1464 matches found
Reflected XSS vulnerability in kiuwanJenkinsPlugin
kiuwanJenkinsPlugin 1.6.0 and earlier does not escape output that can indirectly be controlled through query parameters in an error message for a form validation endpoint. This results in a reflected cross-site scripting XSS vulnerability. NOTE: Only older releases of Jenkins are affected by this...
Missing permission check in deployit-plugin allows enumerating credentials IDs
deployit-plugin 10.0.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials usin...
CSRF vulnerability and missing permission check in deployit-plugin allows capturing credentials
deployit-plugin 10.0.1 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
XXE vulnerability in urltrigger
urltrigger 0.48 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Job/Configure permission or otherwise able to control the contents of an URL to an XML document being examined for changes to have Jenkins parse a crafted XML...
XSS vulnerability in markdown-formatter
markdown-formatter 0.1.0 and earlier uses a Markdown library to parse Markdown that does not escape crafted link target URLs. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with the ability to edit any description rendered using the configured markup...
Stored XSS vulnerability in dashboard-view
dashboard-view 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with View/Configure permission. dashboard-view 2.16 does not render unsafe URLs. As part of this fix, the property...
CSRF vulnerability in config-file-provider allows deleting configuration files
config-file-provider 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID. This is due to an incomplete fix o...
Incorrect permission checks in config-file-provider allow enumerating credentials IDs
config-file-provider 3.7.0 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Job/Configure permission to enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture...
Remote code execution vulnerability in templating-engine
templating-engine 2.1 and earlier does not protect its pipeline configurations using Script Security Plugin. This vulnerability allows attackers with Job/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. templating-engine 2.2 integrates with Script...
Denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.285 and earlier, LTS...
Reflected XSS vulnerability in hp-application-automation-tools-plugin
hp-application-automation-tools-plugin 6.7 and earlier does not escape user input in a form validation response. This results in a reflected cross-site scripting XSS vulnerability. hp-application-automation-tools-plugin 6.8 escapes user input in the affected form validation response. NOTE: A...
CSRF vulnerability in promoted-builds
promoted-builds 3.9 and earlier does not require POST requests for HTTP endpoints implementing promotion regular, forced, and re-execute, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to promote builds. promoted-builds 3.9.1 requires POST...
SSL/TLS certificate validation unconditionally disabled by hp-application-automation-tools-plugin
hp-application-automation-tools-plugin 6.7 and earlier unconditionally disables SSL/TLS certificate validation for connections to Service Virtualization servers. hp-application-automation-tools-plugin 6.8 no longer disables SSL/TLS certificate validation unconditionally by default. It provides an...
CSRF vulnerability and missing permission checks in hp-application-automation-tools-plugin
hp-application-automation-tools-plugin 6.7 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password. Additionally, these form...
Missing permission check in cloud-stats
cloud-stats 0.26 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages. cloud-stats 0.27 requires Overall/Administer permission to access...
CSRF vulnerability in libvirt-slave
libvirt-slave 1.9.0 and earlier does not require POST requests for a form submission endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to stop hypervisor domains. libvirt-slave 1.9.1 requires POST requests for the affected HTTP endpoint...
Missing permission checks in warnings-ng allow listing workspace contents
warnings-ng 8.4.4 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace contents. A sequence ...
XSS vulnerability in claim
claim 2.18.1 and earlier does not escape the user display name shown in claims. This results in a cross-site scripting XSS vulnerability exploitable by attackers who are able to control the display names of Jenkins users, either via the security realm, or directly inside Jenkins. NOTE: Everyone...
Stored XSS vulnerability in uno-choice
uno-choice 2.5.2 and earlier does not escape reference parameter values. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. uno-choice 2.5.3 escapes reference parameter values...
CSRF vulnerability in claim
claim 2.18.1 and earlier does not require POST requests for the form submission endpoint assigning claims, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to change claims. claim 2.18.2 requires POST requests for the affected HTTP endpoint...
Stored XSS vulnerability in artifact-repository-parameter
artifact-repository-parameter 1.0.0 and earlier does not escape parameter names and descriptions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. artifact-repository-parameter 1.0.1 escapes parameter names and descriptions...
Arbitrary file read vulnerability in workspace browsers
Due to a time-of-check to time-of-use TOCTOU race condition, the file browser for workspaces, archived artifacts, and $JENKINSHOME/userContent/ follows symbolic links to locations outside the directory being browsed in Jenkins 2.275 and LTS 2.263.2. This allows attackers with Job/Workspace...
Stored XSS vulnerability in button labels
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape button labels in the Jenkins UI. This results in a cross-site scripting vulnerability exploitable by attackers with the ability to control button labels. An example of buttons with a user-controlled label are the buttons of the...
Improper handling of REST API XML deserialization errors
Jenkins provides XML REST APIs to configure views, jobs, and other items. When deserialization fails because of invalid data, Jenkins 2.274 and earlier, LTS 2.263.1 and earlier stores invalid object references created through these endpoints in the Old Data Monitor. If an administrator discards t...
Credentials stored in plain text by bumblebee
bumblebee 4.1.5 and earlier stores credentials unencrypted in its global configuration file com.agiletestware.bumblebee.BumblebeeGlobalConfig.xml on the Jenkins controller as part of its configuration. These credentials can be viewed by users with access to the Jenkins controller file system...
Stored XSS vulnerability on new item page
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not escape display names and IDs of item types shown on the New Item page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to specify display names or IDs of item types. NOTE: As of the publicati...
Arbitrary file existence check in file fingerprints
Jenkins provides a feature for jobs to store and track fingerprints of files used during a build. Jenkins 2.274 and earlier, LTS 2.263.1 and earlier provides a REST API to check where a given fingerprint was used by which builds. This endpoint does not fully validate that the provided fingerprint...
Plugin Installation Manager Tool did not verify plugin downloads
Plugin Installation Manager Tool is part of the Jenkins project Docker images. As jenkins-plugin-cli it is used to download and install plugins even before Jenkins is running. Plugin Installation Manager Tool 2.1.3 and earlier does not verify plugin downloads. This may allow third parties such as...
CSRF vulnerability in shelve-project-plugin
shelve-project-plugin 3.0 and earlier does not require POST requests for HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to shelve, unshelve, or delete a project. shelve-project-plugin 3.1 requires POST requests for the affected...
Missing permission checks in chaos-monkey
chaos-monkey 0.4 and earlier does not perform permission checks in an HTTP endpoint. This allows attackers with Overall/Read permission to access the Chaos Monkey page and to see the history of actions. chaos-monkey 0.4.1 requires Overall/Administer permission to access the Chaos Monkey page and ...
Missing permission check in kubernetes allows enumerating credentials IDs
kubernetes 1.27.3 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. A...
XXE vulnerability in mercurial
mercurial 2.11 and earlier does not configure its XML changelog parser to prevent XML external entity XXE attacks. This allows attackers able to control an agent process to have Jenkins parse a crafted changelog file that uses external entities for extraction of secrets from the Jenkins controlle...
Password stored in plain text by jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file com.rapid7.jenkinspider.PostBuildScan.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system...
Stored XSS vulnerability in FindBugs
FindBugs 5.0.0 and earlier does not escape the annotation message in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to provide report files to FindBugs's post build step. As of publication of this advisory, there is no fix...
Passwords stored in plain text by mailcommander
mailcommander 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisor...
Incorrect default pattern in audit-trail
audit-trail uses regular expressions to match requested URLs whose dispatch should be logged. In audit-trail 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling. audit-trail 3.7 changes...
Stored XSS vulnerability in uno-choice
uno-choice 2.4 and earlier does not escape the name and description of build parameters. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. uno-choice 2.5 escapes the name of build parameters and applies the configured markup...
XXE vulnerability in Nerrvana
Nerrvana 1.02.06 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Overall/Read permission to have Jenkins parse a crafted HTTP request with XML data that uses external entities for extraction of secrets from the Jenkins controlle...
Stored XSS vulnerability in release
release 2.10.2 and earlier does not escape the release version in the badge tooltip. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Release/Release permission. As of publication of this advisory, there is no fix...
Arbitrary file read vulnerability in Persona
Persona 2.4 and earlier allows users with Overall/Read permission to read arbitrary files on the Jenkins controller. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in uno-choice
uno-choice 2.4 and earlier does not escape List and Map return values of sandboxed scripts for Reactive Reference Parameter. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. This issue is caused by an incomplete fix for...
XXE vulnerability in liquibase-runner
liquibase-runner 1.4.5 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to provide Liquibase changesets evaluated by the plugin to have Jenkins parse a crafted XML file that uses external entities for extraction of secrets from t...
CSRF vulnerability in warnings allows remote code execution
warnings 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to execute arbitrary code. warnings 5.0.2 requires POST requests f...
CSRF vulnerability in lockable-resources
lockable-resources 2.8 and earlier does not require POST requests for several HTTP endpoints, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to reserve, unreserve, unlock, and reset resources. lockable-resources 2.9 requires POST requests for the...
Missing hostname validation in mailer
mailer 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. mailer 1.32.1 validates the SMTP hostname when connecting via TLS by default. In...
Stored XSS vulnerability in locked-files-report
locked-files-report 1.6 and earlier does not escape locked files' names in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Arbitrary file read vulnerability in Storable Configs
Storable Configs 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in radiatorviewplugin
radiatorviewplugin 1.29 and earlier does not escape the full name of the jobs in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in upstream cause in pipeline-maven
pipeline-maven 3.9.2 and earlier does not escape the upstream job's display name shown as part of a build cause. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. pipeline-maven 3.9.3 escapes upstream job names in build causes...
Stored XSS vulnerability in custom-job-icon
custom-job-icon 0.2 and earlier does not escape the job descriptions in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Job/Configure permission. As of publication of this advisory, there is no fix...