1464 matches found
CSRF vulnerability in cloudbees-bitbucket-branch-source allows capturing credentials
cloudbees-bitbucket-branch-source 737.vdf9dc06105be and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified...
Password stored in plain text by Publish Over SSH
Publish Over SSH 1.22 and earlier stores password unencrypted in its global configuration file jenkins.plugins.publishoverssh.BapSshPublisherPlugin.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. A...
CSRF vulnerability in batch task
batch task 1.19 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers with Overall/Read access to retrieve logs, build or delete a batch task. As of publication of this advisory,...
Stored XSS vulnerability in Publish Over SSH
Publish Over SSH 1.22 and earlier does not escape the SSH server name. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Overall/Administer permission. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission checks in Publish Over SSH
Publish Over SSH 1.22 and earlier does not perform permission checks in methods implementing connection tests. This allows attackers with Overall/Read access to connect to an attacker-specified SSH server using attacker-specified credentials. Additionally, these connection tests methods do not...
Improper credentials masking in hashicorp-vault-plugin
Pipelines display commands executed in their Pipeline step descriptions and their output in build logs. To mask sensitive output, Pipeline: Groovy Plugin 2.84 and earlier specified an allowlist of known non-sensitive variables and masked everything else. This caused problems, so Pipeline: Groovy...
Path traversal vulnerability in Publish Over SSH
Publish Over SSH 1.22 and earlier performs a validation of the file name specifying whether it is present or not. This results in a path traversal vulnerability allowing attackers with Item/Configure permission to discover the name of the Jenkins controller files. As of publication of this...
Improper handling of equivalent directory names on Windows
Jenkins stores jobs and other entities on disk using their name shown on the UI as file and folder names. On Windows, when specifying a file or folder with a trailing dot character example., the file or folder will be treated as if that character was not present example. As both are legal names f...
Path traversal vulnerability on Windows
The file browser for workspaces, archived artifacts, and userContent/ in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows. This results in a path traversal vulnerability allowing attackers with Overall/Read permission Windows controller o...
saml allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. saml implements this extension point for the URL that users are redirected to after login. In saml 2.0.7 and earlier this implementation is too permissive, allowing attackers t...
Missing permission checks allow enumerating credentials IDs in kubernetes-cli
kubernetes-cli 1.10.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Missing permission checks in s3 allow obtaining metadata about artifacts
s3 0.11.6 and earlier does not perform Run/Artifacts permission checks in various HTTP endpoints and API models. This allows attackers with Item/Read permission to obtain information about artifacts uploaded to S3, if the optional Run/Artifacts permission is enabled. s3 0.11.7 requires...
Missing permission check in xray-connector allows enumerating credentials IDs
xray-connector 2.4.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
CSRF vulnerability in xray-connector allows capturing credentials
xray-connector 2.4.0 and earlier does not require POST requests for a connection test method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another...
XXE vulnerability in config-file-provider
config-file-provider 3.7.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with the ability to define Maven configuration files to have Jenkins parse a crafted configuration file that uses external entities for extraction of secrets...
Missing permission checks in config-file-provider allow enumerating configuration file IDs
config-file-provider 3.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate configuration file IDs. An enumeration of configuration file IDs in config-file-provider 3.7.1 requires the appropriate permissions...
Lack of type validation in agent related REST API
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node. This allows attackers with Computer/Configure permission to replace a node with one of a different type. Jenkins 2.287, L...
View name validation bypass
Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name. When a form to create a view is submitted, the name is included twice in the submission. One instance is validated, but the other instance is used to create the value. This...
Path traversal vulnerability in agent names
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart. Jenkins...
Reflected XSS vulnerability in markup formatter preview
Jenkins allows administrators to choose the markup formatter to use for descriptions of jobs, builds, views, etc. displayed in Jenkins. When editing such a description, users can choose to have Jenkins render a formatted preview of the description they entered. Jenkins 2.274 and earlier, LTS...
Arbitrary file read vulnerability in workspace browsers
The file browser for workspaces, archived artifacts, and $JENKINSHOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.274 and earlier, LTS 2.263.1 and earlier. This allows attackers with Job/Workspace permission and the ability to control workspac...
Login allowed with empty password by active-directory
active-directory implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. The Windows/ADSI mode does not specifically prohibit use of empty passwords in active-directory 2.19 and earlier. If the Active Directory server allows the unauthenticated bind...
Missing permission check in active-directory allows accessing domain health check page
active-directory 2.19 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to access the domain health check diagnostic page. active-directory 2.20 requires Overall/Administer permission to access the domain health check diagnosti...
CSRF vulnerability in active-directory
active-directory 2.19 and earlier does not require POST requests for multiple HTTP endpoints implementing connection and authentication tests, resulting in cross-site request forgery CSRF vulnerabilities. This vulnerability allows attackers to perform connection tests, connecting to...
Stored XSS vulnerability in Static Analysis Utilities
Static Analysis Utilities 1.96 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Password written to the build log by sqlplus-script-runner
sqlplus-script-runner 2.0.12 and earlier prints the sqlplus command invocation to the build log. This log message does not redact a password provided as part of a command line argument. This password can be viewed by users with Item/Read permission. sqlplus-script-runner 2.0.13 no longer prints t...
Stored XSS vulnerability in uno-choice
uno-choice 2.4 and earlier does not escape List and Map return values of sandboxed scripts for Reactive Reference Parameter. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. This issue is caused by an incomplete fix for...
Request logging could be bypassed in audit-trail
audit-trail logs requests whose URL path matches an admin-configured regular expression. A discrepancy between the behavior of the plugin and the Stapler web framework in parsing URL paths allows attackers to craft URLs that would bypass request logging in audit-trail 3.6 and earlier. This only...
Sandbox bypass vulnerability in script-security
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowe...
Stored XSS vulnerability in liquibase-runner
liquibase-runner 1.4.5 and earlier does not escape changeset contents when showing them on the build page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide Liquibase changesets evaluated by the plugin. liquibase-runner 1.4.7 no longer suppor...
CSRF vulnerability and missing permission checks in mongodb
mongodb 1.3 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller. Additionally, these form validation methods do not require POST...
Stored XSS vulnerability in android-lint
android-lint 2.6 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide report files to the 'Publish Android Lint results' post-build step. As of publication of this advisory, there i...
Path traversal vulnerability in blueocean
blueocean 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GITREADSAVETYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system. blueocean 1.23.3 no longer...
Missing permission check in perfecto
perfecto 1.17 and earlier does not perform a permission check in a method implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password. perfecto 1.18 requires Overall/Administer...
Passwords stored in plain text by elastest
elastest 1.2.1 and earlier stores its server password in plain text in the global configuration file jenkins.plugins.elastest.ElasTestInstallation.xml. This password can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission checks in database
database 1.6 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to Jenkins to connect to an attacker-specified database server using attacker-specified username and password. Additionally, this form validation...
Credentials stored in plain text by tfs
tfs 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system. As of...
Secret stored in plain text by Parameterized-Remote-Trigger
Parameterized-Remote-Trigger 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to t...
SMTP password transmitted and displayed in plain text by email-ext
email-ext stores an SMTP password in its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller as part of its configuration. While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration...
Stored XSS vulnerability in yet-another-build-visualizer
yet-another-build-visualizer 1.11 and earlier does not escape tooltip content. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Run/Update permission. yet-another-build-visualizer 1.12 escapes tooltip content...
CSRF vulnerability in flaky-test-handler
flaky-test-handler 1.0.4 and earlier does not require POST requests for the "Deflake this build" feature, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to rebuild a project at a previous git revision where the tests were failing. As of publicati...
Stored XSS vulnerability in single axis builds tooltips in matrix-project
matrix-project 1.16 and earlier does not escape node names shown in tooltips on the overview page of builds with a single axis. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Agent/Configure permission. matrix-project 1.17 escapes the node names shown in...
Stored XSS vulnerability in job build time trend
Jenkins 2.244 and earlier, LTS 2.235.1 and earlier does not escape the agent name on build time trend pages. This results in a stored cross-site scripting XSS vulnerability exploitable by users with Agent/Configure permission. Jenkins 2.245, LTS 2.235.2 escapes the agent name...
CSRF vulnerability and missing permission checks in fortify-on-demand-uploader
fortify-on-demand-uploader 5.0.1 and earlier does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs obtained throug...
Stored XSS vulnerability in sonargraph-integration
sonargraph-integration 3.0.0 and earlier does not escape the file path for the Log file field form validation. This results in a stored cross-site scripting XSS vulnerability that can be exploited by users with Job/Configure permission. sonargraph-integration 3.0.1 escapes the affected part of th...
Passwords transmitted in plain text by StashBranchParameter
StashBranchParameter stores Stash API passwords in its global configuration file org.jenkinsci.plugins.StashBranchParameter.StashBranchParameterDefinition.xml on the Jenkins controller as part of its configuration. While the password is stored encrypted on disk, it is transmitted in plain text as...
Secret stored in plain text by slack-uploader
slack-uploader 1.7 and earlier stores a secret unencrypted in job config.xml files as part of its configuration. This secret can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...
XSS vulnerability in svn-partial-release-mgr
svn-partial-release-mgr 1.0.1 and earlier does not escape the error message for the repository URL field form validation. This results in a reflected cross-site scripting XSS vulnerability that can also be exploited similar to a stored cross-site scripting vulnerability by users with Job/Configur...
Missing permission check in project-inheritance
Jenkins limits access to job configuration XML data config.xml to users with Job/ExtendedRead permission, typically implied by Job/Configure permission. project-inheritance has several job inspection features, including the API URL /job/.../getConfigAsXML for its Inheritance Project job type that...
Stored XSS vulnerability in script-security
script-security 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page. This results in a stored cross-site scripting XSS vulnerability exploitable by users able to configure sandboxed scripts. script-security 1.73 escapes pending a...