Key information

Vulnerability description
Jenkins Security Advisory 2025-07-09 describes security vulnerabilities in multiple plugins, including:
- Credentials Binding Plugin: credentials are not correctly masked. The plugin's masking replaces bound secret values in the build log with asterisks; any output path that bypasses the mask exposes the secret to everyone who can read the build log.
- HTML Publisher Plugin: file path information disclosure.
- Git Parameter Plugin: missing input validation of the parameter value.
- Aqua Security Scanner Plugin, Statistics Gathering Plugin, ReadyAPI Functional Testing Plugin, Applitools Eyes Plugin, QMetry Test Management Plugin, Testsigma Test Plan run Plugin, IFTTT Build Notifier Plugin, IBM Cloud DevOps Plugin, Spice Loadtest Plugin, Dead Man's Snitch Plugin, Maddy Plugin, Novoza OneCloud Plugin, Kryptonite Plugin, Sensedia Api Platform Plugin, Warrior Framework Plugin, Xoon Plugin and Userlist Ufacial Plugin: tokens or keys are stored and displayed without masking. A token kept as a plain string is readable by anyone with file-system access to the controller's configuration, and an unmasked configuration form shows it to anyone who can open that form.

Severity
The advisory rates each plugin entry individually on its Critical / High / Medium / Low scale. This summary does not carry a per-plugin rating, so take the rating from the advisory entry for each plugin before prioritising the update.

Affected versions
The affected plugin versions as listed in this summary:
- Jenkins Pipeline Steps API Plugin: 1.8 to 1.10
- Credentials Binding Plugin: 1.13 to 1.16
- HTML Publisher Plugin: 1.19 to 1.22
- Git Parameter Plugin: 0.9.13 to 0.9.16
- Aqua Security Scanner Plugin: 1.0.0 to 1.0.3
- Statistics Gathering Plugin: 0.14 to 0.17
- ReadyAPI Functional Testing Plugin: 1.0.0 to 1.0.3
- Applitools Eyes Plugin: 3.10.0 to 3.13.0
- QMetry Test Management Plugin: 3.1.0 to 3.1.3
- Testsigma Test Plan run Plugin: 1.0.0 to 1.0.3
- IFTTT Build Notifier Plugin: 1.0.0 to 1.0.3
- IBM Cloud DevOps Plugin: 1.0.0 to 1.0.3
- Spice Loadtest Plugin: 1.0.0 to 1.0.3
- Dead Man's Snitch Plugin: 1.0.0 to 1.0.3
- Maddy Plugin: 1.0.0 to 1.0.3
- Novoza OneCloud Plugin: 1.0.0 to 1.0.3
- Kryptonite Plugin: 1.0.0 to 1.0.3
- Sensedia Api Platform Plugin: 1.0.0 to 1.0.3
- Warrior Framework Plugin: 1.0.0 to 1.0.3
- Xoon Plugin: 1.0.0 to 1.0.3
- Userlist Ufacial Plugin: 1.0.0 to 1.0.3
Plugin releases built with Jenkins' automated versioning carry version strings of the form 1234.vabcdef (a build number followed by a commit hash) rather than short numbers like those above; when deciding whether an installed plugin is affected, compare against the exact version string in the advisory entry.

Fix
The advisory provides, for each vulnerability, a fix recommendation and the updated plugin version; update each affected plugin to that version or later.

This information helps users see which plugins carry a security risk and how to resolve it by updating to the latest versions.
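The masking failure named above for Credentials Binding Plugin is easiest to see in code. The block below is an added illustration, not the plugin's code: it builds a mask the way a console-log masker typically does (one regex over every bound secret value plus the URL-encoded and Base64 forms in which secrets resurface in logs, each match replaced with ****), then runs a constructed sample build step twice, once with exception text written to the log around the mask and once with every line routed through it. The token, URL and messages are constructed for the example.

```python
import base64
import re
import urllib.parse


def masking_pattern(secrets):
    """Compile one regex matching every secret value plus the encodings in
    which a bound credential commonly reappears in a build log: URL-encoded
    (query strings) and Base64 (HTTP Basic headers)."""
    variants = set()
    for s in secrets:
        if not s:
            continue  # an empty secret would match everywhere and wipe the log
        variants.add(s)
        variants.add(urllib.parse.quote(s, safe=""))
        variants.add(base64.b64encode(s.encode()).decode())
    if not variants:
        return re.compile(r"(?!)")  # never matches
    # Longest alternatives first so a shorter secret never shadows a longer one.
    ordered = sorted(variants, key=len, reverse=True)
    return re.compile("|".join(re.escape(v) for v in ordered))


def mask(text, pattern):
    return pattern.sub("****", text)


def run_step_unmasked_errors(secrets, step):
    """Failure mode: only the step's normal output passes through the mask.
    When the step throws, the exception message is logged raw, so a secret
    embedded in it (request URL, header, stack trace) leaks into the log."""
    pattern = masking_pattern(secrets)
    log = []
    try:
        for line in step(secrets):
            log.append(mask(line, pattern))
    except Exception as exc:
        log.append(f"ERROR: {exc}")  # bypasses the mask
    return log


def run_step_masked_errors(secrets, step):
    """Hardened: one choke point masks every line that reaches the log,
    including error text."""
    pattern = masking_pattern(secrets)
    log = []

    def emit(line):
        log.append(mask(line, pattern))

    try:
        for line in step(secrets):
            emit(line)
    except Exception as exc:
        emit(f"ERROR: {exc}")
    return log


def leaked(lines, secrets):
    """True if any secret, in any tracked encoding, survives in the log."""
    pattern = masking_pattern(secrets)
    return any(pattern.search(line) for line in lines)


# Constructed sample step: "calls" an API with the token in the query string,
# then fails with an error that echoes the request URL, as HTTP client
# exceptions often do.
def sample_step(secrets):
    token = secrets[0]
    yield f"Calling API with token {token}"
    url = "https://api.example.test/v1/ping?token=" + urllib.parse.quote(token, safe="")
    raise RuntimeError(f"401 Unauthorized for {url}")


SAMPLE_SECRETS = ["s3cr3t-Tok3n!"]  # constructed

if __name__ == "__main__":
    for runner in (run_step_unmasked_errors, run_step_masked_errors):
        lines = runner(SAMPLE_SECRETS, sample_step)
        print(runner.__name__, "LEAKED" if leaked(lines, SAMPLE_SECRETS) else "clean")
        for line in lines:
            print("   ", line)
```

The point of the second runner is structural rather than clever: the mask must sit at the single place where bytes reach the log, so that stack traces, wrapped exceptions and library error messages cannot carry a bound secret past it.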
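To act on the version list, an administrator needs the installed version of each plugin named here. The script below is an added example, not part of the advisory: it reads the plugin list a controller returns from /pluginManager/api/json?depth=1 (here a constructed sample embedded inline), orders both legacy ("1.16") and automated-versioning ("700.v3b_2c4d5e6f7a_8") version strings by their leading numeric segments, and reports the installed plugins that fall inside an affected range. The short names credentials-binding, htmlpublisher and git-parameter are those plugins' real IDs; the upper bounds are the ones summarised on this page and should be replaced with the advisory's exact values; fetch_plugins_json with its URL and credentials is an assumption for live use.

```python
import base64
import json
import re
import urllib.request

# Upper bound of the affected range per plugin, keyed by the "shortName" the
# Jenkins plugin API reports. Bounds are as summarised on this page; replace
# them with the advisory's exact values before relying on the report.
AFFECTED_THROUGH = {
    "credentials-binding": "1.16",
    "htmlpublisher": "1.22",
    "git-parameter": "0.9.16",
}


def version_key(version):
    """Order Jenkins plugin versions. Legacy releases look like "1.16";
    automated-versioning releases look like "700.v3b_2c4d5e6f7a_8". In both,
    the leading numeric segments carry the ordering, so collect those and
    stop at the first segment that does not start with a digit."""
    key = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        key.append(int(m.group()))
    return tuple(key)


def is_affected(installed, affected_through):
    return version_key(installed) <= version_key(affected_through)


def audit(plugins_json, affected_through=AFFECTED_THROUGH):
    """Take the body of /pluginManager/api/json?depth=1 and return the
    installed plugins inside an affected range. Disabled plugins are reported
    too: their code stays on the controller until updated or removed."""
    report = []
    for p in json.loads(plugins_json)["plugins"]:
        name = p["shortName"]
        if name in affected_through and is_affected(p["version"], affected_through[name]):
            report.append({
                "plugin": name,
                "installed": p["version"],
                "affected_through": affected_through[name],
                "active": p.get("active", True),
            })
    return sorted(report, key=lambda r: r["plugin"])


def fetch_plugins_json(base_url, user, api_token):
    """Pull the live plugin list from a controller (assumed URL and API token;
    not exercised offline)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


# Constructed sample of the API response; versions are made up.
SAMPLE_PLUGINS_JSON = json.dumps({"plugins": [
    {"shortName": "git-parameter", "version": "0.9.14", "active": True},
    {"shortName": "credentials-binding", "version": "700.v3b_2c4d5e6f7a_8", "active": True},
    {"shortName": "htmlpublisher", "version": "1.22", "active": False},
    {"shortName": "workflow-aggregator", "version": "600.vb_57cdd26fdd7", "active": True},
]})

if __name__ == "__main__":
    for row in audit(SAMPLE_PLUGINS_JSON):
        state = "enabled" if row["active"] else "DISABLED"
        print(f'{row["plugin"]}: installed {row["installed"]} '
              f'<= affected through {row["affected_through"]} ({state})')
```

For a live controller, replace SAMPLE_PLUGINS_JSON with fetch_plugins_json("https://jenkins.example.test", "admin", "<api token>") and extend AFFECTED_THROUGH with the remaining plugins from the advisory; the comparison works unchanged for both version formats because the build number of an automated version sorts above any legacy short version.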