Lucene search
+L
JenkinsMost viewed

1464 matches found

jenkins
jenkins
added 2018/02/26 12:0 a.m.8 views

Improper access control in Gerrit Trigger Plugin allowed unauthorized users to read some server configuration information

Missing permission checks in Gerrit Trigger Plugin allowed users with Overall/Read permission to access a form that showed the configuration of Gerrit servers in Jenkins. The key file password was only shown in its encrypted form, if configured. Other options were plainly visible. The missing...

4.3CVSS4.8AI score0.00676EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2018/02/26 12:0 a.m.8 views

Improper access control allowed users without ManageOwnership permission to change job ownership metadata in Job and Node ownership Plugin

Job and Node ownership Plugin did not prevent the ownership metadata being overwritten when a job or node configuration was updated from the CLI or using the remote API POST config.xml. This allowed users with Job/Configure permission but without ManageOwnership/Jobs permission to change job...

6.5CVSS6.5AI score0.007EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2018/02/26 12:0 a.m.8 views

Reflected cross-site-scripting vulnerability in report URL of CppNCSS Plugin

CppNCSS Plugin did not properly escape the report name and graph name, resulting in a reflected cross-site scripting vulnerability. Report name and graph name are now properly escaped...

6.1CVSS5.8AI score0.00843EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2018/02/26 12:0 a.m.8 views

Disclosure of user names and node names to unauthorized users through post-commit hook URL in Mercurial Plugin

The class handling unauthenticated Mercurial post-commit hook notification requests at the /mercurial/ path unnecessarily extended another type that handled requests to the …/search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually...

5.3CVSS5.6AI score0.0098EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2018/02/14 12:0 a.m.8 views

Improper input validation allows unintended access to plugin resource files on case-insensitive file systems

Jenkins did not take into account case-insensitive file systems when preventing access to plugin resource files that should not be accessible. This allowed users with Overall/Read permission to download plugin resource files in META-INF and WEB-INF directories, such as the plugins' JAR files, whi...

5.3CVSS5.9AI score0.0197EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2017/11/08 12:0 a.m.8 views

Unsafe use of user names as directory names

Jenkins stores metadata related to people, which encompasses actual user accounts, as well as users appearing in SCM, in directories corresponding to the user ID on disk. These directories used the user ID for their name without additional escaping. This potentially resulted in a number of...

7.3CVSS7.3AI score0.015EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2026/06/24 12:0 a.m.7 views

CSRF vulnerability and unrestricted instantiation of types in workflow-cps

workflow-cps 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, instantiating any type with a constructor annotated with @DataBoundConstructor in response to a request. This allows attackers to have workflow-cps instantiate...

4.3CVSS5.8AI score0.00275EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2026/06/24 12:0 a.m.7 views

XXE vulnerability in assembla

assembla 1.4 and earlier does not configure its XML parser to prevent XML external entity XXE attacks when parsing responses from the configured Assembla server. This allows attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or...

7.1CVSS5.9AI score0.00224EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2026/06/24 12:0 a.m.7 views

CSRF vulnerability and missing permission check in contrast-continuous-application-security

contrast-continuous-application-security 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, AP...

5.4CVSS5.8AI score0.00167EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2026/06/24 12:0 a.m.7 views

Missing permission checks and CSRF vulnerability in gitee

gitee 1288.v18bdebc9069b and earlier does not perform permission checks in several HTTP endpoints implementing form validation for its global configuration. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained...

5.4CVSS5.8AI score0.00145EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2026/06/24 12:0 a.m.7 views

Missing permission checks in contrast-continuous-application-security allow enumerating Contrast metadata

contrast-continuous-application-security 3.11 and earlier does not perform permission checks in several HTTP endpoints that fill list box options with the names of the configured Contrast metadata. This allows attackers with Overall/Read permission to enumerate the names of configured Contrast...

4.3CVSS5.8AI score0.00167EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2026/06/24 12:0 a.m.7 views

CSRF vulnerability and missing permission check in assembla

assembla 1.4 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to an Assembla server. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password. Additionally, this HTTP...

5.4CVSS5.8AI score0.00161EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2026/06/10 12:0 a.m.7 views

Open redirect vulnerability

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow: A URL containing relative path segments ./ or ../ is validated before the servlet container collapses those segments into a protocol-relative URL starting with...

7.4CVSS5.2AI score0.00364EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/12/10 12:0 a.m.7 views

Missing permission check on password fields

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier does not perform a permission check to determine whether a password field should be redacted in views. This allows attackers with View/Read permission to view encrypted password values in views. NOTE: The regular view configuration form requires...

4.3CVSS7.5AI score0.00216EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/10/29 12:0 a.m.7 views

Authorization Token stored in plain text by openshift-pipeline

openshift-pipeline 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These token can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of...

4.3CVSS5.2AI score0.00179EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/09/17 12:0 a.m.7 views

Missing permission check in authenticated users' profile menu

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu...

4.3CVSS7.3AI score0.00448EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/09/03 12:0 a.m.7 views

Missing permission check in opentelemetry allows capturing credentials

opentelemetry 3.1543.v8446b92bcd64 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturi...

4.2CVSS5.2AI score0.00223EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

File path information disclosure in htmlpublisher

htmlpublisher 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. htmlpublisher 427 displays only the parent directory name of files...

6.3CVSS6.4AI score0.00413EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Tokens stored in plain text by aqua-security-scanner

aqua-security-scanner 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of...

4.3CVSS5AI score0.00191EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Keys stored in plain text by ifttt-build-notifier

ifttt-build-notifier 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication ...

6.5CVSS6.4AI score0.00281EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Tokens stored in plain text by ibm-cloud-devops

ibm-cloud-devops 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of...

6.5CVSS6.4AI score0.00208EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Missing input validation for parameter values in git-parameter

git-parameter implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions. git-parameter 439.vb0e46ca14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices. This allows...

8.2CVSS8.1AI score0.00618EPSS
Exploits1Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

API keys displayed without masking by testsigma

testsigma stores Testsigma API keys in job config.xml files on the Jenkins controller as part of its configuration. While these API keys are stored encrypted on disk, in testsigma 1.6 and earlier, the job configuration form does not mask these API keys, increasing the potential for attackers to...

4.3CVSS5.1AI score0.00222EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Token stored and displayed in plain text by xooa

xooa 0.0.7 and earlier stores the Xooa Deployment token unencrypted in its global configuration file io.jenkins.plugins.xooa.GlobConfig.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file system. Additionally, th...

6.5CVSS5.9AI score0.00252EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Token stored in plain text by user1st-utester

user1st-utester 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file io.jenkins.plugins.user1st.utester.UTesterPlugin.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file syste...

6.5CVSS6.4AI score0.00196EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Credentials stored and displayed in plain text by soapui-pro-functional-testing

soapui-pro-functional-testing 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These credentials can be viewed by users with Item/Extended Read permission or access to the...

6.5CVSS5.6AI score0.00347EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Stored XSS vulnerability in applitools-eyes

applitools-eyes 1.16.5 and earlier does not escape the Applitools URL on the build page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. applitools-eyes 1.16.6 rejects Applitools URLs that contain HTML metacharacters...

8CVSS5.3AI score0.00243EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

API keys stored and displayed in plain text by applitools-eyes

applitools-eyes 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...

6.5CVSS6AI score0.00252EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Tokens stored and displayed in plain text by ApicaLoadtest

ApicaLoadtest 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

6.5CVSS5.6AI score0.00314EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Tokens stored and displayed in plain text by deadmanssnitch

deadmanssnitch 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuratio...

6.5CVSS6AI score0.00262EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/07/09 12:0 a.m.7 views

Keys stored and displayed in plain text by nouvola-divecloud

nouvola-divecloud 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller fil...

6.5CVSS6.4AI score0.00175EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/05/14 12:0 a.m.7 views

CSRF vulnerability and missing permission checks in vmanager-plugin

vmanager-plugin 4.0.1-286.v9e25a740ba48 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, these form...

4.3CVSS5.1AI score0.00292EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/05/14 12:0 a.m.7 views

Insufficient validation of claims in oidc-provider

In oidc-provider, claim templates can use environment variables for jobs and builds for dynamic content. The default claim template for build ID tokens uses the JOBURL environment variable for the sub Subject claim. In oidc-provider 96.vee8ed882ec4d and earlier the generation of build ID Tokens...

9.1CVSS8.7AI score0.00609EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/05/14 12:0 a.m.7 views

Stored XSS vulnerability in cloudbees-jenkins-advisor

cloudbees-jenkins-advisor 374.v194bd4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses. cloudbees-jenkins-advisor...

8.8CVSS4.9AI score0.00495EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/05/14 12:0 a.m.7 views

SSL/TLS certificate validation unconditionally disabled by dingding-notifications

dingding-notifications 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. As of publication of this advisory, there is no fix. Learn why we announce this...

5.9CVSS5.2AI score0.00199EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/05/14 12:0 a.m.7 views

Authentication bypass vulnerability in WSO2 Oauth

In WSO2 Oauth 1.0 and earlier authentication claims are accepted without validation by the "WSO2 Oauth" security realm. This allows unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist. Sessions...

9.8CVSS8.7AI score0.00616EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/04/10 12:0 a.m.7 views

Host key reuse in SSH build agent Docker images

The https://hub.docker.com/r/jenkins/ssh-agentjenkins/ssh-agent and deprecated https://hub.docker.com/r/jenkins/ssh-slavejenkins/ssh-slave Docker images can be used to set up a build agent for use via the SSH Build Agents plugin. In jenkins/ssh-agent 6.11.1 and earlier and all versions of...

9.1CVSS8.2AI score0.00466EPSS
Exploits0
jenkins
jenkins
added 2025/04/02 12:0 a.m.7 views

Missing permission check allows retrieving agent configurations

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Agent/Create permission but without Agent/Extended Read permission to copy an agent, gaining access to its configuration. Jenkins 2.504, LTS 2.492.3 requires...

4.3CVSS5.9AI score0.0039EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/04/02 12:0 a.m.7 views

Script Security sandbox bypass vulnerability through folder-scoped libraries in templating-engine

templating-engine allows defining libraries both in the global configuration, as well as scoped to folders containing the pipelines using them. While libraries in the global configuration can only be set up by administrators and can therefore be trusted, libraries defined in folders can be...

8.8CVSS8.4AI score0.01171EPSS
Exploits1Affected Software1
jenkins
jenkins
added 2025/04/02 12:0 a.m.7 views

API keys stored in plain text by vmanager-plugin

vmanager-plugin 4.0.0-282.v5096ac2db275 and earlier stores Verisium Manager vAPI keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file syste...

4.3CVSS5.1AI score0.00302EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/04/02 12:0 a.m.7 views

Passwords stored in plain text by monitor-remote-job

monitor-remote-job 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there ...

5.5CVSS5.6AI score0.00276EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/04/02 12:0 a.m.7 views

API keys stored and displayed in plain text by asakusa-satellite-plugin

asakusa-satellite-plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

5.5CVSS5.6AI score0.00276EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/03/19 12:0 a.m.7 views

EdDSA implementation in eddsa-api exhibits signature malleability

eddsa-api makes the EdDSA-Java library ed25519-java available to other plugins. eddsa-api 0.3.0-13.v7cb69ed68f00 and earlier bundles version 0.3.0 of EdDSA-Java, which exhibits signature malleability and does not satisfy the SUF-CMA Strong Existential Unforgeability under Chosen Message Attacks...

4.3CVSS6AI score0.00134EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/03/19 12:0 a.m.7 views

Stored XSS vulnerability in AnchorChain

AnchorChain 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the javascript: scheme. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step. As of...

8CVSS4.9AI score0.00274EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/03/05 12:0 a.m.7 views

Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI. This allows attackers with Agent/Extended Read permission to view encrypted values of secrets. NOTE: This issue is related to SECURITY-266 in the...

4.3CVSS6AI score0.00727EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/01/22 12:0 a.m.7 views

Incorrect permission check in gitlab-plugin allows enumerating credentials IDs

gitlab-plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credential IDs of GitLab API token credentials and Secret text...

4.3CVSS5.1AI score0.00288EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/01/22 12:0 a.m.7 views

Cache confusion in eiffel-broadcaster

eiffel-broadcaster allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential. eiffel-broadcaster 2.8.0 through 2.10.2 both inclusive uses the credential ID as the cache key. This allows attackers able to...

4.3CVSS5.2AI score0.00292EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/01/22 12:0 a.m.7 views

atlassian-bitbucket-server-integration allows bypassing CSRF protection for any URL

An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. atlassian-bitbucket-server-integration implements this extension point to support OAuth 1.0 authentication. In atlassian-bitbucket-server-integration 2.1.0 through 4.1.3 both...

8.8CVSS7.8AI score0.00285EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2025/01/22 12:0 a.m.7 views

Improper handling of case sensitivity in oic-auth

oic-auth 4.452.v2849bd3945fa and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive. On a Jenkins instance configured with a case-sensitive OpenID Connect provider, this allows attackers to log in as any user by providing a username that differs only in letter case,...

8.8CVSS5.2AI score0.0053EPSS
Exploits0Affected Software1
jenkins
jenkins
added 2024/11/27 12:0 a.m.7 views

Denial of service vulnerability in bundled json-lib

Jenkins uses the library https://github.com/jenkinsci/json-liborg.kohsuke.stapler:json-lib to process JSON. This library is the Jenkins project's fork of https://search.maven.org/artifact/net.sf.json-lib/json-libnet.sf.json-lib:json-lib, which has since been renamed to...

7.5CVSS5.2AI score0.17572EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464