According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

  - Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the     SHA-1 hash of the script, making it vulnerable to collision attacks. (CVE-2022-45379)

  - Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to     clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability     exploitable by attackers with Item/Configure permission. (CVE-2022-45380)

  - Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically     evaluated and expanded. The standard format for interpolation is ${prefix:name}, where prefix is used     to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the     interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances     included interpolators that could result in arbitrary code execution or contact with remote servers. These     lookups are: - script - execute expressions using the JVM script execution engine (javax.script) - dns
    - resolve dns records - url - load values from urls, including from remote servers Applications using     the interpolation defaults in the affected versions may be vulnerable to remote code execution or     unintentional contact with remote servers if untrusted configuration values are used. Users are     recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators     by default. (CVE-2022-33980)

  - Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix     interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix     interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the     Jenkins controller file system. (CVE-2022-45381)

  - Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that     were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability     exploitable by attackers able to edit build display names. (CVE-2022-45382)

  - An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows     attackers with Support/DownloadBundle permission to download a previously created support bundle     containing information limited to users with Overall/Administer permission. (CVE-2022-45383)

  - Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the     global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the     Jenkins controller file system. (CVE-2022-45384)

  - A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier     allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified     repository. (CVE-2022-45385)

  - Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted     in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read     permission, or access to the Jenkins controller file system. (CVE-2022-45392)

  - Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally     disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.
    (CVE-2022-45391)

  - Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables     SSL/TLS certificate and hostname validation for several features. (CVE-2022-38666)

  - Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external     entity (XXE) attacks. (CVE-2022-45386)

  - Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it     on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability. (CVE-2022-45387)

  - Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP     endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins     controller file system. (CVE-2022-45388)

  - A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to     trigger builds of jobs corresponding to an attacker-specified repository. (CVE-2022-45389)

  - A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with     Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. (CVE-2022-45390)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows     attackers to delete build logs. (CVE-2022-45393)

  - A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read     permission to delete build logs. (CVE-2022-45394)

  - Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE)     attacks. (CVE-2022-45395)

  - Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external     entity (XXE) attacks. (CVE-2022-45396)

  - Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to     prevent XML external entity (XXE) attacks. (CVE-2022-45397)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier     allows attackers to delete recorded Jenkins Cluster Statistics. (CVE-2022-45398)

  - A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to     delete recorded Jenkins Cluster Statistics. (CVE-2022-45399)

  - Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity     (XXE) attacks. (CVE-2022-45400)

  - Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in     a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
    (CVE-2022-45401)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Jenkins plugins Multiple Vulnerabilities (2022-11-15)

critical Nessus Plugin ID 179362

Version 1.3

Version 1.2

Version 1.1

Version 1.0

Version 1.3 Oct 4, 2024, 1:49 AM Plugin metadata Plugin Feed: 202410040149
Version 1.2 Jun 5, 2024, 10:55 AM Required Scan configuration ("Enable cgi scanning" set to "True") Plugin Feed: 202406051055
Version 1.1 Aug 7, 2023, 3:37 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:F/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") CVSSv3 score source (set to "CVE-2022-45400") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" set to "Exploits are available") Plugin Feed: 202308071537
Version 1.0 Aug 4, 2023, 10:12 PM New Plugin Feed: 202308042212