1464 matches found
Sandbox bypass vulnerability in script-security
Sandbox protection in script-security could be circumvented through default parameter expressions in constructors. This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. These expressions are now subject to sandbox...
XSS vulnerability in combobox form control
Jenkins interpreted items added to f:combobox form controls as HTML. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the contents of f:combobox form controls. Jenkins no longer interprets items added to a combobox as HTML. NOTE ====== This might be a...
Stored XSS vulnerability in expandable textbox form control
Jenkins form controls include an expandable textbox that can transform from a single-line text box to a multi-line text area. The implementation of this transformation interpreted the text content of the form field as HTML. This resulted in a cross-site scripting vulnerability exploitable by...
Stored XSS vulnerability in SCM tag action tooltip
Jenkins did not escape the tag name on the tooltip for tag actions shown in the build history. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the SCM tag name for these actions. Jenkins now escapes the SCM tag action...
inedo-buildmaster showed plain text password in configuration form
inedo-buildmaster stores a service password in its global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
datatheorem-mobile-app-security stored credentials in plain text
datatheorem-mobile-app-security stored a proxy password unencrypted in job config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. datatheorem-mobile-app-security now stores the proxy passwo...
Script sandbox bypass vulnerability in Kubernetes Pipeline - Kubernetes Steps Plugin
Kubernetes Pipeline - Kubernetes Steps Plugin defines a custom list of pre-approved signatures for all scripts protected by the Script Security sandbox. This custom list of pre-approved signatures allows the use of methods that can be used to bypass Script Security sandbox protection. This result...
aqua-security-scanner showed plain text password in configuration form
aqua-security-scanner stores a password in its global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
System command execution vulnerability in git-client
git-client accepts user-specified values as argument to an invocation of git ls-remote to validate the existence of a Git repository at the specified URL. This was implemented in a way that allowed attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins...
Sandbox Bypass in splunk-devops
splunk-devops has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST transforming...
CSRF vulnerability and missing permission check in jclouds-jenkins allowed capturing credentials
jclouds-jenkins did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
Reflected XSS vulnerability in jenkinswalldisplay
jenkinswalldisplay does not properly escape the customTheme query parameter, resulting in a reflected cross-site scripting vulnerability. As of publication of this advisory, there is no fix...
eggplant-plugin stores credentials in plain text
eggplant-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
configuration-as-code allowed users without Overall/Administer permission to access documentation
configuration-as-code provides a generated schema and reference documentation for the configuration options supported on the current Jenkins instance. These URLs did not perform additional permission checks, resulting in their content being available to users with Overall/Read access. This includ...
configuration-as-code did not mask proxy credentials
configuration-as-code provides a custom configurator for the Jenkins proxy configuration. This feature did not mask the password for logging or encrypt it in the export. configuration-as-code 1.20 and newer mask the Jenkins proxy password when logged and only store it encrypted in the export...
CSRF protection tokens did not expire
By default, CSRF tokens in Jenkins only checked user authentication and IP address. This allowed attackers able to obtain a CSRF token for another user to implement CSRF attacks as long as the victim's IP address remained unchanged. CSRF tokens will now also check the web session ID to confirm th...
Users with Overall/Read access could enumerate credential IDs in docker-plugin
docker-plugin provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality did not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of ...
CSRF vulnerability and missing permission check in jx-resources
jx-resources did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes server and obtain information about an attacker-specified namespace. Doing so might also leak service...
XSS vulnerability in build metadata contributed by electricflow
The plugin adds metadata displayed on build pages during its operations. Any user content was not escaped, resulting in a cross-site scripting vulnerability allowing users with Job/Configure permission, or attackers controlling API responses received from ElectricFlow to render arbitrary HTML and...
CSRF vulnerability in artifactory
artifactory implements a number of API endpoints allowing users to trigger various actions related to releasing and promotion. These endpoints do not require POST requests, resulting in a cross-site request forgery vulnerability. As of publication of this advisory, no release containing a fix is...
influxdb stored credentials in plain text
influxdb stored target passwords unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. influxdb now stores its passwords encrypted...
Missing permission check allowed obtaining limited information about system configuration in pam-auth
A missing permission check in pam-auth allowed users with Overall/Read permission to invoke a form validation method to obtain limited information about the file /etc/shadow on systems with that file present, as well as the system user the Jenkins process is running as. Depending on configuration...
Certificate file read vulnerability in credentials
Credentials Plugin allowed the creation of Certificate credentials from a PKCS12 file on the Jenkins controller. Users with permission to create or update credentials could use the associated form validation to confirm the existence of files with an attacker-specified path. Additionally, they cou...
Sandbox bypass in ontrack
ontrack supports sandboxed Groovy expressions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the plugin’s job-specific configuration to bypass the sandbox protection and...
CSRF vulnerability and missing permission checks in gitlab-plugin allowed capturing credentials
gitlab-plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
CSRF vulnerability and missing permission check in deployit-plugin
A missing permission check in a form validation method in deployit-plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting...
azure-publishersettings-credentials stored credentials in plain text
azure-publishersettings-credentials stored the service management certificate unencrypted in credentials.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. azure-publishersettings-credentials has been deprecated...
jenkins-jira-issue-updater stores credentials in plain text
jenkins-jira-issue-updater stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
Bitbucket Approve Plugin stores credentials in plain text
Bitbucket Approve Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.bitbucketapprove.BitbucketApprover.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
snsnotify stores credentials in plain text
snsnotify stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.snsnotify.AmazonSNSNotifier.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
aws-device-farm stores credentials in plain text
aws-device-farm stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.awsdevicefarm.AWSDeviceFarmRecorder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
Aqua Security Scanner Plugin stores credentials in plain text
Aqua Security Scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.aquadockerscannerbuildstep.AquaDockerScannerBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
veracode-scanner Plugin stores credentials in plain text
veracode-scanner Plugin stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.veracodescanner.VeracodeNotifier.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
wildfly-deployer stores credentials in plain text
wildfly-deployer stores deployment credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
koji stores credentials in plain text
koji stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.koji.KojiBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in ftppublisher allow connecting to arbitrary FTP servers
A missing permission check in a form validation method in ftppublisher allows users with Overall/Read permission to initiate a connection test to an attacker-specified FTP server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resultin...
deployhub stores credentials in plain text
deployhub stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
kmap-jenkins stores credentials in plain text
kmap-jenkins stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
sra-deploy stores credentials in plain text
sra-deploy stores credentials unencrypted in its global configuration file com.urbancode.ds.jenkins.plugins.serenarapublisher.UrbanDeployPublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
sametime stores credentials in plain text
sametime stores credentials unencrypted in its global configuration file hudson.plugins.sametime.im.transport.SametimePublisher.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
Unprivileged users with Overall/Read access were able to enumerate credential IDs in Arxan MAM Publisher Plugin
Arxan MAM Publisher Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used...
CSRF vulnerability and missing permission checks in Slack Notification Plugin allowed capturing credentials
Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stor...
Script security sandbox bypass in Email Extension Plugin
Email Extension Plugin supports sandboxed Groovy expressions for multiple features. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the plugin's job-specific configuration t...
SSRF vulnerability due to missing permission check in JMS Messaging Plugin
A missing permission check in a form validation method in JMS Messaging Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CS...
SSRF vulnerability due to missing permission check in Acunetix Plugin
A missing permission check in a form validation method in Acunetix Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP GET request to an attacker-specified URL, adding a /me suffix, returning whether the connection could be established and whether the...
XSS vulnerability in Warnings Next Generation Plugin
Warnings Next Generation Plugin did not properly escape HTML content in warnings displayed on the Jenkins UI, resulting in a cross-site scripting vulnerability exploitable by users able to control warnings parser input. Warnings Next Generation Plugin now removes unsafe HTML content from warnings...
Blue Ocean did not require CSRF tokens
Blue Ocean did not require CSRF tokens "crumbs" for POST requests with the Content-Type: application/json. Blue Ocean now requires that valid CSRF tokens are present in POST requests...
Improper certificate validation with StartTLS in Active Directory Plugin
Active Directory Plugin performs TLS upgrade StartTLS after connecting to domain controllers through insecure LDAP. In this mode, certificates were not properly validated, effectively trusting all certificates, allowing man-in-the-middle attacks. This only affected TLS upgrades. The LDAPS mode,...
Workspace browser allowed accessing files outside the workspace
The file browser for workspaces, archived artifacts, and $JENKINSHOME/userContent/ followed symbolic links to locations outside the directory being browsed. While builds typically have access to the file system outside the workspace allocated by Jenkins, this should not extend to beyond the...
Reflected XSS vulnerability in Job Config History Plugin
Job Config History Plugin did not escape some query parameters shown on its pages, resulting in a reflected cross-site scripting XSS vulnerability. Job Config History Plugin now globally applies variable escaping to its pages...