Jenkins Security Advisory 2018-07-30: Multiple Plugin Vulnerabilities (SSH Key Leak, CSRF, XSS, SSRF)

This webpage screenshot provides the following key information about the vulnerability: Advisory ID: Jenkins Security Advisory 2018-07-30 Vulnerable Plugins: Multiple Jenkins plugins are affected, including: - AccuRev Plugin - Agiletestware Pangolin Connector for TestRail Plugin - Anchor Container Image Scanner Plugin - ...and others Vulnerability Types: - SSH key leakage risk (SSH Agent Plugin) - CSRF vulnerabilities and missing permission checks (Resource Disposer Plugin, Publish Over CIFS Plugin, Confluence Publisher Plugin, Kubernetes Plugin, SaltStack Plugin, AccuRev Plugin, Maven Artifact ChoiceListProvider (Nexus) Plugin) - Tinfoil Security plugin stores API keys in plaintext in global configuration files - TraceTronic ECU-TEST plugin globally and unconditionally disables SSL/TLS certificate verification - TraceTronic ECU-TEST plugin allows server-side request forgery - SaltStack plugin contains stored XSS vulnerability - AccuRev plugin stores API keys in plaintext - Agile software development testing - Maven Artifact ChoiceList Provider (Nexus) plugin does not allow credential capture Affected Versions: Different plugin versions may be affected by their respective vulnerabilities. Fix: Specific remediation guidance is provided for each plugin, including updating to specified versions. Credit: Lists the researchers who discovered and reported these vulnerabilities. In summary, this advisory provides Jenkins plugin users with a detailed guide, clearly identifying the specific plugins affected, the types of vulnerabilities involved, the affected version ranges, remediation steps, and the names of researchers who discovered the vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Advisory 2018-07-30: Multiple Plugin Vulnerabilities (SSH Key Leak, CSRF, XSS, SSRF)