE vulnerability in Compuware Common Configuration Plugin**

**SECURITY-2832 / CVE-2022-41226**  
**Severity (CVSS):** High  
**Affected plugin: compuware-common-configuration**  
**Description:**

Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Compuware Common Configuration Plugin 1.0.15 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission check in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2737 / CVE-2022-41227 (CSRF), CVE-2022-41228 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NS-ND Integration Performance Publisher Plugin 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2858 / CVE-2022-41229**  
**Severity (CVSS):** High  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Missing permission check in build-publisher Plugin**

**SECURITY-1994 / CVE-2022-41230**  
**Severity (CVSS):** Medium  
**Affected plugin: build-publisher**  
**Description:**

build-publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

**Path traversal and CSRF vulnerability in build-publisher Plugin**

**SECURITY-2139 / CVE-2022-41231 (path traversal), CVE-2022-41232 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: build-publisher**  
**Description:**

build-publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability that allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file.

**Missing permission checks in Rundeck Plugin**

**SECURITY-2170 / CVE-2022-41233**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints.

This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

**Missing webhook endpoint authorization in Rundeck Plugin**

**SECURITY-2169 / CVE-2022-41234**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint.

This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

**Path traversal vulnerability in WildFly Deployer Plugin allows reading arbitrary files**

**SECURITY-2645 / CVE-2022-41235**  
**Severity (CVSS):** Medium  
**Affected plugin: wildfly-deployer**  
**Description:**

WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

**CSRF vulnerability in Security Inspector Plugin**

**SECURITY-2051 / CVE-2022-41236**  
**Severity (CVSS):** Medium  
**Affected plugin: security-inspector**  
**Description:**

Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the …​/report URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result.

A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability for the _Single user, multiple jobs_ report. Other report types are still affected.

**RCE vulnerability in DotCi Plugin**

**SECURITY-1737 / CVE-2022-41237**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to modify .ci.yml files in SCM.

**Lack of authentication mechanism in DotCi Plugin webhook**

**SECURITY-2867 / CVE-2022-41238**  
**Severity (CVSS):** Medium  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository.

In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

**Stored XSS vulnerability in DotCi Plugin**

**SECURITY-2884 / CVE-2022-41239**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/ endpoint (see also SECURITY-2867).

This vulnerability is only exploitable in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. See the LTS upgrade guide.

**Stored XSS vulnerability in Walti Plugin**

**SECURITY-1870 / CVE-2022-41240**  
**Severity (CVSS):** High  
**Affected plugin: walti**  
**Description:**

Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

**XXE vulnerability in RQM Plugin**

**SECURITY-2805 / CVE-2022-41241**  
**Severity (CVSS):** Medium  
**Affected plugin: rqm-plugin**  
**Description:**

RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Missing permission check in extreme-feedback Plugin**

**SECURITY-2001 / CVE-2022-41242**  
**Severity (CVSS):** Medium  
**Affected plugin: extreme-feedback**  
**Description:**

extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

**Missing hostname validation in SmallTest Plugin**

**SECURITY-2068 / CVE-2022-41243**  
**Severity (CVSS):** Medium  
**Affected plugin: smalltest**  
**Description:**

SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**Missing hostname validation in View26 Test-Reporting Plugin**

**SECURITY-2069 / CVE-2022-41244**  
**Severity (CVSS):** Medium  
**Affected plugin: view26**  
**Description:**

View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**CSRF vulnerability and missing permission check in Worksoft Execution Manager Plugin allow capturing credentials**

**SECURITY-2237 / CVE-2022-41245 (CSRF), CVE-2022-41246 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ws-execution-manager**  
**Description:**

Worksoft Execution Manager Plugin 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API key stored in plain text by BigPanda Notifier Plugin**

**SECURITY-2243 / CVE-2022-41247 (storage), CVE-2022-41248 (masking)**  
**Severity (CVSS):** Low  
**Affected plugin: bigpanda-jenkins**  
**Description:**

BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability and missing permission check in SCM HttpClient Plugin allow capturing credentials**

**SECURITY-2708 / CVE-2022-41249 (CSRF), CVE-2022-41250 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: scm-httpclient**  
**Description:**

SCM HttpClient Plugin 1.5 and earlier does not perform permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Missing permission check in Apprenda Plugin allows enumerating credentials IDs**

**SECURITY-2710 / CVE-2022-41251**  
**Severity (CVSS):** Medium  
**Affected plugin: apprenda**  
**Description:**

Apprenda Plugin 2.2.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**Missing permission checks in CONS3RT Plugin allow enumerating credentials IDs**

**SECURITY-2752 / CVE-2022-41252**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission checks in CONS3RT Plugin allow capturing credentials**

**SECURITY-2751 / CVE-2022-41253 (CSRF), CVE-2022-41254 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API token stored in plain text by CONS3RT Plugin**

**SECURITY-2759 / CVE-2022-41255**  
**Severity (CVSS):** Low  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

This API token can be viewed by users with access to the Jenkins controller file system.

**Severity**

*   SECURITY-1737: High
*   SECURITY-1870: High
*   SECURITY-1994: Medium
*   SECURITY-2001: Medium
*   SECURITY-2051: Medium
*   SECURITY-2068: Medium
*   SECURITY-2069: Medium
*   SECURITY-2139: High
*   SECURITY-2169: Medium
*   SECURITY-2170: Medium
*   SECURITY-2237: Medium
*   SECURITY-2243: Low
*   SECURITY-2645: Medium
*   SECURITY-2708: Medium
*   SECURITY-2710: Medium
*   SECURITY-2737: Medium
*   SECURITY-2751: Medium
*   SECURITY-2752: Medium
*   SECURITY-2759: Low
*   SECURITY-2805: Medium
*   SECURITY-2821: High
*   SECURITY-2832: High
*   SECURITY-2858: High
*   SECURITY-2867: Medium
*   SECURITY-2884: High
*   SECURITY-2886: High

**Affected Versions**

*   Jenkins weekly up to and including 2.369
*   **Anchore Container Image Scanner Plugin** up to and including 1.0.24
*   **Apprenda Plugin** up to and including 2.2.0
*   **BigPanda Notifier Plugin** up to and including 1.4.0
*   **build-publisher Plugin** up to and including 1.22
*   **Compuware Common Configuration Plugin** up to and including 1.0.14
*   **CONS3RT Plugin** up to and including 1.0.0
*   **DotCi Plugin** up to and including 2.40.00
*   **extreme-feedback Plugin** up to and including 1.7
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.129
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.134
*   **RQM Plugin** up to and including 2.8
*   **Rundeck Plugin** up to and including 3.6.11
*   **SCM HttpClient Plugin** up to and including 1.5
*   **Security Inspector Plugin** up to and including 117.v6eecc36919c2
*   **SmallTest Plugin** up to and including 1.0.4
*   **View26 Test-Reporting Plugin** up to and including 1.0.7
*   **Walti Plugin** up to and including 1.0.1
*   **WildFly Deployer Plugin** up to and including 1.0.2
*   **Worksoft Execution Manager Plugin** up to and including 10.0.3.503

**Fix**

*   Jenkins weekly should be updated to version 2.370
*   **Anchore Container Image Scanner Plugin** should be updated to version 1.0.25
*   **Compuware Common Configuration Plugin** should be updated to version 1.0.15
*   **NS-ND Integration Performance Publisher Plugin** should be updated to version 4.8.0.130

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   build-publisher Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2169, SECURITY-2170, SECURITY-2645, SECURITY-2821, SECURITY-2884
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2051
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-2886
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2237, SECURITY-2737, SECURITY-2805, SECURITY-2858, SECURITY-2867
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2068, SECURITY-2069
*   **Marc Heyries** for SECURITY-2243
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1994, SECURITY-2001
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2708, SECURITY-2710, SECURITY-2751, SECURITY-2752, SECURITY-2832
*   **Valdes Che Zogou, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2759
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1870, SECURITY-2139

CVE-2022-41240: Jenkins Security Advisory 2022-09-21

Jenkins Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints, allowing attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

CVE-2022-41233: Jenkins Security Advisory 2022-09-21

A missing permission check in Jenkins Apprenda Plugin 2.2.0 and earlier allows users with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Anchore Container Image Scanner Plugin
*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   Build-Publisher Plugin
*   Compuware Common Configuration Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

**Descriptions****XSS vulnerability**

**SECURITY-2886 / CVE-2022-41224**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

As of publication, the Jenkins security team is unaware of any exploitable help icon/tooltip in Jenkins core or plugins published by the Jenkins project. The vast majority of help icons use the l:help component instead of l:helpIcon. The few known instances of l:helpIcon do not have user-controllable contents.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

**Stored XSS vulnerability in Anchore Container Image Scanner Plugin**

**SECURITY-2821 / CVE-2022-41225**  
**Severity (CVSS):** High  
**Affected plugin: anchore-container-scanner**  
**Description:**

Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

Anchore Container Image Scanner Plugin 1.0.25 escapes content provided by the Anchore engine API.

**XXE vulnerability in Compuware Common Configuration Plugin**

**SECURITY-2832 / CVE-2022-41226**  
**Severity (CVSS):** High  
**Affected plugin: compuware-common-configuration**  
**Description:**

Compuware Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Compuware Common Configuration Plugin 1.0.15 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission check in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2737 / CVE-2022-41227 (CSRF), CVE-2022-41228 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NS-ND Integration Performance Publisher Plugin 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2858 / CVE-2022-41229**  
**Severity (CVSS):** High  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Missing permission check in Build-Publisher Plugin**

**SECURITY-1994 / CVE-2022-41230**  
**Severity (CVSS):** Medium  
**Affected plugin: build-publisher**  
**Description:**

Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

**Path traversal and CSRF vulnerability in Build-Publisher Plugin**

**SECURITY-2139 / CVE-2022-41231 (path traversal), CVE-2022-41232 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: build-publisher**  
**Description:**

Build-Publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability that allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file.

**Missing permission checks in Rundeck Plugin**

**SECURITY-2170 / CVE-2022-41233**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints.

This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

**Missing webhook endpoint authorization in Rundeck Plugin**

**SECURITY-2169 / CVE-2022-41234**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint.

This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

**Path traversal vulnerability in WildFly Deployer Plugin allows reading arbitrary files**

**SECURITY-2645 / CVE-2022-41235**  
**Severity (CVSS):** Medium  
**Affected plugin: wildfly-deployer**  
**Description:**

WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

**CSRF vulnerability in Security Inspector Plugin**

**SECURITY-2051 / CVE-2022-41236**  
**Severity (CVSS):** Medium  
**Affected plugin: security-inspector**  
**Description:**

Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the …​/report URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result.

A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability for the _Single user, multiple jobs_ report. Other report types are still affected.

**RCE vulnerability in DotCi Plugin**

**SECURITY-1737 / CVE-2022-41237**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to modify .ci.yml files in SCM.

**Lack of authentication mechanism in DotCi Plugin webhook**

**SECURITY-2867 / CVE-2022-41238**  
**Severity (CVSS):** Medium  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository.

In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

**Stored XSS vulnerability in DotCi Plugin**

**SECURITY-2884 / CVE-2022-41239**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/ endpoint (see also SECURITY-2867).

This vulnerability is only exploitable in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. See the LTS upgrade guide.

**Stored XSS vulnerability in Walti Plugin**

**SECURITY-1870 / CVE-2022-41240**  
**Severity (CVSS):** High  
**Affected plugin: walti**  
**Description:**

Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

**XXE vulnerability in RQM Plugin**

**SECURITY-2805 / CVE-2022-41241**  
**Severity (CVSS):** Medium  
**Affected plugin: rqm-plugin**  
**Description:**

RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Missing permission check in extreme-feedback Plugin**

**SECURITY-2001 / CVE-2022-41242**  
**Severity (CVSS):** Medium  
**Affected plugin: extreme-feedback**  
**Description:**

extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

**Missing hostname validation in SmallTest Plugin**

**SECURITY-2068 / CVE-2022-41243**  
**Severity (CVSS):** Medium  
**Affected plugin: smalltest**  
**Description:**

SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**Missing hostname validation in View26 Test-Reporting Plugin**

**SECURITY-2069 / CVE-2022-41244**  
**Severity (CVSS):** Medium  
**Affected plugin: view26**  
**Description:**

View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**CSRF vulnerability and missing permission check in Worksoft Execution Manager Plugin allow capturing credentials**

**SECURITY-2237 / CVE-2022-41245 (CSRF), CVE-2022-41246 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ws-execution-manager**  
**Description:**

Worksoft Execution Manager Plugin 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API key stored in plain text by BigPanda Notifier Plugin**

**SECURITY-2243 / CVE-2022-41247 (storage), CVE-2022-41248 (masking)**  
**Severity (CVSS):** Low  
**Affected plugin: bigpanda-jenkins**  
**Description:**

BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability and missing permission check in SCM HttpClient Plugin allow capturing credentials**

**SECURITY-2708 / CVE-2022-41249 (CSRF), CVE-2022-41250 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: scm-httpclient**  
**Description:**

SCM HttpClient Plugin 1.5 and earlier does not perform permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Missing permission check in Apprenda Plugin allows enumerating credentials IDs**

**SECURITY-2710 / CVE-2022-41251**  
**Severity (CVSS):** Medium  
**Affected plugin: apprenda**  
**Description:**

Apprenda Plugin 2.2.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**Missing permission checks in CONS3RT Plugin allow enumerating credentials IDs**

**SECURITY-2752 / CVE-2022-41252**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission checks in CONS3RT Plugin allow capturing credentials**

**SECURITY-2751 / CVE-2022-41253 (CSRF), CVE-2022-41254 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API token stored in plain text by CONS3RT Plugin**

**SECURITY-2759 / CVE-2022-41255**  
**Severity (CVSS):** Low  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

This API token can be viewed by users with access to the Jenkins controller file system.

**Severity**

*   SECURITY-1737: High
*   SECURITY-1870: High
*   SECURITY-1994: Medium
*   SECURITY-2001: Medium
*   SECURITY-2051: Medium
*   SECURITY-2068: Medium
*   SECURITY-2069: Medium
*   SECURITY-2139: High
*   SECURITY-2169: Medium
*   SECURITY-2170: Medium
*   SECURITY-2237: Medium
*   SECURITY-2243: Low
*   SECURITY-2645: Medium
*   SECURITY-2708: Medium
*   SECURITY-2710: Medium
*   SECURITY-2737: Medium
*   SECURITY-2751: Medium
*   SECURITY-2752: Medium
*   SECURITY-2759: Low
*   SECURITY-2805: Medium
*   SECURITY-2821: High
*   SECURITY-2832: High
*   SECURITY-2858: High
*   SECURITY-2867: Medium
*   SECURITY-2884: High
*   SECURITY-2886: High

**Affected Versions**

*   Jenkins weekly up to and including 2.369
*   **Anchore Container Image Scanner Plugin** up to and including 1.0.24
*   **Apprenda Plugin** up to and including 2.2.0
*   **BigPanda Notifier Plugin** up to and including 1.4.0
*   **Build-Publisher Plugin** up to and including 1.22
*   **Compuware Common Configuration Plugin** up to and including 1.0.14
*   **CONS3RT Plugin** up to and including 1.0.0
*   **DotCi Plugin** up to and including 2.40.00
*   **extreme-feedback Plugin** up to and including 1.7
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.129
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.134
*   **RQM Plugin** up to and including 2.8
*   **Rundeck Plugin** up to and including 3.6.11
*   **SCM HttpClient Plugin** up to and including 1.5
*   **Security Inspector Plugin** up to and including 117.v6eecc36919c2
*   **SmallTest Plugin** up to and including 1.0.4
*   **View26 Test-Reporting Plugin** up to and including 1.0.7
*   **Walti Plugin** up to and including 1.0.1
*   **WildFly Deployer Plugin** up to and including 1.0.2
*   **Worksoft Execution Manager Plugin** up to and including 10.0.3.503

**Fix**

*   Jenkins weekly should be updated to version 2.370
*   **Anchore Container Image Scanner Plugin** should be updated to version 1.0.25
*   **Compuware Common Configuration Plugin** should be updated to version 1.0.15
*   **NS-ND Integration Performance Publisher Plugin** should be updated to version 4.8.0.130

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   Build-Publisher Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2169, SECURITY-2170, SECURITY-2645, SECURITY-2821, SECURITY-2884
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2051
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-2886
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2237, SECURITY-2737, SECURITY-2805, SECURITY-2858, SECURITY-2867
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2068, SECURITY-2069
*   **Marc Heyries** for SECURITY-2243
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1994, SECURITY-2001
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2708, SECURITY-2710, SECURITY-2751, SECURITY-2752, SECURITY-2832
*   **Valdes Che Zogou, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2759
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1870, SECURITY-2139

CVE-2022-41251: Jenkins Security Advisory 2022-09-21

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

CVE-2022-41230: Jenkins Security Advisory 2022-09-21

Jenkins Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint, allowing users with Overall/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Jenkins (core)
*   Anchore Container Image Scanner Plugin
*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   BMC AMI Common Configuration Plugin
*   build-publisher Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

**Descriptions****XSS vulnerability**

**SECURITY-2886 / CVE-2022-41224**  
**Severity (CVSS):** High  
**Description:**

Jenkins 2.367 through 2.369 (both inclusive) does not escape tooltips of the l:helpIcon UI component used for some help icons on the Jenkins web UI.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control tooltips for this component.

As of publication, the Jenkins security team is unaware of any exploitable help icon/tooltip in Jenkins core or plugins published by the Jenkins project. The vast majority of help icons use the l:help component instead of l:helpIcon. The few known instances of l:helpIcon do not have user-controllable tooltip contents.

Jenkins 2.370 escapes tooltips of the l:helpIcon UI component.

**Stored XSS vulnerability in Anchore Container Image Scanner Plugin**

**SECURITY-2821 / CVE-2022-41225**  
**Severity (CVSS):** High  
**Affected plugin: anchore-container-scanner**  
**Description:**

Anchore Container Image Scanner Plugin 1.0.24 and earlier does not escape content provided by the Anchore engine API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control API responses by Anchore engine.

Anchore Container Image Scanner Plugin 1.0.25 escapes content provided by the Anchore engine API.

**XXE vulnerability in BMC AMI Common Configuration Plugin**

**SECURITY-2832 / CVE-2022-41226**  
**Severity (CVSS):** High  
**Affected plugin: compuware-common-configuration**  
**Description:**

BMC AMI Common Configuration Plugin 1.0.14 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

BMC AMI Common Configuration Plugin 1.0.15 disables external entity resolution for its XML parser.

**CSRF vulnerability and missing permission check in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2737 / CVE-2022-41227 (CSRF), CVE-2022-41228 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.129 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

NS-ND Integration Performance Publisher Plugin 4.8.0.130 requires POST requests and Overall/Administer permission for the affected form validation method.

**Stored XSS vulnerability in NS-ND Integration Performance Publisher Plugin**

**SECURITY-2858 / CVE-2022-41229**  
**Severity (CVSS):** High  
**Affected plugin: cavisson-ns-nd-integration**  
**Description:**

NS-ND Integration Performance Publisher Plugin 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

**Missing permission check in build-publisher Plugin**

**SECURITY-1994 / CVE-2022-41230**  
**Severity (CVSS):** Medium  
**Affected plugin: build-publisher**  
**Description:**

build-publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

**Path traversal and CSRF vulnerability in build-publisher Plugin**

**SECURITY-2139 / CVE-2022-41231 (path traversal), CVE-2022-41232 (CSRF)**  
**Severity (CVSS):** High  
**Affected plugin: build-publisher**  
**Description:**

build-publisher Plugin 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability that allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file.

**Missing permission checks in Rundeck Plugin**

**SECURITY-2170 / CVE-2022-41233**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints.

This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled.

**Missing webhook endpoint authorization in Rundeck Plugin**

**SECURITY-2169 / CVE-2022-41234**  
**Severity (CVSS):** Medium  
**Affected plugin: rundeck**  
**Description:**

Rundeck Plugin 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint.

This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck.

**Agent-to-controller security bypass in WildFly Deployer Plugin allows reading arbitrary files**

**SECURITY-2645 / CVE-2022-41235**  
**Severity (CVSS):** Medium  
**Affected plugin: wildfly-deployer**  
**Description:**

WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the LTS upgrade guide.

**CSRF vulnerability in Security Inspector Plugin**

**SECURITY-2051 / CVE-2022-41236**  
**Severity (CVSS):** Medium  
**Affected plugin: security-inspector**  
**Description:**

Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the …​/report URL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result.

A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability for the _Single user, multiple jobs_ report. Other report types are still affected.

**RCE vulnerability in DotCi Plugin**

**SECURITY-1737 / CVE-2022-41237**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types.

This results in a remote code execution (RCE) vulnerability exploitable by attackers able to modify .ci.yml files in SCM.

**Lack of authentication mechanism in DotCi Plugin webhook**

**SECURITY-2867 / CVE-2022-41238**  
**Severity (CVSS):** Medium  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository.

In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

**Stored XSS vulnerability in DotCi Plugin**

**SECURITY-2884 / CVE-2022-41239**  
**Severity (CVSS):** High  
**Affected plugin: DotCi**  
**Description:**

DotCi Plugin 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/ endpoint (see also SECURITY-2867).

This vulnerability is only exploitable in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier. See the LTS upgrade guide.

**Stored XSS vulnerability in Walti Plugin**

**SECURITY-1870 / CVE-2022-41240**  
**Severity (CVSS):** High  
**Affected plugin: walti**  
**Description:**

Walti Plugin 1.0.1 and earlier does not escape the information provided by the Walti API.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide malicious API responses from Walti.

**XXE vulnerability in RQM Plugin**

**SECURITY-2805 / CVE-2022-41241**  
**Severity (CVSS):** Medium  
**Affected plugin: rqm-plugin**  
**Description:**

RQM Plugin 2.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

This allows attackers able to provide crafted API responses from Rational Quality Manager to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

**Missing permission check in extreme-feedback Plugin**

**SECURITY-2001 / CVE-2022-41242**  
**Severity (CVSS):** Medium  
**Affected plugin: extreme-feedback**  
**Description:**

extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

**Missing hostname validation in SmallTest Plugin**

**SECURITY-2068 / CVE-2022-41243**  
**Severity (CVSS):** Medium  
**Affected plugin: smalltest**  
**Description:**

SmallTest Plugin 1.0.4 and earlier does not perform hostname validation when connecting to the configured SmallTest server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**Missing hostname validation in View26 Test-Reporting Plugin**

**SECURITY-2069 / CVE-2022-41244**  
**Severity (CVSS):** Medium  
**Affected plugin: view26**  
**Description:**

View26 Test-Reporting Plugin 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

**CSRF vulnerability and missing permission check in Worksoft Execution Manager Plugin allow capturing credentials**

**SECURITY-2237 / CVE-2022-41245 (CSRF), CVE-2022-41246 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: ws-execution-manager**  
**Description:**

Worksoft Execution Manager Plugin 10.0.3.503 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API key stored in plain text by BigPanda Notifier Plugin**

**SECURITY-2243 / CVE-2022-41247 (storage), CVE-2022-41248 (masking)**  
**Severity (CVSS):** Low  
**Affected plugin: bigpanda-jenkins**  
**Description:**

BigPanda Notifier Plugin 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration.

This API key can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the API key, increasing the potential for attackers to observe and capture it.

**CSRF vulnerability and missing permission check in SCM HttpClient Plugin allow capturing credentials**

**SECURITY-2708 / CVE-2022-41249 (CSRF), CVE-2022-41250 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: scm-httpclient**  
**Description:**

SCM HttpClient Plugin 1.5 and earlier does not perform permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Missing permission check in Apprenda Plugin allows enumerating credentials IDs**

**SECURITY-2710 / CVE-2022-41251**  
**Severity (CVSS):** Medium  
**Affected plugin: apprenda**  
**Description:**

Apprenda Plugin 2.2.0 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**Missing permission checks in CONS3RT Plugin allow enumerating credentials IDs**

**SECURITY-2752 / CVE-2022-41252**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability.

**CSRF vulnerability and missing permission checks in CONS3RT Plugin allow capturing credentials**

**SECURITY-2751 / CVE-2022-41253 (CSRF), CVE-2022-41254 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**API token stored in plain text by CONS3RT Plugin**

**SECURITY-2759 / CVE-2022-41255**  
**Severity (CVSS):** Low  
**Affected plugin: cons3rt**  
**Description:**

CONS3RT Plugin 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

This API token can be viewed by users with access to the Jenkins controller file system.

**Severity**

*   SECURITY-1737: High
*   SECURITY-1870: High
*   SECURITY-1994: Medium
*   SECURITY-2001: Medium
*   SECURITY-2051: Medium
*   SECURITY-2068: Medium
*   SECURITY-2069: Medium
*   SECURITY-2139: High
*   SECURITY-2169: Medium
*   SECURITY-2170: Medium
*   SECURITY-2237: Medium
*   SECURITY-2243: Low
*   SECURITY-2645: Medium
*   SECURITY-2708: Medium
*   SECURITY-2710: Medium
*   SECURITY-2737: Medium
*   SECURITY-2751: Medium
*   SECURITY-2752: Medium
*   SECURITY-2759: Low
*   SECURITY-2805: Medium
*   SECURITY-2821: High
*   SECURITY-2832: High
*   SECURITY-2858: High
*   SECURITY-2867: Medium
*   SECURITY-2884: High
*   SECURITY-2886: High

**Affected Versions**

*   **Jenkins weekly** up to and including 2.369
*   **Anchore Container Image Scanner Plugin** up to and including 1.0.24
*   **Apprenda Plugin** up to and including 2.2.0
*   **BigPanda Notifier Plugin** up to and including 1.4.0
*   **BMC AMI Common Configuration Plugin** up to and including 1.0.14
*   **build-publisher Plugin** up to and including 1.22
*   **CONS3RT Plugin** up to and including 1.0.0
*   **DotCi Plugin** up to and including 2.40.00
*   **extreme-feedback Plugin** up to and including 1.7
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.129
*   **NS-ND Integration Performance Publisher Plugin** up to and including 4.8.0.134
*   **RQM Plugin** up to and including 2.8
*   **Rundeck Plugin** up to and including 3.6.11
*   **SCM HttpClient Plugin** up to and including 1.5
*   **Security Inspector Plugin** up to and including 117.v6eecc36919c2
*   **SmallTest Plugin** up to and including 1.0.4
*   **View26 Test-Reporting Plugin** up to and including 1.0.7
*   **Walti Plugin** up to and including 1.0.1
*   **WildFly Deployer Plugin** up to and including 1.0.2
*   **Worksoft Execution Manager Plugin** up to and including 10.0.3.503

**Fix**

*   **Jenkins weekly** should be updated to version 2.370
*   **Anchore Container Image Scanner Plugin** should be updated to version 1.0.25
*   **BMC AMI Common Configuration Plugin** should be updated to version 1.0.15
*   **NS-ND Integration Performance Publisher Plugin** should be updated to version 4.8.0.130

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Apprenda Plugin
*   BigPanda Notifier Plugin
*   build-publisher Plugin
*   CONS3RT Plugin
*   DotCi Plugin
*   extreme-feedback Plugin
*   NS-ND Integration Performance Publisher Plugin
*   RQM Plugin
*   Rundeck Plugin
*   SCM HttpClient Plugin
*   Security Inspector Plugin
*   SmallTest Plugin
*   View26 Test-Reporting Plugin
*   Walti Plugin
*   WildFly Deployer Plugin
*   Worksoft Execution Manager Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-2169, SECURITY-2170, SECURITY-2645, SECURITY-2821, SECURITY-2884
*   **Jeff Thompson, CloudBees, Inc.** for SECURITY-2051
*   **Jesse Glick, CloudBees, Inc.** for SECURITY-2886
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2237, SECURITY-2737, SECURITY-2805, SECURITY-2858, SECURITY-2867
*   **Long Nguyen, Viettel Cyber Security** for SECURITY-2068, SECURITY-2069
*   **Marc Heyries** for SECURITY-2243
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1994, SECURITY-2001
*   **Valdes Che Zogou, CloudBees, Inc.** for SECURITY-2708, SECURITY-2710, SECURITY-2751, SECURITY-2752, SECURITY-2832
*   **Valdes Che Zogou, CloudBees, Inc. and Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2759
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1870, SECURITY-2139

CVE-2022-41234: Jenkins Security Advisory 2022-09-21

Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js and in specific on the line label: elementInfo.label.

@@ -471,7 +471,7 @@ Craft.BaseElementSelectInput = Garnish.Base.extend(

createNewElement: function (elementInfo) {

var $element \= elementInfo.$element.clone();

var removeText \= Craft.t('app', 'Remove {label}', {

label: elementInfo.label,

label: Craft.escapeHtml(elementInfo.label),

});

// Make a couple tweaks

Craft.setElementSize(

CVE-2022-37246: Fixed an XSS vulnerability · craftcms/cms@1d5fdba

Red Hat Security Advisory 2022-6585-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include a double free vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: ruby security, bug fix, and enhancement update  
Advisory ID:       RHSA-2022:6585-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6585  
Issue date:        2022-09-20  
CVE Names:         CVE-2022-28738 CVE-2022-28739  
====================================================================  
1. Summary:

An update for ruby is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - noarch  
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Ruby is an extensible, interpreted, object-oriented, scripting language. It  
has features to process text files and to perform system management tasks.

The following packages have been upgraded to a later upstream version: ruby  
(3.0.4). (BZ#2109428)

Security Fix(es):

* Ruby: Double free in Regexp compilation (CVE-2022-28738)

* Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2075685 - CVE-2022-28738 Ruby: Double free in Regexp compilation  
2075687 - CVE-2022-28739 Ruby: Buffer overrun in String-to-Float conversion  
2109428 - ruby:3.0/ruby: Rebase to the latest Ruby 3.0 release [rhel-9] [rhel-9.0.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:  
ruby-3.0.4-160.el9_0.src.rpm

aarch64:  
ruby-3.0.4-160.el9_0.aarch64.rpm  
ruby-debuginfo-3.0.4-160.el9_0.aarch64.rpm  
ruby-debugsource-3.0.4-160.el9_0.aarch64.rpm  
ruby-devel-3.0.4-160.el9_0.aarch64.rpm  
ruby-libs-3.0.4-160.el9_0.aarch64.rpm  
ruby-libs-debuginfo-3.0.4-160.el9_0.aarch64.rpm  
rubygem-bigdecimal-3.0.0-160.el9_0.aarch64.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.aarch64.rpm  
rubygem-io-console-0.5.7-160.el9_0.aarch64.rpm  
rubygem-io-console-debuginfo-0.5.7-160.el9_0.aarch64.rpm  
rubygem-json-2.5.1-160.el9_0.aarch64.rpm  
rubygem-json-debuginfo-2.5.1-160.el9_0.aarch64.rpm  
rubygem-psych-3.3.2-160.el9_0.aarch64.rpm  
rubygem-psych-debuginfo-3.3.2-160.el9_0.aarch64.rpm

noarch:  
ruby-default-gems-3.0.4-160.el9_0.noarch.rpm  
rubygem-bundler-2.2.33-160.el9_0.noarch.rpm  
rubygem-irb-1.3.5-160.el9_0.noarch.rpm  
rubygem-minitest-5.14.2-160.el9_0.noarch.rpm  
rubygem-power_assert-1.2.0-160.el9_0.noarch.rpm  
rubygem-rake-13.0.3-160.el9_0.noarch.rpm  
rubygem-rbs-1.4.0-160.el9_0.noarch.rpm  
rubygem-rdoc-6.3.3-160.el9_0.noarch.rpm  
rubygem-rexml-3.2.5-160.el9_0.noarch.rpm  
rubygem-rss-0.2.9-160.el9_0.noarch.rpm  
rubygem-test-unit-3.3.7-160.el9_0.noarch.rpm  
rubygem-typeprof-0.15.2-160.el9_0.noarch.rpm  
rubygems-3.2.33-160.el9_0.noarch.rpm  
rubygems-devel-3.2.33-160.el9_0.noarch.rpm

ppc64le:  
ruby-3.0.4-160.el9_0.ppc64le.rpm  
ruby-debuginfo-3.0.4-160.el9_0.ppc64le.rpm  
ruby-debugsource-3.0.4-160.el9_0.ppc64le.rpm  
ruby-devel-3.0.4-160.el9_0.ppc64le.rpm  
ruby-libs-3.0.4-160.el9_0.ppc64le.rpm  
ruby-libs-debuginfo-3.0.4-160.el9_0.ppc64le.rpm  
rubygem-bigdecimal-3.0.0-160.el9_0.ppc64le.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.ppc64le.rpm  
rubygem-io-console-0.5.7-160.el9_0.ppc64le.rpm  
rubygem-io-console-debuginfo-0.5.7-160.el9_0.ppc64le.rpm  
rubygem-json-2.5.1-160.el9_0.ppc64le.rpm  
rubygem-json-debuginfo-2.5.1-160.el9_0.ppc64le.rpm  
rubygem-psych-3.3.2-160.el9_0.ppc64le.rpm  
rubygem-psych-debuginfo-3.3.2-160.el9_0.ppc64le.rpm

s390x:  
ruby-3.0.4-160.el9_0.s390x.rpm  
ruby-debuginfo-3.0.4-160.el9_0.s390x.rpm  
ruby-debugsource-3.0.4-160.el9_0.s390x.rpm  
ruby-devel-3.0.4-160.el9_0.s390x.rpm  
ruby-libs-3.0.4-160.el9_0.s390x.rpm  
ruby-libs-debuginfo-3.0.4-160.el9_0.s390x.rpm  
rubygem-bigdecimal-3.0.0-160.el9_0.s390x.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.s390x.rpm  
rubygem-io-console-0.5.7-160.el9_0.s390x.rpm  
rubygem-io-console-debuginfo-0.5.7-160.el9_0.s390x.rpm  
rubygem-json-2.5.1-160.el9_0.s390x.rpm  
rubygem-json-debuginfo-2.5.1-160.el9_0.s390x.rpm  
rubygem-psych-3.3.2-160.el9_0.s390x.rpm  
rubygem-psych-debuginfo-3.3.2-160.el9_0.s390x.rpm

x86_64:  
ruby-3.0.4-160.el9_0.i686.rpm  
ruby-3.0.4-160.el9_0.x86_64.rpm  
ruby-debuginfo-3.0.4-160.el9_0.i686.rpm  
ruby-debuginfo-3.0.4-160.el9_0.x86_64.rpm  
ruby-debugsource-3.0.4-160.el9_0.i686.rpm  
ruby-debugsource-3.0.4-160.el9_0.x86_64.rpm  
ruby-devel-3.0.4-160.el9_0.i686.rpm  
ruby-devel-3.0.4-160.el9_0.x86_64.rpm  
ruby-libs-3.0.4-160.el9_0.i686.rpm  
ruby-libs-3.0.4-160.el9_0.x86_64.rpm  
ruby-libs-debuginfo-3.0.4-160.el9_0.i686.rpm  
ruby-libs-debuginfo-3.0.4-160.el9_0.x86_64.rpm  
rubygem-bigdecimal-3.0.0-160.el9_0.x86_64.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.i686.rpm  
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.x86_64.rpm  
rubygem-io-console-0.5.7-160.el9_0.x86_64.rpm  
rubygem-io-console-debuginfo-0.5.7-160.el9_0.i686.rpm  
rubygem-io-console-debuginfo-0.5.7-160.el9_0.x86_64.rpm  
rubygem-json-2.5.1-160.el9_0.x86_64.rpm  
rubygem-json-debuginfo-2.5.1-160.el9_0.i686.rpm  
rubygem-json-debuginfo-2.5.1-160.el9_0.x86_64.rpm  
rubygem-psych-3.3.2-160.el9_0.x86_64.rpm  
rubygem-psych-debuginfo-3.3.2-160.el9_0.i686.rpm  
rubygem-psych-debuginfo-3.3.2-160.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

noarch:  
ruby-doc-3.0.4-160.el9_0.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-28738  
https://access.redhat.com/security/cve/CVE-2022-28739  
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYypfvtzjgjWX9erEAQjaXQ/+LfzraWPwLDEBfxU87XekVmDQn/KHLw0Q  
TPgRpDtvfVkmSDDCEvYvvMOYSW3MdNmNJOwPhQyJT3cBrq0zHUog0ejoJO5jV3B1  
rOStJ/EfwskmCVaPehhJvGfrKVr2l6Uo8SH0zrLMKBtqd42/GrO2eiDs/xxhVq5U  
wvgecfUQY8lfpJ25ELa/081aAe4Cg4NN7WShf7DFJ2tw+f/IguCWi+CHZoavv3AQ  
T7So/dbIjFJmliaPcTkvW02m+JHxNGduXJfelMXB72eyJR7/jEK7OvfE89a18yZ8  
P38biUIPZFNaLW1SN62GnA8Qby6g9C/1x+pXssEQ6fo1qJPk/bW6qYfPWWM4Op5N  
VsTFDx7EAZRCQFnyczTcaUE7g9s4ZovK4qMqTZq9BhP25m9yisvV1jizNpSU6vMi  
h37/Mi0gcOOcjbtj8Nlbtx+QsHFJvOgTjDIiwPVllMpxygWjSRRnR+LBoTHCPlP2  
ZG5q8MGwZAIfzKSP9Fjg58rJoiWnzyJWFLEym38lfrrjch21CtgaKm28wrKQ18PC  
7GQ/A/rARWMfAKnFYEO4zF07kidgTwyVJI5RJv8b9x4vLo7/G80CVDXIYjEDP4FR  
7fNpEfc9/owximR5WpTds3GfzTDSKzNonHX/oNhIaJLkQ27RTSPXORzxtAsz2a6j  
jbIYxx9rQto=komJ  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6585-01

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

**Description**

URL: https://demo.pimcore.fun/admin/

In Setting select User/Roles and select User. After created user, move to Workspace tab and inject payload XSS at Documents, Assets and Data Objects. XSS payload will be trigger.

Besides, Workspace in Roles Also having the same situation. Can you create Role and move to Workspace tab and inject payload to Documents, Assets, Data Objectes.

**Proof of Concept**

    // 
    payload =  "><img src=x onerror=alert(2)>
    

Image PoC: !\[PoC\_Image\] (https://drive.google.com/file/d/1oUR2JXF8jQ1YMpuKNNqKe8TAJaCuZwL8/view?usp=sharing "poc")

**Impact**

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

CVE-2022-3255: Reflected XSS In User/Roles Function in pimcore

YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `WidgetsManagement` module. A patch is available at commit b716ecea340783b842498425faa029800bd30420.

**YetiForce CRM vulnerable to stored Cross-site Scripting via WidgetsManagement module**

Moderate severity GitHub Reviewed Published Sep 21, 2022 • Updated Sep 21, 2022

GHSA-2qf8-h7pr-x2r8: YetiForce CRM vulnerable to stored Cross-site Scripting via WidgetsManagement module

YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the `SlaPolicy` module. A patch is available at commit e55886781509fe39951fc7528347696474a17884.

**YetiForce CRM vulnerable to stored Cross-site Scripting via SlaPolicy module**

Moderate severity GitHub Reviewed Published Sep 21, 2022 • Updated Sep 21, 2022

Tag

#xss