1464 matches found
AWS CodeBuild Plugin stored AWS Secret Key in plain text
AWS CodeBuild Plugin stored the AWS Secret Key in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This key could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. While masked from view using a password form field...
Persisted cross-site scripting vulnerability in Badge Plugin
Badge Plugin stored and displayed user-provided HTML for badges and summaries unprocessed, allowing users with the ability to control badge content to store malicious HTML to be displayed within Jenkins. Badge Plugin 1.5 and newer sanitizes the provided HTML for display on the Jenkins web UI...
CSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials
GitHub Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkin...
Server-side request forgery vulnerability in CAS Plugin
A form validation method in GitHub Branch Source Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests,...
Server-side request forgery vulnerability in Git Plugin
Various form validation methods in Git Plugin did not check the permission of the user accessing them, allowing anyone with Overall/Read access to Jenkins to cause Jenkins to send a GET request to a specified URL. Additionally, these form validation methods did not require POST requests, resultin...
Black Duck Hub Plugin allowed any user with Overall/Read to read and write its configuration
Black Duck Hub Plugin did not perform permission checks for its /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint. This allowed any user with Overall/Read permission to both read and write the plugin configuration XML. Black Duck Hub Plugin...
Path traversal vulnerability in agent to controller security subsystem
The agent to controller security subsystem ensures that the Jenkins controller is protected from maliciously configured agents. Learn more. A path traversal vulnerability allowed agents to escape whitelisted directories to read and write to files they should not be able to access. Paths are now...
XML External Entity processing vulnerability in Black Duck Hub Plugin
Black Duck Hub Plugin's /descriptorByName/com.blackducksoftware.integration.hub.jenkins.PostBuildHubScan/config.xml API endpoint was affected by an XML External Entity XXE processing vulnerability. This allowed an attacker with Overall/Read access to have Jenkins parse a maliciously crafted file...
Email Extension Plugin showed plain text SMTP password in configuration form field
Email Extension Plugin stores an SMTP password in the global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting...
Liquibase Runner Plugin allows users to load arbitrary Java code into controller JVM
Liquibase Runner Plugin allows users with Job/Configure permission to configure its build step in a way that loads arbitrary class files into the Jenkins controller JVM, resulting in arbitrary code execution. As of publication of this advisory, there is no fix...
Perforce Plugin uses ineffective credentials encryption
Perforce Plugin encrypts its credentials using DES and an encryption key stored in its public source code, so it only serves as basic obfuscation. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could resul...
Disclosure of user names and node names to unauthorized users through post-commit hook URL in Subversion Plugin
The class handling unauthenticated Subversion post-commit hook notification requests at the /subversion/ path unnecessarily extended another type that handled requests to the …/search/ sub-path. This allowed submission of search queries to Jenkins, and getting a list of search results usually...
Coverity Plugin stored keystore and private key passwords in plain text
The Coverity Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins controller local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-sit...
Azure Slave Plugin bundled outdated httpclient library with denial of service vulnerability
The Azure Slave Plugin bundles a version of the httpclient library that is vulnerable to CVE-2015-5262. As the plugin has been deprecated in favor of Azure VM Agents Plugin in 2016, there are no plans to release a fix. It has been removed from distribution per request by the former maintainers...
Unprivileged users are able to enumerate credential IDs in Google Play Android Publisher Plugin
Google Play Android Publisher Plugin provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use to authenticate with the Google Play API. This functionality did not check permissions, allowing any user with Overall/Read permission to get a...
Stored cross-site scripting vulnerability in TestLink Plugin
Users with Job/Configure permission were able to configure TestLink reports to display arbitrary unescaped HTML e.g. in test case names. The plugin now properly escapes its HTML output...
HTTP/2 denial of service vulnerability in bundled Jetty
Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat. Jenkins 2.523 and earlier, LTS...
Improper masking of credentials in credentials-binding
credentials-binding 687.v619cb15e923f and earlier does not properly mask i.e., replace with asterisks credentials present in exception error messages that are written to the build log. credentials-binding 687.689.v1af775332fc9 rethrows exceptions that contain credentials, masking those credential...
CSRF vulnerability in simple-queue
simple-queue 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery CSRF vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. simple-queue 1.4.7 requires POST requests for the affected HTTP...
Session fixation vulnerability in oic-auth
oic-auth 4.418.vccc7061f5b6d and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. oic-auth 4.421.v5422614ebe0a invalidates the existing session on login...
Rebuilding a run with revoked script approval allowed by workflow-cps
workflow-cps 3990.vd281dd77a388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main Jenkinsfile script for a rebuilt build is approved. This allows attackers with Item/Build permission to rebuild a previous build whose Jenkinsfile script is no longer approved. NOTE: This...
Item creation restriction bypass vulnerability in Jenkins
Jenkins provides APIs for fine-grained control of item creation: Authorization strategies can prohibit the creation of items of a given type in a given item group ACLhasCreatePermission2. Item types can prohibit creation of new instances in a given item group...
Sensitive information exposure in build logs by mq-notifier
mq-notifier has a global option to log the JSON payload it sends to RabbitMQ in the build log. This includes the build parameters, some of which may be sensitive, and they are not masked. In mq-notifier 1.4.0 and earlier, this option is enabled by default. This results in unwanted exposure of...
Stored XSS vulnerability in gitbucket
gitbucket 0.8 and earlier does not sanitize Gitbucket URLs on build views. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs. As of publication of this advisory, there is no fix. Learn why we announce this...
Incorrect permission checks in google-compute-engine
google-compute-engine 4.550.vb327fca3db11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission while lacking Item/Configure permission on any particular job to do the following: Enumerate system-scoped...
Builds can be filtered by values of sensitive build variables
Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc. Jenkins 2.50 through 2.423 both inclusive, LTS 2.60.1 through 2.414.1 both inclusive does not exclude sensitive build variables...
Temporary uploaded file created with insecure permissions
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with the default permissions for newly created files. If these permissions are overly...
Stored XSS vulnerability in build-failure-analyzer
build-failure-analyzer 2.4.1 and earlier does not escape Failure Cause names in build logs. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to create or update Failure Causes. build-failure-analyzer 2.4.2 escapes Failure Cause names in build logs...
Temporary plugin file created with insecure permissions
Jenkins creates a temporary file when a plugin is deployed directly from a URL. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they m...
HTML injection vulnerability in aws-codecommit-trigger
aws-codecommit-trigger 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message. This results in an HTML injection vulnerability. NOTE: Since Jenkins 2.275 and LTS 2.263.2, a security hardening for form validation responses...
Non-constant time nonce comparison in azure-ad
azure-ad 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb, does not use a constant-time comparison when checking whether the provided and expected CSRF protection nonce are equal. This could potentially allow attackers to use statistical methods to obtain a valid nonce. azure-ad...
XXE vulnerability in ivy
ivy 2.5 and earlier bundles versions of Apache Ivy vulnerable to CVE-2022-46751. This allows attackers able to control the input file for the "Trigger the build of other projects based on the Ivy dependency management system" post-build step to have Jenkins parse a crafted XML document that uses...
Non-constant time token comparison in tuleap-oauth
tuleap-oauth 1.1.20 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal. This could potentially allow attackers to use statistical methods to obtain a valid authentication token. tuleap-oauth 1.1.21 uses a constant-time comparison when...
Missing permission check in delphix allows enumerating credentials IDs
delphix 3.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An...
Stored XSS vulnerability in docker-swarm
docker-swarm processes Docker responses to generate the Docker Swarm Dashboard view. docker-swarm 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting XSS vulnerability exploitable by...
CSRF vulnerability in favorite-view
favorite-view 5.v77a37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to add or remove views from another user's favorite views tab bar. As of publication of this advisory,...
Stored XSS vulnerability
Jenkins applies formatting to the console output of builds, transforming plain URLs into hyperlinks. Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs of these hyperlinks in build logs. This results in a stored cross-site scripting XSS vulnerability...
Exposure of system-scoped credentials in mabl-integration
mabl-integration 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not...
CSRF vulnerability in pipeline-restful-api
pipeline-restful-api 0.11 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows...
Stored XSS vulnerability in repository
repository 1.10 and earlier does not escape the versions of build artifacts on the Build Artifacts As Maven Repository page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control maven project versions in pom.xml. As of publication of this...
Stored XSS vulnerability in repository
repository 1.10 and earlier does not escape project and build display names on the Build Artifacts As Maven Repository page. This results in a stored cross-site scripting XSS vulnerability exploitable by attackers able to change project or build display names. As of publication of this advisory,...
CSRF vulnerability in email-ext
email-ext 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery CSRF vulnerability. This allows attackers to make another user stop watching an attacker-specified job. email-ext 2.96.1 requires POST requests for the affected HTTP endpoint...
CSRF vulnerability and missing permission check in jenkinsci-appspider-plugin
jenkinsci-appspider-plugin 1.0.15 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified...
Improper masking of credentials in hashicorp-vault-plugin
hashicorp-vault-plugin 360.v0a1c04cf807d and earlier does not properly mask i.e., replace with asterisks credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met: The credentials are printed in build steps executing on an agent...
Missing permission check in thycotic-secret-server allows enumerating credentials IDs
thycotic-secret-server 1.0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another...
Lack of authentication mechanism in spoonscript webhook
spoonscript provides a webhook endpoint at /turbo-webhook/ that can be used to trigger builds of jobs configured to use a specified repository. In spoonscript 1.3 and earlier, this endpoint can be accessed by attackers with Item/Read permission to trigger builds of jobs corresponding to the...
CSRF vulnerability and missing permission checks in octoperf
octoperf 4.5.2 and earlier does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to a previously configured Octoperf server using attacker-specified credentials. Additionally, these endpoints do not require POST requests,...
Missing permission check in octoperf allows enumerating credentials IDs
octoperf 4.5.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. An...
XSS vulnerability in update-center2
https://github.com/jenkins-infra/update-center2/update-center2 is the tool used to generate the Jenkins update sites hosted on updates.jenkins.io. NOTE: While it is designed for use by the Jenkins project for this purpose, others may be using it to operate their own self-hosted update sites...
Workspace temporary directories accessible through directory browser
Jenkins uses temporary directories adjacent to workspace directories, usually with the @tmp name suffix, to store temporary files related to the build. In pipelines, these temporary directories are adjacent to the current working directory when operating in a subdirectory of the automatically...