Publish Advisories

GHSA-h83r-7f9f-mqjj
GHSA-jfg6-4gx3-3v7w
GHSA-jwm4-955w-4hj3
GHSA-mj6v-4wr4-gj57
GHSA-x2pv-fph3-phfx
GHSA-h83r-7f9f-mqjj
GHSA-jfg6-4gx3-3v7w
GHSA-jwm4-955w-4hj3
GHSA-mj6v-4wr4-gj57
GHSA-x2pv-fph3-phfx

Author: advisory-database[bot]

advisories/github-reviewed/2025/10/GHSA-h83r-7f9f-mqjj/GHSA-h83r-7f9f-mqjj.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h83r-7f9f-mqjj",
+  "modified": "2025-10-29T22:05:42Z",
+  "published": "2025-10-29T15:31:56Z",
+  "aliases": [
+    "CVE-2025-64142"
+  ],
+  "summary": "Jenkins Nexus Task Runner Plugin is missing a permission check",
+  "details": "Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.\n\nAdditionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nAs of publication of this advisory, there is no fix.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.plugins:nexus-task-runner"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.9.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64142"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3550"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T22:05:42Z",
+    "nvd_published_at": "2025-10-29T14:15:58Z"
+  }
+}

advisories/github-reviewed/2025/10/GHSA-jfg6-4gx3-3v7w/GHSA-jfg6-4gx3-3v7w.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jfg6-4gx3-3v7w",
+  "modified": "2025-10-29T22:04:08Z",
+  "published": "2025-10-29T15:31:56Z",
+  "aliases": [
+    "CVE-2025-64134"
+  ],
+  "summary": "Jenkins JDepend Plugin vulnerable to XML external entity attacks",
+  "details": "Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks.\n\nThis allows attackers able to configure input files for the \"Report JDepend\" step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.\n\nAs of publication of this advisory, there is no fix.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.plugins:jdepend"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.3.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64134"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/jdepend-plugin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-2936"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-611"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T22:04:08Z",
+    "nvd_published_at": "2025-10-29T14:15:57Z"
+  }
+}

advisories/github-reviewed/2025/10/GHSA-jwm4-955w-4hj3/GHSA-jwm4-955w-4hj3.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jwm4-955w-4hj3",
+  "modified": "2025-10-29T22:05:03Z",
+  "published": "2025-10-29T15:31:56Z",
+  "aliases": [
+    "CVE-2025-64137"
+  ],
+  "summary": "Jenkins Themis Plugin is missing a permission check",
+  "details": "Jenkins Themis Plugin 1.4.1 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL.\n\nAdditionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nAs of publication of this advisory, there is no fix.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.plugins:themis"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.4.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64137"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/themis-plugin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3517"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T22:05:03Z",
+    "nvd_published_at": "2025-10-29T14:15:58Z"
+  }
+}

advisories/github-reviewed/2025/10/GHSA-mj6v-4wr4-gj57/GHSA-mj6v-4wr4-gj57.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mj6v-4wr4-gj57",
+  "modified": "2025-10-29T22:04:34Z",
+  "published": "2025-10-29T15:31:56Z",
+  "aliases": [
+    "CVE-2025-64139"
+  ],
+  "summary": "Jenkins Start Windocks Containers Plugin is missing a permission check",
+  "details": "Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL.\n\nAdditionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nAs of publication of this advisory, there is no fix.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.plugins:windocks-start-container"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64139"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/windocks-start-container-plugin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3531"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T22:04:34Z",
+    "nvd_published_at": "2025-10-29T14:15:58Z"
+  }
+}

advisories/github-reviewed/2025/10/GHSA-x2pv-fph3-phfx/GHSA-x2pv-fph3-phfx.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x2pv-fph3-phfx",
+  "modified": "2025-10-29T22:05:30Z",
+  "published": "2025-10-29T15:31:56Z",
+  "aliases": [
+    "CVE-2025-64141"
+  ],
+  "summary": "Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery",
+  "details": "Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.\n\nAdditionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nAs of publication of this advisory, there is no fix.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.plugins:nexus-task-runner"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.9.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64141"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3550"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T22:05:30Z",
+    "nvd_published_at": "2025-10-29T14:15:58Z"
+  }
+}