1464 matches found
Stored XSS vulnerability in validating-email-parameter
validating-email-parameter 1.10 and earlier does not escape the name and description of its parameter type. Additionally, it disables the security hardening added in Jenkins 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix that protects the "Build With Parameters" and...
Passwords stored in plain text by hpe-network-virtualization
hpe-network-virtualization 1.0 stores passwords unencrypted in its global configuration file org.jenkinsci.plugins.nvemulation.plugin.NvEmulationBuilder.xml on the Jenkins controller as part of its configuration. These passwords can be viewed by users with access to the Jenkins controller file...
Path traversal vulnerability in embeddable-build-status
embeddable-build-status 2.0.3 and earlier allows specifying a style query parameter that is used to choose a different SVG image style without restricting possible values. This results in a relative path traversal vulnerability, allowing attackers without Overall/Read permission to specify paths ...
CSRF vulnerability and missing permission check in vmware-vrealize-orchestrator
vmware-vrealize-orchestrator 3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to send an HTTP POST request to an attacker-specified URL. Additionally, this HTTP endpoint does not require POST requests, resulting in a...
Missing permission check in gitlab-plugin allows enumerating credentials IDs
gitlab-plugin 1.5.31 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability...
Multiple vulnerabilities in Windows Remote Command library in windows-slaves
windows-slaves 1.8 and earlier includes the Windows Remote Command library. It provides a general-purpose remote command execution capability that Jenkins uses to check if Java is available, and if not, to install it. This library has a buffer overflow vulnerability that may allow users able to...
User-scoped credentials exposed to other users by blueocean-pipeline-scm-api
When pipelines are created using the pipeline creation wizard in Blue Ocean, the credentials used are stored in the per-user credentials store of the user creating the pipeline. To allow pipelines to use this credential to scan repositories and checkout from SCM, the Blue Ocean Credentials Provid...
CSRF vulnerability and missing permission checks in blueocean
blueocean 1.25.3 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to send requests to an attacker-specified URL. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery CSRF...
Stored XSS vulnerability in Autocomplete Parameter
Autocomplete Parameter 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure...
Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in workflow-cps
workflow-cps allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection. In workflow-cps 2689.v434009a31bf1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and...
CSRF vulnerability and missing permission checks in ssh allow capturing credentials
ssh 2.6.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
XXE vulnerability in Storable Configs
Storable Configs 1.0 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers with Item/Configure permission to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side...
Stored XSS vulnerabilities in multiple plugins providing additional parameter types
Multiple plugins do not escape the name and description of the parameter types they provide: Application Detector Plugin 1.0.8 and earlier SECURITY-2732 / CVE-2022-30960 Autocomplete Parameter Plugin 1.1 and earlier SECURITY-2729 / CVE-2022-30961 Global Variable String Parameter Plugin 1.2 and...
Untrusted users can modify some Pipeline libraries in workflow-cps-global-lib
Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definitio...
CSRF vulnerability in subversion
subversion 2.15.3 and earlier does not require POST requests for several form validation methods, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to connect to an attacker-specified URL. subversion 2.15.4 requires POST requests for the affected...
Private key stored in plain text by google-compute-engine
google-compute-engine 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller as part of its configuration. These private keys can be viewed by users with Agent/Extended Read permission or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in JiraTestResultReporter
JiraTestResultReporter 165.v817928553942 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials. Additionally, this form validation...
Path traversal vulnerability on Windows in ci-with-toad-edge
ci-with-toad-edge 2.3 and earlier uses a patched fork of an old version of the file browser for workspaces, archived artifacts, and userContent/ from Jenkins core DirectoryBrowserSupport to serve reports. The fork did not receive the fix for SECURITY-2481 in Jenkins 2.315 and LTS 2.303.2. This...
CSRF vulnerability in ownership
ownership 0.13.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to restore the default ownership of a job. As of publication of this advisory, there is no fix. Learn why we announce...
Stored XSS vulnerability in sitemonitor
sitemonitor 0.6 and earlier does not escape URLs of sites to monitor in tooltips. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Path traversal vulnerability in Pipeline: Phoenix AutoTest allows reading arbitrary files
Pipeline: Phoenix AutoTest 1.3 and earlier implements a Pipeline step copy to copy files from the running build's directory on the Jenkins controller to an agent without sanitizing the path specified. This allows attackers with Item/Configure permission to copy arbitrary files and directories fro...
Arbitrary file read vulnerability in Pipeline: Phoenix AutoTest
Pipeline: Phoenix AutoTest 1.3 and earlier implements a Pipeline step ftp to upload files to an FTP server without limiting the source directory. This allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller via FTP to an attacker-specified FTP server...
CSRF vulnerability and missing permission checks in proxmox
proxmox 0.7.0 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to: connect to an attacker-specified host using attacker-specified username and password, performing a connection test, disable SSL/TLS validation for the...
Arbitrary file read vulnerability in ci-with-toad-edge
ci-with-toad-edge 2.3 and earlier allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller by specifying an input folder on the Jenkins controller as a parameter to its build steps. ci-with-toad-edge 2.4 only allows copying files from the node the build is...
CSRF vulnerability and missing permission check in ownership
ownership 0.13.0 and earlier does not perform a permission check in several HTTP endpoints. This allows attackers with Item/Read permission to change the owners and item-specific permissions of a job. Additionally, this endpoint does not require POST requests, resulting in a cross-site request...
XXE vulnerability in covcomplplot
covcomplplot 1.1.1 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the 'Public Coverage / Complexity Scatter Plot' post-build step to have Jenkins parse a crafted file that uses external entities f...
XXE vulnerability in Pipeline: Phoenix AutoTest
Pipeline: Phoenix AutoTest 1.3 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the input files for the readXml or writeXml build step to have Jenkins parse a crafted file that uses external entities for extraction of...
Stored XSS vulnerability in selected-tests-executor
selected-tests-executor 1.3.3 and earlier does not escape the Properties File Path option for Choosing Tests parameters. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix...
Arbitrary file read vulnerability in selected-tests-executor
selected-tests-executor 1.3.3 and earlier allows users with Item/Configure permission to read arbitrary files on the Jenkins controller using the Choosing Tests parameter. As of publication of this advisory, there is no fix. Learn why we announce this...
Passwords stored in plain text by instant-messaging
instant-messaging provides a framework for plugins integrating Jenkins with instant messaging services. instant-messaging 1.41 and earlier stores passwords for group chats unencrypted in the global configuration file of plugins based on instant-messaging on the Jenkins controller. These passwords...
Stored XSS vulnerability in folder-auth
folder-auth 1.3 and earlier does not escape the names of roles shown on the configuration form. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Overall/Administer permission. folder-auth 1.4 escapes the names of roles shown on the configuration form...
Client Secret stored in plain text by gitlab-oauth
gitlab-oauth 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This client secret can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is...
Missing permission checks in kubernetes-cd allow enumerating credentials IDs
kubernetes-cd 2.3.1 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
CSRF vulnerability and missing permission checks in release-helper
release-helper 1.3.3 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, this form validation method does...
Arbitrary file read vulnerability in kubernetes-cd
kubernetes-cd contributes the 'Kubernetes configuration kubeconfig' credential type. kubernetes-cd 2.3.1 and earlier allows users with Credentials/Create or Credentials/Update permission to read arbitrary files on the Jenkins controller by defining a 'From a file on the Jenkins master' Kubeconfig...
Passwords stored in plain text by vmware-vrealize-codestream
vmware-vrealize-codestream 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of...
CSRF vulnerability and missing permission checks in aws-credentials
aws-credentials 189.v3551d5642995 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an AWS service using an attacker-specified token. Additionally, this form validation method does not require...
Sensitive parameter values captured in build metadata files by parameterized-trigger
parameterized-trigger 2.43 and earlier captures environment variables passed to builds triggered using parameterized-trigger, including password parameter values, in their build.xml files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file...
CSRF vulnerability and missing permission check in scp
scp 1.8 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified SSH server using attacker-specified username and password. Additionally, this form validation method does not...
Stored XSS vulnerability in promoted-builds-simple
promoted-builds-simple 1.9 and earlier does not escape the name of custom promotion levels. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Overall/Administer permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Sensitive data stored in plain text by support-core
support-core has a feature to redact potentially sensitive information in the support bundle. support-core 2.79 and earlier does not redact some sensitive information in the support bundle. This sensitive information can be viewed by anyone with access to the bundle. support-core 2.79.1 adds a li...
Stored XSS vulnerability in custom-checkbox-parameter
custom-checkbox-parameter 1.1 and earlier does not escape parameter names of custom checkbox parameters. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. custom-checkbox-parameter 1.2 escapes parameter names of custom checkbo...
CSRF vulnerability and missing permission checks in Chef Sinatra allow XXE
Chef Sinatra 1.20 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse the response as XML. As the plugin does not configure...
Agent-to-controller security bypass vulnerability in doktor
doktor 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc. Additionally, error messages allow attackers able to control agent processes to determine whether a file with a given name exists. As of publication of this...
CSRF vulnerability and missing permission check in SWAMP allows capturing credentials
SWAMP 1.2.6 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored i...
Password parameter default values exposed by pipeline-build-step
pipeline-build-step 2.15 and earlier reveals password parameter default values when generating a pipeline script using the Pipeline Snippet Generator. This allows attackers with Item/Read permission to retrieve the default password parameter value from jobs. pipeline-build-step 2.15.1 redacts...
Vulnerabilities in multiple Pipeline-related plugins allow reading arbitrary files on the controller
Multiple Pipeline-related plugins follow symbolic links or do not limit path names, resulting in arbitrary file read vulnerabilities: - Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading...
Sensitive information disclosure in workflow-cps
workflow-cps 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds. This allows attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline. workflow-cps 2656.vf7ae7b75a457 does not allow...
Sandbox bypass vulnerability in workflow-cps-global-lib
workflow-cps-global-lib 552.vd9cc05b8a2e1 and earlier uses the same workspace directory for all checkouts of Pipeline libraries with the same name regardless of the SCM being used and the source of the library configuration. This allows attackers with Item/Configure permission to execute arbitrar...
Agent-to-controller security bypass in conjur-credentials allows retrieving all credentials
conjur-credentials 1.0.9 and earlier implements functionality that allows agent processes to obtain all username/password credentials Credentials Plugin stored on the Jenkins controller. This allows attackers able to control agent processes to retrieve those credentials. As of publication of this...