PT-2022-22363 · Jenkins · Jenkins Xpath Configuration Viewer Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins XPath Configuration Viewer Plugin versions 1.1.1 and earlier Description: A missing permission check in the Jenkins XPath Configuration Viewer Plugin allows attackers with Overall/Read permission to access the XPath Configuration View...
PT-2022-22346 · Jenkins · Jenkins Recipe Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Recipe Plugin versions 1.2 and earlier Description: The issue is related to missing permission checks in the Jenkins Recipe Plugin, allowing attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL a...
CVE-2022-34199
Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
GHSA-GFHJ-524Q-GCRM Stored XSS vulnerability in Jenkins console links
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2...
GHSA-HJ32-9MCW-5CWH Missing permission check in Jenkins Project Inheritance Plugin
Jenkins limits access to job configuration XML data config.xml to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. Project Inheritance Plugin has several job inspection features, including the API URL /job/…/getConfigAsXML for its Inheritance Project job typ...
Credentials stored in plain text by Jenkins Copr Plugin
Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. Copr Plugin 0.6.1 stores these credentials encrypted. This chang...
GHSA-G8PG-QRVM-WGH2 Improper Neutralization of Input During Web Page Generation in Jenkins
Jenkins 2.227 and earlier, LTS 2.204.5 and earlier does not properly escape node labels that are shown in the form validation for label expressions on job configuration pages, resulting in a stored XSS vulnerability exploitable by users able to define node labels...
GHSA-8MJP-8C2X-3G7W Jenkins QMetry for JIRA Plugin stored credentials in plain text
Jenkins QMetry for JIRA - Test Management Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller as part of its post-build step configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system...
GHSA-JRMF-XHR6-3428 Jenkins SourceGear Vault plugin transmits credentials in plain text
Jenkins SourceGear Vault Plugin transmits configured credentials in plain text as part of job configuration forms, potentially resulting in their exposure. As of the publication of the advisory, there are no patches and the plugin is unmaintained...
GHSA-65RJ-CGRP-G65W Jenkins IBM AppScan Plugin showed plain text password in job configuration form fields
Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier transmitted configured passwords in plain text as part of job configuration forms, potentially resulting in their exposure. This plugin has been deprecated...
GHSA-5HHG-Q22C-6G39 Jenkins Port Allocator Plugin stores credentials in plain text
Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
GHSA-MM9C-4CV4-7RFV Jenkins allows for Privilege Escalation by Remote Authenticated Users
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors...
Cross-Site Request Forgery in Jenkins Git Plugin
Git Plugin connects to a user-specified Git repository as part of form validation. An attacker with no direct access to Jenkins but able to guess at a username/password credentials ID could trick a developer with job configuration permissions into following a link with a maliciously crafted Jenki...
GHSA-X3RC-CXV7-6XP6 Cross-site Scripting in Jenkins Core
Jenkins through 2.93 allows remote authenticated administrators to conduct XSS attacks via a crafted tool name in a job configuration form, as demonstrated by the JDK tool in Jenkins core and the Ant tool in the Ant plugin, aka SECURITY-624...
GHSA-7VVJ-QQVJ-H8MC Jenkins Exposes Sensitive Information from Job Configuration
Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration...
GHSA-3Q6P-R6RR-266X Jenkins Deploy to container Plugin stored plain text passwords in job configuration
The Deploy to container Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access, or users with Extended Read access to the jobs it is used in, to retrieve those passwords. The Deploy to container Plugin now integrates with...