Lucene search
+L
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

upload-pgyer stores credentials in plain text

upload-pgyer stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

6.5CVSS6.5AI score0.01226EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

youtrack-plugin stored credentials in plain text

youtrack-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.youtrack.YouTrackProjectProperty.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. youtrack-plugin now stores credential...

8.8CVSS6.2AI score0.01832EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

crittercism-dsym stores API key in plain text

crittercism-dsym stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

diawi-upload stores credentials in plain text

diawi-upload stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

CSRF vulnerability and missing permission check in netsparker-cloud-scan allowed SSRF

A missing permission check in a form validation method in netsparker-cloud-scan allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified API token. Additionally, the form validation method did not require POST requests,...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

ircbot stores credentials in plain text

ircbot stores credentials unencrypted in its global configuration file hudson.plugins.ircbot.IrcPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01411EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

aws-beanstalk-publisher-plugin stores credentials in plain text

aws-beanstalk-publisher-plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsbeanstalkpublisher.AWSEBPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

vmware-vrealize-automation-plugin stores credentials in plain text

vmware-vrealize-automation-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

CSRF vulnerability and missing permission check in labmanager

A missing permission check in a form validation method in labmanager allows users with Overall/Read permission to initiate a Lab Manager connection test to an attacker-specified server with attacker-specified credentials and settings. Additionally, the form validation method does not require POST...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•9 views

fabric-beta-publisher stores credentials in plain text

fabric-beta-publisher stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

6.5CVSS6.5AI score0.01226EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/25 12:0 a.m.•9 views

Unprivileged users with Overall/Read access were able to enumerate credential IDs in Arxan MAM Publisher Plugin

Arxan MAM Publisher Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used...

4.3CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/06 12:0 a.m.•9 views

Script security sandbox bypass in Email Extension Plugin

Email Extension Plugin supports sandboxed Groovy expressions for multiple features. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the plugin's job-specific configuration t...

9.9CVSS8.9AI score0.02439EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/02/19 12:0 a.m.•9 views

ElectricFlow Plugin globally and unconditionally disabled SSL/TLS certificate validation

ElectricFlow Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. ElectricFlow Plugin 1.1.5 and newer no longer do that...

6.5CVSS5.3AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/02/19 12:0 a.m.•9 views

Arxan MAM Publisher Plugin stored password in plain text

Arxan MAM Publisher Plugin stored the username and password connection credentials in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked...

4.3CVSS5.4AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/02/19 12:0 a.m.•9 views

SSRF vulnerability due to missing permission check in JMS Messaging Plugin

A missing permission check in a form validation method in JMS Messaging Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CS...

4.3CVSS5AI score0.00674EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/10/29 12:0 a.m.•9 views

Sandbox Bypass in Script Security and Pipeline Groovy Plugins

The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to...

8.8CVSS6.7AI score0.01639EPSS
Exploits0Affected Software2
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/08/15 12:0 a.m.•9 views

Ephemeral user record was created on some invalid authentication attempts

When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as legacy API tokens could exist without a persisted user record. This behavior could be...

7.5CVSS6.5AI score0.01673EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/08/15 12:0 a.m.•9 views

Unauthorized users could access agent logs

Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks. Access to the affected URL is now limited to users with the correct Agent/Connect permission...

4.3CVSS5.4AI score0.01254EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•9 views

Stored Cross-Site Scripting Vulnerability in Shelve Project Plugin

Shelve Project Plugin did not escape the names of shelved projects on the UI, potentially resulting in a stored XSS vulnerability. Shelve Project Plugin 2.0 and newer now escapes the names of shelved projects shown on the UI...

5.4CVSS5.5AI score0.00719EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•9 views

TraceTronic ECU-TEST Plugin globally and unconditionally disables SSL/TLS certificate validation

TraceTronic ECU-TEST Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. TraceTronic ECU-TEST Plugin 2.4 and newer no longer does that. It now has an option that allows disabling SSL/TLS certificate validation for specific connections by this plug...

7.4CVSS7.3AI score0.00856EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/30 12:0 a.m.•9 views

Inedo BuildMaster Plugin globally and unconditionally disabled SSL/TLS certificate validation

Inedo ProGet Plugin unconditionally disabled SSL/TLS certificate validation for the entire Jenkins controller JVM. The plugin now has an option, disabled by default, to disable SSL/TLS certificate validation that only applies to its own connections...

7.4CVSS7.3AI score0.00856EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/07/18 12:0 a.m.•9 views

Arbitrary file read vulnerability

An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins controller file system that the Jenkins controller process has access to. Input validation in Stapler has...

7.5CVSS6.4AI score0.86641EPSS
Exploits7Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/25 12:0 a.m.•9 views

HTTP session fixation vulnerability in SAML Plugin

SAML Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. SAML Plugin now invalidates the previous session during login and creates a new one...

6.5CVSS6.1AI score0.00852EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/25 12:0 a.m.•9 views

CSRF vulnerability and missing permission checks in Openstack Cloud Plugin allowed capturing credentials

Openstack Cloud Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...

8.8CVSS8.1AI score0.01037EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/25 12:0 a.m.•9 views

Arbitrary file write vulnerability in Fortify CloudScan Plugin

Fortify CloudScan Plugin did not validate file names in rulepack ZIP archives it extracts, resulting in an arbitrary file write vulnerability. Fortify CloudScan Plugin 1.5.2 and newer rejects relative paths escaping the ZIP extraction base directory...

6.5CVSS6.6AI score0.00852EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/04 12:0 a.m.•9 views

CSRF vulnerability and missing permission checks in AbsInt Astrée Plugin allowed launching programs on the Jenkins controller

AbsInt Astrée Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to run a user-specified program on the Jenkins controller. Additionally, this form validation method did not require POST requests, resulting in ...

8.8CVSS8AI score0.02021EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/06/04 12:0 a.m.•9 views

CSRF vulnerability and missing permission checks in Black Duck Detect Plugin allowed server-side request forgery, capturing credentials

Black Duck Detect Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored...

6.5CVSS6.5AI score0.00988EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/05/09 12:0 a.m.•9 views

Persisted cross-site scripting vulnerability in Groovy Postbuild Plugin

Groovy Postbuild Plugin did not properly escape badge content from user input, resulting in a stored cross-site scripting vulnerability. Groovy Postbuild Plugin 2.4 now properly escapes badge content from user input...

5.4CVSS5.3AI score0.00719EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/05/09 12:0 a.m.•9 views

Users were able to register user names containing control characters

The built-in Jenkins user database optionally allows user registration. This feature did not properly sanitize user names, allowing registration of user names containing control characters. This could be used to confuse administrators appearing to be a different user while preventing deletion of...

4.3CVSS5.6AI score0.01045EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/04/16 12:0 a.m.•9 views

Session fixation vulnerability in Google Login Plugin

Google Login Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. Google Login Plugin now invalidates the previous session during login, and creates a new on...

6.5CVSS6AI score0.0159EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/04/16 12:0 a.m.•9 views

Stored XSS vulnerability in S3 Publisher Plugin

S3 Publisher Plugin did not properly escape file names shown on the Jenkins UI. This resulted in a cross-site scripting vulnerability exploitable by users able to control the names of uploaded files. S3 Publisher Plugin now escapes file names shown on the Jenkins UI properly...

5.4CVSS5.3AI score0.00673EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/04/11 12:0 a.m.•9 views

CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission

The Jenkins CLI sent different error responses for commands with view and agent arguments depending on the existence of the specified views or agents to unauthorized users. This allowed attackers to determine whether views or agents with specified names exist. The Jenkins CLI now returns the same...

5.3CVSS5.4AI score0.01403EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/03/26 12:0 a.m.•9 views

Mailer Plugin allowed unauthorized users to send test emails

A missing permission check in Mailer Plugin allowed users with Overall/Read access to Jenkins to have it connect to a user-specified mail server with user-specified credentials to send a test email to a user-specified email address. The email subject and body could not be changed. This could resu...

8CVSS7.5AI score0.06773EPSS
Exploits5Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/14 12:0 a.m.•9 views

Improperly secured form validation for proxy configuration allowed Server-Side Request Forgery

The form validation for the proxy configuration form did not check the permission of the user accessing it, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL, optionally with a specified proxy configuration. If that request's HTTP respon...

6.4CVSS6.4AI score0.01678EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/05 12:0 a.m.•9 views

SECURITY-660

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/02/05 12:0 a.m.•9 views

SECURITY-699

Bulletin has no description...

8.8CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2018/01/22 12:0 a.m.•9 views

SECURITY-658

Bulletin has no description...

7.6CVSS4.9AI score
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2017/11/08 12:0 a.m.•9 views

Persisted XSS vulnerability in autocompletion suggestions

Autocompletion suggestions for text fields were not escaped, resulting in a persisted cross-site scripting vulnerability if the source for the suggestions allowed specifying text that includes HTML metacharacters like less-than and greater-than characters. Known previously unsafe sources for thes...

4.8CVSS5.3AI score0.01128EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/24 12:0 a.m.•8 views

Script security bypass vulnerability in script-security

script-security 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations such as @CompileStatic and @TypeChecked that carry an extensions member, which causes Groovy to load and execute a script from the classpath at compile time, before the sandbox is applied. This ma...

8.5CVSS5.9AI score0.00594EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/24 12:0 a.m.•8 views

Encrypted values of secrets in job and agent configurations not redacted by jobConfigHistory

jobConfigHistory 1356.ve360da6c523a and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations through its "View as XML" / "RAW" feature and its configuration diff views. This allows attackers with Item/Extended Read permission but not...

4.3CVSS5.9AI score0.0013EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/24 12:0 a.m.•8 views

Missing permission check in mcp-server allows reading Pipeline replay scripts

mcp-server 0.177.v629fdb2557fe and earlier does not perform a permission check in the getReplayScripts MCP tool that returns the replay script of a Pipeline build. This allows attackers with Item/Read permission to obtain the Pipeline script of jobs. mcp-server 0.178.vffe5ae770f3b requires...

4.3CVSS5.9AI score0.00178EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/24 12:0 a.m.•8 views

Passwords stored in plain text by fitnesse

fitnesse 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, the...

4.3CVSS5.9AI score0.00178EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/24 12:0 a.m.•8 views

Builds executed on the Jenkins controller by zapper can lead to RCE

zapper 1.0.7 and earlier does not support distributed builds, causing the file operations and build process of its "Automatically build ZAP" feature to be performed on the Jenkins controller rather than on the agent the build is assigned to. This allows attackers with Item/Configure permission to...

8.8CVSS6.1AI score0.0042EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2026/06/10 12:0 a.m.•8 views

Open redirect vulnerability

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow: A URL containing relative path segments ./ or ../ is validated before the servlet container collapses those segments into a protocol-relative URL starting with...

7.4CVSS5.2AI score0.00364EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/12/10 12:0 a.m.•8 views

Missing permission check on password fields

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not perform a permission check to determine whether a password field should be redacted in views. This allows attackers with View/Read permission to view encrypted password values in views. NOTE: The regular view configuration form requires...

4.3CVSS7.5AI score0.00216EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/12/10 12:0 a.m.•8 views

Exposure of system-scoped Vault credentials in hashicorp-vault-plugin

hashicorp-vault-plugin 371.v884a4dd60fb6 and earlier does not set the appropriate context for Vault credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and potentially...

4.3CVSS5.2AI score0.00202EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/12/10 12:0 a.m.•8 views

CSRF vulnerability on the login form

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not require a cross-site request forgery CSRF token crumb for the URL handling interactive login HTTP requests, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to trick users into logging in ...

3.5CVSS7.5AI score0.0016EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•8 views

XXE vulnerability in jdepend

jdepend 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to configure input files for the "Report JDepend" step to have Jenkins parse a crafted file that uses extern...

7.1CVSS5.4AI score0.0032EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/10/29 12:0 a.m.•8 views

API tokens stored in plain text by byteguard-build-actions

byteguard-build-actions 1.0 and earlier stores API tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

4.3CVSS5.3AI score0.00158EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2025/07/09 12:0 a.m.•8 views

API Auth keys stored and displayed in plain text by vaddy-plugin

vaddy-plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

6.5CVSS5.6AI score0.00218EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464