1464 matches found
upload-pgyer stores credentials in plain text
upload-pgyer stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
youtrack-plugin stored credentials in plain text
youtrack-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. youtrack-plugin now stores credential...
crittercism-dsym stores API key in plain text
crittercism-dsym stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
diawi-upload stores credentials in plain text
diawi-upload stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in netsparker-cloud-scan allowed SSRF
A missing permission check in a form validation method in netsparker-cloud-scan allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token. Additionally, the form validation method did not require POST requests,...
ircbot stores credentials in plain text
ircbot stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
aws-beanstalk-publisher-plugin stores credentials in plain text
aws-beanstalk-publisher-plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
vmware-vrealize-automation-plugin stores credentials in plain text
vmware-vrealize-automation-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in labmanager
A missing permission check in a form validation method in labmanager allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings. Additionally, the form validation method does not require POST...
fabric-beta-publisher stores credentials in plain text
fabric-beta-publisher stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
Unprivileged users with Overall/Read access were able to enumerate credential IDs in Arxan MAM Publisher Plugin
Arxan MAM Publisher Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used...
Script security sandbox bypass in Email Extension Plugin
Email Extension Plugin supports sandboxed Groovy expressions for multiple features. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the plugin's job-specific configuration t...
ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation
ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. ElectricFlow Plugin 1.1.5 and newer no longer do that...
Arxan MAM Publisher Plugin stored password in plain text
Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked...
SSRF vulnerability due to missing permission check in JMS Messaging Plugin
A missing permission check in a form validation method in JMS Messaging Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CS...
Sandbox Bypass in Script Security and Pipeline Groovy Plugins
The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to...
Ephemeral user record was created on some invalid authentication attempts
When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as legacy API tokens could exist without a persisted user record. This behavior could be...
Unauthorized users could access agent logs
Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission...
Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin
Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability. Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI...
TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation
TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plug...
Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation
Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...
Arbitrary file read vulnerability
An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to. Input validation in Stapler has...
HTTP session fixation vulnerability in SAML Plugin
SAML Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. SAML Plugin now invalidates the previous session during login and creates a new one...
CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials
Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...
Arbitrary file write vulnerability in Fortify CloudScan Plugin
Fortify CloudScan Plugin did not validate file names in rulepack ZIP archives it extracts, resulting in an arbitrary file write vulnerability. Fortify CloudScan Plugin 1.5.2 and newer rejects relative paths escaping the ZIP extraction base directory...
CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins controller
AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller. Additionally, this form validation method did not require POST requests, resulting in ...
CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials
Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored...
Persisted cross-site scripting vulnerability in Groovy Postbuild Plugin
Groovy Postbuild Plugin did not properly escape badge content from user input, resulting in a stored cross-site scripting vulnerability. Groovy Postbuild Plugin 2.4 now properly escapes badge content from user input...
Users were able to register user names containing control characters
The built-in Jenkins user database optionally allows user registration. This feature did not properly sanitize user names, allowing registration of user names containing control characters. This could be used to confuse administrators appearing to be a different user while preventing deletion of...
Session fixation vulnerability in Google Login Plugin
Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. Google Login Plugin now invalidates the previous session during login, and creates a new on...
Stored XSS vulnerability in S3 Publisher Plugin
S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files. S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly...
CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission
The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist. The Jenkins CLI now returns the same...
Mailer Plugin allowed unauthorized users to send test emails
A missing permission check in Mailer Plugin allowed users with Overall/Read access to Jenkins to have it connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could resu...
Improperly secured form validation for proxy configuration allowed Server-Side Request Forgery
The form validation for the proxy configuration form did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL, optionally with a specified proxy configuration. If that request's HTTP respon...
SECURITY-660
Bulletin has no description...
SECURITY-699
Bulletin has no description...
SECURITY-658
Bulletin has no description...
Persisted XSS vulnerability in autocompletion suggestions
Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. Known previously unsafe sources for thes...
Script security bypass vulnerability in script-security
script-security 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations such as @CompileStatic and @TypeChecked that carry an extensions member, which causes Groovy to load and execute a script from the classpath at compile time, before the sandbox is applied. This ma...
Encrypted values of secrets in job and agent configurations not redacted by jobConfigHistory
jobConfigHistory 1356.ve360da6c523a and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations through its "View as XML" / "RAW" feature and its configuration diff views. This allows attackers with Item/Extended Read permission but not...
Missing permission check in mcp-server allows reading Pipeline replay scripts
mcp-server 0.177.v629fdb2557fe and earlier does not perform a permission check in the getReplayScripts MCP tool that returns the replay script of a Pipeline build. This allows attackers with Item/Read permission to obtain the Pipeline script of jobs. mcp-server 0.178.vffe5ae770f3b requires...
Passwords stored in plain text by fitnesse
fitnesse 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, the...
Builds executed on the Jenkins controller by zapper can lead to RCE
zapper 1.0.7 and earlier does not support distributed builds, causing the file operations and build process of its "Automatically build ZAP" feature to be performed on the Jenkins controller rather than on the agent the build is assigned to. This allows attackers with Item/Configure permission to...
Open redirect vulnerability
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow: A URL containing relative path segments ./ or ../ is validated before the servlet container collapses those segments into a protocol-relative URL starting with...
Missing permission check on password fields
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not perform a permission check to determine whether a password field should be redacted in views. This allows attackers with View/Read permission to view encrypted password values in views. NOTE: The regular view configuration form requires...
Exposure of system-scoped Vault credentials in hashicorp-vault-plugin
hashicorp-vault-plugin 371.v884a4dd60fb6 and earlier does not set the appropriate context for Vault credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and potentially...
CSRF vulnerability on the login form
Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not require a cross-site request forgery CSRF token crumb for the URL handling interactive login HTTP requests, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to trick users into logging in ...
XXE vulnerability in jdepend
jdepend 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses extern...
API tokens stored in plain text by byteguard-build-actions
byteguard-build-actions 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
API Auth keys stored and displayed in plain text by vaddy-plugin
vaddy-plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...