1464 matches found
CSRF vulnerability and missing permission check in gearman-plugin
A missing permission check in a form validation method in gearman-plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
CSRF vulnerability and missing permission check in nomad allow SSRF
A missing permission check in a form validation method in nomad allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL. Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability...
Open STF Plugin stores credentials in plain text
Open STF Plugin stores credentials unencrypted in its global configuration file hudson.plugins.openstf.STFBuildWrapper.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
Crowd Integration Plugin stores credentials in plain text
Crowd Integration Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
Assembla Auth Plugin stores credentials in plain text
Assembla Auth Plugin stores credentials unencrypted in the global configuration file config.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
mabl-integration stores credentials in plain text
mabl-integration stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...
minio-storage stores credentials in plain text
minio-storage stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.minio.MinioUploader.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
jabber-server-plugin stores credentials in plain text
jabber-server-plugin stores credentials unencrypted in its global configuration file de.enexus.jabber.JabberBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in kmap-jenkins allow SSRF
A missing permission check in a form validation method in kmap-jenkins allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting in...
AWS CloudWatch Logs Publisher Plugin stores credentials in plain text
AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file jenkins.plugins.awslogspublisher.AWSLogsConfig.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in jenkins-reviewbot allow SSRF
A missing permission check in a form validation method in jenkins-reviewbot allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials. Additionally, the form validation method does not require POST requests, resulting ...
relution-publisher stores credentials in plain text
relution-publisher stores credentials unencrypted in its global configuration file org.jenkinsci.plugins.relutionpublisher.configuration.global.StoreConfiguration.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
netsparker-cloud-scan stored credentials in plain text
netsparker-cloud-scan stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml on the Jenkins controller. These API tokens could be viewed by users with access to the Jenkins controller file system. netsparker-cloud-scan now stores API tokens...
Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin
Sandbox protection in the Script Security and Pipeline: Groovy Plugins could be circumvented through methods supporting type casts and type coercion. This allowed attackers to invoke constructors for arbitrary types. Script Security and Pipeline: Groovy have been hardened to prevent these methods...
ECS Publisher Plugin stored and displayed API token in plain text
ECS Publisher Plugin stored the API token unencrypted in jobs' config.xml files and its global configuration file on the Jenkins controller. This token could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Additionally, the API token was not mask...
SSRF vulnerability due to missing permission check in Fortify on Demand Uploader Plugin
A missing permission check in multiple form validation methods in Fortify on Demand Uploader Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server. Additionally, the form validation methods did not require POST requests, resulting in a CSR...
Sandbox bypass in Pipeline: Groovy Plugin
Pipeline: Groovy sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the contents of a pipeline to bypass the sandbox protection and execute arbitrary code on the Jenkins controller...
AppDynamics Dashboard Plugin stored password in plain text
AppDynamics Dashboard Plugin stored username and password in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a...
Script security sandbox bypass in Job DSL Plugin
Job DSL Plugin supports sandboxed Groovy expressions for Job DSL definitions. Its sandbox protection could be circumvented during parsing, compilation, and script instantiation by providing a crafted Groovy script. This allowed users able to control the Job DSL scripts to bypass the sandbox...
Information disclosure in Azure VM Agents Plugin
A missing permission check in a form validation method in Azure VM Agents Plugin allowed users with Overall/Read access to verify a submitted configuration, obtaining limited information about the Azure account and configuration. Additionally, this form validation method did not require POST...
Session fixation vulnerability in GitHub Authentication Plugin
GitHub Authentication Plugin did not invalidate the previous session and create a new one upon successful login, allowing attackers able to control or obtain another user's pre-login session ID to impersonate them. GitHub Authentication Plugin now invalidates the previous session during login and...
Sandbox Bypass via CSRF in Warnings Plugin
Warnings Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site...
CSRF vulnerability and missing permission checks in Kanboard Plugin allowed server-side request forgery
Kanboard Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit a GET request to an attacker-specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF...
Monitoring Plugin did not apply CSRF protection even if enabled in Jenkins
Monitoring Plugin provides a standalone JavaMelody servlet with an independent CSRF protection configuration. Even if Jenkins had CSRF protection enabled, Monitoring Plugin may not have it enabled. Monitoring Plugin now checks on startup whether Jenkins has CSRF protection enabled and enables its...
Sandbox Bypass in Groovy Plugin
Groovy Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST transforming...
Sandbox Bypass via CSRF in Warnings Next Generation Plugin
Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site...
XXE vulnerability in Job Import Plugin
Job Import Plugin allows to import jobs from other Jenkins instances. As a first step in this process, Job Import Plugin sends a request to another Jenkins instance, parsing XML REST API output to obtain a list of jobs that could be imported. Job Import Plugin did not configure the XML parser in ...
CSRF vulnerability in Job Import Plugin allowed creating and overwriting jobs, installing some plugins
Job Import Plugin did not require that POST requests are sent to its /import URL, which processes requests to import jobs. This resulted in a cross-site request forgery CSRF vulnerability that could be exploited to create or replace jobs on the local instance if the remote Jenkins instance has...
Administrators could persist access to Jenkins using crafted 'Remember me' cookie
Users with the Overall/RunScripts permission typically administrators were able to use the Jenkins script console to craft a 'Remember me' cookie that would never expire. This allowed attackers access to a Jenkins instance while the corresponding user in the configured security realm exists, for...
Deleting a user in an external security realm did not invalidate their session or 'Remember me' cookie
When using an external security realm such as LDAP or Active Directory, deleting a user from the security realm does not result in the user losing access to Jenkins. While deleting the user record from Jenkins did invalidate the 'Remember me' cookie, there was no way to invalidate active sessions...
Sandbox Bypass in Script Security and Pipeline Plugins
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Re...
Potential denial of service through cron expression form validation
The form validation for cron expressions e.g. "Poll SCM", "Build periodically" could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely...
Code execution through crafted URLs
Jenkins uses the Stapler web framework for HTTP request handling. Stapler's basic premise is that it uses reflective access to code elements matching its naming conventions. For example, any public method whose name starts with get, and that has a String, int, long, or no argument can be invoked...
Failures to process form submission data could result in secrets being displayed or written to logs
When Jenkins fails to process form submissions due to an internal error, the error message shown to the user and written to the log typically includes the serialized JSON form submission. Secrets, such as submitted passwords, might be included with the JSON object, and shown or written to disk in...
CSRF vulnerability in Email Extension Template Plugin
Some URLs implementing form submission handling in Email Extension Template Plugin did not require POST requests, resulting in a CSRF vulnerability that allowed attackers to create or remove templates. These URLs now require POST requests...
Artifactory Plugin stored old directly entered credentials unencrypted on disk
Artifactory Plugin 2.4.0 introduced support for securely storing credentials using the Credentials Plugin. Old, insecurely stored credentials however were not removed when switching to this new system. Artifactory Plugin 2.16.2 and newer remove obsolete credentials stored in plain text when using...
Stored XSS vulnerability in Config File Provider Plugin
Config File Provider Plugin did not escape configuration file metadata, resulting in a stored cross-site scripting XSS vulnerability. Config File Provider Plugin now escapes configuration file metadata shown on the Jenkins UI...
CSRF vulnerability and missing permission checks in HipChat Plugin allowed capturing credentials
HipChat Plugin did not perform permission checks on a method that sends test notifications. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified HipChat server using attacker-specified connection settings and credentials IDs obtained through another method,...
Unprivileged users with Overall/Read access are able to enumerate credential IDs in Mesos Plugin
Mesos Plugin provides a list of applicable credential IDs to allow administrators configuring the Mesos cloud to select the one to use. This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credentials IDs. Those could be used as part ...
"Remember me" cookie was evaluated even if that feature is disabled
The "Remember me" feature can be disabled in the Jenkins security configuration. This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in. "Remember me" cookies are no longer evaluated when the corresponding feature is disabled...
CSRF vulnerability and missing permission checks in SaltStack Plugin allowed capturing credentials
SaltStack Plugin did not perform permission checks on methods implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in...
CSRF vulnerability and missing permission checks in Agiletestware Pangolin Connector for TestRail Plugin allowed overriding plugin configuration
Agiletestware Pangolin Connector for TestRail Plugin did not perform permission checks on an API endpoint used to validate and save the plugin configuration. This allowed users with Overall/Read access to Jenkins to override the plugin configuration. Additionally, the API endpoint did not require...
CSRF vulnerability and missing permission checks in Confluence Publisher Plugin
Confluence Publisher Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to submit login requests to Confluence using attacker-specified credentials. Additionally, this form validation method did not require POS...
Users without Overall/Read permission can have Jenkins reset parts of global configuration on the next restart
Unauthenticated users could provide maliciously crafted login credentials that cause Jenkins to move the config.xml file from the Jenkins home directory. This configuration file contains basic configuration of Jenkins, including the selected security realm and authorization strategy. If Jenkins i...
AWS CodePipeline Plugin stored AWS Secret Key in plain text
AWS CodePipeline Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a password form...
Persisted cross-site scripting vulnerability in Badge Plugin
Badge Plugin stored and displayed user-provided HTML for badges and summaries unprocessed, allowing users with the ability to control badge content to store malicious HTML to be displayed within Jenkins. Badge Plugin 1.5 and newer sanitizes the provided HTML for display on the Jenkins web UI...
AWS CodeDeploy Plugin persisted possibly sensitive environment variables in job configuration
AWS CodeDeploy Plugin could persist environment variables from the last run of any project with the post-build step configured in the job's config.xml file. In some cases, this allowed users with file system access or Extended Read permission to obtain those potentially sensitive environment...
AWS CodeBuild Plugin stored AWS Secret Key in plain text
AWS CodeBuild Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a password form field...
CollabNet Plugin globally and unconditionally disables SSL/TLS certificate validation
CollabNet Plugin disabled SSL/TLS certificate validation for the entire Jenkins controller JVM by default. CollabNet Plugin 2.0.5 and newer no longer does that. It instead requires users to opt in to disabling SSL/TLS certificate validation by setting the system property...
Configuration as Code Plugin logged passwords in clear text
Configuration as Code Plugin logged secrets set via its configuration to the Jenkins controller system log in plain text. This allowed users with access to the Jenkins log files to obtain these passwords and similar secrets. Secrets are now masked when logging configuration...