1464 matches found
Stored XSS vulnerability in build-monitor-plugin
build-monitor-plugin 1.14-860.vd06ef2568b3f and earlier does not escape Build Monitor View names. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure Build Monitor Views. As of publication of this advisory, there is no fix. Learn why we...
Cross-site WebSocket hijacking vulnerability in the CLI
Jenkins has a built-in command line interface CLI to access Jenkins from a script or shell environment. Since Jenkins 2.217 and LTS 2.222.1, one of the ways to communicate with the CLI is through a WebSocket endpoint. This endpoint relies on the default Jenkins web request authentication...
Arbitrary file read vulnerability in git-server can lead to RCE
git-server uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing Git commands received via SSH. This command parser has a feature that replaces an @ character followed by a file path in an argument with the file's...
XXE vulnerability in qualys-pc
qualys-pc 1.0.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to configure jobs to have Jenkins parse a crafted HTTP response with XML data that uses external entities for extraction of secrets from the Jenkins controller or...
Arbitrary file read vulnerability in log-command
log-command uses the https://github.com/kohsuke/args4jargs4j library to parse command arguments and options on the Jenkins controller when processing commands received via instant messaging platforms such as IRC or Jabber. This command parser has a feature that replaces an @ character followed by...
Path traversal vulnerability in matrix-project
matrix-project 822.v01b8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects submitted through the config.xml REST API endpoint. This allows attackers with Item/Configure permission to create or replace any config.xml file on the Jenkins controller file...
Shared projects are unconditionally discovered by gitlab-branch-source
GitLab allows sharing a project with another group. gitlab-branch-source 684.veafa7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group. This allows attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins...
Arbitrary file deletion vulnerability in scriptler
scriptler 342.v6a89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint. This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system. scriptler 344.v5addb5f9e685 ensures that the file being deleted is...
Missing permission check in scriptler
scriptler 342.v6a89fd40f466 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID. scriptler 344.v5addb5f9e685 requires the appropriate permission to read the contents of a...
CSRF vulnerability and missing permission checks in Nexus Platform allow XXE
Nexus Platform 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. Additionally, the plugin does not configure its X...
Open redirect vulnerability in oic-auth
oic-auth 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. As of publication o...
Tokens stored and displayed in plain text by paaslane-estimate
paaslane-estimate 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionall...
CSRF vulnerability and missing permission checks in paaslane-estimate
paaslane-estimate 1.0.4 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token. Additionally, these HTTP endpoints do not require POST requests, resultin...
CSRF vulnerability and missing permission checks in Nexus Platform allow capturing credentials
Nexus Platform 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing...
CSRF vulnerability and missing permission checks in neuvector-vulnerability-scanner
neuvector-vulnerability-scanner 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP...
Exposure of system-scoped credentials in jira
jira 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to. jira...
Arbitrary file deletion vulnerability in electricflow
In electricflow, artifacts that were previously copied from an agent to the controller are deleted after publishing by the 'CloudBees CD - Publish Artifact' post-build step. electricflow 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during this cleanup...
Non-constant time webhook token comparison in multibranch-scan-webhook-trigger
multibranch-scan-webhook-trigger 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory...
Non-constant time webhook token comparison in teams-webhook-trigger
teams-webhook-trigger 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is ...
Stored XSS vulnerability in trac
trac 1.13 and earlier does not escape the Trac website URL on the build page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
SSRF vulnerability in bitbucket-push-and-pull-request allows capturing credentials
bitbucket-push-and-pull-request provides a webhook endpoint at /bitbucket-hook/ to receive webhook notifications. When acting on these notifications, bitbucket-push-and-pull-request 2.4.0 through 2.8.3 both inclusive trusts values provided in the webhook payload, including certain URLs, and uses...
Disabled permissions granted by assembla-auth
assembla-auth provides an authorization strategy that defines four levels of access to Jenkins, based on the corresponding permissions in Assembla spaces: ALL, EDIT, VIEW, and NONE. assembla-auth 1.14 and earlier does not verify that the permissions it grants are enabled. This results in users wi...
CSRF vulnerability in cloudbees-folder may approve unsandboxed scripts
cloudbees-folder 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the...
Improper masking of credentials in config-file-provider
config-file-provider 952.va544a6234b46 and earlier does not mask i.e., replace with asterisks credentials specified in configuration files when they're written to the build log. config-file-provider 953.v0432a802e4d2 masks credentials configured in configuration files if they appear in the build...
CSRF vulnerability in blueocean allows capturing credentials
blueocean 1.27.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. This...
HTML injection vulnerability in fortify
fortify 22.1.38 and earlier does not escape the error message for a form validation method. This results in an HTML injection vulnerability. NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses prevents JavaScript execution, so no scripts can be injected...
CSRF vulnerability and missing permission check in servicenow-devops allow capturing credentials
servicenow-devops 1.38.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
CSRF vulnerability in bazaar
bazaar 1.22 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete previously created Bazaar SCM tags. As of publication of this advisory, there is no fix. Learn why we announce...
Incorrect permission checks in qualys-was allow capturing credentials
qualys-was 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
Secret displayed without masking by chef-identity
chef-identity stores the user.pem key in its global configuration file io.chef.jenkins.ChefIdentityBuildWrapper.xml on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in chef-identity 2.0.3 and earlier the global configuration form does not mask th...
Missing permission check in datadog allows capturing credentials
datadog 5.4.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. datadog...
Session fixation vulnerability in openshift-login
openshift-login 1.1.0.227.v27e08dfb1a20 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. openshift-login 1.1.0.230.v5d7030bf5432 invalidates the existing session on login...
Missing SSH host key validation in oracle-cloud-infrastructure-compute
oracle-cloud-infrastructure-compute 1.0.16 and earlier does not perform SSH host key validation when connecting to OCI clouds. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections to OCI clouds. oracle-cloud-infrastructure-compute 1.0.17 provides...
Missing permission check in macstadium-orka allows capturing credentials
macstadium-orka 1.33 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
CSRF vulnerability in rebuild
rebuild 320.v5a0933ae7d61 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to rebuild a previous build. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability in assembla-auth
assembla-auth 1.14 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. As of publication of this advisory,...
Missing permission checks in teamconcert
teamconcert 2.4.1 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. teamconcert 2.4.2 requires...
Exposure of system-scoped credentials in dimensionsscm
dimensionsscm 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled...
Stored XSS vulnerability in sonargraph-integration
sonargraph-integration 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. NOTE: This issue is caused by an...
Stored XSS vulnerability in template-workflows
template-workflows 41.v32d86a313b4a and earlier does not escape names of jobs used as buildings blocks for Template Workflow Job. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to create jobs. As of publication of this advisory, there is no fix. Lear...
Missing permission check in email-ext
email-ext 2.96 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system. This form...
CSRF vulnerability in reverse-proxy-auth-plugin
reverse-proxy-auth-plugin 1.7.4 and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials...
Credentials displayed without masking by cavisson-ns-nd-integration
cavisson-ns-nd-integration stores credentials in job config.xml files on the Jenkins controller as part of its configuration. While these credentials are stored encrypted on disk, in cavisson-ns-nd-integration 4.8.0.149 and earlier, the job configuration form does not mask these credentials,...
Arbitrary file write vulnerability on agents in pipeline-utility-steps
pipeline-utility-steps provides the untar and unzip Pipeline steps to extract archives into job workspaces. pipeline-utility-steps 2.15.2 and earlier does not validate or limit file paths of files contained within these archives. This allows attackers able to provide crafted archives as parameter...
Session fixation vulnerability in cas-plugin
cas-plugin 1.6.2 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. cas-plugin 1.6.3 invalidates the existing session on login...
CSRF vulnerability and missing permission checks in codedx
codedx 3.1.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery CSRF...
Stored XSS vulnerability in TestComplete
TestComplete 2.8.1 and earlier does not escape the TestComplete project name in its test result page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce...
Arbitrary file write vulnerability in file-parameters
file-parameters 285.v757c5b67ac25 and earlier does not restrict the name and resulting uploaded file name of Stashed File Parameters. This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content...
Missing permission check in azure-vm-agents allows enumerating credentials IDs
azure-vm-agents 852.v8d35f0960a43 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission checks in miniorange-saml-sp allow XXE
miniorange-saml-sp 2.0.2 and earlier does not perform permission checks in multiple HTTP endpoints. This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML. As the...