ghsa

Jenkins Pipeline Utility Steps Plugin provides the `untar` and `unzip` Pipeline steps to extract archives into job workspaces. Pipeline Utility Steps Plugin 2.15.2 and earlier does not validate or limit file paths of files contained within these archives. This allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content. Pipeline Utility Steps Plugin 2.15.3 rejects extraction of files in `tar` and `zip` archives that would be placed outside the expected destination directory.

Jenkins Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to reset profiler statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.

Jenkins Sidebar Link Plugin allows specifying files in the `userContent/` directory for use as link icons. Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. Sidebar Link Plugin 2.2.2 ensures that only files located within the expected `userContent/` directory can be accessed.

Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters. This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. File Parameter Plugin 285.287.v4b_7b_29d3469d restricts the name (and resulting uploaded file name) of Stashed File Parameters.

Jenkins Ansible Plugin allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets. Ansible Plugin 204.v8191fd551eb_f and earlier stores these extra variables unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These extra variables can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these extra variables, increasing the potential for attackers to observe and capture them. Ansible Plugin 205.v4cb_c48657c21 masks extra variables displayed on the configuration form, and stores them encrypted once job configurations are saved again.

Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Azure VM Agents Plugin 853.v4a_1a_dd947520 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. CAS Plugin 1.6.3 invalidates the existing session on login.

Jenkins Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to reset profiler statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.

Jenkins AppSpider Plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. AppSpider Plugin 1.0.16 requires POST requests and Overall/Administer permission for the affected form validation method.

Jenkins NS-ND Integration Performance Publisher Plugin stores credentials in job config.xml files on the Jenkins controller as part of its configuration. While these credentials are stored encrypted on disk, in NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them. NS-ND Integration Performance Publisher Plugin 4.11.0.48 masks credentials displayed on the configuration form.