398 matches found

Github Security Blog
added 2022/05/24 5:29 p.m. · 21 views

Missing permission check in Jenkins Liquibase Runner Plugin allows enumerating credentials IDs

Liquibase Runner Plugin 1.4.7 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

CVSS 4.3 · AI score 4.9 · EPSS 0.00683
Exploits 0 · References 5 · Affected Software 1
OSV
added 2022/05/24 5:28 p.m. · 15 views

GHSA-C445-XM3F-HMFH Incorrect permission check in Health Advisor by CloudBees Plugin

Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page. Health Advisor by CloudBees Plugin 3.2.1 requires Overall/Administer to view its...

CVSS 4.3 · AI score 4.3 · EPSS 0.00691
Exploits 0 · References 5
Github Security Blog
added 2022/05/24 5:28 p.m. · 20 views

Incorrect permission check in Health Advisor by CloudBees Plugin

Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to view an administrative configuration page. Health Advisor by CloudBees Plugin 3.2.1 requires Overall/Administer to view its...

CVSS 4.3 · AI score 4.9 · EPSS 0.00691
Exploits 0 · References 5 · Affected Software 1
OSV
added 2022/05/24 5:12 p.m. · 10 views

GHSA-M7PR-M4CX-6M22 Reflected XSS vulnerability in Jenkins Queue cleanup Plugin

A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting vulnerability XSS. Queue cleanup Plugin 1.4 correctly escapes the query parameter...

CVSS 6.1 · AI score 6 · EPSS 0.0104
Exploits 0 · References 6
Github Security Blog
added 2022/05/24 5:12 p.m. · 17 views

Reflected XSS vulnerability in Jenkins Queue cleanup Plugin

A form validation HTTP endpoint in Queue cleanup Plugin 1.3 and earlier does not escape a query parameter displayed in an error message. This results in a reflected cross-site scripting vulnerability XSS. Queue cleanup Plugin 1.4 correctly escapes the query parameter...

CVSS 6.1 · AI score 5.7 · EPSS 0.0104
Exploits 0 · References 6 · Affected Software 1
OSV
added 2022/05/24 4:56 p.m. · 18 views

GHSA-XC7Q-P3F4-Q389 Jenkins Project Inheritance Plugin vulnerable to Cross-Site Request Forgery

Project Inheritance Plugin allows the creation of projects based on templates defined in the plugin configuration. A missing permission check in the HTTP endpoint triggering project creation allowed users with Overall/Read permission to create these projects. Additionally, the HTTP endpoint did n...

CVSS 4.3 · AI score 4.4 · EPSS 0.00606
Exploits 0 · References 3
Github Security Blog
added 2022/05/24 4:56 p.m. · 22 views

Jenkins Project Inheritance Plugin vulnerable to Cross-Site Request Forgery

Project Inheritance Plugin allows the creation of projects based on templates defined in the plugin configuration. A missing permission check in the HTTP endpoint triggering project creation allowed users with Overall/Read permission to create these projects. Additionally, the HTTP endpoint did n...

CVSS 4.3 · AI score 0.4 · EPSS 0.00606
Exploits 0 · References 4 · Affected Software 1
OSV
added 2022/05/24 4:55 p.m. · 16 views

GHSA-CJR8-5RW4-WH65 Jenkins Splunk Plugin Sandbox Bypass

Jenkins Splunk Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST...

CVSS 8.8 · AI score 9 · EPSS 0.01677
Exploits 0 · References 4
Github Security Blog
added 2022/05/24 4:55 p.m. · 12 views

Jenkins Splunk Plugin Sandbox Bypass

Jenkins Splunk Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST...

CVSS 8.8 · AI score 7.7 · EPSS 0.01677
Exploits 0 · References 5 · Affected Software 1
OSV
added 2022/05/18 12:00 a.m. · 17 views

GHSA-5PHJ-QV74-PV4W Missing permission check in Jenkins GitLab Plugin

Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. An enumeration of credentials IDs in GitLab Plugin 1.5.32 requires the appropriate...

CVSS 4.3 · AI score 6.3 · EPSS 0.008
Exploits 0 · References 4
Github Security Blog
added 2022/05/18 12:00 a.m. · 24 views

Missing permission check in Jenkins GitLab Plugin

Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. An enumeration of credentials IDs in GitLab Plugin 1.5.32 requires the appropriate...

CVSS 6.5 · AI score 6.4 · EPSS 0.008
Exploits 0 · References 4 · Affected Software 1
ATTACKERKB
added 2022/05/17 3:15 p.m. · 4 views

CVE-2022-30955

Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...

CVSS 6.5 · AI score 6.6 · EPSS 0.008
Exploits 0 · References 2
Prion
added 2022/05/17 3:15 p.m. · 16 views

Information disclosure

Jenkins GitLab Plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...

CVSS 4 · AI score 6.1 · EPSS 0.008
Exploits 0 · References 1 · Affected Software 1
Prion
added 2022/05/17 3:15 p.m. · 21 views

Code injection

Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server...

CVSS 4 · AI score 7.5 · EPSS 0.00782
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2022/05/17 2:06 p.m. · 25 views

CVE-2022-30954

Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server...

AI score 7.4 · EPSS 0.00782
Exploits 0 · References 2
CVE
added 2022/05/17 2:06 p.m. · 173 views

CVE-2022-30954

CVE-2022-30954 affects Jenkins Blue Ocean Plugin up to version 1.25.3 and earlier, with a weakness in several HTTP endpoints that fails permission checks. This allows attackers with Overall/Read permission to connect to an attacker-controlled HTTP server. Connected advisories (e.g., RHSA-2023 ent...

CVSS 6.5 · AI score 6.3 · EPSS 0.00782
Exploits 0 · References 2 · Affected Software 1
Positive Technologies
added 2022/05/17 12:00 a.m. · 3 views

PT-2022-20410 · Jenkins · Jenkins Git Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins GitLab Plugin versions 1.5.31 and earlier Description: The issue allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins due to a missing permission check in an HTTP endpoint...

CVSS 6.5 · AI score 6 · EPSS 0.008
Exploits 0 · References 6
OSV
added 2022/05/13 1:31 a.m. · 9 views

GHSA-MMRV-3CQG-HPF9 Sandbox Bypass via CSRF in Jenkins Warnings Plugin

A cross-site request forgery vulnerability exists in Jenkins Warnings Plugin 5.0.0 and earlier in src/main/java/hudson/plugins/warnings/GroovyParser.java that allows attackers to execute arbitrary code via a form validation HTTP endpoint...

CVSS 8.8 · AI score 8.8 · EPSS 0.0121
Exploits 0 · References 4
OSV
added 2022/05/13 1:31 a.m. · 19 views

GHSA-WHF8-3H58-2W9F Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability

Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to...

CVSS 8.8 · AI score 9 · EPSS 0.01151
Exploits 0 · References 2
Github Security Blog
added 2022/05/13 1:31 a.m. · 21 views

Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability

Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to...

CVSS 8.8 · AI score 7.7 · EPSS 0.01151
Exploits 0 · References 3 · Affected Software 1