Open redirect vulnerability in "Delegate to servlet container" security realm
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login. This allows attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. Jenkins...
Deserialization vulnerability
Jenkins uses serialization and deserialization in multiple places, like agent/controller communication (the Remoting library) and to load and save configuration and build data using XStream. To protect from common deserialization vulnerabilities, Jenkins uses a custom deserialization filter that on...
Stored XSS vulnerability in node offline cause description
Since Jenkins 2.483, the description of the reason why a node is offline (the "offline cause") is defined as containing HTML and rendered as such. Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not escape the user-provided description of a generic offline cause that could be set through th...
Plaintext secrets persisted and served by config.xml endpoints
In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, POST config.xml submissions are written to disk as-is once their content can be successfully deserialized, while GET config.xml responses are served directly from those files. As a result, plaintext secrets in a POST config.xml submission...
Missing permission checks allow obtaining limited user profile information
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform permission checks in HTTP endpoints. This allows attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views". Jenkins 2.568, LTS 2.555.3 performs...
Missing permission check allows canceling queue items
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform an Item/Read permission check in an HTTP endpoint. This allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. NOTE: This is due to an incomplete...
Open redirect vulnerability in bitbucket-oauth
bitbucket-oauth 0.17 and earlier does not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. bitbucket-oauth 0.18 only redirects to relative Jenkin...
Arbitrary file read vulnerability through symbolic links in pipeline-groovy-lib
pipeline-groovy-lib 797.v90eaa9be45a0 and earlier does not prohibit symbolic links in shared libraries. This allows attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. pipeline-groovy-lib 798.v5cc688825312 prohibi...
RCE vulnerability from unvalidated LDAP referrals in active-directory
active-directory 2.41 and earlier follows LDAP referrals from the configured Active Directory server by default. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller if deserialization "gadget...
Arbitrary file read vulnerability in email-ext
email-ext 1933.v45cec755423f and earlier includes a feature that allows inlining images as base64 in email content by setting the data-inline attribute. No restrictions are placed on the image URLs that can be inlined. This allows attackers able to control the email content to specify file: URLs...
Path traversal vulnerability in credentials-binding
credentials-binding 720.v3f6decef43ea and earlier does not properly sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged us...
Missing permission check in job-import-plugin allows enumerating credentials IDs
job-import-plugin 143.v044a2e819b27 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using anothe...
CSRF vulnerability in jenkins-multijob-plugin allows resuming builds
jenkins-multijob-plugin 662.vd2e0001f6bbd and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to resume failed Multijob builds. jenkins-multijob-plugin 669.v9d96ad9c71b0 requires POST...
CSRF vulnerability in github-pullrequest
github-pullrequest 0.7.3 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to trigger a build for a pull request. github-pullrequest 0.7.4 requires POST requests for the affected HTTP...
Missing permission check in jenkinsci-appspider-plugin allows sending requests
jenkinsci-appspider-plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. jenkinsci-appspider-plugin 1.0.18 requires Overall/Administer permission to use t...
RCE vulnerability from unvalidated LDAP referrals in ldap
ldap 807.v7d7de30930cf and earlier follows LDAP referrals from the configured LDAP server. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution (RCE) on the Jenkins controller if deserialization "gadgets" are available on th...
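The two referral advisories above (active-directory and ldap) share one root cause: JNDI is told to follow whatever referral URL the directory hands back, and an rmi:// referral turns a directory lookup into a remote-object fetch that deserializes attacker-controlled data. The following is an added example, not code from either plugin or from Jenkins core. It shows the JNDI environment setting that stops automatic following ("throw", or "ignore" when referrals are not needed) and a vetting step that only ever follows ldap:// or ldaps:// referrals to an allowlisted host. The host names, bind DN and search filter are constructed for the illustration; the lookup itself only runs against a real directory, while main() exercises the vetting logic offline.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ReferralException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added illustration (not the ldap or active-directory plugin's own code):
 * a JNDI environment that does not silently follow referrals, plus a vetting
 * step that only follows ldap:// or ldaps:// referrals to known hosts.
 */
public final class ReferralSafeLdap {

    private ReferralSafeLdap() {}

    public static Hashtable<String, String> hardenedEnv(String providerUrl, String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        // "follow" lets the server (or whoever injected the referral) choose any URL,
        // including rmi://, which JNDI would dereference and deserialize.
        // "throw" surfaces the referral as a ReferralException so the caller decides;
        // "ignore" is the simplest choice when referrals are not needed at all.
        env.put(Context.REFERRAL, "throw");
        return env;
    }

    /** Only ldap/ldaps URLs whose host is on the allowlist may be followed. */
    public static boolean isAllowedReferral(Object referralInfo, Set<String> allowedHosts) {
        if (!(referralInfo instanceof String)) {
            return false;
        }
        URI uri;
        try {
            uri = new URI((String) referralInfo);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        return (scheme.equals("ldap") || scheme.equals("ldaps"))
                && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    /** Subtree search that follows at most one referral, and only a vetted one. */
    public static NamingEnumeration<SearchResult> search(Hashtable<String, String> env, String baseDn,
            String filter, Set<String> allowedHosts) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        DirContext ctx = new InitialDirContext(env);
        try {
            return ctx.search(baseDn, filter, controls);
        } catch (ReferralException e) {
            Object info = e.getReferralInfo();
            if (!isAllowedReferral(info, allowedHosts)) {
                throw new NamingException("refusing to follow referral to " + info);
            }
            // The referral context inherits this environment, so REFERRAL stays "throw".
            // Referrals raised later while iterating the results need the same treatment.
            DirContext referred = (DirContext) e.getReferralContext();
            return referred.search(baseDn, filter, controls);
        }
    }

    public static void main(String[] args) {
        Set<String> allowed = Set.of("dc1.corp.example", "dc2.corp.example");  // constructed allowlist
        String[] referrals = {
            "ldap://dc2.corp.example:389/DC=corp,DC=example",   // allowed
            "ldaps://dc1.corp.example/DC=corp,DC=example",      // allowed
            "ldap://attacker.example/DC=corp,DC=example",       // unknown host: refused
            "rmi://attacker.example:1099/Exploit",              // wrong scheme: the RCE path, refused
            "not a url",                                        // unparseable: refused
        };
        for (String r : referrals) {
            System.out.println((isAllowedReferral(r, allowed) ? "follow " : "refuse ") + r);
        }
    }
}
```

The scheme check is the part that closes the hole described in the advisories: with "follow", JNDI treats an rmi:// referral as an instruction to look up a remote object, and the deserialization happens before any application code sees the URL. Restricting the host as well keeps a compromised or spoofed directory from bouncing the controller to an attacker-run LDAP server.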
Stored XSS vulnerability in buildgraph-view
buildgraph-view 1.8 and earlier does not escape the build URL. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views. As of publication of this advisory, there is no fix. Learn why we announce this...
Unsafe deserialization allows invoking parameterless constructors in matrix-auth
matrix-auth 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated. This can be abused by attackers with Item/Configure permission to...
Open redirect vulnerability in azure-ad
azure-ad 666.v6060de32f87d and earlier does not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. azure-ad 667.v4c5827ae74a0 only redirects to...
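Three entries on this page (the "Delegate to servlet container" realm, bitbucket-oauth and azure-ad) are the same bug: a post-login redirect parameter is used as given, so a link to the Jenkins login page can bounce the freshly authenticated user to a phishing site. The fixes described only redirect to relative Jenkins URLs. The following is an added example of such a check, not the code of Jenkins core or of either plugin (Jenkins has its own helper for this). It accepts only an absolute path on the current instance and falls back to the root URL otherwise; the sample targets and the root URL are constructed, and rootUrl is assumed to end with "/" as Jenkins.getRootUrl() does.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added illustration (not Jenkins core's or the plugins' own code): a
 * post-login redirect parameter is honoured only when it is a path on this
 * instance. Everything else falls back to the Jenkins root URL.
 */
public final class SafeRedirect {

    private SafeRedirect() {}

    /** True only for targets like "/job/app/" or "/view/all/?filter=1". */
    public static boolean isSafeRedirectTarget(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            // Control characters (header injection) and backslashes: several
            // browsers normalise "/\evil.example" to "//evil.example".
            if (c < 0x20 || c == 0x7F || c == '\\') {
                return false;
            }
        }
        // Must be an absolute path on this host: one leading slash, not two
        // ("//evil.example/" is a protocol-relative URL to another host).
        if (target.charAt(0) != '/' || target.startsWith("//")) {
            return false;
        }
        try {
            URI uri = new URI(target);
            // Belt and braces: after the checks above no scheme or authority can
            // be parsed out; parsing additionally rejects illegal characters.
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /** rootUrl is assumed to end with "/" as Jenkins.getRootUrl() does. */
    public static String redirectTargetOrRoot(String from, String rootUrl) {
        return isSafeRedirectTarget(from) ? rootUrl + from.substring(1) : rootUrl;
    }

    public static void main(String[] args) {
        String root = "https://ci.example/";   // constructed value
        String[] samples = {
            "/job/app/",              // allowed
            "/view/all/?filter=1",    // allowed
            "job/app/",               // relative without leading slash: refused
            "//evil.example/",        // protocol-relative: refused
            "/\\evil.example/",       // backslash trick: refused
            "https://evil.example/",  // absolute URL: refused
            "javascript:alert(1)",    // scheme: refused
            "/job/app/\r\nX: y",      // CRLF: refused
        };
        for (String s : samples) {
            System.out.println(isSafeRedirectTarget(s) + "  " + s.replace("\r\n", "\\r\\n")
                    + "  -> " + redirectTargetOrRoot(s, root));
        }
    }
}
```

The protocol-relative and backslash cases are the ones a naive "starts with /" check misses: both look like local paths but browsers resolve them to another origin.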
Missing permission check in script-security allows enumerating pending and approved classpaths
script-security 1399.ve6a66547f6e1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths. script-security 1402.v94c9ce464861 requires Overall/Administer permission to...
XSS vulnerability in github
github 1.46.0 and earlier improperly processes the current job URL as part of JavaScript implementing validation of the feature "GitHub hook trigger for GITScm polling". This results in a stored cross-site scripting (XSS) vulnerability exploitable by non-anonymous attackers with Overall/Read...
Missing permission check in github-branch-source allows performing a connection test
github-branch-source 1967.vdead580c1aba and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials. github-branch-source...
Path traversal vulnerability in credentials-binding
credentials-binding 719.v80e905ef14eb and earlier does not sanitize file names for file and zip file credentials. This allows attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem. If Jenkins is configured to allow a low-privileged user to...
XSS vulnerability in legacy wrapper file in htmlpublisher
htmlpublisher 427 and earlier does not escape job name and URL in the legacy wrapper file. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 427.1 escapes job name and URL when generating the legacy wrapper file...
API keys stored and displayed in plain text by loadninja
loadninja 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
DNS rebinding vulnerability in WebSocket CLI origin validation
Jenkins has a built-in command line interface (CLI) to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...
Link following vulnerability allows arbitrary file creation
Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives. This allows crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running...
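Four entries on this page are containment failures on the filesystem: credentials-binding writing file and zip credentials under attacker-chosen names (two advisories), pipeline-groovy-lib following symbolic links inside a shared library, and core following symbolic links while extracting .tar and .tar.gz archives. The following is an added example, not code from Jenkins core or any of those plugins, of the three checks involved: a credential file name must be a single path element; an archive entry must resolve inside the destination and must not sit under an already-extracted symlink that points outside it; a symlink entry itself may only point inside the destination. main() builds a throwaway directory and a crafted entry list (constructed, with Unix path semantics; creating the symlink needs privileges on Windows).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added illustration, not the code of credentials-binding, pipeline-groovy-lib
 * or Jenkins core: containment checks for attacker-influenced file names and
 * archive entries.
 */
public final class Containment {

    private Containment() {}

    /** A file credential name must be exactly one path element: no '/', '\', NUL, "." or "..". */
    public static boolean isPlainFileName(String name) {
        if (name == null || name.isEmpty() || name.length() > 255) return false;
        if (name.equals(".") || name.equals("..")) return false;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c == '/' || c == '\\' || c == '\0') return false;
        }
        return true;
    }

    /**
     * Resolve an archive entry name under destDir (which must exist). Rejects
     * absolute names, "..", backslashes, and entries whose nearest existing
     * ancestor is, or lies under, a symlink that leaves destDir.
     */
    public static Path entryDestination(Path destDir, String entryName) throws IOException {
        if (entryName == null || entryName.isEmpty()
                || entryName.indexOf('\\') >= 0 || entryName.indexOf('\0') >= 0) {
            throw new IOException("rejected entry name: " + entryName);
        }
        Path base = destDir.toRealPath();
        // An absolute entryName replaces base in resolve(); the startsWith test then fails.
        Path target = base.resolve(entryName).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        // Link following: walk up to the nearest ancestor that exists on disk and
        // compare its real (symlink-resolved) path against the destination.
        Path probe = target.getParent();
        while (!Files.exists(probe, LinkOption.NOFOLLOW_LINKS)) {
            probe = probe.getParent();   // terminates: base itself exists
        }
        if (!probe.toRealPath().startsWith(base)) {
            throw new IOException("entry parent is a symlink out of destination: " + entryName);
        }
        return target;
    }

    /** A symlink entry may only point to a path that stays inside destDir. */
    public static Path checkSymlinkEntry(Path destDir, String entryName, String linkTarget) throws IOException {
        Path link = entryDestination(destDir, entryName);
        if (linkTarget == null || linkTarget.indexOf('\\') >= 0 || Paths.get(linkTarget).isAbsolute()) {
            throw new IOException("rejected symlink target: " + linkTarget);
        }
        Path resolved = link.getParent().resolve(linkTarget).normalize();
        if (!resolved.startsWith(destDir.toRealPath())) {
            throw new IOException("symlink target escapes destination: " + linkTarget);
        }
        return link;
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract");
        Path outside = Files.createTempDirectory("outside");
        // Constructed entry list mimicking a crafted archive: {kind, name[, link target]}.
        String[][] entries = {
            {"file", "README"},                    // allowed
            {"file", "../escape.txt"},             // traversal: rejected
            {"file", "/etc/passwd"},               // absolute: rejected
            {"link", "out", outside.toString()},   // absolute link target: rejected
            {"link", "up", "../.."},               // relative target leaving dest: rejected
            {"link", "ok", "README"},              // stays inside: allowed
        };
        for (String[] e : entries) {
            try {
                Path p = e[0].equals("link") ? checkSymlinkEntry(dest, e[1], e[2]) : entryDestination(dest, e[1]);
                System.out.println("allow  " + String.join(" ", e) + " -> " + p);
            } catch (IOException ex) {
                System.out.println("reject " + String.join(" ", e) + ": " + ex.getMessage());
            }
        }
        // What the ancestor check catches once an unsafe extractor has created the link:
        Files.createSymbolicLink(dest.resolve("out"), outside);
        try {
            entryDestination(dest, "out/evil.txt");
        } catch (IOException ex) {
            System.out.println("reject out/evil.txt: " + ex.getMessage());
        }
        System.out.println(isPlainFileName("id_rsa") + " " + isPlainFileName("../id_rsa"));
    }
}
```

The ancestor walk is what distinguishes a link-following fix from a plain path-traversal fix: "out/evil.txt" normalises to a path inside the destination, and only resolving the already-created "out" link reveals that the write would land elsewhere.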
Stored XSS vulnerability in node offline cause description
Since Jenkins 2.483, the description of the reason why a node is offline (the "offline cause") is defined as containing HTML and rendered as such. Jenkins 2.550 and earlier, LTS 2.541.1 and earlier does not escape the user-provided description of the "Mark temporarily offline" offline cause. This...
Build information disclosure vulnerability through Run Parameter
Jenkins 2.550 and earlier, LTS 2.541.1 and earlier accepts Run Parameter values that refer to builds the user submitting the build does not have access to. This allows attackers with Item/Build and Item/Configure permission to obtain information about the existence of jobs, the existence of build...
Exposure of system-scoped Vault credentials in hashicorp-vault-plugin
hashicorp-vault-plugin 371.v884a4dd60fb6 and earlier does not set the appropriate context for Vault credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and potentially...
Stored XSS vulnerability in coverage
coverage uses coverage results IDs to create the links to coverage results on the Jenkins UI. coverage 2.3054.ve1ff7baa123b and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI. This allows...
OS command injection vulnerability on agents in git-client
git-client generates temporary script files to provide credentials (e.g., SSH_ASKPASS). In git-client 6.4.0 and earlier, these script files contain the path to the workspace directory as part of a command argument. This argument is not correctly escaped, allowing attackers able to control the...
Missing permission check in BlazeMeterJenkinsPlugin allows enumerating credentials IDs
BlazeMeterJenkinsPlugin 4.26 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Path traversal vulnerability in pipeline-reporter-by-redpen
pipeline-reporter-by-redpen 1.054.v7b9517b6b202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira. Additionally, pipeline-reporter-by-redpen does not support distributed builds, causing artifact uploads to occur from the Jenkins...
Denial of service vulnerability in HTTP-based CLI
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not properly close HTTP-based CLI connections when the connection stream becomes corrupted. This allows unauthenticated attackers to cause a denial of service by creating HTTP-based CLI connection requests, resulting in request-handling...
CSRF vulnerability on the login form
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not require a cross-site request forgery (CSRF) token (crumb) for the URL handling interactive login HTTP requests, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to trick users into logging in ...
Build authorization token stored and displayed in plain text
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
Missing permission check on password fields
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not perform a permission check to determine whether a password field should be redacted in views. This allows attackers with View/Read permission to view encrypted password values in views. NOTE: The regular view configuration form requires...
CSRF vulnerability and missing permission check in publish-to-bitbucket
publish-to-bitbucket 0.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Replay vulnerability in saml
saml 4.583.vc68232f7018a and earlier does not implement a replay cache. This allows attackers able to obtain information about the SAML authentication flow between a user's web browser and Jenkins to replay those requests, authenticating to Jenkins as that user. saml 4.583.585.v22ccc1139f55...
Missing permission checks in mcp-server
mcp-server 0.84.v50ca24ef83f2 and earlier does not perform permission checks in several MCP tools. This allows the following: Attackers with Item/Read permission can obtain information about the configured SCM in a job despite lacking Item/Extended Read permission (getJobScm). Attackers with...
Java protection mechanism disabled in eggplant-runner
eggplant-runner 0.0.1.301.v963cffe8ddb8 and earlier sets the Java system property jdk.http.auth.tunneling.disabledSchemes to an empty value as part of applying a proxy configuration. This disables a protection mechanism (see https://www.oracle.com/java/technologies/javase/8u111-relnotes.html) of the Jav...
XXE vulnerability in jdepend
jdepend 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses extern...
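A report file is attacker-controlled input once a low-privileged user can choose what the step parses, so the parser must not resolve anything outside the document. The following is an added example, not the jdepend plugin's or JDepend's own code: a JAXP DocumentBuilder configured to reject DOCTYPEs outright and, as defense in depth, to refuse external entities, external DTDs and XInclude. The two inline documents are constructed; their element names only loosely mimic a JDepend report and are not its exact schema. The JDK's built-in parser supports every feature and attribute used here; an external Xerces build may throw IllegalArgumentException for the two ACCESS_EXTERNAL attributes.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added illustration (not the jdepend plugin's or JDepend's code): a JAXP
 * DocumentBuilder that refuses DOCTYPEs and all external resources, so a
 * report carrying an external entity cannot make the controller read local
 * files or fetch URLs.
 */
public final class HardenedXml {

    private HardenedXml() {}

    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The single most effective setting: no DOCTYPE means no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for parsers that must accept a DOCTYPE: never resolve
        // external general/parameter entities or the external DTD, do not expand entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        // JAXP 1.5 properties: an empty string allows no protocol for external access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    /** Parses a report held in memory; the same builder works for a File or InputStream. */
    public static Document parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        return newBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; not the exact JDepend report schema.
        String benign = "<JDepend><Packages><Package name=\"com.example\"/></Packages></JDepend>";
        String xxe = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE JDepend [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                + "<JDepend><Packages><Package name=\"&xxe;\"/></Packages></JDepend>";

        System.out.println("root element: " + parse(benign).getDocumentElement().getTagName());
        try {
            parse(xxe);
            System.out.println("UNEXPECTED: document with external entity was accepted");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE is the setting to insist on when reviewing a fix: the other features each close one resolution path, but a report format that never needs a DTD has no reason to let one in.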
CSRF vulnerability in extensible-choice-parameter
extensible-choice-parameter 239.v5f5c278708cf and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to execute sandboxed Groovy code. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission check in themis
themis 1.4.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. A...
CSRF vulnerability and missing permission check in windocks-start-container
windocks-start-container 1.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF)...
Missing permission check in publish-to-bitbucket allows enumerating credentials IDs
publish-to-bitbucket 0.4 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials...
CSRF vulnerability and missing permission checks in nexus-task-runner
nexus-task-runner 0.9.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this endpoint does not require POST requests,...
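The "CSRF vulnerability and missing permission check" entries above (jenkinsci-appspider-plugin, github-branch-source, publish-to-bitbucket, themis, windocks-start-container, nexus-task-runner) describe the same two omissions in a form-validation or "Test connection" endpoint: it answers GET requests, so no crumb is needed and any web page can make a logged-in user's browser call it, and it checks no permission, so Overall/Read is enough to make the controller connect to an arbitrary URL. The following is an added example, not the code of any of those plugins: a hypothetical build step "ExampleNotifier" whose descriptor carries both fixes. The connection test requires Overall/Administer as the fixes on this page do; the syntax-only validator requires Item/Configure on the job being edited, or Overall/Administer when reached from global configuration. The vulnerable shape is kept as a comment for comparison.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLConnection;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/**
 * Added illustration, not any listed plugin's code: a hypothetical build step
 * whose descriptor exposes a syntax-only validator and a "Test connection"
 * endpoint, each with the two fixes the advisories describe.
 */
public class ExampleNotifier extends Builder {

    private final String serverUrl;

    @DataBoundConstructor
    public ExampleNotifier(String serverUrl) {
        this.serverUrl = serverUrl;
    }

    public String getServerUrl() {
        return serverUrl;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example notifier (illustration)";
        }

        // Vulnerable shape described on this page: reachable by GET (CSRF) and no
        // permission check, so Overall/Read lets anyone make the controller connect anywhere.
        //
        //   public FormValidation doTestConnection(@QueryParameter String serverUrl) {
        //       return connect(serverUrl);
        //   }

        // Hardened: @POST makes Stapler reject other verbs, and POST requests must carry
        // a valid crumb. Connecting out is a side effect from the controller's network
        // position, so require Overall/Administer, as the fixes on this page do.
        @POST
        public FormValidation doTestConnection(@QueryParameter String serverUrl) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return connect(serverUrl);
        }

        // Pure syntax check, no side effect: Item/Configure on the job being edited,
        // or Overall/Administer when the field is edited from global configuration.
        @POST
        public FormValidation doCheckServerUrl(@AncestorInPath Item item, @QueryParameter String value) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            try {
                URI u = new URI(value);
                if (!"https".equalsIgnoreCase(u.getScheme()) || u.getHost() == null) {
                    return FormValidation.error("Expected an https:// URL with a host");
                }
                return FormValidation.ok();
            } catch (URISyntaxException e) {
                return FormValidation.error("Not a valid URL");
            }
        }

        private static FormValidation connect(String serverUrl) {
            try {
                URLConnection raw = new URI(serverUrl).toURL().openConnection();
                if (!(raw instanceof HttpURLConnection)) {
                    return FormValidation.error("Only http(s) URLs are supported");  // e.g. file:
                }
                HttpURLConnection c = (HttpURLConnection) raw;
                c.setConnectTimeout(5_000);
                c.setReadTimeout(5_000);
                c.setRequestMethod("HEAD");
                int code = c.getResponseCode();
                return code < 400 ? FormValidation.ok("HTTP " + code) : FormValidation.warning("HTTP " + code);
            } catch (URISyntaxException | IOException | IllegalArgumentException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }
    }
}
```

When an endpoint also takes a credentials ID (as publish-to-bitbucket's and nexus-task-runner's do), the permission check is what prevents a read-only user from pairing a URL they control with a credential they could only name, not read: without it, "Test connection" becomes a credential exfiltration primitive.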
API tokens stored in plain text by byteguard-build-actions
byteguard-build-actions 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
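Three entries on this page (loadninja, byteguard-build-actions and the core build authorization token) store a secret as a plain String, so it lands verbatim in config.xml, is readable with Item/Extended Read or file access, and is echoed unmasked in the configuration form. The following is an added example, not code from any of those components: a hypothetical build step "ExampleUploader" that holds its token as hudson.util.Secret, which XStream persists encrypted with the instance's secret key, and that migrates a legacy plaintext field named "token" on load. The matching config.jelly would bind the field with <f:password field="apiToken"/> so the form masks it. The old field stays non-transient so XStream can still read it; it is nulled in readResolve() and therefore omitted on the next save.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/**
 * Added illustration, not loadninja's or byteguard-build-actions' code: a
 * hypothetical build step that stores its API token as hudson.util.Secret
 * and migrates a legacy plaintext field on load.
 */
public class ExampleUploader extends Builder {

    // Vulnerable shape described on this page: a plain String is written to
    // config.xml verbatim and, bound to a plain text box, echoed unmasked in
    // the job configuration form.
    //
    //   private final String apiToken;

    // Hardened: Secret is encrypted with the instance's key when persisted by
    // XStream; <f:password field="apiToken"/> in config.jelly masks it in the UI.
    private Secret apiToken;

    // Legacy field name (assumed), kept non-transient so XStream can still read
    // old config.xml files; readResolve() moves and clears it.
    @Deprecated
    private String token;

    @DataBoundConstructor
    public ExampleUploader(Secret apiToken) {
        this.apiToken = apiToken;
    }

    public Secret getApiToken() {
        return apiToken;
    }

    /** Called by XStream after deserialization: move a legacy plaintext token into the Secret. */
    protected Object readResolve() {
        if (token != null) {
            if (apiToken == null) {
                apiToken = Secret.fromString(token);
            }
            // Null fields are not written, so the plaintext leaves config.xml on the
            // next save. It has already been exposed on disk: rotate the token.
            token = null;
        }
        return this;
    }

    /** Decrypt only at the point of use; never log or echo the result. */
    String tokenForRequest() {
        return Secret.toString(apiToken);
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example uploader (illustration)";
        }
    }
}
```

Switching the field type closes both halves of the advisory: the stored value is encrypted at rest, and the password form control keeps it out of the rendered page. Existing config.xml files still hold the plaintext until they are saved again, which is why such fixes are usually paired with advice to rotate the affected tokens.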
Shell command injection vulnerability in Azure CLI
Azure CLI 0.9 and earlier does not restrict which commands it executes on the Jenkins controller. This allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller. As of publication of this advisory, there is no fix. Learn why we announce this...