1464 matches found
Agent-to-controller security bypass vulnerability in compuware-topaz-utilities
compuware-topaz-utilities 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability is only...
Agent-to-controller security bypass vulnerability in compuware-scm-downloader
compuware-scm-downloader 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability is only...
Agent-to-controller security bypass vulnerability in compuware-xpediter-code-coverage
compuware-xpediter-code-coverage 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. NOTE: This vulnerability ...
Content-Security-Policy protection for user content disabled by XFramium Builder
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. XFramium Builder 1.0.22 and earlier globally disables the Content-Security-Poli...
Content-Security-Policy protection for user content disabled by ScreenRecorder
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. ScreenRecorder 0.7 and earlier programmatically updates the Java system propert...
XXE vulnerability in repo
repo 1.15.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control which repo binary is executed on agents to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins...
Agent-to-controller security bypass vulnerability in Katalon
Katalon 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments. It allows attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version,...
XXE vulnerability in compuware-topaz-for-total-test
compuware-topaz-for-total-test 2.4.8 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML documen...
Missing permission check in compuware-strobe-measurement allows enumerating credentials IDs
compuware-strobe-measurement 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission check in cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.129 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified username and password. Additionally, this form...
Missing webhook endpoint authorization in rundeck
rundeck 3.6.11 and earlier does not protect access to the /plugin/rundeck/webhook/ endpoint. This allows attackers with Item/Read permission to trigger jobs that are configured to be triggerable via Rundeck. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission check in scm-httpclient allow capturing credentials
scm-httpclient 1.5 and earlier does not perform permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...
Missing permission check in apprenda allows enumerating credentials IDs
apprenda 2.2.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. As o...
CSRF vulnerability and missing permission checks in CONS3RT allow capturing credentials
CONS3RT 1.0.0 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials...
Path traversal and CSRF vulnerability in build-publisher
build-publisher 1.22 and earlier allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file system by providing a crafted file name to an API endpoint. Additionally, this endpoint does not require POST requests, resulting in a cross-sit...
Stored XSS vulnerability in cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.134 and earlier does not escape configuration options of the Execute NetStorm/NetCloud Test build step. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, the...
CSRF vulnerability in security-inspector
security-inspector 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users a...
Lack of authentication mechanism in DotCi webhook
DotCi provides a webhook endpoint at /githook/ that can be used to trigger builds of the job for a GitHub repository. In DotCi 2.40.00 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to the...
API key stored in plain text by bigpanda-jenkins
bigpanda-jenkins 1.4.0 and earlier stores the BigPanda API key unencrypted in its global configuration file BigpandaGlobalNotifier.xml on the Jenkins controller as part of its configuration. This API key can be viewed by users with access to the Jenkins controller file system. Additionally, the...
Missing hostname verification in git-client
git-client 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH. This lack of verification could be abused using a man-in-the-middle attack to intercept these connections. git-client 3.11.1 provides strategies for performing host key verificati...
Missing permission check in android-signing allows listing workspace contents
android-signing 2.2.5 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A...
XSS vulnerability in testng-plugin
testng-plugin has options in its post-build step configuration to not escape test descriptions and exception messages. If those options are unchecked, testng-plugin 554.va4a552116332 and earlier renders the unescaped text provided in test results. This results in a cross-site scripting XSS...
Stored XSS vulnerability in rich-text-publisher-plugin
rich-text-publisher-plugin 1.4 and earlier does not escape the HTML message set by its post-build step. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Token stored in plain text by cisco-spark
cisco-spark 1.1.1 and earlier stores bearer tokens unencrypted in its global configuration file org.jenkinsci.plugins.spark.SparkNotifier.xml on the Jenkins controller as part of its configuration. These bearer tokens can be viewed by users with access to the Jenkins controller file system. As of...
Stored XSS vulnerability in build-metrics
build-metrics 1.3 does not escape the build description on one of its views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Build/Update permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Stored XSS vulnerability in validating-email-parameter
validating-email-parameter 1.10 and earlier does not escape the name and description of its parameter type. Additionally, it disables the security hardening added in Jenkins 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects the "Build With Parameters" and...
CSRF vulnerability and missing permission checks in ec2-deployment-dashboard
ec2-deployment-dashboard 1.0.10 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password. Additionally, these endpoints do not require PO...
Password stored in plain text by ec2-deployment-dashboard
ec2-deployment-dashboard 1.0.10 and earlier stores a password unencrypted in its global configuration file de.codecentric.jenkins.dashboard.DashboardView.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file...
Passwords stored in plain text by hpe-network-virtualization
hpe-network-virtualization 1.0 stores passwords unencrypted in its global configuration file org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file...
Secrets stored in plain text by rocketchatnotifier
rocketchatnotifier 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file RocketChatNotifier.xml on the Jenkins controller as part of its configuration. These secrets can be viewed by users with access to the Jenkins controller file system. As o...
CSRF vulnerability in rrod
rrod 1.1.0 and earlier does not require POST requests for HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to accept pending requests, thereby renaming or deleting jobs. As of publication of this advisory, there is no fix. Learn why ...
Path traversal vulnerability in embeddable-build-status
embeddable-build-status 2.0.3 and earlier allows specifying a style query parameter that is used to choose a different SVG image style without restricting possible values. This results in a relative path traversal vulnerability, allowing attackers without Overall/Read permission to specify paths ...
CSRF vulnerability and missing permission check in vmware-vrealize-orchestrator
vmware-vrealize-orchestrator 3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL. Additionally, this HTTP endpoint does not require POST requests, resulting in a...
CSRF vulnerability and missing permission checks in convertigo-mobile-platform
convertigo-mobile-platform 1.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting ...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Application Detector Plugin 1.0.8 and earlier SECURITY-2732 / CVE-2022-30960 Autocomplete Parameter Plugin 1.1 and earlier SECURITY-2729 / CVE-2022-30961 Global Variable String Parameter Plugin 1.2 and...
XXE vulnerability in Storable Configs
Storable Configs 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side...
Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in workflow-cps
workflow-cps allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection. In workflow-cps 2689.v434009a31bf1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and...
Multiple vulnerabilities in Windows Remote Command library in windows-slaves
windows-slaves 1.8 and earlier includes the Windows Remote Command library. It provides a general-purpose remote command execution capability that Jenkins uses to check if Java is available, and if not, to install it. This library has a buffer overflow vulnerability that may allow users able to...
CSRF vulnerability and missing permission checks in ssh allow capturing credentials
ssh 2.6.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Stored XSS vulnerability in Autocomplete Parameter
Autocomplete Parameter 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure...
Missing permission check in gitlab-plugin allows enumerating credentials IDs
gitlab-plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
User-scoped credentials exposed to other users by blueocean-pipeline-scm-api
When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provid...
CSRF vulnerability and missing permission checks in blueocean
blueocean 1.25.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to send requests to an attacker-specified URL. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery CSRF...
CSRF vulnerability in subversion
subversion 2.15.3 and earlier does not require POST requests for several form validation methods, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to connect to an attacker-specified URL. subversion 2.15.4 requires POST requests for the affected...
Private key stored in plain text by google-compute-engine
google-compute-engine 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller as part of its configuration. These private keys can be viewed by users with Agent/Extended Read permission or access to the Jenkins controller file system...
Untrusted users can modify some Pipeline libraries in workflow-cps-global-lib
Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definitio...
CSRF vulnerability in ownership
ownership 0.13.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to restore the default ownership of a job. As of publication of this advisory, there is no fix. Learn why we announce...
Stored XSS vulnerability in sitemonitor
sitemonitor 0.6 and earlier does not escape URLs of sites to monitor in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
XXE vulnerability in covcomplplot
covcomplplot 1.1.1 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the 'Public Coverage / Complexity Scatter Plot' post-build step to have Jenkins parse a crafted file that uses external entities f...
XXE vulnerability in Pipeline: Phoenix AutoTest
Pipeline: Phoenix AutoTest 1.3 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the readXml or writeXml build step to have Jenkins parse a crafted file that uses external entities for extraction of...