1464 matches found
CSRF vulnerability and missing permission checks in ec2-fleet
ec2-fleet 4.2.3.539.v8fedff2a81c3 and earlier does not perform permission checks in several HTTP endpoints used to validate cloud configurations. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through...
SSL/TLS certificate validation unconditionally disabled by bitbucket-push-and-pull-request
bitbucket-push-and-pull-request 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for the connections it makes to Bitbucket Server using Bearer token authentication. Because the Bearer token is transmitted in these requests, this allows attackers able to...
XXE vulnerability on agents in semantic-versioning-plugin
semantic-versioning-plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the contents of the version file for the 'Determine Semantic Version' build step to have agent processes parse a crafted file that uses...
Agent-to-controller security bypass in semantic-versioning-plugin
semantic-versioning-plugin defines a controller/agent message that processes a given file as XML and returns version information. The XML parser is not configured to prevent XML external entity XXE attacks, which is only a problem if XML documents are parsed on the Jenkins controller...
CSRF vulnerability and missing permission checks in mabl-integration allow capturing credentials
mabl-integration 0.0.46 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Agent-to-controller security bypass in semantic-versioning-plugin
semantic-versioning-plugin defines a controller/agent message that processes a given file as XML and its XML parser is not configured to prevent XML external entity XXE attacks. semantic-versioning-plugin 1.14 and earlier does not restrict execution of the controller/agent message to agents, and...
Incorrect permission checks in qualys-pc allow capturing credentials
qualys-pc 1.0.5 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to connect to an attacker-specified URL using attacker-specified credential...
CSRF vulnerability and missing permission check in build-failure-analyzer allow SSRF
build-failure-analyzer 2.4.1 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoin...
Shell command injection vulnerability in Azure CLI
Azure CLI 0.9 and earlier does not restrict which commands it executes on the Jenkins controller. This allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller. As of publication of this advisory, there is no fix. Learn why we announce this...
Agent-to-controller security bypass in conjur-credentials allows decrypting secrets
conjur-credentials 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret. This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method. As of publicati...
File system information disclosure vulnerability in git-client
git-client 6.3.2 and earlier, except 6.1.4 and 6.2.1, allows specifying the experimental amazon-s3 protocol for use with the bundled JGit library. This protocol authenticates against Amazon S3 based on contents of the file whose path is provided as the authority part of the URL...
Secret file credentials stored unencrypted in rare cases by plain-credentials
When creating secret file credentials plain-credentials 182.v468b97b9dcb8 and earlier attempts to decrypt the content of the file to check if it constitutes a valid encrypted secret. In rare cases the file content matches the expected format of an encrypted secret, and the file content will be...
Stored XSS vulnerability in dependency-check-jenkins-plugin
dependency-check-jenkins-plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control workspace contents or CVE metadata...
Credentials stored in plain text by whitesource
whitesource 19.1.1 and earlier stores credentials in plain text as part of its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml and job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission in the...
API keys stored and displayed in plain text by codedx
codedx 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
CSRF vulnerability in build-failure-analyzer allows deleting Failure Causes
build-failure-analyzer 2.4.1 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete Failure Causes. build-failure-analyzer 2.4.2 requires POST requests for the affected HTTP...
CSRF vulnerability in gitlab-oauth
gitlab-oauth 1.17.1 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. gitlab-oauth 1.18 implements a state...
CSRF vulnerability and missing permission checks in GitHub Pull Request Builder Plugin allowed server-side request forgery, capturing credentials
GitHub Pull Request Builder Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
Path traversal allows exploiting XXE vulnerability in jobConfigHistory
jobConfigHistory 1227.v7a79fc4dc01f and earlier does not restrict timestamp query parameters in multiple endpoints. This allows attackers with Job Config History/DeleteEntry permission to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file...
CSRF vulnerability and missing permission checks in Dimensions Plugin
Users with Overall/Read permission were able to access Dimensions Plugin's form validation URL, having it connect to an attacker-specified Dimensions system with attacker-specified credentials. Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability...
CSRF protection for any URL could be bypassed
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlie...
bitbucket-oauth stored credentials in plain text
bitbucket-oauth stored a credential unencrypted in the global config.xml configuration file on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system. bitbucket-oauth now stores this credential encrypted...
Codebeamer Test Results Trend Updater Plugin stored password in plain text
Codebeamer Test Results Trend Updater Plugin stored username and password in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. The plugin now...
Session fixation vulnerability in wso2id-oauth
wso2id-oauth 1.0 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. As of publication of this advisory, there is no fix. Learn why we announce this...
Dimensions Plugin stored credentials in plain text
Dimensions Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk and no longer...
Encrypted values of credentials revealed to users with Extended Read permission in credentials
credentials 1380.va435002fa924 and earlier, except 1371.1373.v4ebfab7161e9, does not redact encrypted values of credentials using the SecretBytes type e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin when accessing item config.xml via REST API or CLI. This...
Content-Security-Policy protection for user content disabled by redhat-dependency-analytics
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. redhat-dependency-analytics 0.7.1 and earlier globally disables the...
Session fixation vulnerability in bitbucket-oauth
bitbucket-oauth 0.12 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. bitbucket-oauth 0.13 invalidates the existing session on login...
m2release stored credentials in plain text
m2release stored credentials unencrypted in its global configuration file org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. m2release now stores credentials encrypte...
Stored XSS vulnerability in Metadata Plugin
A stored cross-site scripting XSS vulnerability in Metadata Plugin allows users with permission to change metadata definitions to insert arbitrary HTML/Javascript into Jenkins pages. As of publication of this advisory, there is no fix...
SECURITY-698
Bulletin has no description...
gogs-webhook stored credentials in plain text
gogs-webhook stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. gogs-webhook now stores credentials encrypted...
Missing permission check allows accessing other users' "My Views"
Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...
CSRF vulnerability and missing permission check in pipeline-maven allow capturing credentials
pipeline-maven 3.8.2 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially...
Path traversal vulnerability in filesystem-list-parameter-plugin
filesystem-list-parameter-plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter. This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. filesystem-list-parameter-plugin 0.0.15 ensures that...
CSRF vulnerability and missing permission check in test-results-aggregator
test-results-aggregator 1.2.13 and earlier does not perform a permission check in an HTTP endpoint implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this HTTP...
XXE vulnerability in m2release
m2release retrieves XML from Nexus repository manager APIs. m2release 0.16.1 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. While Jenkins users without Overall/Administer permission are not allowed to configure a custom Nexus URL, this could still be...
API keys stored and displayed in plain text by loadninja
loadninja 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
API keys stored and displayed in plain text by qmetry-test-management
qmetry-test-management 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
Exposure of system-scoped credentials in delphix
delphix 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Overall/Read permission to access and capture credentials they are not entitled to...
Stored XSS vulnerability in workflow-support
workflow-support provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it...
Privilege escalation vulnerability in bundled Spring Security library
Spring Security 5.4.3 and earlier has a vulnerability that unintentionally persists temporarily elevated privileges in some circumstances in a user's session. This issue, CVE-2021-22112, is resolved in Spring Security 5.4.4. Jenkins 2.266 through 2.279 inclusive includes releases of Spring Securi...
Credentials stored in plain text by debian-package-builder
debian-package-builder 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of...
CSRF vulnerability
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets e.g., Build Queue and Build Executor Status widgets, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability...
CSRF vulnerability and missing permission checks in service-fabric
service-fabric 1.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Multiple sandbox bypass vulnerabilities in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
Exposure of system-scoped credentials in warnings-ng
warnings-ng 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled t...
mattermost stored webhook endpoint token in plain text
Mattermost allows the definition of incoming from the perspective of the service webhook URLs. These contain what is effectively a secret token as part of the URL. mattermost stored these webhook URLs as part of its global configuration file jenkins.plugins.mattermost.MattermostNotifier.xml and j...
CSRF vulnerability and missing permission checks in Maven Artifact ChoiceListProvider (Nexus) Plugin allowed capturing credentials
Maven Artifact ChoiceListProvider Nexus Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Nexus or Artifactory server using attacker-specified credentials IDs obtained throu...
CSRF vulnerability in convert-to-pipeline results in RCE
convert-to-pipeline 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with...