1464 matches found
Exposure of system-scoped credentials in maven-artifact-choicelistprovider
maven-artifact-choicelistprovider 1.14 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials the...
Incorrect control flow in gradle breaks credentials masking in the build log
gradle 2.8 improperly invokes APIs available only on the controller from an agent when setting up build log annotations, causing an exception. As a result, credentials may not be masked i.e., replaced with asterisks in the build log in some circumstances. gradle 2.8.1 improves the control flow an...
Missing permission check in miniorange-saml-sp
miniorange-saml-sp 2.3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to download a string representation of the current security realm Java ObjecttoString, which potentially includes sensitive information...
Password transmitted in plain text by active-directory
active-directory allows testing a new, unsaved configuration by performing a connection test the button labeled "Test Domain". active-directory 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted. This allows...
CSRF vulnerability and missing permission checks in elasticbox allow capturing credentials
elasticbox 5.0.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
CSRF protection bypass vulnerability
Jenkins provides context menus for various UI elements, like links to jobs and builds, or breadcrumbs. In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided value...
Missing permission check in dimensionsscm allows enumerating credentials IDs
dimensionsscm 0.9.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
CSRF vulnerability and missing permission checks in ease-plugin
ease-plugin 2.6 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Secrets stored and displayed in plain text by ansible
ansible allows the specification of extra variables that can be passed to Ansible. These extra variables are commonly used to pass secrets. ansible 204.v8191fd551ebf and earlier stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration...
Stored XSS vulnerability in testng-plugin
testng-plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide a crafted TestNG repor...
CSRF vulnerability and missing permission checks in azure-vm-agents
azure-vm-agents 852.v8d35f0960a43 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method...
XXE vulnerability in crap4j
crap4j 0.9 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control Crap Report file contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or...
XXE vulnerability in vs-code-metrics
vs-code-metrics 1.7 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control VS Code Metrics File contents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
Stored XSS vulnerability in jacoco
jacoco 3.3.2 and earlier does not escape class and method names shown on the UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action. jacoco 3.3.2.1 escapes class and method...
XSS vulnerability in plugin manager
Jenkins 2.270 through 2.393 both inclusive, LTS 2.277.1 through 2.375.3 both inclusive does not escape the Jenkins version a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This results in a stored cross-sit...
Temporary plugin file created with insecure permissions
Jenkins creates a temporary file when a plugin is uploaded from an administrator's computer. Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files. If these permissions are overly...
Path traversal vulnerability in visualexpert
visualexpert 1.3 and earlier does not restrict the names of files in methods implementing form validation. This allows attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. As of publication of this advisory,...
CSRF vulnerability and missing permission check in testquality-updater
testquality-updater 1.3 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method do...
Session fixation vulnerability in azure-ad
azure-ad 303.va91ef20ee49f and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. azure-ad 306.va7083923fd50 invalidates the existing session on login...
Missing permission check in ghprb allows enumerating credentials IDs
ghprb 1.42.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As of...
XXE vulnerability on agents in mstest
mstest 1.0.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the contents of the report file for the 'Publish MSTest test result report' post-build step to have agent processes parse a crafted file that uses external...
XXE vulnerability on agents in violations
violations 0.7.11 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers to to control XML input files for the 'Report Violations' post-build step to have agent processes parse a crafted file that uses external entities for extraction of...
Incorrect permission checks in support-core
support-core defines the permission Support/DownloadBundle that allows users without Overall/Administer permission to create and download support bundles containing a limited set of diagnostic information. support-core 1206.v14049fabd860 and earlier does not correctly perform permission checks in...
Stored XSS vulnerability in naginator
naginator 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to edit build display names. naginator 1.18.2 escapes display names of source...
Arbitrary file read vulnerability in Config Rotator
Config Rotator 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint. This allows unauthenticated attackers to read arbitrary files with .xml extension on the Jenkins controller file system. As of publication of this advisory, there is no fix. Learn why we announce...
Agent-to-controller security bypass vulnerability in Katalon
Katalon 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments. It allows attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version,...
Agent-to-controller security bypass vulnerability in compuware-topaz-utilities
compuware-topaz-utilities 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability is only...
Agent-to-controller security bypass vulnerability in compuware-scm-downloader
compuware-scm-downloader 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability is only...
XXE vulnerability in compuware-topaz-for-total-test
compuware-topaz-for-total-test 2.4.8 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML documen...
XXE vulnerability in compuware-common-configuration
compuware-common-configuration 1.0.14 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities fo...
Missing hostname validation in view26
view26 1.0.7 and earlier does not perform hostname validation when connecting to the configured View26 server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. As of publication of this advisory, there is no fix. Learn why we announce this...
Lack of authentication mechanism in DotCi webhook
DotCi provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository. In DotCi 2.40.00 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to the...
Stored XSS vulnerability in DotCi
DotCi 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/...
API token stored in plain text by CONS3RT
CONS3RT 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration. This API token can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix. Learn why we...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins LTS 2.346.3 and earlier,...
Stored XSS vulnerability in jobConfigHistory
jobConfigHistory 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure job names. jobConfigHistory 1166.vc9f255f45b8a escapes the job name on...
CSRF vulnerability in jobConfigHistory
jobConfigHistory 1155.v28a46acc06a5 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to delete entries from job, agent, and system configuration history, or restore older...
Agent-to-controller security bypass in compuware-ispw-operations
compuware-ispw-operations defines a controller/agent message that retrieves Java system properties. compuware-ispw-operations 1.0.8 and earlier does not restrict execution of the controller/agent message to agents. This allows attackers able to control agent processes to retrieve Java system...
Missing permission checks in openstack-heat allow listing the Jenkins controller file system
openstack-heat 1.5 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. A sequence of requests can be used to...
Missing permission check in deployer-framework allows reading deployment logs
deployer-framework 85.v1d1888e8c021 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to read deployment logs. deployer-framework 86.v7ba4a55bf3ec requires Deploy Now/Deploy permission to read deployment logs...
Missing permission checks in compuware-ispw-operations
compuware-ispw-operations 1.0.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...
CSRF vulnerability and missing permission check in google-cloud-backup
google-cloud-backup 0.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to request a manual backup. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability...
Missing permission checks in compuware-xpediter-code-coverage
compuware-xpediter-code-coverage 1.0.7 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs...
CSRF vulnerability and missing permission check in coverity allow capturing credentials
coverity 1.11.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Stored XSS vulnerability in gitlab-plugin
gitlab-plugin 1.5.34 and earlier does not escape multiple user-provided values shown as part of the build cause of webhook-triggered builds. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. gitlab-plugin 1.5.35 does not show...
Stored XSS vulnerability in plot
plot 2.1.10 and earlier does not escape plot descriptions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission checks in xpath-config-viewer
xpath-config-viewer 1.1.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to create and delete XPath expressions. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery...
CSRF vulnerability and missing permission checks in failedJobDeactivator allow disabling jobs
failedJobDeactivator 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints. This allows attackers with Overall/Read permission to disable jobs. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery CSRF...
CSRF vulnerability and missing permission checks in beaker-builder
beaker-builder 1.10 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a...
Multiple SCM plugins can check out from the controller file system
SCMs support a number of different URL schemes, including local file system paths e.g. using file: URLs. Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unles...