Jenkins Multiple Plugin Vulnerabilities Summary (CVE-2023-39151/39152/39153)

Key Vulnerability Summary 1. Stored XSS Vulnerability CVE: CVE-2023-39151 CVSS: High Description: Jenkins versions 2.415 and earlier fail to properly encode URLs when generating build logs, leading to a stored cross-site scripting (XSS) vulnerability. Affected Versions: Jenkins (core), Bazaar Plugin, Chef Identity Plugin, GitLab Authentication Plugin, Gradle Plugin, Qualys Web App Scanning Connector Plugin, ServiceNow DevOps Plugin 2. Gradle Plugin Control Flow Error Leading to Credential Exposure CVE: CVE-2023-39152 CVSS: Medium Description: The Gradle Plugin may improperly mask credentials in certain scenarios when processing build logs. Affected Versions: Gradle Plugin 2.8 and earlier. Fixed Version: Gradle Plugin 2.8.1 3. GitLab Authentication Plugin CSRF Vulnerability CVE: CVE-2023-39153 CVSS: Medium Description: The GitLab Authentication Plugin does not properly implement the state parameter in the OAuth flow, allowing attackers to trick users into logging into attacker-controlled accounts. Affected Versions: GitLab Authentication Plugin 1.17.1 and earlier. Fixed Version: GitLab Authentication Plugin 1.18 4. ServiceNow DevOps Plugin CSRF and Missing Authorization Check Vulnerabilities CVE: CVE-2023-3414, CVE-2023-3442 CVSS: Medium Description: The ServiceNow DevOps Plugin lacks authorization checks in form validation methods and allows attackers to perform CSRF attacks via GET requests. Affected Versions: ServiceNow DevOps Plugin 1.38.0 and earlier. Fixed Version: ServiceNow DevOps Plugin 1.38.1 5. Qualys Web App Scanning Connector Plugin Authorization Check Flaw CVE: CVE-2023-39154 CVSS: Medium Description: The plugin has incorrect authorization checks on multiple HTTP endpoints, allowing attackers to capture credentials stored in Jenkins. Affected Versions: Qualys Web App Scanning Connector Plugin 2.0.10 and earlier. Fixed Version: Qualys Web App Scanning Connector Plugin 2.0.11 6. Chef Identity Plugin Credential Disclosure CVE: CVE-2023-39155 CVSS: Low Description: The Chef Identity Plugin fails to properly mask the user.pem key in the configuration interface. Affected Versions: Chef Identity Plugin 2.0.3 and earlier. Current Status: No fix available. 7. Bazaar Plugin CSRF Vulnerability CVE: CVE-2023-39156 CVSS: Medium Description: The Bazaar Plugin does not require POST for handling requests on a specific HTTP endpoint, resulting in a CSRF vulnerability. Affected Versions: Bazaar Plugin 1.22 and earlier. Current Status: No fix available.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Multiple Plugin Vulnerabilities Summary (CVE-2023-39151/39152/39153)