Jenkins Security Advisory 2025-07-09: Multiple Plugin Vulnerabilities (Credential Leakage, XSS)

Key Information Vulnerability Description Jenkins Security Advisory 2025-07-09 - Describes multiple security vulnerabilities present in various plugins, including: - Improper credential masking in the Credentials Binding Plugin - File path information disclosure in the HTML Publisher Plugin - Lack of input validation for parameter values in the Git Parameter Plugin - Storage and display of plaintext tokens or keys in the Aqua Security Scanner Plugin, Statistics Gathering Plugin, etc. - Stored XSS vulnerability in the Appium Eyes Plugin - Storage and display of plaintext API keys in the QMetry Test Management Plugin, Testigma Test Plan Runner Plugin, etc. - Storage and display of plaintext keys or tokens in the IFTTT Build Notifier Plugin, IBM Cloud DevOps Plugin, etc. Severity Critical: Jenkins CLI Plugin, GitHub API Plugin, etc. High: AWS CodeDeploy Plugin, Azure Key Vault Plugin, etc. Medium: Docker Plugin, Git Plugin, etc. Low: Maven Integration Plugin, Pipeline Plugin, etc. Affected Versions Lists specific plugin versions affected, such as: - Jenkins CLI Plugin: versions 2.63.1 and earlier - GitHub API Plugin: versions 1.114 and earlier - AWS CodeDeploy Plugin: versions 1.14 and earlier - etc. Mitigation Measures Provides remediation recommendations and updated versions for each vulnerability, for example: - Upgrade to Jenkins CLI Plugin version 2.64 or later - Upgrade to GitHub API Plugin version 1.115 or later - Upgrade to AWS CodeDeploy Plugin version 1.15 or later - etc. Acknowledgments Thanks to the security researchers and teams who discovered and reported these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory 2025-07-09: Multiple Plugin Vulnerabilities (Credential Leakage, XSS)