1464 matches found
Path traversal vulnerability in external-workspace-manager
external-workspace-manager 1.3.2 and earlier does not reject .. path segments when validating the custom workspace path provided to the exwsAllocate Pipeline step, allowing the resulting workspace path to escape the configured disk mount point. This allows attackers with Item/Configure permission...
XXE vulnerability in assembla
assembla 1.4 and earlier does not configure its XML parser to prevent XML external entity XXE attacks when parsing responses from the configured Assembla server. This allows attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or...
Passwords stored in plain text by fitnesse
fitnesse 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, the...
CSRF vulnerability and missing permission check in zdevops
zdevops 1.1.3.50.ve350c9b450b1 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...
OS command injection vulnerability on agents in git-client
git-client 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into the SSH wrapper script generated by the "Manually provided keys" Git Host Key Verification strategy on Unix agents. This allows attackers able to control the name of a build's working...
Sandbox bypass vulnerability in script-security
script-security provides a sandbox feature that allows running user-provided scripts safely by intercepting and checking potentially unsafe operations. script-security 1402.v94c9ce464861 and earlier does not intercept the implicit type cast applied to each element of the iterated collection in a...
CSRF vulnerability and unrestricted instantiation of types in workflow-cps
workflow-cps 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, instantiating any type with a constructor annotated with @DataBoundConstructor in response to a request. This allows attackers to have workflow-cps instantiate...
Script security bypass vulnerability in script-security
script-security 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations such as @CompileStatic and @TypeChecked that carry an extensions member, which causes Groovy to load and execute a script from the classpath at compile time, before the sandbox is applied. This ma...
Missing permission check in git-parameter allows listing SCM branch and tag names
git-parameter 462.vdcf3df2ed2ca and earlier does not perform a permission check in an HTTP endpoint that populates the list of values for Git parameters by querying the SCM configured on a job, using the SCM credentials configured in Jenkins. This allows attackers with Item/Read permission to...
Encrypted values of secrets in job and agent configurations not redacted by jobConfigHistory
jobConfigHistory 1356.ve360da6c523a and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations through its "View as XML" / "RAW" feature and its configuration diff views. This allows attackers with Item/Extended Read permission but not...
Missing permission check allows enumerating GitHub Enterprise server URLs in github-branch-source
github-branch-source 1967.1969.v205fd594c821 and earlier does not perform a permission check in an HTTP endpoint that lists the GitHub API endpoints configured in the global plugin configuration. This allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers...
Missing permission check in mcp-server allows reading Pipeline replay scripts
mcp-server 0.177.v629fdb2557fe and earlier does not perform a permission check in the getReplayScripts MCP tool that returns the replay script of a Pipeline build. This allows attackers with Item/Read permission to obtain the Pipeline script of jobs. mcp-server 0.178.vffe5ae770f3b requires...
LDAP injection vulnerability in active-directory
In active-directory 2.41.1 and earlier, the Windows native ADSI authentication path does not escape the user name before building the LDAP search filter. This allows unauthenticated attackers to inject LDAP wildcard characters into the user name, enabling them to enumerate directory user and grou...
SSL/TLS certificate validation unconditionally disabled by bitbucket-push-and-pull-request
bitbucket-push-and-pull-request 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for the connections it makes to Bitbucket Server using Bearer token authentication. Because the Bearer token is transmitted in these requests, this allows attackers able to...
CSRF vulnerability in PrioritySorter
PrioritySorter 936.v2c01c6b84449 and earlier does not require POST requests in an HTTP endpoint that saves the global job priority configuration. This allows attackers to overwrite the global job priority configuration. PrioritySorter 936.937.v5581d0b2ccba requires POST requests for the affected...
Incorrect permission check in gitee allows enumerating credentials IDs
gitee 1288.v18bdebc9069b and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credentials IDs of credentials stored in Jenkins. Those ca...
Missing permission checks and CSRF vulnerability in gitee
gitee 1288.v18bdebc9069b and earlier does not perform permission checks in several HTTP endpoints implementing form validation for its global configuration. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained...
CSRF vulnerability and missing permission checks in ec2-fleet
ec2-fleet 4.2.3.539.v8fedff2a81c3 and earlier does not perform permission checks in several HTTP endpoints used to validate cloud configurations. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through...
CSRF vulnerability and missing permission check in contrast-continuous-application-security
contrast-continuous-application-security 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, AP...
Builds executed on the Jenkins controller by zapper can lead to RCE
zapper 1.0.7 and earlier does not support distributed builds, causing the file operations and build process of its "Automatically build ZAP" feature to be performed on the Jenkins controller rather than on the agent the build is assigned to. This allows attackers with Item/Configure permission to...
CSRF vulnerability and missing permission check in assembla
assembla 1.4 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to an Assembla server. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password. Additionally, this HTTP...
Missing permission checks in contrast-continuous-application-security allow enumerating Contrast metadata
contrast-continuous-application-security 3.11 and earlier does not perform permission checks in several HTTP endpoints that fill list box options with the names of the configured Contrast metadata. This allows attackers with Overall/Read permission to enumerate the names of configured Contrast...
Stored XSS vulnerability in node offline cause description
Since Jenkins 2.483, the description of the reason why a node is offline the "offline cause" is defined as containing HTML and rendered as such. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through th...
Deserialization vulnerability
Jenkins uses serialization and deserialization in multiple places, like agent/controller communication the Remoting library and to load and save configuration and build data using XStream. To protect from common deserialization vulnerabilities, Jenkins uses a custom deserialization filter that on...
Open redirect vulnerability
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow: A URL containing relative path segments ./ or ../ is validated before the servlet container collapses those segments into a protocol-relative URL starting with...
Open redirect vulnerability
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow: A URL containing relative path segments ./ or ../ is validated before the servlet container collapses those segments into a protocol-relative URL starting with...
Missing permission check allows canceling queue items
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform an Item/Read permission check in an HTTP endpoint. This allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. NOTE: This is due to an incomplete...
Missing permission checks allow obtaining limited user profile information
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform permission checks in HTTP endpoints. This allows attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views". Jenkins 2.568, LTS 2.555.3 performs...
Open redirect vulnerability in "Delegate to servlet container" security realm
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login. This allows attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. Jenkins...
Plaintext secrets persisted and served by config.xml endpoints
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, POST config.xml submissions are written to disk as-is once their content can be successfully deserialized, while GET config.xml responses are served directly from those files. As a result, plaintext secrets in a POST config.xml submission...
Arbitrary file read vulnerability through symbolic links in pipeline-groovy-lib
pipeline-groovy-lib 797.v90eaa9be45a0 and earlier does not prohibit symbolic links in shared libraries. This allows attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. pipeline-groovy-lib 798.v5cc688825312 prohibi...
CSRF vulnerability in github-pullrequest
github-pullrequest 0.7.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to trigger a build for a pull request. github-pullrequest 0.7.4 requires POST requests for the affected HTTP...
RCE vulnerability from unvalidated LDAP referrals in active-directory
active-directory 2.41 and earlier follows LDAP referrals from the configured Active Directory server by default. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution RCE on the Jenkins controller if deserialization "gadget...
Missing permission check in jenkinsci-appspider-plugin allows sending requests
jenkinsci-appspider-plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. jenkinsci-appspider-plugin 1.0.18 requires Overall/Administer permission to use t...
CSRF vulnerability in jenkins-multijob-plugin allows resuming builds
jenkins-multijob-plugin 662.vd2e0001f6bbd and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to resume failed Multijob builds. jenkins-multijob-plugin 669.v9d96ad9c71b0 requires POST...
Stored XSS vulnerability in buildgraph-view
buildgraph-view 1.8 and earlier does not escape the build URL. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs or views. As of publication of this advisory, there is no fix. Learn why we announce this...
Arbitrary file read vulnerability in email-ext
email-ext 1933.v45cec755423f and earlier includes a feature that allows inlining images as base64 in email content by setting the data-inline attribute. No restrictions are placed on the image URLs that can be inlined. This allows attackers able to control the email content to specify file: URLs...
RCE vulnerability from unvalidated LDAP referrals in ldap
ldap 807.v7d7de30930cf and earlier follows LDAP referrals from the configured LDAP server. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution RCE on the Jenkins controller if deserialization "gadgets" are available on th...
Path traversal vulnerability in credentials-binding
credentials-binding 720.v3f6decef43ea and earlier does not properly sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged us...
Open redirect vulnerability in bitbucket-oauth
bitbucket-oauth 0.17 and earlier does not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. bitbucket-oauth 0.18 only redirects to relative Jenkin...
Missing permission check in job-import-plugin allows enumerating credentials IDs
job-import-plugin 143.v044a2e819b27 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anothe...
Missing permission check in script-security allows enumerating pending and approved classpaths
script-security 1399.ve6a66547f6e1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. script-security 1402.v94c9ce464861 requires Overall/Administer permission to...
Unsafe deserialization allows invoking parameterless constructors in matrix-auth
matrix-auth 2.0-beta-1 through 3.2.9 both inclusive invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with Item/Configure permission to...
Missing permission check in github-branch-source allows performing a connection test
github-branch-source 1967.vdead580c1aba and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials. github-branch-source...
Path traversal vulnerability in credentials-binding
credentials-binding 719.v80e905ef14eb and earlier does not sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged user to...
Open redirect vulnerability in azure-ad
azure-ad 666.v6060de32f87d and earlier does not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. azure-ad 667.v4c5827ae74a0 only redirects to...
XSS vulnerability in github
github 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling". This results in a stored cross-site scripting XSS vulnerability exploitable by non-anonymous attackers with Overall/Read...
XSS vulnerability in legacy wrapper file in htmlpublisher
htmlpublisher 427 and earlier does not escape job name and URL in the legacy wrapper file. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 427.1 escapes job name and URL when generating the legacy wrapper file...
DNS rebinding vulnerability in WebSocket CLI origin validation
Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...
Link following vulnerability allows arbitrary file creation
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives. This allows crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running...