Publish Advisories

GHSA-23vj-j6jc-w892
GHSA-3jw2-5hjg-hc2c
GHSA-6mgr-3374-4p3c
GHSA-23vj-j6jc-w892
GHSA-3jw2-5hjg-hc2c
GHSA-6mgr-3374-4p3c

Author: advisory-database[bot]

advisories/github-reviewed/2025/10/GHSA-23vj-j6jc-w892/GHSA-23vj-j6jc-w892.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-23vj-j6jc-w892",
+  "modified": "2025-10-29T21:52:21Z",
+  "published": "2025-10-29T15:31:56Z",
+  "aliases": [
+    "CVE-2025-64146"
+  ],
+  "summary": "Jenkins Curseforge Publisher Plugin stores API Keys unencrypted in job config.xml files",
+  "details": "Jenkins Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration.\n\nThese keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.\n\nAdditionally, the job configuration form does not mask these keys, increasing the potential for attackers to observe and capture them.\n\nAs of publication of this advisory, there is no fix.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.plugins:curseforge-publisher"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64146"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/curseforge-publisher-plugin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3562"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-311"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T21:52:21Z",
+    "nvd_published_at": "2025-10-29T14:15:59Z"
+  }
+}

advisories/github-reviewed/2025/10/GHSA-3jw2-5hjg-hc2c/GHSA-3jw2-5hjg-hc2c.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3jw2-5hjg-hc2c",
+  "modified": "2025-10-29T21:49:59Z",
+  "published": "2025-10-29T15:31:56Z",
+  "aliases": [
+    "CVE-2025-64133"
+  ],
+  "summary": "Jenkins Extensible Choice Parameter Plugin vulnerable to cross-site request forgery",
+  "details": "Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nThis vulnerability allows attackers to execute sandboxed Groovy code.\n\nAs of publication of this advisory, there is no fix.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "jp.ikedam.jenkins.plugins:extensible-choice-parameter"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "239.v5f5c278708cf"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64133"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/extensible-choice-parameter-plugin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3583"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T21:49:59Z",
+    "nvd_published_at": "2025-10-29T14:15:57Z"
+  }
+}

advisories/github-reviewed/2025/10/GHSA-6mgr-3374-4p3c/GHSA-6mgr-3374-4p3c.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6mgr-3374-4p3c",
+  "modified": "2025-10-29T21:51:50Z",
+  "published": "2025-10-29T15:31:56Z",
+  "aliases": [
+    "CVE-2025-64138"
+  ],
+  "summary": "Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery",
+  "details": "Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL.\n\nAdditionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nAs of publication of this advisory, there is no fix.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.jenkins-ci.plugins:windocks-start-container"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64138"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jenkinsci/windocks-start-container-plugin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.jenkins.io/security/advisory/2025-10-29/#SECURITY-3531"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T21:51:50Z",
+    "nvd_published_at": "2025-10-29T14:15:58Z"
+  }
+}