
13 matches found

Github Security Blog
added 2022/05/24 5:33 p.m. · 31 views

Stored XSS vulnerability in Jenkins Static Analysis Utilities Plugin

Jenkins Static Analysis Utilities Plugin 1.96 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission...

CVSS 5.4 · AI score 4.9 · EPSS 0.00246
Exploits: 0 · References: 3 · Affected Software: 1
OSV
added 2022/05/24 5:28 p.m. · 21 views

GHSA-7VP5-XF5Q-FXJQ Stored XSS vulnerability in Radiator View Plugin

Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission...

CVSS 8 · AI score 5.3 · EPSS 0.00233
Exploits: 0 · References: 4
Github Security Blog
added 2022/05/24 5:23 p.m. · 25 views

Stored XSS vulnerability in Jenkins console links

Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the href attribute of links to downstream jobs displayed in the build console page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission. Jenkins 2.245, LTS 2.235.2...

CVSS 5.4 · AI score 5.3 · EPSS 0.00419
Exploits: 0 · References: 5 · Affected Software: 1
Github Security Blog
added 2022/05/24 5:19 p.m. · 16 views

XSS vulnerability in Jenkins Subversion Partial Release Manager Plugin

Subversion Partial Release Manager Plugin 1.0.1 and earlier does not escape the error message for the repository URL field form validation. This results in a reflected cross-site scripting (XSS) vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users...

CVSS 6.1 · AI score 5.4 · EPSS 0.21759
Exploits: 0 · References: 4 · Affected Software: 1
OSV
added 2022/05/24 5:8 p.m. · 20 views

GHSA-HW26-FW67-QXM9 Jenkins Git Parameter Plugin vulnerable to Stored cross-site scripting (XSS)

Jenkins Git Parameter Plugin 0.9.11 and earlier does not escape the parameter name shown on the UI, resulting in a stored cross-site scripting vulnerability exploitable by users with Job/Configure permission...

CVSS 5.4 · AI score 5.2 · EPSS 0.00102
Exploits: 0 · References: 5
RedHat Linux
added 2020/11/17 4:40 a.m. · 1 views

jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files

Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system...

CVSS 6.5 · AI score 5.9 · EPSS 0.02419
Exploits: 0 · References: 6
OSV
added 2020/09/16 2:15 p.m. · 14 views

CVE-2020-2271

Jenkins Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission...

CVSS 5.4 · AI score 5.5
Exploits: 0 · References: 2
AlpineLinux
added 2020/09/16 1:20 p.m. · 26 views

CVE-2020-2256

Jenkins Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission...

CVSS 5.4 · AI score 3.8 · EPSS 0.00233
Exploits: 0 · References: 2
OSV
added 2020/06/03 1:15 p.m. · 1 views

CVE-2020-2197

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not require users to have Job/ExtendedRead permission to access Inheritance Project job configurations in XML format...

CVSS 4.3 · AI score 5.8 · EPSS 0.00031
Exploits: 0 · References: 2
OSV
added 2019/07/31 1:15 p.m. · 19 views

CVE-2019-10365

Jenkins Google Kubernetes Engine Plugin 0.6.2 and earlier created a temporary file containing a temporary access token in the project workspace, where it could be accessed by users with Job/Read permission...

CVSS 4.3 · AI score 6.7
Exploits: 0 · References: 2
Cvelist
added 2019/03/08 9:0 p.m. · 20 views

CVE-2019-1003031

A sandbox bypass vulnerability exists in Jenkins Matrix Project Plugin 1.13 and earlier in pom.xml, src/main/java/hudson/matrix/FilterScript.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM...

AI score 9.8 · EPSS 0.07691
Exploits: 0 · References: 3
Positive Technologies
added 2019/03/08 12:0 a.m. · 3 views

PT-2019-11326 · Jenkins · Jenkins Email Extension Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Email Extension Plugin versions 2.64 and earlier
Description: A sandbox bypass issue exists that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM. The issue is related to files such as...

CVSS 9.9 · AI score 9.5 · EPSS 0.00093
Exploits: 0 · References: 6
CVE
added 2014/10/16 7:0 p.m. · 75 views

CVE-2014-3663

CVE-2014-3663 affects Jenkins before 1.583 and LTS before 1.565.3. Remote authenticated users with the Job/CONFIGURE permission can bypass restrictions to create or destroy arbitrary jobs via unspecified vectors. The vulnerability is documented in the NVD entry for CVE-2014-3663 and reflected in ...

CVSS 6 · AI score 7.8 · EPSS 0.00065
Exploits: 0 · References: 2 · Affected Software: 1