Source: ghsa

GHSA-x5gv-5rqv-654m: Jenkins Compuware Topaz for Total Test Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

GHSA-wmfh-h3vm-rcxm: Jenkins NeuVector Vulnerability Scanner Plugin disables Content-Security-Policy protection for user-generated content

Jenkins NeuVector Vulnerability Scanner Plugin 1.20 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

GHSA-5fvg-h778-jjjx: Jenkins Katalon Plugin Missing Authorization vulnerability

Jenkins Katalon Plugin 1.0.32 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Katalon Plugin 1.0.33 properly performs permission checks when accessing the affected HTTP endpoints.

GHSA-mf4p-wjrm-cmjp: Jenkins S3 Explorer Plugin does not mask the AWS_SECRET_ACCESS_KEY form field

Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

GHSA-vhwv-8897-jm7q: Jenkins Compuware Topaz for Total Test Plugin does not configure its XML parser to prevent XXE attacks

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

GHSA-x8j7-vxh9-p67g: Jenkins Katalon Plugin vulnerable to Cross-Site Request Forgery

A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Katalon Plugin 1.0.34 requires POST requests for the affected HTTP endpoints.

GHSA-2w2m-ccf8-57cq: Jenkins REPO Plugin does not configure XML parser to prevent XXE attacks

Jenkins REPO Plugin 1.15.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. REPO Plugin 1.16.0 disables external entity resolution for its XML parser.

GHSA-g975-f26h-93g8: Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of `input` steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify `input` step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins. Pipeline: Stage View Plugin 2.27 correctly encodes the ID of input steps when using it to generate URLs to proceed or abort Pipeline builds.

GHSA-j7pg-863g-22p6: Jenkins Mercurial Plugin provides info about jobs triggered or scheduled for polling through webhook endpoint

Jenkins Mercurial Plugin 1251.va_b_121f184902 and earlier provides information about which jobs were triggered or scheduled for polling through its webhook endpoint, including jobs the user has no permission to access. Mercurial Plugin 1260.vdfb_723cdcc81 does not provide the names of jobs for which polling is triggered unless the user has the appropriate Item/Read permission.

GHSA-f9qj-7gh3-mhj4: run-terraform allows for RCE via terraform plan

### Impact

_What kind of vulnerability is it? Who is impacted?_

All users of the `run-terraform` reusable workflow from the kartverket/github-workflows repo are affected. A malicious actor could potentially send a PR with a malicious payload leading to execution of arbitrary JavaScript code in the context of the workflow.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

Upgrade to at least 2.7.5 to resolve the issue.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Until you are able to upgrade, make sure to review any PRs from external users for malicious payloads before allowing them to trigger a build.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [kartverket/github-workflows](https://github.com/kartverket/github-workflows)