11 matches found
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Overview org.jenkins-ci.plugins:matrix-auth is a The Jenkins Plugins Parent POM Project Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection' via the inheritanceStrategy deserialization path in...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the job configuration form, where API keys are not masked. An attacker can obtain sensitive credentials by viewing the exposed API keys during job configuration. Remediation Upgrade...
RHEL 8 : Red Hat Product OCP Tools 4.13 OpenShift Jenkins (RHSA-2025:10119)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:10119 advisory. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by...
Access Control Bypass
Overview io.jenkins.plugins:oidc-provider is an OpenID Connect Provider Plugin for Jenkins. Affected versions of this package are vulnerable to Access Control Bypass via the generation of build ID Tokens using potentially overridden values of environment variables. An attacker can impersonate a...
Cross-site Request Forgery (CSRF)
Overview io.jenkins.plugins:simple-queue is a plugin that enables to change queue order by simple up & down arrow buttons. UI Queue Sorter. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the HTTP endpoints. An attacker can manipulate the build queue order ...
RHEL 8 : Red Hat Product OCP Tools 4.13 Openshift Jenkins (RHSA-2024:8887)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:8887 advisory. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cro...
jenkins -- multiple vulnerabilities
Jenkins Security Advisory: Description High SECURITY-3037 / CVE-2023-27898 XSS vulnerability in plugin manager Medium SECURITY-3030 / CVE-2023-24998 upstream issue, CVE-2023-27900 MultipartFormDataParser, CVE-2023-27901 StaplerRequest DoS vulnerability in bundled Apache Commons FileUpload library...
GHSA-5PMP-7WC9-V7VW Cross-site Scripting in Jenkins JDK Parameter Plugin
Jenkins JDK Parameter Plugin 1.0 and earlier does not escape the name and description of JDK parameters on views displaying parameters. This results in stored cross-site scripting XSS vulnerabilities exploitable by attackers with Item/Configure permission. Exploitation of this vulnerability...
Jenkins Script Security 1.49 / Declarative 1.3.4 / Groovy 2.60 Remote Code Execution
!/usr/bin/env python Exploit Title : jenkins-preauth-rce-exploit.py Date : 02/23/2019 Authors : wetw0rk & 0xtavian Vendor Homepage : https://jenkins.oi Software Link : https://jenkins.io/download/ Tested on : jenkins=v2.73 Plugins: Script Security=v1.49, Pipeline: Declarative=v1.3.4, Pipeline:...
Jenkins 低权限用户 API 服务调用 可致远程命令执行
漏洞演示 将 Jenkins 跑起来后,在低权限用户下构造 XML 文档: hashCode open /Applications/Calculator.app false 0 0 0 start 1 发送 Payload 至接口 http://...:8080/jenkins/createItem?name=knownsec: 成功后服务端会运行 计算器 程序。 漏洞影响 影响版本: 1.650 (1.650版本已修复该问题) 从zoomeye.org上搜索设备指纹“Jenkins” 从搜索的结果来看,约存在20000个潜在受到影响的目标。 相关链接...
Jenkins CLI RMI Java Deserialization Vulnerability
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. Authentication is not required to exploit this vulnerability. This module requires Metasploit: https://metasploit.com/download Current source:...