1464 matches found
Path traversal vulnerability in Publish Over SSH
Publish Over SSH 1.22 and earlier performs a validation of the file name specifying whether it is present or not. This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files. As of publication of this...
Improper handling of equivalent directory names on Windows
Jenkins stores jobs and other entities on disk using their name shown on the UI as file and folder names. On Windows, when specifying a file or folder with a trailing dot character example., the file or folder will be treated as if that character was not present example. As both are legal names f...
Path traversal vulnerability on Windows
The file browser for workspaces, archived artifacts, and userContent/ in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows. This results in a path traversal vulnerability allowing attackers with Overall/Read permission Windows controller o...
saml allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. saml implements this extension point for the URL that users are redirected to after login. In saml 2.0.7 and earlier this implementation is too permissive, allowing attackers t...
Improper permission checks allow canceling queue items and aborting builds
Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission. Jenkins 2.300, LTS 2.289.2 requires that users have Item/Read permission for applicable types ...
Missing permission checks allow enumerating credentials IDs in kubernetes-cli
kubernetes-cli 1.10.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Missing permission checks in s3 allow obtaining metadata about artifacts
s3 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models. This allows attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled. s3 0.11.7 requires...
Missing permission check in xray-connector allows enumerating credentials IDs
xray-connector 2.4.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
CSRF vulnerability in xray-connector allows capturing credentials
xray-connector 2.4.0 and earlier does not require POST requests for a connection test method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another...
XXE vulnerability in config-file-provider
config-file-provider 3.7.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets...
Missing permission checks in config-file-provider allow enumerating configuration file IDs
config-file-provider 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in config-file-provider 3.7.1 requires the appropriate permissions...
Lack of type validation in agent related REST API
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node. This allows attackers with Computer/Configure permission to replace a node with one of a different type. Jenkins 2.287, L...
View name validation bypass
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name. When a form to create a view is submitted, the name is included twice in the submission. One instance is validated, but the other instance is used to create the value. This...
Missing permission checks in aws-credentials allows enumerating credentials IDs
aws-credentials 1.28 and earlier does not perform a permission check in a helper method for HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins if any of the following plugins are installed: Amazon Elastic Container...
Path traversal vulnerability in agent names
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart. Jenkins...
Reflected XSS vulnerability in markup formatter preview
Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered. Jenkins 2.274 and earlier, LTS...
Arbitrary file read vulnerability in workspace browsers
The file browser for workspaces, archived artifacts, and $JENKINSHOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier. This allows attackers with Job/Workspace permission and the ability to control workspac...
Password written to the build log by sqlplus-script-runner
sqlplus-script-runner 2.0.12 and earlier prints the sqlplus command invocation to the build log. This log message does not redact a password provided as part of a command line argument. This password can be viewed by users with Item/Read permission. sqlplus-script-runner 2.0.13 no longer prints t...
Stored XSS vulnerability in Static Analysis Utilities
Static Analysis Utilities 1.96 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Login allowed with empty password by active-directory
active-directory implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. The Windows/ADSI mode does not specifically prohibit use of empty passwords in active-directory 2.19 and earlier. If the Active Directory server allows the unauthenticated bind...
Missing permission check in active-directory allows accessing domain health check page
active-directory 2.19 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access the domain health check diagnostic page. active-directory 2.20 requires Overall/Administer permission to access the domain health check diagnosti...
CSRF vulnerability in active-directory
active-directory 2.19 and earlier does not require POST requests for multiple HTTP endpoints implementing connection and authentication tests, resulting in cross-site request forgery CSRF vulnerabilities. This vulnerability allows attackers to perform connection tests, connecting to...
Missing permission checks in ansible allow enumerating credentials IDs
ansible 1.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Request logging could be bypassed in audit-trail
audit-trail logs requests whose URL path matches an admin-configured regular expression. A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in audit-trail 3.6 and earlier. This only...
CSRF vulnerability in shared-objects
shared-objects 0.44 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to configure shared objects. As of publication of this advisory, there is no fix...
Sandbox bypass vulnerability in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
Stored XSS vulnerability in liquibase-runner
liquibase-runner 1.4.5 and earlier does not escape changeset contents when showing them on the build page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide Liquibase changesets evaluated by the plugin. liquibase-runner 1.4.7 no longer suppor...
Passwords stored in plain text by elastest
elastest 1.2.1 and earlier stores its server password in plain text in the global configuration file jenkins.plugins.elastest.ElasTestInstallation.xml. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Missing permission check in perfecto
perfecto 1.17 and earlier does not perform a permission check in a method implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password. perfecto 1.18 requires Overall/Administer...
Stored XSS vulnerability in android-lint
android-lint 2.6 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide report files to the 'Publish Android Lint results' post-build step. As of publication of this advisory, there i...
CSRF vulnerability and missing permission checks in mongodb
mongodb 1.3 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller. Additionally, these form validation methods do not require POST...
Stored XSS vulnerability in chosen-views-tabbar
chosen-views-tabbar 1.2 and earlier does not escape view names in the dropdown to select views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with the ability to configure views. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission checks in elastest
elastest 1.2.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. Additionally, this form validation method does not require POST...
Path traversal vulnerability in blueocean
blueocean 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GITREADSAVETYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system. blueocean 1.23.3 no longer...
Secret stored in plain text by Parameterized-Remote-Trigger
Parameterized-Remote-Trigger 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to t...
Credentials stored in plain text by tfs
tfs 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system. As of...
CSRF vulnerability in database
database 1.6 and earlier does not require POST requests for the database console, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to execute arbitrary SQL scripts. database 1.7 removes the database console...
CSRF vulnerability in flaky-test-handler
flaky-test-handler 1.0.4 and earlier does not require POST requests for the "Deflake this build" feature, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to rebuild a project at a previous git revision where the tests were failing. As of publicati...
SMTP password transmitted and displayed in plain text by email-ext
email-ext stores an SMTP password in its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller as part of its configuration. While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration...
Stored XSS vulnerability in yet-another-build-visualizer
yet-another-build-visualizer 1.11 and earlier does not escape tooltip content. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Run/Update permission. yet-another-build-visualizer 1.12 escapes tooltip content...
Stored XSS vulnerability in job build time trend
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name on build time trend pages. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Agent/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the agent name...
Stored XSS vulnerability in single axis builds tooltips in matrix-project
matrix-project 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Agent/Configure permission. matrix-project 1.17 escapes the node names shown in...
Stored XSS vulnerability in sonargraph-integration
sonargraph-integration 3.0.0 and earlier does not escape the file path for the Log file field form validation. This results in a stored cross-site scripting XSS vulnerability that can be exploited by users with Job/Configure permission. sonargraph-integration 3.0.1 escapes the affected part of th...
Secret stored in plain text by slack-uploader
slack-uploader 1.7 and earlier stores a secret unencrypted in job config.xml files as part of its configuration. This secret can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Password stored in plain text by TestComplete
TestComplete 2.4.1 and earlier stores a password unencrypted in job config.xml files as part of its configuration. This password can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
Passwords transmitted in plain text by StashBranchParameter
StashBranchParameter stores Stash API passwords in its global configuration file org.jenkinsci.plugins.StashBranchParameter.StashBranchParameterDefinition.xml on the Jenkins controller as part of its configuration. While the password is stored encrypted on disk, it is transmitted in plain text as...
Stored XSS vulnerability in script-security
script-security 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page. This results in a stored cross-site scripting XSS vulnerability exploitable by users able to configure sandboxed scripts. script-security 1.73 escapes pending a...
Missing permission check in project-inheritance
Jenkins limits access to job configuration XML data config.xml to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. project-inheritance has several job inspection features, including the API URL /job/.../getConfigAsXML for its Inheritance Project job type that...
OS command injection vulnerability in Play Framework
A form validation endpoint in Play Framework executes the play command to validate a given input file. Play Framework 1.0.2 and earlier lets users specify the path to the play command on the Jenkins controller. This results in an OS command injection vulnerability exploitable by users able to sto...
XSS vulnerability in svn-partial-release-mgr
svn-partial-release-mgr 1.0.1 and earlier does not escape the error message for the repository URL field form validation. This results in a reflected cross-site scripting XSS vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configur...