1464 matches found
API token stored in plain text by CONS3RT
CONS3RT 1.0.0 and earlier stores Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration. This API token can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix. Learn why we...
XXE vulnerability in compuware-common-configuration
compuware-common-configuration 1.0.14 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to change the contents of the Topaz Workbench CLI home directory on agents to have Jenkins parse a crafted file that uses external entities fo...
Stored XSS vulnerability in DotCi
DotCi 2.40.00 and earlier does not escape the GitHub user name parameter provided to commit notifications when displaying them in a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted commit notifications to the /githook/...
Stored XSS vulnerability in jobConfigHistory
jobConfigHistory 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure job names. jobConfigHistory 1166.vc9f255f45b8a escapes the job name on...
CSRF vulnerability in jobConfigHistory
jobConfigHistory 1155.v28a46acc06a5 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to delete entries from job, agent, and system configuration history, or restore older...
Missing permission checks in compuware-ispw-operations
compuware-ispw-operations 1.0.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate hosts and ports of Compuware configurations and credentials IDs of credentials stored in Jenkins. Those credentials IDs can be...
Missing permission check in deployer-framework allows reading deployment logs
deployer-framework 85.v1d1888e8c021 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to read deployment logs. deployer-framework 86.v7ba4a55bf3ec requires Deploy Now/Deploy permission to read deployment logs...
Passwords stored in plain text by hpe-network-virtualization
hpe-network-virtualization 1.0 stores passwords unencrypted in its global configuration file org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file...
Stored XSS vulnerability in build-metrics
build-metrics 1.3 does not escape the build description on one of its views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Build/Update permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in validating-email-parameter
validating-email-parameter 1.10 and earlier does not escape the name and description of its parameter type. Additionally, it disables the security hardening added in Jenkins 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects the "Build With Parameters" and...
Secrets stored in plain text by rocketchatnotifier
rocketchatnotifier 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file RocketChatNotifier.xml on the Jenkins controller as part of its configuration. These secrets can be viewed by users with access to the Jenkins controller file system. As o...
Password stored in plain text by ec2-deployment-dashboard
ec2-deployment-dashboard 1.0.10 and earlier stores a password unencrypted in its global configuration file de.codecentric.jenkins.dashboard.DashboardView.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file...
XSS vulnerability in testng-plugin
testng-plugin has options in its post-build step configuration to not escape test descriptions and exception messages. If those options are unchecked, testng-plugin 554.va4a552116332 and earlier renders the unescaped text provided in test results. This results in a cross-site scripting XSS...
Stored XSS vulnerability in rich-text-publisher-plugin
rich-text-publisher-plugin 1.4 and earlier does not escape the HTML message set by its post-build step. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in plot
plot 2.1.10 and earlier does not escape plot descriptions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability in rrod
rrod 1.1.0 and earlier does not require POST requests for HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to accept pending requests, thereby renaming or deleting jobs. As of publication of this advisory, there is no fix. Learn why ...
CSRF vulnerability and missing permission checks in beaker-builder
beaker-builder 1.10 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a...
Path traversal vulnerability in embeddable-build-status
embeddable-build-status 2.0.3 and earlier allows specifying a style query parameter that is used to choose a different SVG image style without restricting possible values. This results in a relative path traversal vulnerability, allowing attackers without Overall/Read permission to specify paths ...
CSRF vulnerability and missing permission check in vmware-vrealize-orchestrator
vmware-vrealize-orchestrator 3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL. Additionally, this HTTP endpoint does not require POST requests, resulting in a...
CSRF vulnerability in script-security
script-security 1158.v7c1b73a69a08 and earlier does not require POST requests for a form validation endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver. This form...
User-scoped credentials exposed to other users by blueocean-pipeline-scm-api
When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provid...
CSRF vulnerability and missing permission checks in blueocean
blueocean 1.25.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to send requests to an attacker-specified URL. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery CSRF...
Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in workflow-cps
workflow-cps allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection. In workflow-cps 2689.v434009a31bf1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and...
Multiple SCM plugins can check out from the controller file system
SCMs support a number of different URL schemes, including local file system paths e.g. using file: URLs. Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unles...
Multiple vulnerabilities in Windows Remote Command library in windows-slaves
windows-slaves 1.8 and earlier includes the Windows Remote Command library. It provides a general-purpose remote command execution capability that Jenkins uses to check if Java is available, and if not, to install it. This library has a buffer overflow vulnerability that may allow users able to...
CSRF vulnerability and missing permission checks in ssh allow capturing credentials
ssh 2.6.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Application Detector Plugin 1.0.8 and earlier SECURITY-2732 / CVE-2022-30960 Autocomplete Parameter Plugin 1.1 and earlier SECURITY-2729 / CVE-2022-30961 Global Variable String Parameter Plugin 1.2 and...
Stored XSS vulnerability in Autocomplete Parameter
Autocomplete Parameter 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure...
Missing permission check in ssh allows enumerating credentials IDs
ssh 2.6.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As of...
Missing permission check in gitlab-plugin allows enumerating credentials IDs
gitlab-plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
XXE vulnerability in Storable Configs
Storable Configs 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Credentials Plugin 1111.v35a307992395 and earlier SECURITY-2690 / CVE-2022-29036 CVS Plugin 2.19 and earlier SECURITY-2700 / CVE-2022-29037 Extended Choice Parameter Plugin 346.vd87693c5a86c and earlier...
Untrusted users can modify some Pipeline libraries in workflow-cps-global-lib
Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definitio...
Private key stored in plain text by google-compute-engine
google-compute-engine 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller as part of its configuration. These private keys can be viewed by users with Agent/Extended Read permission or access to the Jenkins controller file system...
CSRF vulnerability in subversion
subversion 2.15.3 and earlier does not require POST requests for several form validation methods, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to connect to an attacker-specified URL. subversion 2.15.4 requires POST requests for the affected...
SSL/TLS certificate validation globally disabled by proxmox
proxmox 0.6.0 and earlier disables SSL/TLS certificate validation for the entire Jenkins controller JVM when configured to ignore SSL/TLS issues. proxmox 0.7.0 no longer disables SSL/TLS certificate validation for the entire Jenkins controller JVM...
CSRF vulnerability and missing permission check in JiraTestResultReporter
JiraTestResultReporter 165.v817928553942 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. Additionally, this form validation...
Missing permission checks in atlassian-bitbucket-server-integration
atlassian-bitbucket-server-integration 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to create, view, and delete BitBucket Server consumers. atlassian-bitbucket-server-integration 3.2.0 requires Overall/System Re...
Passwords stored in plain text by instant-messaging
instant-messaging provides a framework for plugins integrating Jenkins with instant messaging services. instant-messaging 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on instant-messaging on the Jenkins controller. These passwords...
CSRF vulnerability and missing permission check in rocketchatnotifier
rocketchatnotifier 1.4.10 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method...
Stored XSS vulnerability in ownership
ownership 0.13.0 and earlier does not escape the names of secondary owners. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission check in ownership
ownership 0.13.0 and earlier does not perform a permission check in several HTTP endpoints. This allows attackers with Item/Read permission to change the owners and item-specific permissions of a job. Additionally, this endpoint does not require POST requests, resulting in a cross-site request...
Arbitrary file read vulnerability in selected-tests-executor
selected-tests-executor 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller using the Choosing Tests parameter. As of publication of this advisory, there is no fix. Learn why we announce this...
Arbitrary file read vulnerability in ci-with-toad-edge
ci-with-toad-edge 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps. ci-with-toad-edge 2.4 only allows copying files from the node the build is...
XXE vulnerability in covcomplplot
covcomplplot 1.1.1 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the 'Public Coverage / Complexity Scatter Plot' post-build step to have Jenkins parse a crafted file that uses external entities f...
XXE vulnerability in Pipeline: Phoenix AutoTest
Pipeline: Phoenix AutoTest 1.3 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the readXml or writeXml build step to have Jenkins parse a crafted file that uses external entities for extraction of...
Stored XSS vulnerability in selected-tests-executor
selected-tests-executor 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix...
Path traversal vulnerability on Windows in ci-with-toad-edge
ci-with-toad-edge 2.3 and earlier uses a patched fork of an old version of the file browser for workspaces, archived artifacts, and userContent/ from Jenkins core DirectoryBrowserSupport to serve reports. The fork did not receive the fix for SECURITY-2481 in Jenkins 2.315 and LTS 2.303.2. This...
Stored XSS vulnerability in sitemonitor
sitemonitor 0.6 and earlier does not escape URLs of sites to monitor in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Arbitrary file read vulnerability in Pipeline: Phoenix AutoTest
Pipeline: Phoenix AutoTest 1.3 and earlier implements a Pipeline step ftp to upload files to an FTP server without limiting the source directory. This allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server...