#git

Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These credentials can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file `org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml` on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins controller file system. Additionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it. As of publication of this advisory, there is no fix.

Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file `com.sensedia.configuration.SensediaApiConfiguration.xml` on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file system. Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it. As of publication of this advisory, there is no fix.

QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file `org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml` on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins controller file system. Additionally, the global configuration form does not mask this key, increasing the potential for attackers to observe and capture it. As of publication of this advisory, there is no fix.

Jenkins Git Parameter Plugin implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions. Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices. This allows attackers with Item/Build permission to inject arbitrary values into Git parameters. Git Parameter Plugin 444.vca_b_84d3703c2 validates that the Git parameter value submitted to the build matches one of the offered choices.

### Summary Possibility to craft a request that will crash the Qwik Server in the default configuration. ### Details When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit. ### PoC 1. Setup a Qwik Project `pnpm create qwik@latest` 2. Start the Qwik Server using `pnpm run preview` 3. Execute the following curl command to crash the instance ```bash curl --location 'http://localhost:4173/?qfunc=PPXYallGsCE' \ --header 'Content-Type: application/qwik-json' \ --header 'X-Qrl: PPXYallGsCE' \ --data '{"_entry":"2","_objs":["\u0002_#s_PPXYallGsCE",1,["0","1"]]}' ``` Here the `qfunc` query parameter, `X-Qrl` header and payload need to have the same qrl. The Qwik Server will then crash with the message ``` qrl s_PPXYallGsCE failed to load Error: Dynamic require of "_.js" is not supported at file:///home/michele/Code/qwik/server/en...