1464 matches found
SSL/TLS certificate validation disabled by default in checkmarx
checkmarx allows to globally enable or disable SSL/TLS validation for connections to the Checkmarx server. checkmarx 2022.4.3 and earlier disables it by default. Unless changed by an administrator, it would cause all connections to the Checkmarx server to ignore SSL/TLS validation, thereby enabli...
CSRF vulnerability in convert-to-pipeline results in RCE
convert-to-pipeline 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with...
Missing permission check in global-post-script allowed obtaining configuration data
global-post-script does not perform permission checks on a method implementing form validation. This allows users with Overall/Read permission to list the files contained in $JENKINSHOME/global-post-script that can be used by the plugin. As of publication of this advisory, there is no fix...
mattermost stored webhook endpoint token in plain text
Mattermost allows the definition of incoming from the perspective of the service webhook URLs. These contain what is effectively a secret token as part of the URL. mattermost stored these webhook URLs as part of its global configuration file jenkins.plugins.mattermost.MattermostNotifier.xml and j...
CSRF vulnerability and missing permission checks in Maven Artifact ChoiceListProvider (Nexus) Plugin allowed capturing credentials
Maven Artifact ChoiceListProvider Nexus Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Nexus or Artifactory server using attacker-specified credentials IDs obtained throu...
RabbitMQ password stored in plain text by collabnet
collabnet 2.0.8 and earlier stores a RabbitMQ password unencrypted in its global configuration file hudson.plugins.collabnet.share.TeamForgeShare.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system...
Stored XSS vulnerability in rapiddeploy-jenkins
rapiddeploy-jenkins 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting XSS vulnerability exploitable by users able to configure jobs. rapiddeploy-jenkins 4.2.1 escapes package names...
Jenkins accepted cached legacy CLI authentication
The fix for SECURITY-901 in Jenkins 2.150.2 and 2.160 did not reject existing remoting-based CLI authentication caches. This means that users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated. Support for the...
SECURITY-607
Bulletin has no description...
Stored XSS vulnerability in node offline cause description
Since Jenkins 2.483, the description of the reason why a node is offline the "offline cause" is defined as containing HTML and rendered as such. Jenkins 2.550 and earlier, LTS 2.541.1 and earlier does not escape the user-provided description of the "Mark temporarily offline" offline cause. This...
Missing permission check in publish-to-bitbucket allows enumerating credentials IDs
publish-to-bitbucket 0.4 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials...
Token stored in plain text by telegram-notifications
telegram-notifications 1.4.0 and earlier stores the Telegram Bot token unencrypted in its global configuration file jenkinsci.plugins.telegrambot.TelegramBotGlobalConfiguration.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins...
Credentials stored in plain text by github-pr-coverage-status
github-pr-coverage-status 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file com.github.terma.jenkins.githubprcoveragestatus.Configuration.xml on the Jenkins controller as part of its configuration. These...
Missing permission checks in build-metrics
build-metrics 1.3 and earlier does not perform a permission check in multiple HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about jobs otherwise inaccessible to them. As of publication of this advisory, there is no fix. Learn why we announce this...
Incorrect permission checks in role-strategy may allow accessing some items
Items like jobs can be organized hierarchically in Jenkins, using the Folders Plugin or something similar. An item is expected to be accessible only if all its ancestors are accessible as well. role-strategy 3.1 and earlier does not correctly perform permission checks to determine whether an item...
Stored XSS vulnerability in link-column
link-column allows users with View/Configure permission to add a new column to list views that contains a user-configurable link. link-column 1.0 and earlier does not filter the URL for these links, allowing the javascript: scheme. This results in a stored cross-site scripting XSS vulnerability...
Credentials transmitted in plain text by backlog
backlog stores credentials in job config.xml files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by backlog 2.4 and earlier. These credentials could be viewed by users with Extended Read...
Users with Overall/Read access can enumerate credential IDs in pipeline-githubnotify-step
pipeline-githubnotify-step 1.0.4 and earlier provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs...
CSRF vulnerability and missing permission checks in Cloud Foundry Plugin allowed capturing credentials
Cloud Foundry Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
IBM z/OS Connector Plugin stores password in plain text
IBM z/OS Connector Plugin did not encrypt password credentials stored in its configuration. This could be used by users with Jenkins controller file system access to obtain the password. While masked from view using a password form field, the AWS Secret Key was transferred in plain text to...
Path traversal vulnerability allows arbitrary file writing in HTML Publisher Plugin
HTML Publisher Plugin allows specifying a name for the HTML reports it publishes. This report name was used in the URL of the report and as a directory name on the Jenkins controller without further processing, resulting in a path traversal vulnerability that allowed overriding files outside the...
Arbitrary file read vulnerability through symbolic links in pipeline-groovy-lib
pipeline-groovy-lib 797.v90eaa9be45a0 and earlier does not prohibit symbolic links in shared libraries. This allows attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem. pipeline-groovy-lib 798.v5cc688825312 prohibi...
CSRF vulnerability in extensible-choice-parameter
extensible-choice-parameter 239.v5f5c278708cf and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to execute sandboxed Groovy code. As of publication of this advisory, there is no fix...
CSRF vulnerability and missing permission checks in nexus-task-runner
nexus-task-runner 0.9.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this endpoint does not require POST requests,...
Disabled permissions can be granted by folder-auth
folder-auth 217.vd5b18537403e and earlier does not verify that permissions configured to be granted are enabled. This may allow users formerly granted typically optional permissions, like Overall/Manage to access functionality they're no longer entitled to. As of publication of this advisory, the...
Exposure of multi-line secrets through error messages in Jenkins
Jenkins provides the secretTextarea form field for multi-line secrets. Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field. This can result in exposure of multi-line...
Improper masking of credentials in nodejs
nodejs integrates with https://plugins.jenkins.io/config-file-provider/Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. nodejs 1.6.0 and earlier does not properly mask i.e., replace with asterisks credentials specified in...
Missing permission check in loaderio-jenkins-plugin allows enumerating credentials IDs
loaderio-jenkins-plugin 1.0.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission check in delete-log-plugin
delete-log-plugin 1.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Item/Read permission to delete build logs. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSRF vulnerability. As of...
CSRF vulnerability and missing permission checks in mailer
mailer 391.ve4a38c1bcf4b and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. Additionally, this form validation method does n...
Stored XSS vulnerability in computer-queue-plugin
computer-queue-plugin 1.5 and earlier does not escape the agent name in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Agent/Configure permission. computer-queue-plugin 1.6 escapes the agent name in tooltips...
Credentials transmitted in plain text by sonar-quality-gates
sonar-quality-gates stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration for...
CSRF vulnerability and missing permission check in icescrum
icescrum did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to initiate a connection test to an attacker-specified server with attacker-specified access token or username and password. Additionally, the form validatio...
CSRF vulnerability and missing permission check in XL TestView allow capturing credentials
XL TestView does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Clickjacking vulnerability in Monitoring Plugin
Monitoring Plugin did not set the X-Frame-Options header, allowing its pages to be embedded. This could result in clickjacking attacks. Monitoring Plugin now sets the X-Frame-Options header to sameorigin, preventing embedding...
Arachni Scanner Plugin stored credentials in plain text
Arachni Scanner Plugin stored its password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now integrates with Credentials Plugin. Existing configurations are migrated...
SECURITY-655
Bulletin has no description...
Deserialization vulnerability
Jenkins uses serialization and deserialization in multiple places, like agent/controller communication the Remoting library and to load and save configuration and build data using XStream. To protect from common deserialization vulnerabilities, Jenkins uses a custom deserialization filter that on...
Open redirect vulnerability in "Delegate to servlet container" security realm
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to redirect to after login. This allows attackers to perform phishing attacks by redirecting users to an attacker-controlled domain. Jenkins...
Missing permission check allows canceling queue items
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not perform an Item/Read permission check in an HTTP endpoint. This allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. NOTE: This is due to an incomplete...
RCE vulnerability from unvalidated LDAP referrals in active-directory
active-directory 2.41 and earlier follows LDAP referrals from the configured Active Directory server by default. These can forward to an RMI URL that causes Jenkins to deserialize attacker-controlled data, resulting in Remote Code Execution RCE on the Jenkins controller if deserialization "gadget...
Open redirect vulnerability in bitbucket-oauth
bitbucket-oauth 0.17 and earlier does not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. bitbucket-oauth 0.18 only redirects to relative Jenkin...
CSRF vulnerability in jenkins-multijob-plugin allows resuming builds
jenkins-multijob-plugin 662.vd2e0001f6bbd and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to resume failed Multijob builds. jenkins-multijob-plugin 669.v9d96ad9c71b0 requires POST...
Open redirect vulnerability in azure-ad
azure-ad 666.v6060de32f87d and earlier does not restrict the redirect URL after login. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. azure-ad 667.v4c5827ae74a0 only redirects to...
OS command injection vulnerability on agents in git-client
git-client generates temporary script files to provide credentials e.g., SSHASKPASS. In git-client 6.4.0 and earlier, these script files contain the path to the workspace directory as part of a command argument. This argument is not correctly escaped, allowing attackers able to control the...
AWS Secret Key stored and displayed in plain text by statistics-gatherer
statistics-gatherer 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller as part of its configuration. This key can be viewed by users with access to the Jenkins...
Script security sandbox bypass vulnerability in shared-library-version-override
shared-library-version-override 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox. This allows attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs...
XXE vulnerability in ivytrigger
ivytrigger 1.01 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input files for the "IvyTrigger - Poll with an Ivy script" build trigger to have Jenkins parse a crafted XML document that uses external entities for extraction of...
Stored XSS vulnerability in authorize-project
authorize-project 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. authorize-project 1.8.0 no longer evaluates a string...
Missing permission checks in jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names. jenkinsci-appspider-plugin 1.0.17 requires...