1464 matches found
Non-constant time nonce comparison in azure-ad
azure-ad 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, does not use a constant-time comparison when checking whether the provided and expected CSRF protection nonce are equal. This could potentially allow attackers to use statistical methods to obtain a valid nonce. azure-ad...
XXE vulnerability in ivy
ivy 2.5 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input file for the "Trigger the build of other projects based on the Ivy dependency management system" post-build step to have Jenkins parse a crafted XML document that uses...
Missing permission check in delphix allows enumerating credentials IDs
delphix 3.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An...
CSRF vulnerability in favorite-view
favorite-view 5.v77a37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to add or remove views from another user's favorite views tab bar. As of publication of this advisory,...
Stored XSS vulnerability
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting XSS vulnerability...
Exposure of system-scoped credentials in mabl-integration
mabl-integration 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not...
CSRF vulnerability in pipeline-restful-api
pipeline-restful-api 0.11 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows...
Stored XSS vulnerability in repository
repository 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control maven project versions in pom.xml. As of publication of this...
Stored XSS vulnerability in repository
repository 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to change project or build display names. As of publication of this advisory,...
Exposure of system-scoped credentials in dimensionsscm
dimensionsscm 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled...
Improper masking of credentials in hashicorp-vault-plugin
hashicorp-vault-plugin 360.v0a1c04cf807d and earlier does not properly mask i.e., replace with asterisks credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met: The credentials are printed in build steps executing on an agent...
CSRF vulnerability in email-ext
email-ext 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This allows attackers to make another user stop watching an attacker-specified job. email-ext 2.96.1 requires POST requests for the affected HTTP endpoint...
Lack of authentication mechanism in spoonscript webhook
spoonscript provides a webhook endpoint at /turbo-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In spoonscript 1.3 and earlier, this endpoint can be accessed by attackers with Item/Read permission to trigger builds of jobs corresponding to the...
Improper masking of credentials in multiple plugins
Multiple plugins do not properly mask i.e., replace with asterisks credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met: The credentials are printed in build steps executing on an agent typically inside a node block. Push mode for...
Stored XSS vulnerability in quayio-trigger
quayio-trigger 0.1 and earlier does not limit URL schemes for repository homepage URLs submitted via Quay.io trigger webhooks. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to submit crafted Quay.io trigger webhook payloads. As of publication of thi...
Lack of authentication mechanism in quayio-trigger webhook
quayio-trigger provides a webhook endpoint at /quayio-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In quayio-trigger 0.1 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of...
Tokens stored and displayed in plain text by reportportal
reportportal 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the...
Stored XSS vulnerability in pipeline-aggregator-view
pipeline-aggregator-view 1.13 and earlier does not escape a variable representing the current view's URL in inline JavaScript. This results in a stored cross-site scripting XSS vulnerability exploitable by authenticated attackers with Overall/Read permission. pipeline-aggregator-view 1.14 obtains...
Stored XSS vulnerability in cppcheck
cppcheck 1.26 and earlier does not escape file names from Cppcheck report files before showing them on the Jenkins UI. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control report file contents. As of publication of this advisory, there is no fix...
Stored XSS vulnerability in Mashup Portlets
Mashup Portlets 1.1.2 and earlier provides the "Generic JS Portlet" feature that lets a user populate a portlet using a custom JavaScript expression. This results in a stored cross-site scripting XSS vulnerability exploitable by authenticated attackers with Overall/Read permission. As of...
Information disclosure through error stack traces related to agents
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers. Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 do...
Missing permission checks in synopsys-coverity allow enumerating credentials IDs
synopsys-coverity 3.0.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Exposure of system-scoped Kubernetes credentials in kubernetes-credentials-provider
kubernetes-credentials-provider 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and...
CSRF vulnerability and missing permission checks in jira-steps
jira-steps 2.0.165.v8846cf59f3db and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing...
Session fixation vulnerability in Keycloak Authentication
Keycloak Authentication 2.3.0 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. As of publication of this advisory, there is no fix. Learn why we announce this...
CSRF vulnerability in Keycloak Authentication
Keycloak Authentication 2.3.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request. This vulnerability allows attackers to trick users into logging in to the attacker's account. As of publication of this...
XXE vulnerability in TestComplete
TestComplete 2.8.1 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control the zip archive input file for the 'TestComplete Test' build step to have Jenkins parse a crafted file that uses external entities for extraction of...
CSRF vulnerability and missing permission check in rabbitmq-consumer
rabbitmq-consumer 2.8 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified AMQP server using attacker-specified username and password. Additionally, this form validation...
Passwords stored in plain text by view-cloner
view-cloner 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory,...
Session fixation vulnerability in oic-auth
oic-auth 2.4 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. oic-auth 2.5 invalidates the existing session on login...
Session fixation vulnerability in openid
openid 2.4 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. As of publication of this advisory, there is no fix. Learn why we announce this...
Open redirect vulnerability in openid
openid 2.4 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication. As of publication of...
Path traversal vulnerability in pwauth
pwauth 0.4 and earlier does not restrict the names of files in methods implementing form validation. This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system. As of publication of this advisory, there is...
CSRF vulnerability and missing permission check in BearyChat
BearyChat 3.0.2 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this form validation method does not require POST requests, resulting in a cross-site...
Open redirect vulnerability in google-login
google-login 1.4 through 1.6 both inclusive improperly determines that a redirect URL after login is legitimately pointing to Jenkins. This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication...
Stored XSS vulnerability in custom-build-properties
custom-build-properties 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to set or change these values...
Lack of authentication mechanism for webhook in xpdev
xpdev provides a webhook endpoint at /xpdev-webhook that can be used to trigger builds configured to use a specified repository. In xpdev 1.0 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to an...
XXE vulnerability in japex
japex 1.7 and earlier does not configure its XML parser to prevent XML external entity XXE attacks. This allows attackers able to control XML input files for the 'Record Japex test report' post-build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets...
Whole-script approval in script-security vulnerable to SHA-1 collisions
script-security 1189.vbab7c8fd5fde and earlier stores whole-script approvals as the https://en.wikipedia.org/wiki/SHA-1SHA-1 hash of the approved script. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. script-security 1190.v65867aa47126 uses...
Passwords stored in plain text by cavisson-ns-nd-integration
cavisson-ns-nd-integration 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These passwords can be viewed by attackers with Item/Extended Read permission or access to the Jenkins controller file system...
CSRF vulnerability and missing permission check in cluster-stats
cluster-stats 0.4.6 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to delete recorded Jenkins Cluster Statistics. Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery CSR...
Sandbox bypass vulnerabilities in Script Security Plugin and in Pipeline: Groovy Plugin
Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be...
Non-constant time webhook token comparison in gitlab-plugin
gitlab-plugin 1.5.35 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. This could potentially allow attackers to use statistical methods to obtain a valid webhook token. gitlab-plugin 1.5.36 uses a constant-time comparison...
Agent-to-controller security bypass vulnerability in nunit
nunit 0.27 and earlier implements an agent-to-controller message that parses files inside a user-specified directory as test results. This allows attackers able to control agent processes to obtain test results from files in an attacker-specified directory on the Jenkins controller. nunit 0.28...
Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin and Pipeline: Deprecated Groovy Libraries Plugin
Pipeline: Groovy Libraries Plugin and older releases of the Pipeline: Deprecated Groovy Libraries Plugin formerly Pipeline: Shared Groovy Libraries Plugin define the library Pipeline step, which allows Pipeline authors to dynamically load Pipeline libraries. The return value of this step can be...
Missing permission checks in Katalon allow capturing credentials
Katalon 1.0.32 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
Stored XSS vulnerability in custom-checkbox-parameter
custom-checkbox-parameter 1.4 and earlier does not escape the name and description of the parameter types it provides. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission. Exploitation of this vulnerability requires that paramete...
Missing permission checks in compuware-topaz-for-total-test allow enumerating credentials IDs
compuware-topaz-for-total-test 2.4.8 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using...
Content-Security-Policy protection for user content disabled by NeuVector Vulnerability Scanner
Jenkins sets the Content-Security-Policy header to static files served by Jenkins specifically DirectoryBrowserSupport, such as workspaces, /userContent, or archived artifacts, unless a Resource Root URL is specified. NeuVector Vulnerability Scanner 1.20 and earlier globally disables the...
Missing permission checks in rundeck
rundeck 3.6.11 and earlier does not perform Run/Artifacts permission checks in multiple HTTP endpoints. This allows attackers with Item/Read permission to obtain information about build artifacts of a given job, if the optional Run/Artifacts permission is enabled. As of publication of this...