Message-Id: <A6EAA39C-0730-480F-AB65-23AECBEDF9E8@beckweb.net>
Date: Wed, 19 Mar 2025 14:08:16 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins plugins

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* EDDSA API Plugin 0.3.0.1-16.vcb_4a_98a_3531c
* Zoho QEngine Plugin 1.0.31.v4a_b_1db_6d6a_f2

Additionally, we announce unresolved security issues in the following plugins:

* AnchorChain Plugin

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://www.jenkins.io/security/advisory/2025-03-19/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-3404 / CVE-2020-36843

EDDSA API Plugin makes the EdDSA-Java library (`ed25519-java`) available to other plugins.

EDDSA API Plugin 0.3.0-13.v7cb_69ed68f00 and earlier bundles version 0.3.0 of EdDSA-Java, which exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property.

This allows attackers to create new valid signatures different from previous signatures for a known message.

SECURITY-3529 / CVE-2025-30196

AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the `javascript:` scheme.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step.

As of publication of this advisory, there is no fix.

SECURITY-3511 / CVE-2025-30197 Zoho QEngine Plugin stores the QEngine API Key in job `config.xml` files on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in Zoho QEngine Plugin 1.0.29.vfa_cc23396502 and earlier the job configuration form does not mask the QEngine API Key form field, increasing the potential for attackers to observe and capture it.
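The malleability in SECURITY-3404 comes down to the verifier not enforcing that the signature's scalar S is a canonical value below the Ed25519 group order L, as RFC 8032 requires. The following added example (not code from the advisory or from the ed25519-java project) is the strict-encoding pre-check a consumer of a signature library can run, together with a negative test vector generator that re-encodes S as S + L so a deployment can confirm its verifier rejects the non-canonical form; the sample signature bytes are constructed and are not a real signature.

```python
# Added example, not from the Jenkins advisory or ed25519-java.
# Ed25519 signatures are 64 bytes: R (32 bytes) || S (32 bytes, little-endian).
# RFC 8032 section 5.1.7 requires rejecting S >= L. A verifier that skips this
# check treats S and S + L as the same scalar, so two distinct byte strings
# verify for one message: the SUF-CMA failure described for EdDSA-Java 0.3.0.

# Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493
ED25519_ORDER = (1 << 252) + 27742317777372353535851937790883648493

# Constructed sample (not a real signature): arbitrary R bytes and a small S.
SAMPLE_SIGNATURE = bytes(range(32)) + (12345678901234567890).to_bytes(32, "little")


def has_canonical_s(signature: bytes) -> bool:
    """Strict pre-check: True only if the signature is 64 bytes and S < L."""
    if len(signature) != 64:
        return False
    s = int.from_bytes(signature[32:], "little")
    return s < ED25519_ORDER


def scalar_mod_order(signature: bytes) -> int:
    """The scalar a lax verifier effectively uses: S reduced modulo L."""
    return int.from_bytes(signature[32:], "little") % ED25519_ORDER


def noncanonical_variant(signature: bytes) -> bytes:
    """Negative test vector for verifier hardening: same R, S re-encoded as S + L.

    For any canonical S (S < L < 2^253) the sum still fits in 32 bytes, so the
    result is a well-formed 64-byte value that a strict verifier must reject.
    """
    if not has_canonical_s(signature):
        raise ValueError("input must be a 64-byte signature with canonical S")
    r = signature[:32]
    s = int.from_bytes(signature[32:], "little")
    return r + (s + ED25519_ORDER).to_bytes(32, "little")


if __name__ == "__main__":
    variant = noncanonical_variant(SAMPLE_SIGNATURE)
    print("canonical sample accepted by pre-check:", has_canonical_s(SAMPLE_SIGNATURE))
    print("S + L variant rejected by pre-check:", not has_canonical_s(variant))
    print("same scalar mod L:", scalar_mod_order(variant) == scalar_mod_order(SAMPLE_SIGNATURE))
```

Run the pre-check before handing bytes to any verifier whose strictness you have not confirmed; a verifier that accepts the output of noncanonical_variant for a message it accepted the original for is the lax behaviour this advisory describes.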