1464 matches found
Missing permission checks and CSRF vulnerability in gitee
gitee 1288.v18bdebc9069b and earlier does not perform permission checks in several HTTP endpoints implementing form validation for its global configuration. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained...
Open redirect vulnerability
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines whether a URL is safe to redirect to in the default login flow: A URL containing relative path segments ./ or ../ is validated before the servlet container collapses those segments into a protocol-relative URL starting with...
Authorization Token stored in plain text by openshift-pipeline
openshift-pipeline 1.0.57 and earlier stores authorization tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These token can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.523 and earlier, LTS...
File path information disclosure in htmlpublisher
htmlpublisher 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. htmlpublisher 427 displays only the parent directory name of files...
Missing input validation for parameter values in git-parameter
git-parameter implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions. git-parameter 439.vb0e46ca14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices. This allows...
Tokens stored and displayed in plain text by ApicaLoadtest
ApicaLoadtest 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...
Token stored and displayed in plain text by xooa
xooa 0.0.7 and earlier stores the Xooa Deployment token unencrypted in its global configuration file io.jenkins.plugins.xooa.GlobConfig.xml on the Jenkins controller as part of its configuration. This token can be viewed by users with access to the Jenkins controller file system. Additionally, th...
Keys stored in plain text by ifttt-build-notifier
ifttt-build-notifier 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication ...
Insufficient validation of claims in oidc-provider
In oidc-provider, claim templates can use environment variables for jobs and builds for dynamic content. The default claim template for build ID tokens uses the JOBURL environment variable for the sub Subject claim. In oidc-provider 96.vee8ed882ec4d and earlier the generation of build ID Tokens...
CSRF vulnerability and missing permission checks in vmanager-plugin
vmanager-plugin 4.0.1-286.v9e25a740ba48 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. Additionally, these form...
SSL/TLS certificate validation unconditionally disabled by dingding-notifications
dingding-notifications 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. As of publication of this advisory, there is no fix. Learn why we announce this...
Host key reuse in SSH build agent Docker images
The https://hub.docker.com/r/jenkins/ssh-agentjenkins/ssh-agent and deprecated https://hub.docker.com/r/jenkins/ssh-slavejenkins/ssh-slave Docker images can be used to set up a build agent for use via the SSH Build Agents plugin. In jenkins/ssh-agent 6.11.1 and earlier and all versions of...
Encrypted values of secrets stored in agent configuration revealed to users with Agent/Extended Read permission
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI. This allows attackers with Agent/Extended Read permission to view encrypted values of secrets. NOTE: This issue is related to SECURITY-266 in the...
Cache confusion in eiffel-broadcaster
eiffel-broadcaster allows events published to RabbitMQ to be signed using certificate credentials. To improve performance, the plugin caches some data from the credential. eiffel-broadcaster 2.8.0 through 2.10.2 both inclusive uses the credential ID as the cache key. This allows attackers able to...
Denial of service vulnerability in bundled json-lib
Jenkins uses the library https://github.com/jenkinsci/json-liborg.kohsuke.stapler:json-lib to process JSON. This library is the Jenkins project's fork of https://search.maven.org/artifact/net.sf.json-lib/json-libnet.sf.json-lib:json-lib, which has since been renamed to...
Stored XSS vulnerability in simple-queue
simple-queue 1.4.4 and earlier does not escape the view name. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with View/Create permission. simple-queue 1.4.5 escapes the view name...
Rebuilding a run with revoked script approval allowed by workflow-cps
workflow-cps 3990.vd281dd77a388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main Jenkinsfile script for a rebuilt build is approved. This allows attackers with Item/Build permission to rebuild a previous build whose Jenkinsfile script is no longer approved. NOTE: This...
Session fixation vulnerability in oic-auth
oic-auth 4.418.vccc7061f5b6d and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. oic-auth 4.421.v5422614ebe0a invalidates the existing session on login...
Item creation restriction bypass vulnerability in Jenkins
Jenkins provides APIs for fine-grained control of item creation: Authorization strategies can prohibit the creation of items of a given type in a given item group ACLhasCreatePermission2. Item types can prohibit creation of new instances in a given item group...
Lack of issuer claim validation in oic-auth
oic-auth 4.354.v321ce67a1de8 and earlier does not check the iss Issuer claim of an ID Token during its authentication flow, a value that identifies the Originating Party IdP. This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.443 and earlier, LTS...
Stored XSS vulnerability in build-monitor-plugin
build-monitor-plugin 1.14-860.vd06ef2568b3f and earlier does not escape Build Monitor View names. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure Build Monitor Views. As of publication of this advisory, there is no fix. Learn why we...
CSRF vulnerability and missing permission check in docker-build-step
docker-build-step 2.11 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL. Additionally, the plugin reconfigures itself using the provided...
Stored XSS vulnerability in gitbucket
gitbucket 0.8 and earlier does not sanitize Gitbucket URLs on build views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Sensitive information exposure in build logs by mq-notifier
mq-notifier has a global option to log the JSON payload it sends to RabbitMQ in the build log. This includes the build parameters, some of which may be sensitive, and they are not masked. In mq-notifier 1.4.0 and earlier, this option is enabled by default. This results in unwanted exposure of...
Stored XSS vulnerability in htmlpublisher
htmlpublisher 1.32 and earlier does not escape job names, report names, and index page titles shown as part of the report frame. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. htmlpublisher 1.32.1 escapes job names, report...
Improper SSL/TLS certificate validation in Delphix
Delphix provides a global option for administrators to enable or disable SSL/TLS certificate validation for Data Control Tower DCT connections. In Delphix 3.0.1 through 3.1.0 both inclusive an option change from disabled validation to enabled validation fails to take effect until Jenkins is...
Open redirect vulnerability in oic-auth
oic-auth 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. As of publication o...
CSRF vulnerability and missing permission checks in paaslane-estimate
paaslane-estimate 1.0.4 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token. Additionally, these HTTP endpoints do not require POST requests, resultin...
Arbitrary file deletion vulnerability in scriptler
scriptler 342.v6a89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint. This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system. scriptler 344.v5addb5f9e685 ensures that the file being deleted is...
CSRF vulnerability and missing permission checks in neuvector-vulnerability-scanner
neuvector-vulnerability-scanner 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, this HTTP...
Non-constant time webhook token comparison in teams-webhook-trigger
teams-webhook-trigger 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. As of publication of this advisory, there is ...
Stored XSS vulnerability in trac
trac 1.13 and earlier does not escape the Trac website URL on the build page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. As of publication of this advisory, there is no fix. Learn why we announce this...
Non-constant time nonce comparison in azure-ad
azure-ad 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, does not use a constant-time comparison when checking whether the provided and expected CSRF protection nonce are equal. This could potentially allow attackers to use statistical methods to obtain a valid nonce. azure-ad...
XXE vulnerability in ivy
ivy 2.5 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input file for the "Trigger the build of other projects based on the Ivy dependency management system" post-build step to have Jenkins parse a crafted XML document that uses...
Disabled permissions granted by assembla-auth
assembla-auth provides an authorization strategy that defines four levels of access to Jenkins, based on the corresponding permissions in Assembla spaces: ALL, EDIT, VIEW, and NONE. assembla-auth 1.14 and earlier does not verify that the permissions it grants are enabled. This results in users wi...
HTML injection vulnerability in fortify
fortify 22.1.38 and earlier does not escape the error message for a form validation method. This results in an HTML injection vulnerability. NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses prevents JavaScript execution, so no scripts can be injected...
Missing permission check in delphix allows enumerating credentials IDs
delphix 3.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An...
CSRF vulnerability in favorite-view
favorite-view 5.v77a37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to add or remove views from another user's favorite views tab bar. As of publication of this advisory,...
Incorrect permission checks in qualys-was allow capturing credentials
qualys-was 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials...
CSRF vulnerability and missing permission check in servicenow-devops allow capturing credentials
servicenow-devops 1.38.0 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
Stored XSS vulnerability
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting XSS vulnerability...
Session fixation vulnerability in openshift-login
openshift-login 1.1.0.227.v27e08dfb1a20 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. openshift-login 1.1.0.230.v5d7030bf5432 invalidates the existing session on login...
Exposure of system-scoped credentials in mabl-integration
mabl-integration 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not...
CSRF vulnerability in pipeline-restful-api
pipeline-restful-api 0.11 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows...
Exposure of system-scoped credentials in dimensionsscm
dimensionsscm 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled...
Stored XSS vulnerability in repository
repository 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to change project or build display names. As of publication of this advisory,...
Stored XSS vulnerability in sonargraph-integration
sonargraph-integration 5.0.1 and earlier does not correctly escape the file path and the project name for the Log file field form validation. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. NOTE: This issue is caused by an...
Missing permission checks in teamconcert
teamconcert 2.4.1 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. teamconcert 2.4.2 requires...