1464 matches found
File path information disclosure in htmlpublisher
htmlpublisher 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. htmlpublisher 427 displays only the parent directory name of files...
Missing input validation for parameter values in git-parameter
git-parameter implements a choice build parameter that lists the configured Git SCMโs branches, tags, pull requests, and revisions. git-parameter 439.vb0e46ca14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices. This allows...
Tokens stored in plain text by aqua-security-scanner
aqua-security-scanner 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of...
Stored XSS vulnerability in applitools-eyes
applitools-eyes 1.16.5 and earlier does not escape the Applitools URL on the build page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. applitools-eyes 1.16.6 rejects Applitools URLs that contain HTML metacharacters...
API keys stored and displayed in plain text by applitools-eyes
applitools-eyes 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job...
Tokens stored and displayed in plain text by ApicaLoadtest
ApicaLoadtest 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
Tokens stored and displayed in plain text by deadmanssnitch
deadmanssnitch 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuratio...
Token stored in plain text by user1st-utester
user1st-utester 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file io.jenkins.plugins.user1st.utester.UTesterPlugin.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file syste...
API keys displayed without masking by testsigma
testsigma stores Testsigma API keys in job config.xml files on the Jenkins controller as part of its configuration. While these API keys are stored encrypted on disk, in testsigma 1.6 and earlier, the job configuration form does not mask these API keys, increasing the potential for attackers to...
Keys stored in plain text by ifttt-build-notifier
ifttt-build-notifier 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication ...
Tokens stored in plain text by ibm-cloud-devops
ibm-cloud-devops 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of...
Token stored and displayed in plain text by xooa
xooa 0.0.7 and earlier stores the Xooa Deployment token unencrypted in its global configuration file io.jenkins.plugins.xooa.GlobConfig.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file system. Additionally, th...
Keys stored and displayed in plain text by nouvola-divecloud
nouvola-divecloud 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller fil...
Stored XSS vulnerability in cloudbees-jenkins-advisor
cloudbees-jenkins-advisor 374.v194bd4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses. cloudbees-jenkins-advisor...
CSRF vulnerability and missing permission checks in vmanager-plugin
vmanager-plugin 4.0.1-286.v9e25a740ba48 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, these form...
Insufficient validation of claims in oidc-provider
In oidc-provider, claim templates can use environment variables for jobs and builds for dynamic content. The default claim template for build ID tokens uses the JOBURL environment variable for the sub Subject claim. In oidc-provider 96.vee8ed882ec4d and earlier the generation of build ID Tokens...
SSL/TLS certificate validation unconditionally disabled by dingding-notifications
dingding-notifications 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. As of publication of this advisory, there is no fix. Learn why we announce this...
Authentication bypass vulnerability in WSO2 Oauth
In WSO2 Oauth 1.0 and earlier authentication claims are accepted without validation by the "WSO2 Oauth" security realm. This allows unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist. Sessions...
Host key reuse in SSH build agent Docker images
The https://hub.docker.com/r/jenkins/ssh-agentjenkins/ssh-agent and deprecated https://hub.docker.com/r/jenkins/ssh-slavejenkins/ssh-slave Docker images can be used to set up a build agent for use via the SSH Build Agents plugin. In jenkins/ssh-agent 6.11.1 and earlier and all versions of...
Missing permission check allows retrieving agent configurations
Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Agent/Create permission but without Agent/Extended Read permission to copy an agent, gaining access to its configuration. Jenkins 2.504, LTS 2.492.3 requires...
Script Security sandbox bypass vulnerability through folder-scoped libraries in templating-engine
templating-engine allows defining libraries both in the global configuration, as well as scoped to folders containing the pipelines using them. While libraries in the global configuration can only be set up by administrators and can therefore be trusted, libraries defined in folders can be...
API keys stored and displayed in plain text by asakusa-satellite-plugin
asakusa-satellite-plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
Passwords stored in plain text by monitor-remote-job
monitor-remote-job 1.0 stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there ...
Stored XSS vulnerability in AnchorChain
AnchorChain 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the javascript: scheme. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step. As of...
atlassian-bitbucket-server-integration allows bypassing CSRF protection for any URL
An extension point in Jenkins allows selectively disabling cross-site request forgery CSRF protection for specific URLs. atlassian-bitbucket-server-integration implements this extension point to support OAuth 1.0 authentication. In atlassian-bitbucket-server-integration 2.1.0 through 4.1.3 both...
Incorrect permission check in gitlab-plugin allows enumerating credentials IDs
gitlab-plugin 1.9.6 and earlier does not correctly perform a permission check in an HTTP endpoint. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to enumerate credential IDs of GitLab API token credentials and Secret text...
Improper handling of case sensitivity in oic-auth
oic-auth 4.452.v2849bd3945fa and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive. On a Jenkins instance configured with a case-sensitive OpenID Connect provider, this allows attackers to log in as any user by providing a username that differs only in letter case,...
Cache confusion in eiffel-broadcaster
eiffel-broadcaster allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential. eiffel-broadcaster 2.8.0 through 2.10.2 both inclusive uses the credential ID as the cache key. This allows attackers able to...
Stored XSS vulnerability in simple-queue
simple-queue 1.4.4 and earlier does not escape the view name. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with View/Create permission. simple-queue 1.4.5 escapes the view name...
Denial of service vulnerability in bundled json-lib
Jenkins uses the library https://github.com/jenkinsci/json-liborg.kohsuke.stapler:json-lib to process JSON. This library is the Jenkins project's fork of https://search.maven.org/artifact/net.sf.json-lib/json-libnet.sf.json-lib:json-lib, which has since been renamed to...
Restarting a run with revoked script approval allowed by pipeline-model-definition
pipeline-model-definition 2.2214.vbb34b2ea9b83 and earlier does not check whether the main Jenkinsfile script used to restart a build from a specific stage is approved. This allows attackers with Item/Build permission to restart a previous build whose Jenkinsfile script is no longer approved. NOT...
Arbitrary file read vulnerability through agent connections can lead to RCE
NOTE: This entry was updated on 2024-08-10 to add a reference to a https://github.com/jenkinsci-cert/SECURITY-3430workaround. Jenkins uses the https://github.com/jenkinsci/remotingRemoting library typically agent.jar or remoting.jar for the communication between controller and agents. This librar...
Exposure of secrets through system log in structs
structs provides utility functionality used, e.g., in Pipeline to instantiate and configure build steps, typically before their execution. When structs 337.v1b04ea4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secre...
Missing permission checks in hp-application-automation-tools-plugin
hp-application-automation-tools-plugin 24.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate ALM jobs configurations, ALM Octane configurations and Service Virtualization configurations...
XXE vulnerabilities in hp-application-automation-tools-plugin
hp-application-automation-tools-plugin 24.1.0 and earlier does not configure its XML parsers to prevent XML external entity XXE attacks. This allows attackers able to control the input files for hp-application-automation-tools-plugin build steps and post-build steps to have Jenkins parse a crafte...
Terrapin SSH vulnerability in Jenkins CLI client
The CLI client jenkins-cli.jar in Jenkins 2.451 and earlier, LTS 2.440.2 and earlier bundles versions of the Apache MINA SSHD library that are susceptible to https://vulners.com/cve/CVE-2023-48795CVE-2023-48795 https://en.wikipedia.org/wiki/TerrapinattackTerrapin attack. This vulnerability allows...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.443 and earlier, LTS...
Improper input sanitization in htmlpublisher
SECURITY-784 / CVE-20218-1000175 is a path traversal vulnerability in htmlpublisher 1.15 and earlier. The fix for it retained compatibility for older reports as a fallback. In htmlpublisher 1.16 through 1.32 both inclusive this fallback for reports created in htmlpublisher 1.15 and earlier does n...
Path traversal vulnerability in htmlpublisher
htmlpublisher 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller. Attackers with Item/Configure permission can use them to determine whether a path on the Jenkins controller file system exists, without being able to access it...
Incorrect trust policy behavior for pull requests from forks in cloudbees-bitbucket-branch-source
Multibranch Pipelines with Bitbucket branch source can be configured to discover pull requests from forks. The trust policy is set to "Forks in the same account" by default. In cloudbees-bitbucket-branch-source 866.vdea7dcd3008e and earlier, except 848.850.v6aa2a234ac81, this trust policy allows...
Improper SSL/TLS certificate validation in Delphix
Delphix provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower DCT connections. In Delphix 3.0.1 through 3.1.0 both inclusive an option change from disabled validation to enabled validation fails to take effect until Jenkins is...
Stored XSS vulnerability in build-monitor-plugin
build-monitor-plugin 1.14-860.vd06ef2568b3f and earlier does not escape Build Monitor View names. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure Build Monitor Views. As of publication of this advisory, there is no fix. Learn why we...
Terrapin SSH vulnerability in trilead-api
trilead-api bundles the https://github.com/jenkinsci/trilead-ssh2/Jenkins project's fork of the Trilead SSH2 library for use by other plugins. trilead-api 2.133.vfb8a7b9c5dd1 and earlier, except 2.84.86.vf9c960e9b458, bundles versions of Jenkins/Trilead SSH2 that are susceptible to...
SSL/TLS certificate validation disabled by default in Delphix
Delphix provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower DCT connections. In Delphix 3.0.1 this option is set to disable SSL/TLS certificate validation by default. In Delphix 3.0.2 this option is set to enable SSL/TLS certifica...
Stored XSS vulnerability in icescrum
icescrum 1.1.6 and earlier does not sanitize iceScrum project URLs on build views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in htmlpublisher
htmlpublisher 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 1.32.1 escapes job names, report...
CSRF vulnerability and missing permission check in docker-build-step
docker-build-step 2.11 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL. Additionally, the plugin reconfigures itself using the provided...
Cross-site WebSocket hijacking vulnerability in the CLI
Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...
Arbitrary file read vulnerability in git-server can lead to RCE
git-server uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's...
Shared projects are unconditionally discovered by gitlab-branch-source
GitLab allows sharing a project with another group. gitlab-branch-source 684.veafa7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group. This allows attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins...