
15 matches found

RedHat Linux
added 2025/03/04 2:39 p.m., 4 views

jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile

A flaw was found in Jenkins Pipeline: Declarative Plugin pipeline-model-definition. This vulnerability allows attackers with Item/Build permission to restart a previous build whose Jenkinsfile script is no longer approved via insufficient script approval checks...

CVSS 8 | AI score 5.7 | EPSS 0.00549
Exploits: 0 | References: 5

RedHat Linux
added 2025/03/04 2:38 p.m., 2 views

jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile

A flaw was found in Jenkins Pipeline: Declarative Plugin pipeline-model-definition. This vulnerability allows attackers with Item/Build permission to restart a previous build whose Jenkinsfile script is no longer approved via insufficient script approval checks...

CVSS 8 | AI score 5.7 | EPSS 0.00549
Exploits: 0 | References: 5

NVD
added 2024/11/13 9:15 p.m., 12 views

CVE-2024-52551

Jenkins Pipeline: Declarative Plugin 2.2214.vbb34b2ea9b83 and earlier does not check whether the main Jenkinsfile script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose Jenkinsfile script is no longer...

CVSS 8 | EPSS 0.00549
Exploits: 0 | References: 1

Oracle linux
added 2022/11/29 12:0 a.m., 39 views

kubernetes security update

kubernetes 1.22.16-1 - Added Oracle specific build files for Kubernetes - Add preBuildOL8Commands to Jenkinsfile kubernetes 1.23.14-1 - Added Oracle specific build files for Kubernetes kubernetes 1.24.8-1 - Added Oracle specific build files for Kubernetes olcne 1.5.8-4 - Fix 1.21 kubernetes versi...

CVSS 10 | AI score 0.2 | EPSS 0.03414
Exploits: 2

Oracle linux
added 2022/11/29 12:0 a.m., 50 views

kubernetes security update

kubernetes 1.22.16-1 - Added Oracle specific build files for Kubernetes - Add preBuildOL8Commands to Jenkinsfile kubernetes 1.23.14-1 - Added Oracle specific build files for Kubernetes kubernetes 1.24.8-1 - Added Oracle specific build files for Kubernetes olcne 1.5.8-4 - Fix 1.21 kubernetes versi...

CVSS 10 | AI score 0.2 | EPSS 0.03414
Exploits: 2

OSV
added 2022/05/13 1:15 a.m., 20 views

GHSA-JGPM-2862-Q5M8 Jenkins Script Security Plugin sandbox bypass vulnerability

The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for SECURITY-1266) could be circumvented through use of various Groovy language features: - Use of AnnotationCollector - Import aliasing -...

CVSS 8.8 | AI score 9 | EPSS 0.00222
Exploits: 0 | References: 5

Github Security Blog
added 2022/05/13 1:15 a.m., 25 views

Jenkins Script Security Plugin sandbox bypass vulnerability

The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for SECURITY-1266) could be circumvented through use of various Groovy language features: - Use of AnnotationCollector - Import aliasing -...

CVSS 8.8 | AI score 7.8 | EPSS 0.00222
Exploits: 0 | References: 6 | Affected Software: 1

Github Security Blog
added 2022/05/13 1:15 a.m., 27 views

Jenkins Pipeline Declarative Plugin sandbox bypass vulnerability

Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with...

CVSS 8.8 | AI score 7.9 | EPSS 0.93454
Exploits: 9 | References: 9 | Affected Software: 1

Github Security Blog
added 2022/05/13 1:15 a.m., 34 views

Jenkins Groovy Plugin sandbox bypass vulnerability

Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with...

CVSS 8.8 | AI score 7.7 | EPSS 0.93935
Exploits: 9 | References: 11 | Affected Software: 3

Github Security Blog
added 2022/04/13 12:0 a.m., 26 views

Untrusted users can modify some Pipeline libraries in Jenkins Pipeline: Deprecated Groovy Libraries Plugin

Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definitio...

CVSS 5.3 | AI score 5.7 | EPSS 0.0008
Exploits: 0 | References: 5 | Affected Software: 1

RedHat Linux
added 2022/03/28 11:56 a.m., 3 views

workflow-cps: Pipeline-related plugins follow symbolic links or do not limit path names

A flaw was found in Jenkins. The Pipeline: Groovy Plugin follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines. This flaw allows attackers who can configure Pipelines to read arbitrary files on...

CVSS 6.5 | AI score 5.8 | EPSS 0.00642
Exploits: 0 | References: 4

NVD
added 2022/02/15 5:15 p.m., 17 views

CVE-2022-25176

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on t...

CVSS 6.5 | EPSS 0.00642
Exploits: 0 | References: 1

CVE
added 2022/02/15 4:10 p.m., 201 views

CVE-2022-25176

CVE-2022-25176 is an in-scope vulnerability affecting Jenkins Pipeline-related plugins (notably Pipeline: Groovy Plugin and related modules) where reading the script file (Jenkinsfile) can follow symbolic links outside the configured SCM checkout, enabling an attacker with Pipeline configuration ...

CVSS 6.5 | AI score 6.5 | EPSS 0.00642
Exploits: 0 | References: 1 | Affected Software: 1

Tenable Nessus
added 2022/02/15 12:0 a.m., 8 views

Jenkinsfile Detected

Jenkins is a popular open source automation software used to help build, test and deploy software. Jenkins Pipeline is a collection of plugins allowing developers to implement and integrate continuous delivery (CD) into Jenkins, by defining a Jenkinsfile file and adding it to their source...

AI score 7.3
Exploits: 0 | References: 2

Prion
added 2017/10/05 1:29 a.m., 14 views

Authorization

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when...

CVSS 4 | AI score 4.4 | EPSS 0.00042
Exploits: 0 | References: 1 | Affected Software: 1