Lucene search
+L
JenkinsMost viewed

1464 matches found

Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

Stored XSS vulnerability in log-parser

log-parser did not escape an error message shown when log parsing patterns are invalid. This resulted in a persisted cross-site scripting vulnerability exploitable by attackers able to control the log parsing rules configuration, typically users with Job/Configure permission. Jenkins applies the...

5.4CVSS5.4AI score0.00882EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

azure-event-grid-notifier stores credentials in plain text

azure-event-grid-notifier stores the Azure Event Grid secret key unencrypted in job config.xml files on the Jenkins controller. This key can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

4.3CVSS5AI score0.00812EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/25 12:0 a.m.•7 views

neuvector-vulnerability-scanner stored credentials in plain text

neuvector-vulnerability-scanner stored registry credentials unencrypted in its global configuration file io.jenkins.plugins.neuvector.NeuVectorBuilder.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system...

5.5CVSS5.7AI score0.00252EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/12 12:0 a.m.•7 views

Stored XSS vulnerability in build-environment

build-environment did not escape values of environment variables shown on its views. This resulted in a cross-site scripting vulnerability exploitable by attackers able to control the values of build environment variables, typically users with Job/Configure or Job/Build permission. Jenkins applie...

5.4CVSS5.4AI score0.00688EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/09/12 12:0 a.m.•7 views

Sandbox bypass vulnerability in script-security

Sandbox protection in script-security could be circumvented through any of the following: Crafted method names in method call expressions CVE-2019-10393 Crafted property names in property expressions on the left-hand side of assignment expressions CVE-2019-10394 Crafted property names in property...

4.9CVSS6.1AI score0.01047EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/28 12:0 a.m.•7 views

ibm-application-security showed plain text password in job configuration form fields

ibm-application-security stores service passwords in job configurations. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...

6.5CVSS6.1AI score0.00807EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/28 12:0 a.m.•7 views

Stored XSS vulnerability in update center

Jenkins did not properly escape the update site URL in some status messages shown in the update center, resulting in a stored cross-site scripting vulnerability that is exploitable by administrators and affects other administrators. Jenkins now escapes the update site URL in status messages shown...

4.8CVSS5.4AI score0.01371EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/07 12:0 a.m.•7 views

CSRF vulnerability and missing permission check in relution-publisher allow SSRF

A missing permission check in a form validation method in relution-publisher allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL using attacker-specified credentials and attacker-specified HTTP proxy configuration. Additionally, the form validation...

4.3CVSS5AI score0.00636EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/07 12:0 a.m.•7 views

HTTP session fixation vulnerability in gitlab-oauth

gitlab-oauth does not invalidate the previous session and create a new one upon successful login. This allows attackers able to control or obtain another user's pre-login session ID to impersonate them. As of publication of this advisory, there is no fix...

7.5CVSS7.2AI score0.01306EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/07 12:0 a.m.•7 views

labmanager globally and unconditionally disables SSL/TLS certificate validation

labmanager unconditionally disables SSL/TLS certificate validation for the entire Jenkins controller JVM. As of publication of this advisory, there is no fix...

6.5CVSS6.4AI score0.00841EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/08/07 12:0 a.m.•7 views

Open redirect vulnerability in gitlab-oauth

gitlab-oauth records the HTTP Referer header when the authentication process starts and redirects users to that URL when the user has finished logging in. This implements an open redirect, allowing malicious sites to implement a phishing attack, with users expecting they have just logged in to...

6.1CVSS6.2AI score0.00965EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/31 12:0 a.m.•7 views

Stored XSS vulnerability in m2release

m2release did not properly escape variables in multiple views, resulting in a stored cross-site scripting vulnerability. Variables on affected views are now escaped...

5.4CVSS5.3AI score0.00688EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/31 12:0 a.m.•7 views

google-kubernetes-engine stored temporary secret in a user accessible location

google-kubernetes-engine created a temporary file named .kube…config containing a temporary access token in the project workspace. This allowed the file to be accessed via workspace browsers, or accidentally archived, disclosing the token. This temporary file is now created outside the regular...

4.3CVSS5AI score0.00344EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/31 12:0 a.m.•7 views

configuration-as-code exported secret values in plain text

configuration-as-code allows to export the current Jenkins configuration as a YAML file. Secrets such as passwords should be exported in their encrypted form to prevent accidental disclosure. configuration-as-code did not reliably detect which values in the exported YAML file need to be considere...

4.9CVSS5.2AI score0.00608EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/17 12:0 a.m.•7 views

Unauthorized view fragment access

Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content. In some cases attackers could directly access a view fragment containing sensitive information, bypassing any...

4.3CVSS6AI score0.01647EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/17 12:0 a.m.•7 views

Arbitrary file write vulnerability using file parameter definitions

Users with Job/Configure permission could specify a relative path escaping the base directory in the file name portion of a file parameter definition. This path would be used to store the uploaded file on the Jenkins controller, resulting in an arbitrary file write vulnerability. File parameters...

6.5CVSS6.7AI score0.10225EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/11 12:0 a.m.•7 views

caliper-ci stores credentials in plain text

caliper-ci stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix...

8.8CVSS5.6AI score0.01632EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/07/11 12:0 a.m.•7 views

Stored XSS vulnerability in depgraph-view

depgraph-view does not correctly escape the Display Name value for jobs in Jenkins, resulting in a stored cross-site scripting vulnerability. As of publication of this advisory, there is no fix...

5.4CVSS5.3AI score0.03885EPSS
Exploits5Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/06/11 12:0 a.m.•7 views

Missing permission checks in electricflow

Various form validation and form autocompletion methods in electricflow lacked permission checks. This allowed attackers with Overall/Read access to obtain information about the configuration of electricflow, as well as the configuration and data of connected ElectricFlow servers. These form...

4.3CVSS5AI score0.01353EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/06/11 12:0 a.m.•7 views

XML External Entity processing vulnerability in token-macro

token-macro did not configure its XML parser in a way that would prevent XML External Entity XXE processing. This allowed attackers able to control the contents of files processed with the $XML macro to have Jenkins parse a maliciously crafted XML file that uses external entities for extraction o...

7.5CVSS7.1AI score0.01999EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/05/31 12:0 a.m.•7 views

Users with Overall/Read access could enumerate credential IDs in artifactory

artifactory provides a list of applicable credential IDs to allow users configuring the plugin to select the one to use. This functionality does not correctly check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those can be used as part of an...

4.3CVSS5AI score0.01876EPSS
Exploits1Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/30 12:0 a.m.•7 views

aqua-microscanner stored credentials in plain text

aqua-microscanner stored credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. aqua-microscanner now stores credentials encrypted...

8.8CVSS6.2AI score0.01832EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/30 12:0 a.m.•7 views

XXE vulnerability via UDP broadcast response in swarm client

swarm allows clients to auto-discover Jenkins instances on the same network through a UDP discovery request. Responses to this request are XML documents. swarm does not configure the XML parser in a way that would prevent XML External Entity XXE processing. This allows unauthenticated attackers o...

9.3CVSS7.8AI score0.01794EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/30 12:0 a.m.•7 views

azure-ad stored credentials in plain text

azure-ad stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. azure-ad now stores the client secret encrypted...

8.8CVSS6.2AI score0.01832EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/10 12:0 a.m.•7 views

XSS vulnerability in form validation button

The f:validateButton form control for the Jenkins UI did not properly escape job URLs. This resulted in a cross-site scripting XSS vulnerability exploitable by users with the ability to control job names. The affected form control has been rewritten to no longer need to escape job URLs...

5.4CVSS6AI score0.01346EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

octopusdeploy stores credentials in plain text

octopusdeploy stores credentials unencrypted in its global configuration file hudson.plugins.octopusdeploy.OctopusDeployPlugin.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

VS Team Services Continuous Deployment Plugin stores credentials in plain text

vsts-cd stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

CSRF vulnerability and missing permission check in nomad allow SSRF

A missing permission check in a form validation method in nomad allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...

6.5CVSS6.3AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

Crowd Integration Plugin stores credentials in plain text

Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

6.5CVSS6.5AI score0.01622EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

starteam stores credentials in plain text

starteam stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS7.9AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

Assembla Auth Plugin stores credentials in plain text

Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS7.9AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

mabl-integration stores credentials in plain text

mabl-integration stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

minio-storage stores credentials in plain text

minio-storage stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

netsparker-cloud-scan stored credentials in plain text

netsparker-cloud-scan stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins controller. These API tokens could be viewed by users with access to the Jenkins controller file system. netsparker-cloud-scan now stores API tokens...

8.8CVSS6.2AI score0.01832EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

Open STF Plugin stores credentials in plain text

Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

6.5CVSS6.5AI score0.01226EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

CSRF vulnerability and missing permission check in jenkins-reviewbot allow SSRF

A missing permission check in a form validation method in jenkins-reviewbot allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting ...

6.5CVSS6.3AI score0.01486EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

jabber-server-plugin stores credentials in plain text

jabber-server-plugin stores credentials unencrypted in its global configuration file de.enexus.jabber.JabberBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

CSRF vulnerability and missing permission check in kmap-jenkins allow SSRF

A missing permission check in a form validation method in kmap-jenkins allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in...

6.5CVSS6.4AI score0.01486EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

Perfecto Mobile Plugin stores credentials in plain text

Perfecto Mobile Plugin stores credentials unencrypted in its global configuration file com.perfectomobile.jenkins.ScriptExecutionBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

6.5CVSS6.5AI score0.01186EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

relution-publisher stores credentials in plain text

relution-publisher stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relutionpublisher.configuration.global.StoreConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01773EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

jenkins-cloudformation-plugin stores credentials in plain text

jenkins-cloudformation-plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01423EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

CSRF vulnerability and missing permission check in zephyr-enterprise-test-management allow SSRF

A missing permission check in a form validation method in zephyr-enterprise-test-management allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

CloudShare Docker-Machine Plugin stores credentials in plain text

CloudShare Docker-Machine Plugin stores credentials unencrypted in its global configuration file com.cloudshare.jenkins.CloudShareConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01377EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

websphere-deployer stores credentials in plain text

websphere-deployer stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

8.8CVSS6.3AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

AWS CloudWatch Logs Publisher Plugin stores credentials in plain text

AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...

8.8CVSS6.2AI score0.01365EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/04/03 12:0 a.m.•7 views

CSRF vulnerability and missing permission check in gearman-plugin

A missing permission check in a form validation method in gearman-plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...

6.5CVSS6.3AI score0.01486EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/25 12:0 a.m.•7 views

Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin

Sandbox protection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types. Script Security and Pipeline: Groovy have been hardened to prevent these methods...

9.8CVSS7AI score0.03366EPSS
Exploits0Affected Software2
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/25 12:0 a.m.•7 views

ECS Publisher Plugin stored and displayed API token in plain text

ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml files and its global configuration file on the Jenkins controller. This token could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Additionally, the API token was not mask...

6.5CVSS6.5AI score0.01613EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/25 12:0 a.m.•7 views

SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin

A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation methods did not require POST requests, resulting in a CSR...

6.5CVSS6.4AI score0.01536EPSS
Exploits0Affected Software1
Jenkins Security Advisories
Jenkins Security Advisories
•added 2019/03/25 12:0 a.m.•7 views

PRQA Plugin stored password in plain text

PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk...

7.8CVSS5.9AI score0.00298EPSS
Exploits0Affected Software1
Total number of security vulnerabilities1464