Lucene search
K
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
added 2026/06/24 12:0 a.m.87 views

CSRF vulnerability and missing permission checks in ec2-fleet

ec2-fleet 4.2.3.539.v8fedff2a81c3 and earlier does not perform permission checks in several HTTP endpoints used to validate cloud configurations. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through...

5.4CVSS5.8AI score0.00161EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2026/06/24 12:0 a.m.86 views

SSL/TLS certificate validation unconditionally disabled by bitbucket-push-and-pull-request

bitbucket-push-and-pull-request 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for the connections it makes to Bitbucket Server using Bearer token authentication. Because the Bearer token is transmitted in these requests, this allows attackers able to...

4.8CVSS5.9AI score0.00108EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/01/24 12:0 a.m.84 views

XXE vulnerability on agents in semantic-versioning-plugin

semantic-versioning-plugin 1.14 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the contents of the version file for the 'Determine Semantic Version' build step to have agent processes parse a crafted file that uses...

9.8CVSS8.6AI score0.0128EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2022/03/15 12:0 a.m.81 views

Agent-to-controller security bypass in semantic-versioning-plugin

semantic-versioning-plugin defines a controller/agent message that processes a given file as XML and returns version information. The XML parser is not configured to prevent XML external entity XXE attacks, which is only a problem if XML documents are parsed on the Jenkins controller...

7.1CVSS6.8AI score0.01314EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/07/12 12:0 a.m.66 views

CSRF vulnerability and missing permission checks in mabl-integration allow capturing credentials

mabl-integration 0.0.46 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...

7.1CVSS6.4AI score0.00555EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/01/24 12:0 a.m.65 views

Agent-to-controller security bypass in semantic-versioning-plugin

semantic-versioning-plugin defines a controller/agent message that processes a given file as XML and its XML parser is not configured to prevent XML external entity XXE attacks. semantic-versioning-plugin 1.14 and earlier does not restrict execution of the controller/agent message to agents, and...

9.8CVSS8.5AI score0.01314EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2024/01/24 12:0 a.m.56 views

Incorrect permission checks in qualys-pc allow capturing credentials

qualys-pc 1.0.5 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to connect to an attacker-specified URL using attacker-specified credential...

4.2CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/09/20 12:0 a.m.43 views

CSRF vulnerability and missing permission check in build-failure-analyzer allow SSRF

build-failure-analyzer 2.4.1 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP endpoin...

8.8CVSS6.8AI score0.00504EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2025/10/29 12:0 a.m.37 views

Shell command injection vulnerability in Azure CLI

Azure CLI 0.9 and earlier does not restrict which commands it executes on the Jenkins controller. This allows attackers with Item/Configure permission to execute arbitrary shell commands on the Jenkins controller. As of publication of this advisory, there is no fix. Learn why we announce this...

8.8CVSS5.7AI score0.00556EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2022/01/12 12:0 a.m.37 views

Agent-to-controller security bypass in conjur-credentials allows decrypting secrets

conjur-credentials 1.0.9 and earlier implements functionality that allows agent processes to obtain the plain text of any attacker-provided encrypted secret. This allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method. As of publicati...

7.5CVSS7.2AI score0.00828EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2025/09/03 12:0 a.m.34 views

File system information disclosure vulnerability in git-client

git-client 6.3.2 and earlier, except 6.1.4 and 6.2.1, allows specifying the experimental amazon-s3 protocol for use with the bundled JGit library. This protocol authenticates against Amazon S3 based on contents of the file whose path is provided as the authority part of the URL...

4.3CVSS5.3AI score0.00288EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2024/06/26 12:0 a.m.32 views

Secret file credentials stored unencrypted in rare cases by plain-credentials

When creating secret file credentials plain-credentials 182.v468b97b9dcb8 and earlier attempts to decrypt the content of the file to check if it constitutes a valid encrypted secret. In rare cases the file content matches the expected format of an encrypted secret, and the file content will be...

4.3CVSS5.6AI score0.00419EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2024/03/06 12:0 a.m.32 views

Stored XSS vulnerability in dependency-check-jenkins-plugin

dependency-check-jenkins-plugin 5.4.5 and earlier does not escape vulnerability metadata from Dependency-Check reports on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control workspace contents or CVE metadata...

8.8CVSS5.4AI score0.00693EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2020/07/02 12:0 a.m.31 views

Credentials stored in plain text by whitesource

whitesource 19.1.1 and earlier stores credentials in plain text as part of its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml and job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission in the...

4.3CVSS5.1AI score0.00691EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/05/16 12:0 a.m.30 views

API keys stored and displayed in plain text by codedx

codedx 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

4.3CVSS5AI score0.00633EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/09/20 12:0 a.m.27 views

CSRF vulnerability in build-failure-analyzer allows deleting Failure Causes

build-failure-analyzer 2.4.1 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete Failure Causes. build-failure-analyzer 2.4.2 requires POST requests for the affected HTTP...

4.3CVSS4.9AI score0.00339EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/07/26 12:0 a.m.27 views

CSRF vulnerability in gitlab-oauth

gitlab-oauth 1.17.1 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. gitlab-oauth 1.18 implements a state...

5.4CVSS5.7AI score0.00608EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/06/04 12:0 a.m.27 views

CSRF vulnerability and missing permission checks in GitHub Pull Request Builder Plugin allowed server-side request forgery, capturing credentials

GitHub Pull Request Builder Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...

6.5CVSS5.9AI score0.00988EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/09/06 12:0 a.m.22 views

Path traversal allows exploiting XXE vulnerability in jobConfigHistory

jobConfigHistory 1227.v7a79fc4dc01f and earlier does not restrict timestamp query parameters in multiple endpoints. This allows attackers with Job Config History/DeleteEntry permission to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file...

8.8CVSS7.1AI score0.0075EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/09/25 12:0 a.m.22 views

CSRF vulnerability and missing permission checks in Dimensions Plugin

Users with Overall/Read permission were able to access Dimensions Plugin's form validation URL, having it connect to an attacker-specified Dimensions system with attacker-specified credentials. Additionally, this form validation URL did not require POST requests, resulting in a CSRF vulnerability...

4.3CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2020/03/25 12:0 a.m.21 views

CSRF protection for any URL could be bypassed

An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlie...

8.8CVSS7.8AI score0.01993EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/10/23 12:0 a.m.21 views

bitbucket-oauth stored credentials in plain text

bitbucket-oauth stored a credential unencrypted in the global config.xml configuration file on the Jenkins controller. This credential could be viewed by users with access to the Jenkins controller file system. bitbucket-oauth now stores this credential encrypted...

7.8CVSS7.3AI score0.00333EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/03/25 12:0 a.m.21 views

Codebeamer Test Results Trend Updater Plugin stored password in plain text

Codebeamer Test Results Trend Updater Plugin stored username and password in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. The plugin now...

4.3CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/05/16 12:0 a.m.20 views

Session fixation vulnerability in wso2id-oauth

wso2id-oauth 1.0 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. As of publication of this advisory, there is no fix. Learn why we announce this...

8.8CVSS5.6AI score0.00431EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/09/25 12:0 a.m.20 views

Dimensions Plugin stored credentials in plain text

Dimensions Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk and no longer...

4.3CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2024/10/02 12:0 a.m.19 views

Encrypted values of credentials revealed to users with Extended Read permission in credentials

credentials 1380.va435002fa924 and earlier, except 1371.1373.v4ebfab7161e9, does not redact encrypted values of credentials using the SecretBytes type e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin when accessing item config.xml via REST API or CLI. This...

7.5CVSS5.2AI score0.00583EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2024/01/24 12:0 a.m.19 views

Content-Security-Policy protection for user content disabled by redhat-dependency-analytics

Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. redhat-dependency-analytics 0.7.1 and earlier globally disables the...

8CVSS5.3AI score0.00564EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/01/24 12:0 a.m.19 views

Session fixation vulnerability in bitbucket-oauth

bitbucket-oauth 0.12 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. bitbucket-oauth 0.13 invalidates the existing session on login...

9.8CVSS8.3AI score0.01062EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/07/31 12:0 a.m.19 views

m2release stored credentials in plain text

m2release stored credentials unencrypted in its global configuration file org.jvnet.hudson.plugins.m2release.M2ReleaseBuildWrapper.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. m2release now stores credentials encrypte...

5.5CVSS4.9AI score0.00471EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/09/25 12:0 a.m.19 views

Stored XSS vulnerability in Metadata Plugin

A stored cross-site scripting XSS vulnerability in Metadata Plugin allows users with permission to change metadata definitions to insert arbitrary HTML/Javascript into Jenkins pages. As of publication of this advisory, there is no fix...

4.8CVSS5.1AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/02/05 12:0 a.m.19 views

SECURITY-698

Bulletin has no description...

3.1CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/07/11 12:0 a.m.18 views

gogs-webhook stored credentials in plain text

gogs-webhook stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. gogs-webhook now stores credentials encrypted...

8.8CVSS5.6AI score0.01668EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2024/08/07 12:0 a.m.17 views

Missing permission check allows accessing other users' "My Views"

Jenkins 2.470 and earlier, LTS 2.452.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access other users' "My Views". Attackers with global View/Configure and View/Delete permissions are also able to change other users' "...

6.3CVSS6.7AI score0.04263EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2020/08/12 12:0 a.m.17 views

CSRF vulnerability and missing permission check in pipeline-maven allow capturing credentials

pipeline-maven 3.8.2 and earlier does not perform a permission check in a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified JDBC URL using attacker-specified credentials IDs obtained through another method, potentially...

7.1CVSS6.5AI score0.01056EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2024/11/27 12:0 a.m.16 views

Path traversal vulnerability in filesystem-list-parameter-plugin

filesystem-list-parameter-plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter. This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. filesystem-list-parameter-plugin 0.0.15 ensures that...

4.3CVSS5.3AI score0.00812EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/07/12 12:0 a.m.16 views

CSRF vulnerability and missing permission check in test-results-aggregator

test-results-aggregator 1.2.13 and earlier does not perform a permission check in an HTTP endpoint implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this HTTP...

6.5CVSS6.3AI score0.00513EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/12/17 12:0 a.m.16 views

XXE vulnerability in m2release

m2release retrieves XML from Nexus repository manager APIs. m2release 0.16.1 and earlier does not configure the XML parser to prevent XML external entity XXE attacks. While Jenkins users without Overall/Administer permission are not allowed to configure a custom Nexus URL, this could still be...

8.8CVSS7.5AI score0.00969EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2026/03/18 12:0 a.m.15 views

API keys stored and displayed in plain text by loadninja

loadninja 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

4.3CVSS5.3AI score0.00217EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2025/07/09 12:0 a.m.15 views

API keys stored and displayed in plain text by qmetry-test-management

qmetry-test-management 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

6.5CVSS5.6AI score0.00226EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/08/16 12:0 a.m.15 views

Exposure of system-scoped credentials in delphix

delphix 3.0.2 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Overall/Read permission to access and capture credentials they are not entitled to...

6.5CVSS6.4AI score0.00765EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2022/10/19 12:0 a.m.15 views

Stored XSS vulnerability in workflow-support

workflow-support provides a feature to add hyperlinks, that send POST requests when clicked, to build logs. These links are used by Pipeline: Input Step Plugin to allow users to proceed or abort the build, or by Pipeline: Job Plugin to allow users to forcibly terminate the build after aborting it...

8CVSS5.5AI score0.00655EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2021/02/19 12:0 a.m.15 views

Privilege escalation vulnerability in bundled Spring Security library

Spring Security 5.4.3 and earlier has a vulnerability that unintentionally persists temporarily elevated privileges in some circumstances in a user's session. This issue, CVE-2021-22112, is resolved in Spring Security 5.4.4. Jenkins 2.266 through 2.279 inclusive includes releases of Spring Securi...

9CVSS7.5AI score0.03197EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2020/02/12 12:0 a.m.15 views

Credentials stored in plain text by debian-package-builder

debian-package-builder 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system. As of...

4.3CVSS5.1AI score0.00691EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2025/03/05 12:0 a.m.14 views

CSRF vulnerability

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets e.g., Build Queue and Build Executor Status widgets, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability...

5.4CVSS5.5AI score0.0041EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2025/01/22 12:0 a.m.14 views

CSRF vulnerability and missing permission checks in service-fabric

service-fabric 1.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...

4.3CVSS5.1AI score0.00288EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2024/05/02 12:0 a.m.14 views

Multiple sandbox bypass vulnerabilities in script-security

script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...

9.8CVSS7.7AI score0.48081EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/10/25 12:0 a.m.14 views

Exposure of system-scoped credentials in warnings-ng

warnings-ng 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled t...

6.5CVSS6.1AI score0.00606EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2019/10/23 12:0 a.m.14 views

mattermost stored webhook endpoint token in plain text

Mattermost allows the definition of incoming from the perspective of the service webhook URLs. These contain what is effectively a secret token as part of the URL. mattermost stored these webhook URLs as part of its global configuration file jenkins.plugins.mattermost.MattermostNotifier.xml and j...

6.5CVSS6.5AI score0.00927EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2018/07/30 12:0 a.m.14 views

CSRF vulnerability and missing permission checks in Maven Artifact ChoiceListProvider (Nexus) Plugin allowed capturing credentials

Maven Artifact ChoiceListProvider Nexus Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Nexus or Artifactory server using attacker-specified credentials IDs obtained throu...

5.4CVSS5.7AI score0.00681EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
added 2023/03/21 12:0 a.m.13 views

CSRF vulnerability in convert-to-pipeline results in RCE

convert-to-pipeline 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with...

8.8CVSS6.5AI score0.0064EPSS
Exploits1Affected Software1
Total number of security vulnerabilities1464