1464 matches found
AWS CodeBuild Plugin stored AWS Secret Key in plain text
AWS CodeBuild Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a password form field...
AWS CodePipeline Plugin stored AWS Secret Key in plain text
AWS CodePipeline Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a password form...
AWS CodeDeploy Plugin persisted possibly sensitive environment variables in job configuration
AWS CodeDeploy Plugin could persist environment variables from the last run of any project with the post-build step configured in the job's config.xml file. In some cases, this allowed users with file system access or Extended Read permission to obtain those potentially sensitive environment...
Persisted cross-site scripting vulnerability in Badge Plugin
Badge Plugin stored and displayed user-provided HTML for badges and summaries unprocessed, allowing users with the ability to control badge content to store malicious HTML to be displayed within Jenkins. Badge Plugin 1.5 and newer sanitizes the provided HTML for display on the Jenkins web UI...
CollabNet Plugin globally and unconditionally disables SSL/TLS certificate validation
CollabNet Plugin disabled SSL/TLS certificate validation for the entire Jenkins controller JVM by default. CollabNet Plugin 2.0.5 and newer no longer does that. It instead requires users to opt in to disabling SSL/TLS certificate validation by setting the system property...
Configuration as Code Plugin allowed anyone with Overall/Read access to export Jenkins configuration
Configuration as Code Plugin lacked a permission check in the method handling the URL exporting the system configuration. This allowed users with Overall/Read access to Jenkins to obtain this YAML export. This permission check has been added in Configuration as Code Plugin 0.8-alpha...
Server-side request forgery vulnerability in Git Plugin
Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, these form validation methods did not require POST requests, resultin...
CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials
GitHub Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
Path traversal vulnerability in agent to controller security subsystem
The agent to controller security subsystem ensures that the Jenkins controller is protected from maliciously configured agents. Learn more. A path traversal vulnerability allowed agents to escape whitelisted directories to read and write to files they should not be able to access. Paths are now...
Black Duck Hub Plugin allowed any user with Overall/Read to read and write its configuration
Black Duck Hub Plugin did not perform permission checks for its /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint. This allowed any user with Overall/Read permission to both read and write the plugin configuration XML. Black Duck Hub Plugin...
XML External Entity processing vulnerability in Black Duck Hub Plugin
Black Duck Hub Plugin's /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint was affected by an XML External Entity XXE processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file...
Email Extension Plugin showed plain text SMTP password in configuration form field
Email Extension Plugin stores an SMTP password in the global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
Perforce Plugin uses ineffective credentials encryption
Perforce Plugin encrypts its credentials using DES and an encryption key stored in its public source code, so it only serves as basic obfuscation. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could resul...
vSphere Plugin does not validate SSL/TLS certificates
vSphere Plugin disabled SSL/TLS certificate validation unconditionally, allowing potential man-in-the-middle attacks. vSphere Plugin 2.17 now has SSL/TLS certificate validation enabled by default...
CSRF vulnerability and missing permission checks in vSphere Plugin form validation allowed enumerating credentials IDs, capturing credentials, and denial of service
vSphere Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to perform various actions such as: Connect to an attacker-specified vSphere server using attacker-specified credentials IDs obtained through another...
Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM
Liquibase Runner Plugin allows users with Job/Configure permission to configure its build step in a way that loads arbitrary class files into the Jenkins controller JVM, resulting in arbitrary code execution. As of publication of this advisory, there is no fix...
Coverity Plugin stored keystore and private key passwords in plain text
The Coverity Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-sit...
Azure Slave Plugin bundled outdated httpclient library with denial of service vulnerability
The Azure Slave Plugin bundles a version of the httpclient library that is vulnerable to CVE-2015-5262. As the plugin has been deprecated in favor of Azure VM Agents Plugin in 2016, there are no plans to release a fix. It has been removed from distribution per request by the former maintainers...
Unprivileged users are able to enumerate credential IDs in Google Play Android Publisher Plugin
Google Play Android Publisher Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with the Google Play API. This functionality did not check permissions, allowing any user with Overall/Read permission to get a...
Disclosure of user names and node names to unauthorized users through post-commit hook URL in Subversion Plugin
The class handling unauthenticated Subversion post-commit hook notification requests at the /subversion/ path unnecessarily extended another type that handled requests to the …/search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually...
Stored cross-site scripting vulnerability in TestLink Plugin
Users with Job/Configure permission were able to configure TestLink reports to display arbitrary unescaped HTML e.g. in test case names. The plugin now properly escapes its HTML output...
Missing permission checks and CSRF vulnerability in gitee
gitee 1288.v18bdebc9069b and earlier does not perform permission checks in several HTTP endpoints implementing form validation for its global configuration. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained...
CSRF vulnerability and missing permission check in contrast-continuous-application-security
contrast-continuous-application-security 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, AP...
XXE vulnerability in assembla
assembla 1.4 and earlier does not configure its XML parser to prevent XML external entity XXE attacks when parsing responses from the configured Assembla server. This allows attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.523 and earlier, LTS...
Rebuilding a run with revoked script approval allowed by workflow-cps
workflow-cps 3990.vd281dd77a388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main Jenkinsfile script for a rebuilt build is approved. This allows attackers with Item/Build permission to rebuild a previous build whose Jenkinsfile script is no longer approved. NOTE: This...
Session fixation vulnerability in oic-auth
oic-auth 4.418.vccc7061f5b6d and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. oic-auth 4.421.v5422614ebe0a invalidates the existing session on login...
Item creation restriction bypass vulnerability in Jenkins
Jenkins provides APIs for fine-grained control of item creation: Authorization strategies can prohibit the creation of items of a given type in a given item group ACLhasCreatePermission2. Item types can prohibit creation of new instances in a given item group...
Lack of issuer claim validation in oic-auth
oic-auth 4.354.v321ce67a1de8 and earlier does not check the iss Issuer claim of an ID Token during its authentication flow, a value that identifies the Originating Party IdP. This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to...
Sensitive information exposure in build logs by mq-notifier
mq-notifier has a global option to log the JSON payload it sends to RabbitMQ in the build log. This includes the build parameters, some of which may be sensitive, and they are not masked. In mq-notifier 1.4.0 and earlier, this option is enabled by default. This results in unwanted exposure of...
Stored XSS vulnerability in gitbucket
gitbucket 0.8 and earlier does not sanitize Gitbucket URLs on build views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability and missing permission checks in paaslane-estimate
paaslane-estimate 1.0.4 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token. Additionally, these HTTP endpoints do not require POST requests, resultin...
XXE vulnerability in ivy
ivy 2.5 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input file for the "Trigger the build of other projects based on the Ivy dependency management system" post-build step to have Jenkins parse a crafted XML document that uses...
Non-constant time nonce comparison in azure-ad
azure-ad 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, does not use a constant-time comparison when checking whether the provided and expected CSRF protection nonce are equal. This could potentially allow attackers to use statistical methods to obtain a valid nonce. azure-ad...
Missing permission check in delphix allows enumerating credentials IDs
delphix 3.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An...
CSRF vulnerability in favorite-view
favorite-view 5.v77a37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to add or remove views from another user's favorite views tab bar. As of publication of this advisory,...
Stored XSS vulnerability
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting XSS vulnerability...
CSRF vulnerability in pipeline-restful-api
pipeline-restful-api 0.11 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows...
Exposure of system-scoped credentials in mabl-integration
mabl-integration 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not...
Exposure of system-scoped credentials in dimensionsscm
dimensionsscm 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled...
Stored XSS vulnerability in repository
repository 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control maven project versions in pom.xml. As of publication of this...
Stored XSS vulnerability in repository
repository 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to change project or build display names. As of publication of this advisory,...
CSRF vulnerability in email-ext
email-ext 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This allows attackers to make another user stop watching an attacker-specified job. email-ext 2.96.1 requires POST requests for the affected HTTP endpoint...
CSRF vulnerability in reverse-proxy-auth-plugin
reverse-proxy-auth-plugin 1.7.4 and earlier does not require POST requests for a form validation method, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials...
Missing permission check in azure-vm-agents allows enumerating credentials IDs
azure-vm-agents 852.v8d35f0960a43 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Improper masking of credentials in hashicorp-vault-plugin
hashicorp-vault-plugin 360.v0a1c04cf807d and earlier does not properly mask i.e., replace with asterisks credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met: The credentials are printed in build steps executing on an agent...
Session fixation vulnerability in cas-plugin
cas-plugin 1.6.2 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. cas-plugin 1.6.3 invalidates the existing session on login...
SSL/TLS certificate validation unconditionally disabled by neuvector-vulnerability-scanner
neuvector-vulnerability-scanner 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server. As of publication of this advisory, there is no fix. Learn why we announce this...
Lack of authentication mechanism in fogbugz webhook
fogbugz provides a webhook endpoint at /fbTrigger/ that can be used to trigger builds of any jobs. In fogbugz 2.2.17 and earlier, this endpoint can be accessed by attackers with Item/Read permission, allowing them to trigger builds of jobs specified in a jobname request parameter. As of publicati...
CSRF vulnerability in lucene-search
lucene-search 387.v938aecbf7fe9 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to reindex the database. As of publication of this advisory, there is no fix. Learn why we announce th...