1464 matches found
CSRF vulnerabilities and missing permission checks in matlab allow XXE
matlab determines whether a user-specified directory on the Jenkins controller is the location of a MATLAB installation by parsing an XML file in that directory. matlab 2.11.0 and earlier does not perform permission checks in several HTTP endpoints implementing related form validation...
Non-constant time webhook token hash comparison in zanata
zanata 0.6 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token hashes are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is no fix...
Missing permission check in lambdatest-automation allows enumerating credentials IDs
lambdatest-automation 1.20.9 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of LAMBDATEST credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...
Exposure of token through logs in lambdatest-automation
lambdatest-automation 1.20.10 and earlier logs LAMBDATEST Credentials access token at the INFO level. This can result in accidental exposure of the token through the default system log. lambdatest-automation 1.21.0 no longer logs LAMBDATEST Credentials access token...
Non-constant time webhook token comparison in gogs-webhook
gogs-webhook 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is no fix...
Arbitrary file read vulnerability in electricflow
electricflow temporarily copies files from an agent workspace to the controller in preparation for publishing them in the 'CloudBees CD - Publish Artifact' post-build step. electricflow 1.1.32 and earlier follows symbolic links to locations outside of the temporary directory on the controller whe...
HTTP/2 denial of service vulnerabilities in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.427 and earlier, LTS...
Stored XSS vulnerability
ExpandableDetailsNote allows annotating build log content with additional information that can be revealed when interacted with. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the caption constructor parameter of ExpandableDetailsNote. This results in a stored...
Incorrect permission checks in qualys-cs
qualys-cs 1.6.2.6 and earlier does not correctly perform a permission check in multiple HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to do the following: Enumerate credentials IDs of credentials stored in...
Stored XSS vulnerability in tap
tap 2.3 and earlier does not escape TAP file contents. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control TAP file contents. As of publication of this advisory, there is no fix. Learn why we announce this...
Missing permission check in aws-codecommit-trigger allows enumerating credentials IDs
aws-codecommit-trigger 3.0.12 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission checks in frugal-testing
frugal-testing 1.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to do the following: Connect to Frugal Testing using attacker-specified username and password. Retrieve test IDs and names from Frugal Testing, if a vali...
Improper masking of credentials in pipeline-maven
pipeline-maven integrates with https://plugins.jenkins.io/config-file-provider/Config File Provider Plugin to specify custom Maven settings, including credentials for authentication. pipeline-maven 1330.v18e473854496 and earlier does not properly mask i.e., replace with asterisks usernames of...
CSRF vulnerability in ivy
ivy 2.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete disabled modules. As of publication of this advisory, there is no fix. Learn why we announce this...
Path traversal allows exploiting XSS vulnerability in jobConfigHistory
jobConfigHistory 1227.v7a79fc4dc01f and earlier does not restrict a name query parameter when rendering a history entry. This allows attackers to have Jenkins render a manipulated configuration history that was not created by the plugin. The history view does not property sanitize or escape the...
Non-constant time token comparison in google-login
google-login 1.7 and earlier does not use a constant-time comparison when checking whether the provided and expected token are equal. This could potentially allow attackers to use statistical methods to obtain a valid token. google-login 1.8 uses a constant-time comparison when validating the tok...
CSRF vulnerability in cloudbees-folder
cloudbees-folder 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to copy a view inside a folder. cloudbees-folder 6.848.ve3bfd7839a81 requires POST requests for t...
CSRF vulnerability and missing permission checks in fortify allow capturing credentials
fortify 22.1.38 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Unsafe default behavior and information disclosure in gogs-webhook webhook
gogs-webhook provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In gogs-webhook 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default. This allows unauthenticated attackers to trigger builds of jobs...
Stored XSS vulnerability in flaky-test-handler
flaky-test-handler 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control JUnit report file contents. flaky-test-handler 1.2.3 escapes JUnit test contents...
Exposure of system-scoped credentials in maven-artifact-choicelistprovider
maven-artifact-choicelistprovider 1.14 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials the...
Incorrect control flow in gradle breaks credentials masking in the build log
gradle 2.8 improperly invokes APIs available only on the controller from an agent when setting up build log annotations, causing an exception. As a result, credentials may not be masked i.e., replaced with asterisks in the build log in some circumstances. gradle 2.8.1 improves the control flow an...
CSRF protection bypass vulnerability
Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs. In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided value...
Missing permission check in dimensionsscm allows enumerating credentials IDs
dimensionsscm 0.9.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
CSRF vulnerability and missing permission checks in ease-plugin
ease-plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Secrets stored and displayed in plain text by ansible
ansible allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets. ansible 204.v8191fd551ebf and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration...
CSRF vulnerability and missing permission checks in azure-vm-agents
azure-vm-agents 852.v8d35f0960a43 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method...
Stored XSS vulnerability in testng-plugin
testng-plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide a crafted TestNG repor...
XXE vulnerability in vs-code-metrics
vs-code-metrics 1.7 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
XXE vulnerability in remote-jobs-view-plugin
remote-jobs-view-plugin 0.0.3 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows authenticated attackers with Overall/Read permission to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the...
XXE vulnerability in crap4j
crap4j 0.9 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or...
Stored XSS vulnerability in jacoco
jacoco 3.3.2 and earlier does not escape class and method names shown on the UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action. jacoco 3.3.2.1 escapes class and method...
Incorrect permission checks in role-strategy
Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them e.g., Overall/Administer or Item/Configure. role-strategy...
XSS vulnerability in plugin manager
Jenkins 2.270 through 2.393 both inclusive, LTS 2.277.1 through 2.375.3 both inclusive does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This results in a stored cross-sit...
Script Security sandbox bypass vulnerability in email-ext
email-ext allows defining custom email templates using https://plugins.jenkins.io/config-file-provider/Config File Provider plugin as Jelly or Groovy files. When defined inside a https://plugins.jenkins.io/cloudbees-folder/folder, email templates need to be subject to Script Security protection...
Missing permission check in ghprb allows enumerating credentials IDs
ghprb 1.42.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As of...
Agent-to-controller security bypass vulnerability in Katalon
Katalon 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments. It allows attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version,...
Agent-to-controller security bypass vulnerability in compuware-topaz-utilities
compuware-topaz-utilities 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability is only...
Agent-to-controller security bypass vulnerability in compuware-scm-downloader
compuware-scm-downloader 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability is only...
XXE vulnerability in compuware-topaz-for-total-test
compuware-topaz-for-total-test 2.4.8 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML documen...
XXE vulnerability in compuware-common-configuration
compuware-common-configuration 1.0.14 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities fo...
Stored XSS vulnerability in DotCi
DotCi 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/...
API token stored in plain text by CONS3RT
CONS3RT 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration. This API token can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix. Learn why we...
Missing hostname validation in view26
view26 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. As of publication of this advisory, there is no fix. Learn why we announce this...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins LTS 2.346.3 and earlier,...
Stored XSS vulnerability in jobConfigHistory
jobConfigHistory 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure job names. jobConfigHistory 1166.vc9f255f45b8a escapes the job name on...
CSRF vulnerability in jobConfigHistory
jobConfigHistory 1155.v28a46acc06a5 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to delete entries from job, agent, and system configuration history, or restore older...
Missing permission checks in compuware-ispw-operations
compuware-ispw-operations 1.0.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...
Missing permission check in deployer-framework allows reading deployment logs
deployer-framework 85.v1d1888e8c021 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to read deployment logs. deployer-framework 86.v7ba4a55bf3ec requires Deploy Now/Deploy permission to read deployment logs...
Missing permission checks in compuware-xpediter-code-coverage
compuware-xpediter-code-coverage 1.0.7 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs...