Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables SSL/TLS certificate and hostname validation for several features.

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities:

  - Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the     SHA-1 hash of the script, making it vulnerable to collision attacks. (CVE-2022-45379)

  - Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to     clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability     exploitable by attackers with Item/Configure permission. (CVE-2022-45380)

  - Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically     evaluated and expanded. The standard format for interpolation is ${prefix:name}, where prefix is used     to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the     interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances     included interpolators that could result in arbitrary code execution or contact with remote servers. These     lookups are: - script - execute expressions using the JVM script execution engine (javax.script) - dns
    - resolve dns records - url - load values from urls, including from remote servers Applications using     the interpolation defaults in the affected versions may be vulnerable to remote code execution or     unintentional contact with remote servers if untrusted configuration values are used. Users are     recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators     by default. (CVE-2022-33980)

  - Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix     interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix     interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the     Jenkins controller file system. (CVE-2022-45381)

  - Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that     were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability     exploitable by attackers able to edit build display names. (CVE-2022-45382)

  - An incorrect permission check in Jenkins Support Core Plugin 1206.v14049fa_b_d860 and earlier allows     attackers with Support/DownloadBundle permission to download a previously created support bundle     containing information limited to users with Overall/Administer permission. (CVE-2022-45383)

  - Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP manager password unencrypted in the     global config.xml file on the Jenkins controller where it can be viewed by attackers with access to the     Jenkins controller file system. (CVE-2022-45384)

  - A missing permission check in Jenkins CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier     allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified     repository. (CVE-2022-45385)

  - Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted     in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read     permission, or access to the Jenkins controller file system. (CVE-2022-45392)

  - Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier globally and unconditionally     disables SSL/TLS certificate and hostname validation for the entire Jenkins controller JVM.
    (CVE-2022-45391)

  - Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and earlier unconditionally disables     SSL/TLS certificate and hostname validation for several features. (CVE-2022-38666)

  - Jenkins Violations Plugin 0.7.11 and earlier does not configure its XML parser to prevent XML external     entity (XXE) attacks. (CVE-2022-45386)

  - Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed content of build logs before rendering it     on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability. (CVE-2022-45387)

  - Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP     endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins     controller file system. (CVE-2022-45388)

  - A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to     trigger builds of jobs corresponding to an attacker-specified repository. (CVE-2022-45389)

  - A missing permission check in Jenkins loader.io Plugin 1.0.1 and earlier allows attackers with     Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. (CVE-2022-45390)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Delete log Plugin 1.0 and earlier allows     attackers to delete build logs. (CVE-2022-45393)

  - A missing permission check in Jenkins Delete log Plugin 1.0 and earlier allows attackers with Item/Read     permission to delete build logs. (CVE-2022-45394)

  - Jenkins CCCC Plugin 0.6 and earlier does not configure its XML parser to prevent XML external entity (XXE)     attacks. (CVE-2022-45395)

  - Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XML parser to prevent XML external     entity (XXE) attacks. (CVE-2022-45396)

  - Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does not configure its XML parser to     prevent XML external entity (XXE) attacks. (CVE-2022-45397)

  - A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster Statistics Plugin 0.4.6 and earlier     allows attackers to delete recorded Jenkins Cluster Statistics. (CVE-2022-45398)

  - A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 and earlier allows attackers to     delete recorded Jenkins Cluster Statistics. (CVE-2022-45399)

  - Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser to prevent XML external entity     (XXE) attacks. (CVE-2022-45400)

  - Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in     a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.
    (CVE-2022-45401)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.346.x prior to 2.346.40.0.6 or 2.x prior to 2.361.3.4. It is, therefore, affected by multiple vulnerabilities including the following:

  - CVE-2022-38751 on snakeyaml (fixed train 2.346.x.0.z) (BEE-23728)

  - CVE-2022-38749 on snakeyaml (fixed train 2.346.x.0.z) (BEE-23729)

  - Remote code execution vulnerability in Pipeline Utility Steps Plugin (CVE-2022-33980)

  - SSL/TLS certificate validation unconditionally disabled by NS-ND Integration Performance Publisher Plugin     (CVE-2022-38666)

  - Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)

  - Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)

  - Arbitrary file read vulnerability in Pipeline Utility Steps Plugin (CVE-2022-45381)

  - Stored XSS vulnerability in Naginator Plugin (CVE-2022-45382)

  - Incorrect permission checks in Support Core Plugin (CVE-2022-45383)

  - Password stored in plain text by Reverse Proxy Auth Plugin (CVE-2022-45384)

  - Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin     (CVE-2022-45385)

  - XXE vulnerability on agents in Violations Plugin (CVE-2022-45386)

  - Stored XSS vulnerability in BART Plugin (CVE-2022-45387)

  - Arbitrary file read vulnerability in Config Rotator Plugin (CVE-2022-45388)

  - Lack of authentication mechanism for webhook in XP-Dev Plugin (CVE-2022-45389)

  - Missing permission check in loader.io Plugin allows enumerating credentials IDs (CVE-2022-45390)

  - SSL/TLS certificate validation globally and unconditionally disabled by NS-ND Integration Performance     Publisher Plugin (CVE-2022-45391)

  - Passwords stored in plain text by NS-ND Integration Performance Publisher Plugin (CVE-2022-45392)

  - CSRF vulnerability and missing permission check in Delete log Plugin (CVE-2022-45393, CVE-2022-45394)

  - XXE vulnerability on agents in CCCC Plugin (CVE-2022-45395)

  - XXE vulnerability on agents in SourceMonitor Plugin (CVE-2022-45396)

  - XXE vulnerability on agents in OSF Builder Suite :: XML Linter Plugin (CVE-2022-45397)

  - CSRF vulnerability and missing permission check in Cluster Statistics Plugin (CVE-2022-45398,     CVE-2022-45399)

  - XXE vulnerability in JAPEX Plugin (CVE-2022-45400)

  - Stored XSS vulnerability in Associated Files Plugin (CVE-2022-45401)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
179362	Jenkins plugins Multiple Vulnerabilities (2022-11-15)	Nessus	CGI abuses	critical
167634	Jenkins Enterprise and Operations Center 2.346.x < 2.346.40.0.6 / 2.361.3.4 Multiple Vulnerabilities (CloudBees Security Advisory 2022-11-15)	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2022-38666

high

Tenable Plugins

critical

critical