1464 matches found
Users with Overall/Read access could enumerate credential IDs in artifactory
artifactory provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an...
XML External Entity processing vulnerability in pipeline-maven
pipeline-maven did not configure its XML parser in a way that would prevent XML External Entity XXE processing. This allowed attackers able to control the contents of a temporary directory on the agent that the Maven build is executing on to have Jenkins parse a maliciously crafted XML file that...
Users with Overall/Read access are able to enumerate credential IDs in ansible-tower
ansible-tower provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part of an attack ...
azure-ad stored credentials in plain text
azure-ad stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. azure-ad now stores the client secret encrypted...
koji globally and unconditionally disables SSL/TLS certificate validation
koji unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...
XXE vulnerability via UDP broadcast response in swarm client
swarm allows clients to auto-discover Jenkins instances on the same network through a UDP discovery request. Responses to this request are XML documents. swarm does not configure the XML parser in a way that would prevent XML External Entity XXE processing. This allows unauthenticated attackers o...
aqua-microscanner stored credentials in plain text
aqua-microscanner stored credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. aqua-microscanner now stores credentials encrypted...
XSS vulnerability in form validation button
The f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting XSS vulnerability exploitable by users with the ability to control job names. The affected form control has been rewritten to no longer need to escape job URLs...
AWS CloudWatch Logs Publisher Plugin stores credentials in plain text
AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
Hyper.sh Commons Plugin stores credentials in plain text
Hyper.sh Commons Plugin stores credentials unencrypted in its global configuration file sh.hyper.plugins.hypercommons.Tools.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in gearman-plugin
A missing permission check in a form validation method in gearman-plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
relution-publisher stores credentials in plain text
relution-publisher stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relutionpublisher.configuration.global.StoreConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
mabl-integration stores credentials in plain text
mabl-integration stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in kmap-jenkins allow SSRF
A missing permission check in a form validation method in kmap-jenkins allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in...
Crowd Integration Plugin stores credentials in plain text
Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
jenkins-cloudformation-plugin stores credentials in plain text
jenkins-cloudformation-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in sinatra-chef-builder allow SSRF
A missing permission check in a form validation method in sinatra-chef-builder allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
CSRF vulnerability and missing permission check in nomad allow SSRF
A missing permission check in a form validation method in nomad allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
VS Team Services Continuous Deployment Plugin stores credentials in plain text
vsts-cd stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in audit2db allow connecting to arbitrary databases
A missing permission check in a form validation method in audit2db allows users with Overall/Read permission to initiate a JDBC database connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests,...
CSRF vulnerability and missing permission check in zephyr-enterprise-test-management allow SSRF
A missing permission check in a form validation method in zephyr-enterprise-test-management allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST...
Open STF Plugin stores credentials in plain text
Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in jenkins-reviewbot allow SSRF
A missing permission check in a form validation method in jenkins-reviewbot allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting ...
Assembla Auth Plugin stores credentials in plain text
Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
websphere-deployer stores credentials in plain text
websphere-deployer stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
Perfecto Mobile Plugin stores credentials in plain text
Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
starteam stores credentials in plain text
starteam stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
minio-storage stores credentials in plain text
minio-storage stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
jabber-server-plugin stores credentials in plain text
jabber-server-plugin stores credentials unencrypted in its global configuration file de.enexus.jabber.JabberBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
netsparker-cloud-scan stored credentials in plain text
netsparker-cloud-scan stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins controller. These API tokens could be viewed by users with access to the Jenkins controller file system. netsparker-cloud-scan now stores API tokens...
ECS Publisher Plugin stored and displayed API token in plain text
ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml files and its global configuration file on the Jenkins controller. This token could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Additionally, the API token was not mask...
Sandbox bypass in Pipeline: Groovy Plugin
Pipeline: Groovy sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the contents of a pipeline to bypass the sandbox protection and execute arbitrary code on the Jenkins controller...
Information disclosure in Azure VM Agents Plugin
A missing permission check in a form validation method in Azure VM Agents Plugin allowed users with Overall/Read access to verify a submitted configuration, obtaining limited information about the Azure account and configuration. Additionally, this form validation method did not require POST...
SSRF vulnerability due to missing permission check in Mattermost Notification Plugin
A missing permission check in a form validation method in Mattermost Notification Plugin allowed users with Overall/Read permission to initiate a connection test, connecting to an attacker-specified Mattermost server and room and posting a message. Additionally, this form validation method did no...
SSRF vulnerability due to missing permission check in OctopusDeploy Plugin
A missing permission check in a form validation method in OctopusDeploy Plugin allowed users with Overall/Read permission to initiate a connection test, sending an HTTP HEAD request to an attacker-specified URL, returning HTTP response code if successful, or exception error message otherwise...
OpenId Connect Authentication Plugin showed plain text client secret in configuration form
OpenId Connect Authentication Plugin stores the client secret in the global Jenkins configuration. While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client...
Sandbox Bypass via CSRF in Warnings Next Generation Plugin
Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site...
Monitoring Plugin did not apply CSRF protection even if enabled in Jenkins
Monitoring Plugin provides a standalone JavaMelody servlet with an independent CSRF protection configuration. Even if Jenkins had CSRF protection enabled, Monitoring Plugin may not have it enabled. Monitoring Plugin now checks on startup whether Jenkins has CSRF protection enabled and enables its...
CSRF vulnerability and missing permission checks in Kanboard Plugin allowed server-side request forgery
Kanboard Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit a GET request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF...
Administrators could persist access to Jenkins using crafted 'Remember me' cookie
Users with the Overall/RunScripts permission typically administrators were able to use the Jenkins script console to craft a 'Remember me' cookie that would never expire. This allowed attackers access to a Jenkins instance while the corresponding user in the configured security realm exists, for...
Sandbox Bypass in Script Security and Pipeline Plugins
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Re...
Code execution through crafted URLs
Jenkins uses the Stapler web framework for HTTP request handling. Stapler's basic premise is that it uses reflective access to code elements matching its naming conventions. For example, any public method whose name starts with get, and that has a String, int, long, or no argument can be invoked...
Potential denial of service through cron expression form validation
The form validation for cron expressions e.g. "Poll SCM", "Build periodically" could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely...
Failures to process form submission data could result in secrets being displayed or written to logs
When Jenkins fails to process form submissions due to an internal error, the error message shown to the user and written to the log typically includes the serialized JSON form submission. Secrets, such as submitted passwords, might be included with the JSON object, and shown or written to disk in...
Stored XSS vulnerability in Config File Provider Plugin
Config File Provider Plugin did not escape configuration file metadata, resulting in a stored cross-site scripting XSS vulnerability. Config File Provider Plugin now escapes configuration file metadata shown on the Jenkins UI...
Unprivileged users with Overall/Read access are able to enumerate credential IDs in Mesos Plugin
Mesos Plugin provides a list of applicable credential IDs to allow administrators configuring the Mesos cloud to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part ...
SonarQube Scanner Plugin stored server authentication token in plain text
SonarQube Scanner Plugin stored a server authentication token unencrypted in its global configuration file on the Jenkins controller. This token could be viewed by users with access to the Jenkins controller file system. The plugin now stores the token encrypted in the configuration files on disk...
Artifactory Plugin stored old directly entered credentials unencrypted on disk
Artifactory Plugin 2.4.0 introduced support for securely storing credentials using the Credentials Plugin. Old, insecurely stored credentials however were not removed when switching to this new system. Artifactory Plugin 2.16.2 and newer remove obsolete credentials stored in plain text when using...
CSRF vulnerability and missing permission checks in HipChat Plugin allowed capturing credentials
HipChat Plugin did not perform permission checks on a method that sends test notifications. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified HipChat server using attacker-specified connection settings and credentials IDs obtained through another method,...
CSRF vulnerability and missing permission checks in Confluence Publisher Plugin
Confluence Publisher Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit login requests to Confluence using attacker-specified credentials. Additionally, this form validation method did not require POS...